[pkix] More fun and games with the Trusted Platform Module

Michael StJohns <msj@nthpermutation.com> Wed, 14 February 2018 01:57 UTC

To: pkix@ietf.org
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <3a8caf8a-0273-afd2-dc28-09053c36842e@nthpermutation.com>
Date: Tue, 13 Feb 2018 20:56:55 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/I7wxiKgSQBaKkAXDBS8cWUUO-Fk>

Hi -

I thought I'd pass on a discovered stupidity. As part of some playing with TPMs I found out that the endorsement certificate for my personal laptop has an invalid encoding. For some unknown reason, my certificate was mis-encoded with a leading zero byte in the serialNumber field. My best guess is that the manufacturer is mistakenly treating the serialNumber as an OCTET STRING and just plopping down the serial number of the TPM in the body of the INTEGER.

Unfortunately, the certificate parsers I'm using barf on this..... I'm having to basically write my own code to handle these...

serial:

02 14
00 04 8f e6  1d 28 82 d3  cd 48 8a b1  30 b9 4f bc
89 28 4b 32

According to the TPM console, this is an Intel TPM, V2.0, spec 11.8.50.3425.

I went looking and I have no contacts with Intel in this space - I'd at least like to make them aware they are screwing up in at least one case. Does anyone have a pointer?

Thanks - Mike
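Added example (not part of the post above, and not code from any TPM vendor): a small DER INTEGER decoder/encoder that makes the defect concrete. DER requires the shortest two's-complement encoding, so a leading 0x00 octet is only allowed when the next octet has its high bit set (it is what keeps a value like 0x8f... positive). The serial bytes below are the ones quoted in the post; the strict path rejects them the way a conforming parser does, the lenient path recovers the value the manufacturer evidently intended, and the encoder shows what the minimal encoding (length 0x13 rather than 0x14) should have been. The function and variable names are this example's own.

```python
"""Strict and lenient DER INTEGER handling for a non-minimal certificate serialNumber.

Constructed for illustration; the TLV below is the serial quoted in the post
(tag 0x02, length 0x14, then a redundant 0x00 followed by 0x04 ...).
"""

# Serial number TLV exactly as it appears in the mis-encoded endorsement certificate.
SERIAL_TLV = bytes.fromhex("0214" "00048fe61d2882d3cd488ab130b94fbc89284b32")


def parse_der_integer(tlv: bytes, strict: bool = True) -> tuple[int, bool, bytes]:
    """Decode one DER INTEGER at the start of `tlv`.

    Returns (value, minimal, remaining_bytes). With strict=True a non-minimal
    encoding raises ValueError, which is what a conforming DER parser does and
    why the post's certificate fails to load. With strict=False the value is
    recovered anyway and `minimal` is False so the caller can log the defect.
    """
    if len(tlv) < 2 or tlv[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = tlv[1]
    offset = 2
    if length & 0x80:
        # Long-form length. RFC 5280 caps serials at 20 octets, so a serial
        # never needs it, but a general decoder has to handle it.
        num_len_octets = length & 0x7F
        length = int.from_bytes(tlv[offset:offset + num_len_octets], "big")
        offset += num_len_octets
    body = tlv[offset:offset + length]
    rest = tlv[offset + length:]
    if len(body) != length:
        raise ValueError("truncated INTEGER body")
    if length == 0:
        raise ValueError("empty INTEGER body")

    # X.690 8.3.2: the first nine bits may not be all zeros or all ones.
    redundant_zero = body[0] == 0x00 and (body[1] & 0x80) == 0 if len(body) > 1 else False
    redundant_ff = body[0] == 0xFF and (body[1] & 0x80) != 0 if len(body) > 1 else False
    minimal = not (redundant_zero or redundant_ff)
    if strict and not minimal:
        raise ValueError("non-minimal INTEGER encoding (redundant leading octet)")

    value = int.from_bytes(body, "big", signed=True)
    return value, minimal, rest


def encode_der_integer(value: int) -> bytes:
    """Encode `value` as a minimal DER INTEGER (short-form length only)."""
    # One spare byte leaves room for the sign bit; redundant octets are stripped next.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    while len(body) > 1 and (
        (body[0] == 0x00 and body[1] < 0x80) or (body[0] == 0xFF and body[1] >= 0x80)
    ):
        body = body[1:]
    if len(body) > 127:
        raise ValueError("long-form length not supported in this example")
    return b"\x02" + bytes([len(body)]) + body


def check_certificate_serial(tlv: bytes) -> list[str]:
    """Apply the RFC 5280 serialNumber rules leniently and return findings."""
    findings = []
    value, minimal, _ = parse_der_integer(tlv, strict=False)
    if not minimal:
        findings.append("non-minimal DER encoding")
    if value <= 0:
        findings.append("serial must be a positive integer")
    if len(encode_der_integer(value)) - 2 > 20:
        findings.append("serial exceeds 20 octets")
    return findings


if __name__ == "__main__":
    value, minimal, _ = parse_der_integer(SERIAL_TLV, strict=False)
    print(f"value=0x{value:x} minimal={minimal}")
    print("correct encoding:", encode_der_integer(value).hex())
    print("findings:", check_certificate_serial(SERIAL_TLV))
```

Run as-is it prints the recovered serial, the 21-byte minimal TLV the certificate should have carried, and the single finding "non-minimal DER encoding". The lenient path is the pragmatic workaround the post alludes to; the strict path is the right default, because accepting alternative encodings of the same value is how signature and identity comparisons diverge between implementations.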