Fapi_Provision Unsupported URL scheme #2833
It would be interesting to get the output of:
To skip the certificate check you can add:
Here is the verbatim output of debug:

debug:fapi:src/tss2-fapi/ifapi_config.c:203:expand_home() Expanding path ~/.local/share/tpm2-tss/user/keystore to user's home
debug:fapi:src/tss2-fapi/ifapi_config.c:290:ifapi_config_initialize_finish() Configuration profile directory: /usr/local/etc/tpm2-tss/fapi-profiles/
debug:fapi:src/tss2-fapi/ifapi_config.c:291:ifapi_config_initialize_finish() Configuration user directory: /home/daltas/.local/share/tpm2-tss/user/keystore
debug:fapi:src/tss2-fapi/ifapi_config.c:292:ifapi_config_initialize_finish() Configuration key storage directory: /usr/local/var/lib/tpm2-tss/system/keystore
debug:fapi:src/tss2-fapi/ifapi_config.c:293:ifapi_config_initialize_finish() Configuration profile name: P_ECCP256SHA256
debug:fapi:src/tss2-fapi/ifapi_config.c:294:ifapi_config_initialize_finish() Configuration TCTI:
debug:fapi:src/tss2-fapi/ifapi_config.c:295:ifapi_config_initialize_finish() Configuration log directory: /usr/local/var/run/tpm2-tss/eventlog/
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:44:copy_policy_digest() Copy policy digest (to) : Copy digest size: 32 (size=32):
0000: 00000000000000000000000000000000 ................
0010: 00000000000000000000000000000000 ................
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:470:ifapi_calculate_policy_secret() call
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd1b00 hashAlg=11
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:176:calculate_policy_key_param() Digest Start (size=32):
0000: 00000000000000000000000000000000 ................
0010: 00000000000000000000000000000000 ................
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5512 and size 32
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=32):
0000: 00000000000000000000000000000000 ................
0010: 00000000000000000000000000000000 ................
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x7ffe3bfd1b14 and size 4
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=4):
0000: 00000151 ...Q
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:183:calculate_policy_key_param() Key name (size=4):
0000: 4000000b @...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5a0a and size 4
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=4):
0000: 4000000b @...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a C............wZ:
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:189:calculate_policy_key_param() Digest Finish (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a C............wZ:
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd1b00 hashAlg=11
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b5512 and size 32
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=32):
0000: b627b043d329fbeb7dfefbddee7d3d1f .'.C.)..}....}=.
0010: 4391c9f6cbbd96a1bac6a99ae1775a3a C............wZ:
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x5cce675b59b6 and size 0
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=0):
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: 837197674484b3f81a90cc8d46a5d724 .q.gD.......F..$
0010: fd52d76e06520b64f2a1da1b331469aa .R.n.R.d....3.i.
debug:fapi:src/tss2-fapi/ifapi_policy_calculate.c:44:copy_policy_digest() Copy policy digest (from) : Copy digest size: 32 (size=32):
0000: 837197674484b3f81a90cc8d46a5d724 .q.gD.......F..$
0010: fd52d76e06520b64f2a1da1b331469aa .R.n.R.d....3.i.
debug:fapi:src/tss2-fapi/fapi_crypto.c:1624:ifapi_crypto_hash_start() call: context=0x7ffe3bfd19d0 hashAlg=11
debug:fapi:src/tss2-fapi/fapi_crypto.c:1695:ifapi_crypto_hash_update() called for context 0x5cce675aac00, buffer 0x7ffe3bfd19e0 and size 122
debug:fapi:src/tss2-fapi/fapi_crypto.c:1700:ifapi_crypto_hash_update() Updating hash with (size=122):
0000: 0023000b000300b20020837197674484 .#.........q.gD.
0010: b3f81a90cc8d46a5d724fd52d76e0652 ......F..$.R.n.R
0020: 0b64f2a1da1b331469aa000600800043 .d....3.i......C
0030: 00100003001000205d03eec2f23c9a49 ........]....<.I
0040: 298ad750dafebe0e7c68185554db1145 )..P....|h.UT..E
0050: a0c8f89977f0cd9f00206057321ec74f ....w.....`W2..O
0060: 34870c1993c1ce51bd200b04a41e6711 4......Q......g.
0070: ecfa859f67e1339de084 ....g.3...
debug:fapi:src/tss2-fapi/fapi_crypto.c:1746:ifapi_crypto_hash_finish() finish hash (size=32):
0000: 109e8885059dca6ff1aed4e292112861 .......o......(a
0010: 1cc453735cd2806f2c87dd088f08733e ..Ss\..o,.....s>
debug:fapi:src/tss2-fapi/fapi_util.c:2135:ifapi_authorize_object() Authorize object: 101
debug:fapi:src/tss2-fapi/fapi_util.c:2641:ifapi_nv_read() success
debug:fapi:src/tss2-fapi/ifapi_curl.c:172:ifapi_curl_verify_ek_cert() EK Certificate: -----BEGIN CERTIFICATE-----[certificate body removed]-----END CERTIFICATE-----
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:403:ifapi_get_curl_buffer() curl_url_set for CURUPART_URL failed: Unsupported URL scheme
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:195:ifapi_curl_verify_ek_cert() ErrorCode (0x00060025) Get certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:969:Fapi_Provision_Finish() ErrorCode (0x00060025) Verify EK certificate
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:177:Fapi_Provision() ErrorCode (0x00060025) Provision
Fapi_Provision(0x60025) - fapi:No certificate
debug:fapi:src/tss2-fapi/api/Fapi_Finalize.c:46:Fapi_Finalize() called: context: 0x7ffe3bfd2108, *context: 0x5cce67596df0
debug:fapi:src/tss2-fapi/api/Fapi_Finalize.c:97:Fapi_Finalize() finished

It ends with the same error message, unsupported URL scheme, but the debug trace shows a certificate. So is it the contents of the EK certificate that tpm2-tss must not like, I'm guessing. I imported the certificate into Kleopatra and dumped the details below:
You can see VMware TPM2 in the certificate name. I exported it from Kleopatra to a pem file you can fetch below.
The error message "curl_url_set for CURUPART_URL failed: Unsupported URL scheme" was displayed if a self signed EK certificate was stored in the TPM. Now a better error message is displayed to explain that FAPI can be used if "ek_cert_less" is set to "yes" in the FAPI config file.

Addresses: tpm2-software#2833

Signed-off-by: Juergen Repp <juergen_repp@web.de>
@chopinrlz Thank you very much for the trace. I have created a PR to improve the error message.
I set up a clean install of Ubuntu Server 24.04 with a clean install of tpm2-tss from master about 5 minutes ago. This is on a VMware Workstation 17.5.1 virtual machine with a TPM. When calling `Fapi_Provision` with NULL for both hierarchies, and a random value for the lockout, the function call fails with the following error messages:

The error code returned is `393253`, which decodes to `fapi:No certificate`. The issue appears to be originating at `ifapi_get_curl_buffer()` with the error Unsupported URL scheme. `Fapi_Initialize` and `Fapi_GetInfo` and `Fapi_SetAuthCB` all work as expected.
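An added example, not part of the original issue and not tpm2-tss code: a small triage script that pulls the ERROR chain out of a FAPI debug trace, splits the return code into layer and base code, and flags the failure signature seen in this issue. The names `triage` and `split_rc` are hypothetical, the sample lines are copied from the trace posted above, and the two name tables hold only the values that trace shows.

```python
import re

# Constructed sample: the last lines of the debug trace posted in this issue.
SAMPLE_LOG = """\
debug:fapi:src/tss2-fapi/fapi_util.c:2641:ifapi_nv_read() success
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:403:ifapi_get_curl_buffer() curl_url_set for CURUPART_URL failed: Unsupported URL scheme
ERROR:fapi:src/tss2-fapi/ifapi_curl.c:195:ifapi_curl_verify_ek_cert() ErrorCode (0x00060025) Get certificate.
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:969:Fapi_Provision_Finish() ErrorCode (0x00060025) Verify EK certificate
ERROR:fapi:src/tss2-fapi/api/Fapi_Provision.c:177:Fapi_Provision() ErrorCode (0x00060025) Provision
Fapi_Provision(0x60025) - fapi:No certificate
"""

LINE_RE = re.compile(r"^(?P<level>[A-Za-z]+):(?P<module>\w+):(?P<file>[^:]+):"
                     r"(?P<line>\d+):(?P<func>\w+)\(\) (?P<msg>.*)$")
RC_RE = re.compile(r"ErrorCode \((0x[0-9a-fA-F]+)\)")

# Only the names this trace shows (0x60025 -> "fapi:No certificate"); not a full table.
LAYER_NAMES = {6: "fapi"}
BASE_NAMES = {0x25: "No certificate"}


def split_rc(rc):
    """Split a TSS2_RC into (layer, base code): bits 16-23 and the low 16 bits."""
    return (rc >> 16) & 0xFF, rc & 0xFFFF


def triage(log_text):
    """Summarise the ERROR chain of a FAPI debug log; None if it holds no ERROR line."""
    errors = [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines())
              if m and m["level"] == "ERROR"]
    if not errors:
        return None
    root = errors[0]  # in this trace the innermost failure is logged first
    rc = next((int(r.group(1), 16) for e in errors
               if (r := RC_RE.search(e["msg"]))), None)
    layer, base = split_rc(rc) if rc is not None else (None, None)
    decoded = None
    if rc is not None:
        decoded = f"{LAYER_NAMES.get(layer, layer)}:{BASE_NAMES.get(base, hex(base))}"
    # Signature of this issue: curl rejects the URL while the EK certificate is verified.
    ek_cert_fetch_failed = ("Unsupported URL scheme" in root["msg"] and any(
        e["func"] == "ifapi_curl_verify_ek_cert" for e in errors))
    return {"root": f'{root["file"]}:{root["line"]} {root["func"]}()',
            "chain": [e["func"] for e in errors], "rc": rc, "layer": layer,
            "base": base, "decoded": decoded,
            "ek_cert_fetch_failed": ek_cert_fetch_failed}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A hit on `ek_cert_fetch_failed` matches the case the pull request describes: a self-signed EK certificate stored in the TPM, for which FAPI can be used with `ek_cert_less` set to `yes` in the FAPI config file.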