tpm2_getekcertificate unable to retrieve: gets error 403 while attempting to retrieve EK certificate from manufacturer site.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tpm2-tools (Ubuntu) | New | Undecided | Unassigned |
Bug Description
The tpm2_getekcerti
Reproduction of failing command on 22.04 with verbose output:
```
# tpm2_createek -G ecc -c ecc.ctx -u ecc.pub
# tpm2_getekcerti
public-key-hash:
sha256: 474211EA550A89E
INFO on line: "147" in file: "tools/
INFO on line: "325" in file: "tools/
* Trying 18.65.3.44:443...
* Connected to ekop.intel.com (18.65.3.44) port 443 (#0)
* found 384 certificates in /etc/ssl/certs
* GnuTLS ciphers: NORMAL:
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.3 / ECDHE_RSA_
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: proserv.intel.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=
* start date: Thu, 20 Jan 2022 00:00:00 GMT
* expire date: Fri, 20 Jan 2023 23:59:59 GMT
* issuer: C=GB,ST=Greater Manchester,
* ALPN, server accepted to use h2
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5568bb6261c0)
> GET /ekcertservice/
Host: ekop.intel.com
accept: */*
* Connection state changed (MAX_CONCURRENT
< HTTP/2 403
< content-type: application/json
< content-length: 23
< date: Fri, 26 Aug 2022 20:04:54 GMT
< x-amzn-requestid: 581936e2-
< x-amzn-errortype: ForbiddenException
< x-amz-apigw-id: XfMYDFj-PHcFnZw=
< x-cache: Error from cloudfront
< via: 1.1 6873f4a0be6528b
< x-amz-cf-pop: LAX50-P1
< x-amz-cf-id: ZQmmtTMipkaGy52
* The requested URL returned error: 403
* stopped the pause stream!
* Connection #0 to host ekop.intel.com left intact
ERROR on line: "294" in file: "tools/
ERROR on line: "251" in file: "tools/
# cat ecc.out
#
```
Output of the same operation, working correctly, from a Lubuntu 20.04 live USB:
```
root@lubuntu:~# tpm2_createek -G ecc -c ecc.ctx -u ecc.pub
root@lubuntu:~# tpm2_getekcerti
public-key-hash:
sha256: 474211EA550A89E
INFO on line: "124" in file: "tools/
INFO on line: "266" in file: "tools/
* Trying 18.65.3.68:443...
* TCP_NODELAY set
* Connected to ekop.intel.com (18.65.3.68) port 443 (#0)
* found 384 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.3 / ECDHE_RSA_
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: proserv.intel.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=
* start date: Thu, 20 Jan 2022 00:00:00 GMT
* expire date: Fri, 20 Jan 2023 23:59:59 GMT
* issuer: C=GB,ST=Greater Manchester,
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x555976c87de0)
> GET /ekcertservice/
Host: ekop.intel.com
accept: */*
* Connection state changed (MAX_CONCURRENT
< HTTP/2 200
< content-type: application/json
< content-length: 1447
< date: Fri, 26 Aug 2022 19:56:46 GMT
< x-amzn-requestid: 407023e5-
< strict-
< x-amz-apigw-id: XfLLtElJvHcFaJQ=
< x-amzn-trace-id: Root=1-
< x-cache: Miss from cloudfront
< via: 1.1 182ea9f21966934
< x-amz-cf-pop: LAX50-P1
< x-amz-cf-id: EAWnstw5gH328vY
<
* Connection #0 to host ekop.intel.com left intact
root@lubuntu:~# cat ecc.out
{"pubhash"
```
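An added triage helper, not part of this bug report or of tpm2-tools: it reduces the two curl verbose transcripts above (condensed, constructed copies of the lines shown) to the fields that matter and reports what actually differs, showing that the 22.04 run completes the TLS handshake and is then refused by the API gateway, so the certificate lines are not where the problem lies.

```python
import re

# Constructed sample lines, condensed from the two curl -v transcripts in the report
# (22.04 failing run and 20.04 working run); values are as they appear there.
FAILING_22_04 = """\
* Connected to ekop.intel.com (18.65.3.44) port 443 (#0)
* SSL connection using TLS1.3 / ECDHE_RSA_
< HTTP/2 403
< content-type: application/json
< x-amzn-errortype: ForbiddenException
< x-cache: Error from cloudfront
* The requested URL returned error: 403
"""
WORKING_20_04 = """\
* Connected to ekop.intel.com (18.65.3.68) port 443 (#0)
* SSL connection using TLS1.3 / ECDHE_RSA_
< HTTP/2 200
< content-type: application/json
< x-cache: Miss from cloudfront
"""

def parse_curl_verbose(transcript):
    """Reduce a curl -v transcript to host, TLS version, status and response headers."""
    info = {"host": None, "tls": None, "status": None, "headers": {}}
    for line in transcript.splitlines():
        if m := re.match(r"\* Connected to (\S+) \(", line):
            info["host"] = m.group(1)
        elif m := re.match(r"\* SSL connection using (\S+)", line):
            info["tls"] = m.group(1)
        elif m := re.match(r"< HTTP/\S+ (\d{3})", line):
            info["status"] = int(m.group(1))
        elif m := re.match(r"< ([\w-]+): (.*)", line):
            info["headers"][m.group(1).lower()] = m.group(2).strip()
    return info

def diff_runs(good, bad):
    """List what separates the working run from the failing one, most telling first."""
    findings = []
    if good["status"] != bad["status"]:
        findings.append(f"status {good['status']} -> {bad['status']}")
    # A 4xx carrying an AWS API Gateway error type means the request was rejected after
    # a successful TLS handshake, so server certificate checks are not the cause.
    if bad["status"] and bad["status"] >= 400:
        if err := bad["headers"].get("x-amzn-errortype"):
            findings.append(f"gateway rejected request: {err}")
        if cache := bad["headers"].get("x-cache"):
            findings.append(f"edge cache: {cache}")
    for key in ("tls", "host"):  # unchanged here: same host, same TLS version
        if good[key] != bad[key]:
            findings.append(f"{key} {good[key]} -> {bad[key]}")
    return findings
```

Run `diff_runs(parse_curl_verbose(WORKING_20_04), parse_curl_verbose(FAILING_22_04))` to get the three findings; the request path itself is truncated in the report, so it is the one thing this comparison cannot check.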