tpm2_getekcertificate gets error 403 while attempting to retrieve EK Certificate from manufacturer site.

Bug #1987916 reported by Steven Clark
Affects: tpm2-tools (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The tpm2_getekcertificate command from tpm2-tools is unable to retrieve TPM Endorsement Key certificates on Ubuntu 22.04 from the Intel PTT cert servers, but can on Ubuntu 20.04.

Reproduction of failing command on 22.04 with verbose output:
# tpm2_createek -G ecc -c ecc.ctx -u ecc.pub
# tpm2_getekcertificate -V -x -u ecc.pub -o ecc.out https://ekop.intel.com/ekcertservice/
public-key-hash:
  sha256: 474211EA550A89E086F0680C09758550A86579E9781685044539C846B4C427ED
INFO on line: "147" in file: "tools/tpm2_getekcertificate.c": Calculating the base64_encode of the hash of the EndorsementPublic Key:
INFO on line: "325" in file: "tools/tpm2_getekcertificate.c": R0IR6lUKieCG8GgMCXWFUKhleel4FoUERTnIRrTEJ-0%3D
* Trying 18.65.3.44:443...
* Connected to ekop.intel.com (18.65.3.44) port 443 (#0)
* found 384 certificates in /etc/ssl/certs
* GnuTLS ciphers: NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.3 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: proserv.intel.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=Folsom,O=Intel Corporation,CN=proserv.intel.com
* start date: Thu, 20 Jan 2022 00:00:00 GMT
* expire date: Fri, 20 Jan 2023 23:59:59 GMT
* issuer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Organization Validation Secure Server CA
* ALPN, server accepted to use h2
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5568bb6261c0)
> GET /ekcertservice//R0IR6lUKieCG8GgMCXWFUKhleel4FoUERTnIRrTEJ-0%3D HTTP/2
Host: ekop.intel.com
accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 403
< content-type: application/json
< content-length: 23
< date: Fri, 26 Aug 2022 20:04:54 GMT
< x-amzn-requestid: 581936e2-6642-4f90-8c98-deb311ff0ba9
< x-amzn-errortype: ForbiddenException
< x-amz-apigw-id: XfMYDFj-PHcFnZw=
< x-cache: Error from cloudfront
< via: 1.1 6873f4a0be6528b5a618dcd775f26d96.cloudfront.net (CloudFront)
< x-amz-cf-pop: LAX50-P1
< x-amz-cf-id: ZQmmtTMipkaGy52vHMEKnvRfr25wTufeeQzbop-HtvbaaRSAzxA7YQ==
* The requested URL returned error: 403
* stopped the pause stream!
* Connection #0 to host ekop.intel.com left intact
ERROR on line: "294" in file: "tools/tpm2_getekcertificate.c": curl_easy_perform() failed: HTTP response code said error
ERROR on line: "251" in file: "tools/tpm2_tool.c": Unable to run tpm2_getekcertificate
# cat ecc.out
#

Output of the same operation, working correctly, from a Lubuntu 20.04 live USB:
root@lubuntu:~# tpm2_createek -G ecc -c ecc.ctx -u ecc.pub
root@lubuntu:~# tpm2_getekcertificate -V -x -u ecc.pub -o ecc.out https://ekop.intel.com/ekcertservice/
public-key-hash:
  sha256: 474211EA550A89E086F0680C09758550A86579E9781685044539C846B4C427ED
INFO on line: "124" in file: "tools/tpm2_getekcertificate.c": Calculating the base64_encode of the hash of the EndorsementPublic Key:
INFO on line: "266" in file: "tools/tpm2_getekcertificate.c": R0IR6lUKieCG8GgMCXWFUKhleel4FoUERTnIRrTEJ-0%3D
* Trying 18.65.3.68:443...
* TCP_NODELAY set
* Connected to ekop.intel.com (18.65.3.68) port 443 (#0)
* found 384 certificates in /etc/ssl/certs
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLS1.3 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: proserv.intel.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=Folsom,O=Intel Corporation,CN=proserv.intel.com
* start date: Thu, 20 Jan 2022 00:00:00 GMT
* expire date: Fri, 20 Jan 2023 23:59:59 GMT
* issuer: C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Organization Validation Secure Server CA
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x555976c87de0)
> GET /ekcertservice/R0IR6lUKieCG8GgMCXWFUKhleel4FoUERTnIRrTEJ-0%3D HTTP/2
Host: ekop.intel.com
accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< content-type: application/json
< content-length: 1447
< date: Fri, 26 Aug 2022 19:56:46 GMT
< x-amzn-requestid: 407023e5-e18a-43f2-8e77-832fca400de3
< strict-transport-security: max-age=63072000;includeSubDomains
< x-amz-apigw-id: XfLLtElJvHcFaJQ=
< x-amzn-trace-id: Root=1-6309257d-2a24a9b65b31e80a0654f5c2;Sampled=0
< x-cache: Miss from cloudfront
< via: 1.1 182ea9f21966934f3add343ba3d9678a.cloudfront.net (CloudFront)
< x-amz-cf-pop: LAX50-P1
< x-amz-cf-id: EAWnstw5gH328vYhwA-ywZ2TkHy72Z5F6NozS2aKq8UwP7THg2cP3A==
<
* Connection #0 to host ekop.intel.com left intact
root@lubuntu:~# cat ecc.out
{"pubhash":"R0IR6lUKieCG8GgMCXWFUKhleel4FoUERTnIRrTEJ-0%3D","certificate":"MIID_TCCA6OgAwIBAgIULozL7W_rTv1T0AOQQGPKJBd8HiIwCgYIKoZIzj0EAwIwgZoxCzAJBgNVBAYMAlVTMQswCQYDVQQIDAJDQTEUMBIGA1UEBwwLU2FudGEgQ2xhcmExGjAYBgNVBAoMEUludGVsIENvcnBvcmF0aW9uMTQwMgYDVQQLDCtUUE0gRUsgaW50ZXJtZWRpYXRlIGZvciBHTEtfRVBJRF9QUk9EIHBpZDo3MRYwFAYDVQQDDA13d3cuaW50ZWwuY29tMB4XDTIwMDgyNzAwMDAwMFoXDTQ5MTIzMTIzNTk1OVowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEW7lWH0UiIZAE49srrEx_G-F1pi2MELDO9W1QeQttRyPMViNtQF1RkGD-eKu1xHqNskrLE_PIrZUrL_viBAqzSjggJeMIICWjAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEB_wQEAwIFIDAQBgNVHSUECTAHBgVngQUIATAkBgNVHQkBAQAEGjAYMBYGBWeBBQIQMQ0wCwwDMi4wAgEAAgFnMFAGA1UdEQEB_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-9u_IpLfzKrBzx1WRiTBwVe_TQgIgSbypdQdfBSKAAv8BAY92g35bl3RaAku-1boaBT4YxFw%3D"}
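As an added example (not code from this report and not tpm2-tools' own code): the two verbose logs differ in exactly one place on the request side. The 22.04 build sends `GET /ekcertservice//R0IR...` with a doubled slash, the 20.04 build sends `GET /ekcertservice/R0IR...`, and only the doubled-slash path gets the 403 from the API gateway. The script below rebuilds the path token from the SHA-256 printed in the log, joins it to the server argument without producing `//`, flags a request URL whose path contains `//`, and parses a response body of the shape shown in the working run. The alphabet substitutions (`+`→`-`, `/`→`_`, `=`→`%3D`) are inferred from the token in the log; the exact bytes tpm2-tools feeds into SHA-256 are not shown on the page, so the script starts from the printed digest. The response body at the bottom is constructed for the example with a 5-byte DER stand-in, not the page's real certificate.

```python
import base64
import json
from urllib.parse import urlsplit

# Values taken from the bug report: the digest the tool printed and the
# server argument given on the command line.
EK_PUBHASH_HEX = "474211EA550A89E086F0680C09758550A86579E9781685044539C846B4C427ED"
EK_SERVER = "https://ekop.intel.com/ekcertservice/"


def pubhash_token(hash_hex: str) -> str:
    """Encode the 32-byte digest the way the log shows: standard base64, then
    '+' -> '-', '/' -> '_', and the '=' padding percent-encoded as %3D.
    (Substitutions inferred from the token in the log, not read from the tool.)"""
    raw = bytes.fromhex(hash_hex)
    if len(raw) != 32:
        raise ValueError("expected a SHA-256 digest (32 bytes)")
    b64 = base64.b64encode(raw).decode("ascii")
    return b64.replace("+", "-").replace("/", "_").replace("=", "%3D")


def token_to_bytes(token: str) -> bytes:
    """Inverse of pubhash_token. The 'certificate' field of the JSON reply
    uses the same alphabet and %3D padding, so this decodes it too."""
    b64 = token.replace("%3D", "=").replace("-", "+").replace("_", "/")
    return base64.b64decode(b64, validate=True)


def build_request_url(server: str, token: str) -> str:
    """Join server and token with exactly one '/', whether or not the
    server argument already ends in a slash (the 22.04 run did, and the
    request path came out with '//')."""
    return server.rstrip("/") + "/" + token


def path_has_double_slash(url: str) -> bool:
    """Diagnostic for this report: does the URL path contain '//'?"""
    return "//" in urlsplit(url).path


def parse_response(body_text: str, expected_token: str) -> bytes:
    """Parse the JSON body returned by the server and return the certificate
    as DER bytes. Refuses a body whose pubhash is not the token we requested
    and a 'certificate' value that does not start as a DER SEQUENCE (0x30)."""
    body = json.loads(body_text)
    if body.get("pubhash") != expected_token:
        raise ValueError("response pubhash does not match the requested EK")
    der = token_to_bytes(body["certificate"])
    if not der or der[0] != 0x30:
        raise ValueError("certificate field is not a DER SEQUENCE")
    return der


# Constructed sample reply (not the page's real ~1.4 KB certificate): the
# certificate value is the 5-byte DER SEQUENCE { INTEGER 5 } as a stand-in.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_RESPONSE = json.dumps({
    "pubhash": pubhash_token(EK_PUBHASH_HEX),
    "certificate": "MAMCAQU%3D",
})

if __name__ == "__main__":
    token = pubhash_token(EK_PUBHASH_HEX)
    url = build_request_url(EK_SERVER, token)
    print("request URL:", url)
    print("path has '//':", path_has_double_slash(url))
    # The failing request from the 22.04 log, for comparison.
    print("22.04 log path has '//':",
          path_has_double_slash(EK_SERVER + "/" + token))
    print("certificate DER:", parse_response(SAMPLE_RESPONSE, token).hex())
```

Running it prints the same token the tool logged (`R0IR6lUKieCG8GgMCXWFUKhleel4FoUERTnIRrTEJ-0%3D`) and a URL with a single slash before it; feeding the 22.04-style path through `path_has_double_slash` is the quick check for whether a given tpm2-tools build is sending the doubled slash. The pubhash comparison in `parse_response` is worth keeping in any fetcher: it ties the returned certificate to the EK you actually asked about before the DER is handed to a verifier.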
