On Fri, Nov 22, 2019 at 06:08:01PM +0100, Didier 'OdyX' Raboud wrote:
> For some time now, ssh (openssh-client) unnecessarily warns for:
>
> > invalid attribute length
> > failed to fetch key
>
> when SSH'ing to a host with libsimple-tpm-pk11.so as PKCS11Provider.
>
> Relevant lines from a verbose connection:
>
> $ ssh -vvv -oPKCS11Provider=libsimple-tpm-pk11.so ssh.example.com
> …
> debug1: Connecting to (…)
> debug1: Connection established.
> debug1: provider libsimple-tpm-pk11.so: manufacturerID <simple-tpm-pk11
> manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11
> library> libraryVersion 0.1
> debug1: provider libsimple-tpm-pk11.so slot 0: label <Simple-TPM-PK11 token>
> manufacturerID <manuf id> model <model> serial <serial> flags 0x400
> debug1: have 1 keys
> invalid attribute length
> failed to fetch key
> …
> debug1: Will attempt key: libsimple-tpm-pk11.so RSA
> SHA256:(xxx-hash-of-my-tpm-key-xxx) token
> …
>
> This was initially reported at
> https://github.com/ThomasHabets/simple-tpm-pk11/issues/48,
> and brought to Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1710832,
> which fixed it.

I haven't looked very far into this yet, but as far as I can tell that Fedora bug is *not* the same thing. Fedora carries a patch set that asks for the CKA_LABEL attribute, and that bug was because it was (apparently incorrectly) requiring that attribute to have non-zero length. However, Debian does not carry that patch.

If you're seeing these errors in the RSA case, it's because at least one of CKA_MODULES or CKA_PUBLIC_EXPONENT is coming back as empty.

-- 
Colin Watson [[email protected]]
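
The distinction drawn in the reply above, as an added example that is not part of the original message and is not OpenSSH's or Fedora's code: a simplified model of a PKCS#11 attribute length query over constructed token objects, showing which required attribute comes back empty under each requirement set. The `mock_*` names, the two requirement lists and the sample lengths are assumptions; the modulus attribute appears under its `pkcs11.h` name, `CKA_MODULUS`.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for pkcs11.h so this builds offline; constants are the standard values. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CKA_LABEL           0x00000003UL
#define CKA_MODULUS         0x00000120UL
#define CKA_PUBLIC_EXPONENT 0x00000122UL

/* Constructed token object: only the attribute lengths matter here. */
struct mock_obj { CK_ULONG label_len, modulus_len, exponent_len; };

/* Hypothetical stand-in for the C_GetAttributeValue length query (pValue == NULL):
 * the provider fills in ulValueLen for each requested attribute. */
static void mock_query_lengths(const struct mock_obj *o, CK_ATTRIBUTE *a, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        a[i].pValue = NULL;
        switch (a[i].type) {
        case CKA_LABEL:           a[i].ulValueLen = o->label_len;    break;
        case CKA_MODULUS:         a[i].ulValueLen = o->modulus_len;  break;
        case CKA_PUBLIC_EXPONENT: a[i].ulValueLen = o->exponent_len; break;
        default:                  a[i].ulValueLen = 0;               break;
        }
    }
}

/* Index of the first required attribute that came back empty; -1 if none, -2 if n > 3. */
static int first_empty_attr(const struct mock_obj *o, const CK_ULONG *required, size_t n)
{
    CK_ATTRIBUTE a[3];
    if (n > 3) return -2;
    for (size_t i = 0; i < n; i++) a[i].type = required[i];
    mock_query_lengths(o, a, n);
    for (size_t i = 0; i < n; i++)
        if (a[i].ulValueLen == 0) return (int)i;
    return -1;
}

/* Assumed requirement sets: RSA material only, and the same plus a label. */
static const CK_ULONG rsa_only[]   = { CKA_MODULUS, CKA_PUBLIC_EXPONENT };
static const CK_ULONG with_label[] = { CKA_LABEL, CKA_MODULUS, CKA_PUBLIC_EXPONENT };

int main(void)
{
    struct mock_obj unlabeled = { 0, 256, 3 };  /* key is fine, label is empty */
    struct mock_obj no_exp    = { 5, 256, 0 };  /* exponent comes back empty */
    printf("unlabeled, rsa_only:   %d\n", first_empty_attr(&unlabeled, rsa_only, 2));
    printf("unlabeled, with_label: %d\n", first_empty_attr(&unlabeled, with_label, 3));
    printf("no_exp,    rsa_only:   %d\n", first_empty_attr(&no_exp, rsa_only, 2));
    return 0;
}
```

An unlabeled key is rejected only when the label is in the required set, while an empty exponent is rejected even without it.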

