Environment: Custom PTXdist-based distribution running on an Intel Atom(R) x6211E
Libraries involved:
- p11-kit - 0.23.15
- tpm2-pkcs11 - 1.9.2
- tpm2-tss - 4.1.3
I believe the problem in the title is best understood by going through the log step by step.
Step 1: Enumerate token and objects
Logging: logging_1.txt
Pretty printed token state
Token #1:
  initialized: Y
  label: nx
  manufacturer: Intel
  model: MCC
  serial no: 0000000000000000
  PIN length: 0 - 128
  Token #1 contains 6 matching objects:
    Object #1:
      type: public
      size: -1
      label:
      id: 010201
    Object #2:
      type: private
      size: -1
      label:
      id: 010201
    Object #3:
      type: cert
      size: -1
      label:
      id: 010201
      subject: CN=device-122-32.devices.local
      issuer: CN=SUB CA SOFT
      begin: 2026-04-30T22:23:54
      end: 2027-04-30T22:23:53
      hash: 24713201D2702FCE2B6C192C3D8C39CC15EC8B8B
    Object #4:
      type: public
      size: -1
      label:
      id: 010200
    Object #5:
      type: private
      size: -1
      label:
      id: 010200
    Object #6:
      type: cert
      size: -1
      label:
      id: 010200
      subject: CN=device-122-32.devices.local
      issuer: CN=SUB CA SOFT
      begin: 2026-04-30T22:41:26
      end: 2027-04-30T22:41:25
      hash: AEDD09FE1E6C17E3252D79FB3D61223994662778
Token #2:
  initialized: N
  label:
  manufacturer: Intel
  model: MCC
  serial no: 0000000000000000
  PIN length: 0 - 128
The important part is the C_FindObjects call:
C_FindObjects
IN: hSession = S72057594037927938
IN: max_object_count = 16
INFO on line: "494" in file: "src/pkcs11.c": enter "C_FindObjects"
INFO on line: "494" in file: "src/pkcs11.c": return "C_FindObjects" value: 0
OUT: object = (6) [ H1, H2, H3, H4, H5, H6 ]
C_FindObjects = CKR_OK
Step 2: Delete objects with id 010201 and create new RSA pair with the same id
Logging: logging_2.txt
We can see that objects H1, H2 and H3 are deleted, then the new key pair is generated.
The important part is the last lines, where we can see that the new public and private keys are both listed as object H4. So for some reason they are the same object and, worse, they alias the existing public key with id 010200.
Step 3: Enumerate token and objects again
Logging: logging_3.txt
Pretty printed token state
Token #1:
  initialized: Y
  label: nx
  manufacturer: Intel
  model: MCC
  serial no: 0000000000000000
  PIN length: 0 - 128
  Token #1 contains 5 matching objects:
    Object #1:
      type: public
      size: -1
      label:
      id: 010200
    Object #2:
      type: private
      size: -1
      label:
      id: 010200
    Object #3:
      type: cert
      size: -1
      label:
      id: 010200
      subject: CN=device-122-32.devices.local
      issuer: CN=SUB CA SOFT
      begin: 2026-04-30T22:41:26
      end: 2027-04-30T22:41:25
      hash: AEDD09FE1E6C17E3252D79FB3D61223994662778
    Object #4:
      type: public
      size: -1
      label:
      id: 010200
    Object #5:
      type: public
      size: -1
      label:
      id: 010200
Token #2:
  initialized: N
  label:
  manufacturer: Intel
  model: MCC
  serial no: 0000000000000000
  PIN length: 0 - 128
Here the incorrect aliasing can be observed as well. After restarting the application I see the expected token state:
Pretty printed token state
Token #1:
  initialized: Y
  label: nx
  manufacturer: Intel
  model: MCC
  serial no: 0000000000000000
  PIN length: 0 - 128
  Token #1 contains 5 matching objects:
    Object #1:
      type: public
      size: -1
      label:
      id: 010200
    Object #2:
      type: private
      size: -1
      label:
      id: 010200
    Object #3:
      type: cert
      size: -1
      label:
      id: 010200
      subject: CN=device-122-32.devices.local
      issuer: CN=SUB CA SOFT
      begin: 2026-04-30T22:41:26
      end: 2027-04-30T22:41:25
      hash: AEDD09FE1E6C17E3252D79FB3D61223994662778
    Object #4:
      type: public
      size: -1
      label:
      id: 010201
    Object #5:
      type: private
      size: -1
      label:
      id: 010201
Token #2:
  initialized: N
  label:
  manufacturer: Intel
  model: MCC
  serial no: 0000000000000000
  PIN length: 0 - 128
So it seems that the creation of the RSA key pair succeeded and also the bookkeeping in the DB is correct. Only the runtime state is incorrect.
Let me know if I should provide additional information.
Thank you for reading this far and for maintaining this great project 🙂
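An added example (not code from the issue or from tpm2-pkcs11): a small Python checker that parses the p11-kit C_FindObjects trace line and the pretty-printed listing shown above, then flags the two symptoms reported here, a generated pair whose public and private handles coincide or alias a surviving object, and a (type, CKA_ID) combination that occurs more than once. The listing format is assumed to match the issue's text; the sample input is constructed from the Step 3 listing.

```python
import re
from collections import Counter

# Constructed from the Step 3 listing in the issue: three "public" objects
# carry CKA_ID 010200 although only one public/private/cert triple should.
STEP3_LISTING = "\n".join(
    f"Object #{i}:\n  type: {t}\n  id: {d}"
    for i, (t, d) in enumerate([("public", "010200"), ("private", "010200"),
                                ("cert", "010200"), ("public", "010200"),
                                ("public", "010200")], start=1))

HANDLE_LIST_RE = re.compile(r"OUT: object = \(\d+\) \[([^\]]*)\]")

def parse_handles(trace_line):
    """Handles from a p11-kit 'OUT: object = (n) [ H1, ... ]' trace line."""
    m = HANDLE_LIST_RE.search(trace_line)
    if not m:
        raise ValueError("no C_FindObjects handle list in line")
    return [h.strip() for h in m.group(1).split(",") if h.strip()]

def parse_listing(text):
    """(type, id) of every 'Object #N:' block in the pretty-printed listing."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Object #"):
            current = {}
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return [(o.get("type"), o.get("id")) for o in objects]

def duplicate_objects(pairs):
    """(type, id) combinations seen more than once; a consistent token has at
    most one public, one private and one cert object per CKA_ID."""
    return {k: n for k, n in Counter(pairs).items() if n > 1}

def check_new_pair(before, destroyed, pub, priv):
    """Problems with the handles C_GenerateKeyPair returned, given the handles
    enumerated beforehand and those destroyed since. Empty list = consistent."""
    problems = []
    if pub == priv:
        problems.append(f"public and private key share handle {pub}")
    surviving = set(before) - set(destroyed)
    for kind, h in (("public", pub), ("private", priv)):
        if h in surviving:
            problems.append(f"new {kind} key handle {h} aliases a surviving object")
    return problems
```

Run check_new_pair on the handles from the Step 1 trace, the three destroyed handles and the pair returned in Step 2; any non-empty result is the runtime aliasing described above, while duplicate_objects over the Step 3 listing shows the same symptom from the enumeration side.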