certtool creating authentication failures with TPM 1.2 when TPM SRK uses a password
tpmtool currently requires that a user has a TPM 1.2 SRK password set since it doesn't support the 'well known' SRK password of 20 zero bytes. So if one sets the TPM 1.2 SRK password to a 'string' password, certtool will cause unnecessary authentication failures when trying to talk to the TPM via the tcsd, since it will be using the well known SRK password of 20 zero bytes first (certtool seems to support this). The problem with the TPM 1.2 is that it locks down after too many authentication failures and the owner has to send a command to reset it. While we cannot prevent the lock-down entirely (a user can always pass a wrong password), we could at least try to minimize the number of failures. So at the moment certtool seems to first try the 'well known' password (which causes an authentication failure) and then prompt the user for the SRK password.
Suggestion for forcing certtool to use the SRK password given by user:
GNUTLS_SRK_PASSWORD=foo certtool ... # use foo as SRK password on first try
For reference, I posted a patch to the TPM 1.2 Trousers mailing list here that describes the issue and fixes a similar issue in tcsd client: https://sourceforge.net/p/trousers/mailman/message/36444514/
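To illustrate the attempt ordering discussed in this report, here is a small added Python model (not GnuTLS or Trousers code): it derives the 20-byte SRK secret the way Trousers does for a plain-text password (SHA-1 digest, versus the well known 20 zero bytes), runs the current "well known first, then prompt" order against the proposed GNUTLS_SRK_PASSWORD order, and counts the authentication failures each incurs on a constructed TPM 1.2 stand-in. The SimulatedTpm12 class, its lockout threshold and the prompt callback are assumptions for the model.

```python
import hashlib
import os

# TPM 1.2 authorisation secrets are 20-byte values. Trousers' well known SRK
# secret is 20 zero bytes; a string password is used as its SHA-1 digest.
WELL_KNOWN_SRK = b"\x00" * 20


def srk_secret_from_password(password: str) -> bytes:
    """Derive the 20-byte SRK authorisation value from a string password."""
    return hashlib.sha1(password.encode()).digest()


def srk_attempts(env=None, prompt=None):
    """Yield SRK secrets in the order a client should try them.

    With GNUTLS_SRK_PASSWORD set (the variable proposed in this report) only
    that password is tried, so a user with a string SRK password does not burn
    a failure on the well known secret. Otherwise this mirrors the behaviour
    described above: well known secret first, then prompt the user.
    """
    env = os.environ if env is None else env
    configured = env.get("GNUTLS_SRK_PASSWORD")
    if configured is not None:
        yield srk_secret_from_password(configured)
    else:
        yield WELL_KNOWN_SRK
        yield srk_secret_from_password(prompt())  # prompt only when needed


class SimulatedTpm12:
    """Constructed stand-in for a TPM 1.2 SRK check with a failure counter."""

    def __init__(self, srk_secret: bytes, lockout_threshold: int = 3):
        self.srk_secret = srk_secret
        self.failures = 0
        self.lockout_threshold = lockout_threshold  # assumed value

    def authenticate(self, secret: bytes) -> bool:
        if self.failures >= self.lockout_threshold:
            raise RuntimeError("TPM locked: owner must reset the lockout")
        if secret == self.srk_secret:
            return True
        self.failures += 1
        return False


def failures_until_success(tpm: SimulatedTpm12, env=None, prompt=None) -> int:
    """Try the secrets in order; return how many failures were incurred."""
    before = tpm.failures
    for secret in srk_attempts(env, prompt):
        if tpm.authenticate(secret):
            return tpm.failures - before
    raise RuntimeError("no SRK secret matched")
```

With a string SRK password the current order always costs one failure before the prompt, while the environment-variable order costs none.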