* [tpm2] Re: tpm2-pkcs11 and certificates, also Linux Networking
@ 2020-01-16 22:45 Roberts, William C
  0 siblings, 0 replies; 4+ messages in thread
From: Roberts, William C @ 2020-01-16 22:45 UTC (permalink / raw)
  To: tpm2

> -----Original Message-----
> From: Steffen Schwebel [mailto:s.schwebel(a)uvensys.de]
> Sent: Thursday, January 16, 2020 1:02 PM
> To: tpm2(a)lists.01.org >> tpm2 <tpm2(a)lists.01.org>
> Subject: [tpm2] Re: tpm2-pkcs11 and certificates, also Linux Networking
> 
> Hi,
> 
> I managed to get that working as well.
> 
> I also asked at NetworkManager and wpa_supplicant mailing list.
> 
> Seems that NM has support for tpm2-tss at versions > 1.20. Not sure yet about
> wpa_supplicant.
> 
> Since I couldn't store the client cert via PKCS11, I point wpa_supplicant to a file on
> disk

You should be able to now via tpm2_ptool addcert on the master branch. I have that
feature heading for v1.1.

> 
> client_cert="/home/steffenschwebel/Projects/PKI_network/hardware.crt"
> private_key="pkcs11:model=;manufacturer=STMicro;serial=0000000000000000;token=soveryimportant;id=%F2%BE%D0%AB%C3%81%72%8A%B5%40%69%31%D1%38%28%8C%9D%BB%EE%9E;object=klarna;type=private"
> pin="456456"
> 
> regards,
> Steffen
> 
> 
> On 1/16/20 7:49 PM, nicolasoliver03(a)gmail.com wrote:
> > Hi Steffen,
> >
> > On our side, we were able to get wpa_supplicant, tpm2_pkcs11, and EAP-TLS to authenticate a device in a corporate network.
> > It requires a wireless AP or router that supports EAP-TLS, and a RADIUS server for auth.
> >
> > There is a thread in this mailing list about that here https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/AYUBCAFCCXITEVSWA4IFC466LYS6ZIYX/
> > There are also commits in tpm2-pkcs11 to enable support for wpa_supplicant https://github.com/tpm2-software/tpm2-pkcs11/pull/366
> > _______________________________________________
> > tpm2 mailing list -- tpm2(a)lists.01.org To unsubscribe send an email to
> > tpm2-leave(a)lists.01.org
> > %(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

* [tpm2] Re: tpm2-pkcs11 and certificates, also Linux Networking
@ 2020-01-17  8:28 s.schwebel
  0 siblings, 0 replies; 4+ messages in thread
From: s.schwebel @ 2020-01-17  8:28 UTC (permalink / raw)
  To: tpm2

Hello,

yes, "should" :)

I was just about to open an issue on github when I tried it again this morning.

For some reason it worked

steffenschwebel@ubuntu:/opt/tpm2-pkcs11/tools$ ./tpm2_ptool addcert --label soveryimportant /home/steffenschwebel/Projects/PKI_network/hardware.crt --key-label soveryimportant
action: add
cert:
  CKA_ID: f2bed0abc381728ab5406931d138288c9dbbee9e


But I have other problems with that now. If I try to list-all it just hangs.
And I can't use the certificate URL via wpa_supplicant.

Not sure how to debug this further..
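
An added example, not part of the original thread or of tpm2-pkcs11: a first debugging check that the `id=` attribute of the key URI from the wpa_supplicant config is the same object ID as the `CKA_ID` printed by `tpm2_ptool addcert`, and that a certificate URI built from it carries the same bytes. The helper names are hypothetical, and selecting the certificate by token and id alone (without `object=`) is an assumption, since the thread does not show the certificate's label.

```python
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Values copied from the thread: the private_key URI from the wpa_supplicant
# config and the CKA_ID printed by `tpm2_ptool addcert`.
KEY_URI = ("pkcs11:model=;manufacturer=STMicro;serial=0000000000000000;"
           "token=soveryimportant;"
           "id=%F2%BE%D0%AB%C3%81%72%8A%B5%40%69%31%D1%38%28%8C%9D%BB%EE%9E;"
           "object=klarna;type=private")
ADDCERT_CKA_ID = "f2bed0abc381728ab5406931d138288c9dbbee9e"


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into path attributes (decoded bytes) and query."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        attrs[name] = unquote_to_bytes(value)  # percent-decoding, e.g. %F2 -> 0xF2
    return attrs, query


def id_matches(uri, cka_id_hex):
    """True if the URI's id attribute equals the CKA_ID given as hex."""
    attrs, _ = parse_pkcs11_uri(uri)
    return attrs.get("id") == bytes.fromhex(cka_id_hex)


def cert_uri_for(key_uri):
    """Build a type=cert URI for the same token and id (hypothetical helper)."""
    attrs, _ = parse_pkcs11_uri(key_uri)
    if "id" not in attrs:
        raise ValueError("key URI has no id attribute")
    token = quote_from_bytes(attrs.get("token", b""), safe="")
    # Percent-encode every id byte, the same style the key URI in the thread uses.
    ident = "".join(f"%{b:02X}" for b in attrs["id"])
    return f"pkcs11:token={token};id={ident};type=cert"


if __name__ == "__main__":
    print("key id matches addcert CKA_ID:", id_matches(KEY_URI, ADDCERT_CKA_ID))
    print("candidate certificate URI:", cert_uri_for(KEY_URI))
```

If the IDs did not match, the key and certificate would not pair up when looked up by `id`; here they do, so the lookup attributes themselves are not the mismatch.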


* [tpm2] Re: tpm2-pkcs11 and certificates, also Linux Networking
@ 2020-01-16 19:01 Steffen Schwebel
  0 siblings, 0 replies; 4+ messages in thread
From: Steffen Schwebel @ 2020-01-16 19:01 UTC (permalink / raw)
  To: tpm2

Hi,

I managed to get that working as well.

I also asked at NetworkManager and wpa_supplicant mailing list.

Seems that NM has support for tpm2-tss at versions > 1.20
Not sure yet about wpa_supplicant.

Since I couldn't store the client cert via PKCS11, I point wpa_supplicant
to a file on disk

client_cert="/home/steffenschwebel/Projects/PKI_network/hardware.crt"
private_key="pkcs11:model=;manufacturer=STMicro;serial=0000000000000000;token=soveryimportant;id=%F2%BE%D0%AB%C3%81%72%8A%B5%40%69%31%D1%38%28%8C%9D%BB%EE%9E;object=klarna;type=private"
pin="456456"
				
regards,
Steffen	
				

On 1/16/20 7:49 PM, nicolasoliver03(a)gmail.com wrote:
> Hi Steffen,
>
> On our side, we were able to get wpa_supplicant, tpm2_pkcs11, and EAP-TLS to authenticate a device in a corporate network.
> It requires a wireless AP or router that supports EAP-TLS, and a RADIUS server for auth.
>
> There is a thread in this mailing list about that here https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/AYUBCAFCCXITEVSWA4IFC466LYS6ZIYX/
> There are also commits in tpm2-pkcs11 to enable support for wpa_supplicant https://github.com/tpm2-software/tpm2-pkcs11/pull/366

* [tpm2] Re: tpm2-pkcs11 and certificates, also Linux Networking
@ 2020-01-16 18:49 nicolasoliver03
  0 siblings, 0 replies; 4+ messages in thread
From: nicolasoliver03 @ 2020-01-16 18:49 UTC (permalink / raw)
  To: tpm2

Hi Steffen,

On our side, we were able to get wpa_supplicant, tpm2_pkcs11, and EAP-TLS to authenticate a device in a corporate network.
It requires a wireless AP or router that supports EAP-TLS, and a RADIUS server for auth.

There is a thread in this mailing list about that here https://lists.01.org/hyperkitty/list/tpm2(a)lists.01.org/thread/AYUBCAFCCXITEVSWA4IFC466LYS6ZIYX/
There are also commits in tpm2-pkcs11 to enable support for wpa_supplicant https://github.com/tpm2-software/tpm2-pkcs11/pull/366
