From: Roberts, William C <william.c.roberts at intel.com>
To: tpm2@lists.01.org
Subject: [tpm2] Re: tpm2_import is modifying the keyid of my private key
Date: Fri, 20 May 2022 14:14:11 +0000 [thread overview]
Message-ID: <SN6PR11MB3437148E2AF64352B333DA3EB8D39@SN6PR11MB3437.namprd11.prod.outlook.com> (raw)
In-Reply-To: 20220513125254.1878.24023@ml01.vlan13.01.org
[-- Attachment #1: Type: text/plain, Size: 3929 bytes --]
I'm not sure if anyone here can help you, you should go talk to strongswan:
-https://www.strongswan.org/support.html
________________________________
From: rodolphe.averty(a)free.fr <rodolphe.averty(a)free.fr>
Sent: Friday, May 13, 2022 7:52 AM
To: tpm2(a)lists.01.org <tpm2(a)lists.01.org>
Subject: [tpm2] Re: tpm2_import is modifying the keyid of my private key
Hello,
i am trying to use TPM 2.0 device and StrongSwan 5.9.6. I had to recompil StrongSwan to have desired options.
>> systemctl restart strongswan
May 13 11:51:39 00[LIB] loaded plugins: charon-systemd tpm aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem pkcs8 fips-prf gmp curve25519 xcbc cmac hmac kdf drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
May 13 11:51:39 00[JOB] spawning 16 worker threads
May 13 11:51:39 01[PTS] TPM 2.0 via TSS2 v2 available
May 13 11:51:39 01[PTS] encryption algorithm is AES-CFB with 128 bits
May 13 11:51:39 01[CFG] loaded RSA private key from token
May 13 11:51:39 11[PTS] TPM 2.0 via TSS2 v2 available
May 13 11:51:39 11[LIB] loaded certificate from TPM NV index 0x01800004
May 13 11:51:39 11[CFG] id not specified, defaulting to cert subject 'C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=poste-YYYYY'
>> swanctl --initiate --child host
[IKE] initiating Main Mode IKE_SA connection1[1] to 192.168.42.254
[IKE] no private key found for 'C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=poste-YYYYY'
[CFG] configuration uses unsupported authentication
initiate failed: establishing CHILD_SA 'host' failed
>> swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=itineo-0334991"
issuer: "C=FAC_DEVNG_INFRASTRUCTURE/AC_DEVNG_INFRASTRUCTURER, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, CN=AC DEV INFRA,"
validity: not before Mar 24 13:44:22 2022, ok
not after Mar 24 13:44:22 2023, ok (expires in 315 days)
serial: 08:28
flags:
CRL URIs: http://www.google.fr/my.crl
certificatePolicies:
1.2.250.1.214.69.3.1.1.21.1
authkeyId: c4:52:c7:7c:40:41:b9:eb:ab:db:df:f4:b7:be:f7:b2:bf:61:57:a0
subjkeyId: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e
pubkey: RSA 2048 bits
keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b
subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e
------------------------------------
The key id needed starts with 42:e7
------------------------------------
The private key was imported into the TPM 2.0 device :
>> tpm2_createprimary -Q -G rsa -g sha256 -C o -c parent.ctx
>> tpm2_import -G rsa -g sha256 -i ${PRIVATE_PEM} -C parent.ctx -u import_rsa_key.pub -r import_rsa_key.priv
When i look at the key stored :
>> pki --print --keyid 0x81000001 --type priv
TPM 2.0 via TSS2 v2 available
encryption algorithm is AES-CFB with 128 bits
privkey: RSA 2048 bits
keyid: b3:ca:e7:cf:c4:c3:f9:37:0f:d5:85:b1:44:8e:68:fb:6d:eb:bc:a3
subjkey: c1:d1:31:8c:fc:69:31:26:a2:73:21:d2:d0:d9:a1:f1:b5:e5:55:9d
key id starts with b3:ca ??
>> pki --print --type priv --in ${PRIVATE_PEM}
privkey: RSA 2048 bits
keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b
subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e
In the first case we saw a key with bad keyid. When key is taken from file the keyid is good and is equal to the certificate key id
I am surely doing something wrong. Any help will be appreciated.
Thx
_______________________________________________
tpm2 mailing list -- tpm2(a)lists.01.org
To unsubscribe send an email to tpm2-leave(a)lists.01.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s
[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 5618 bytes --]
next reply other threads:[~2022-05-20 14:14 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-20 14:14 Roberts, William C [this message]
-- strict thread matches above, loose matches on Subject: below --
2022-05-13 12:52 [tpm2] Re: tpm2_import is modifying the keyid of my private key - -
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=SN6PR11MB3437148E2AF64352B333DA3EB8D39@SN6PR11MB3437.namprd11.prod.outlook.com \
--to=tpm2@lists.01.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.