On 18 February 2020 15:49:41 CET, Grant Williamson <traxtopel@xxxxxxxxx> wrote:
>Hi, looking for guidance on how to use openconnect in conjunction with
>a private key stored in the TPM.
>
>- RHEL 8.1
>- UEFI and Secure Boot are enabled.
>- Upstream packages:-
> tpm2-abrmd-2.3.1-1.el8.x86_64.rpm
> tpm2-abrmd-selinux-2.3.1-2.el8.noarch.rpm
> tpm2-tools-4.1-2.el8.x86_64.rpm
> tpm2-tss-2.3.2-2.el8.x86_64.rpm
> (tpm2_import was not part of what was shipped in el8 tpm-tools)
>- openconnect-8.05-3.el8.x86_64.rpm has been rebuilt with tpm2 support.
>
>
>1) extract private key
>openssl pkcs12 -in vpn.p12 -nocerts -nodes -passin pass:MYPASSWORD |
>openssl rsa -out private.pem
>
>2) Import private key to TPM.
>tpm2_createprimary -C o -c parent.ctx -G rsa2048:null:aes128cfb
>tpm2_evictcontrol -c parent.ctx
>
>tpm2_import -i private.pem -r private_key.tss -u public_key.tss -Grsa
>-C parent.ctx
>tpm2_load -C parent.ctx -u public_key.tss -r private_key.tss -c key.ctx
>tpm2_evictcontrol -c key.ctx
>
>3) Using tpm2-asn-packer-master to create TSS2 PRIVATE KEY
>(https://github.com/rpofuk/tpm2-asn-packer/blob/master/README.md).
>Perhaps there is a different/better approach.
>npx @rpofuk/tpm2-asn-packer p 81800001 private_key.tss public_key.tss
>out.key
>
>4) Use openconnect with "-k out.key" to connect?
>
>Is this the correct approach, or am I totally off track?

Ditch steps 2 and 3, and instead use the "wrap" operation from James
Bottomley's openssl_tpm2_engine. Not sure if tpm2-tss-engine supports
that yet.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
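Whichever tool produces it (the packer in step 3 of the question, or the wrap operation the reply recommends), the file that `openconnect -k` reads is a "TSS2 PRIVATE KEY" PEM: a DER SEQUENCE of a type OID (2.23.133.10.1.3, TPM 2.0 loadable key), an optional [0] EXPLICIT emptyAuth BOOLEAN, the parent handle as an INTEGER, and the TPM2B_PUBLIC and TPM2B_PRIVATE blobs as OCTET STRINGs. The Python below is an added illustration, not code from this thread, from openconnect, from openssl_tpm2_engine or from tpm2-asn-packer: it packs the `-u`/`-r` output of `tpm2_import` together with a parent handle into that PEM, and parses such a file back so you can check what a packer actually wrote, above all that the parent is the persistent handle `tpm2_evictcontrol` printed (0x81800001 in the post), since a key filed under the wrong parent will not load. The TPM2B blobs used as input are constructed placeholders with only the size prefix and leading algorithm identifiers filled in, not real key material, and the helper and function names are mine.

```python
"""Pack and inspect "TSS2 PRIVATE KEY" PEM files, the format consumed by
openconnect -k and openssl_tpm2_engine:
    SEQUENCE { type OID, emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
               parent INTEGER, pubkey OCTET STRING, privkey OCTET STRING }
Stdlib only; no TPM is touched.  Added example, not project code."""
import base64

OID_LOADABLE_KEY = "2.23.133.10.1.3"      # TPM 2.0 loadable key
PEM_HEADER = "-----BEGIN TSS2 PRIVATE KEY-----"
PEM_FOOTER = "-----END TSS2 PRIVATE KEY-----"


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _der_uint(n: int) -> bytes:
    # Handles such as 0x81800001 have the top bit set; DER INTEGER needs a
    # leading 0x00 byte so the value is not read as negative.
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def pack_tss2_key(parent: int, pub: bytes, priv: bytes, empty_auth: bool = True) -> str:
    """Build the PEM from a parent handle and the TPM2B blobs tpm2_import wrote."""
    body = _der_oid(OID_LOADABLE_KEY)
    if empty_auth:
        body += _tlv(0xA0, _tlv(0x01, b"\xff"))   # [0] EXPLICIT BOOLEAN TRUE
    body += _der_uint(parent) + _tlv(0x04, pub) + _tlv(0x04, priv)
    b64 = base64.b64encode(_tlv(0x30, body)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_tss2_key(pem: str) -> dict:
    """Decode the PEM back into its fields; raises ValueError on malformed input."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a TSS2 PRIVATE KEY PEM")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("outer SEQUENCE malformed or trailing data")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected type OID")
    key = {"type": _oid_to_str(oid), "emptyAuth": False}
    tag, val, nxt = _read_tlv(seq, pos)
    while tag & 0xE0 == 0xA0:                # context-tagged EXPLICIT optionals
        if tag == 0xA0:                      # [0] emptyAuth
            _, flag, _ = _read_tlv(val, 0)
            key["emptyAuth"] = flag != b"\x00"
        pos = nxt                            # other optionals (policy etc.) are skipped
        tag, val, nxt = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected parent INTEGER")
    key["parent"] = int.from_bytes(val, "big")
    tag, key["pubkey"], pos = _read_tlv(seq, nxt)
    tag2, key["privkey"], pos = _read_tlv(seq, pos)
    if tag != 0x04 or tag2 != 0x04 or pos != len(seq):
        raise ValueError("expected pubkey/privkey OCTET STRINGs")
    return key


def parent_kind(handle: int) -> str:
    """0x81xxxxxx is a persistent handle (what tpm2_evictcontrol returns);
    0x40xxxxxx is a hierarchy/permanent handle such as 0x40000001 (owner)."""
    if handle >> 24 == 0x81:
        return "persistent"
    if handle >> 24 == 0x40:
        return "hierarchy"
    return "unusable"


# Constructed placeholder blobs with the TPM2B size prefix; NOT real key material.
# Both exceed 127 bytes so the long-form DER length path is exercised.
_PUB_BODY = b"\x00\x01\x00\x0b" + bytes(0x114)        # TPM_ALG_RSA, TPM_ALG_SHA256, padding
SAMPLE_PUB = len(_PUB_BODY).to_bytes(2, "big") + _PUB_BODY
_PRIV_BODY = bytes(range(256)) * 2 + b"\x55" * 32
SAMPLE_PRIV = len(_PRIV_BODY).to_bytes(2, "big") + _PRIV_BODY

if __name__ == "__main__":
    pem = pack_tss2_key(0x81800001, SAMPLE_PUB, SAMPLE_PRIV)
    k = parse_tss2_key(pem)
    print(pem)
    print(f"type={k['type']} parent=0x{k['parent']:08x} ({parent_kind(k['parent'])}) "
          f"emptyAuth={k['emptyAuth']} pub={len(k['pubkey'])}B priv={len(k['privkey'])}B")
```

Run as a script it prints a PEM for the placeholder blobs and its decoded fields. Pointing `parse_tss2_key` at the `out.key` from step 3 shows whether the packer wrote the parent you passed on its command line, whether emptyAuth is present (if it is absent the consumer will expect to supply a key password), and whether the pubkey/privkey blobs still carry their two-byte TPM2B size prefix. A file whose parent decodes to a hierarchy handle (0x40000001) rather than a persistent one is the other common shape, where the consumer is expected to recreate the primary itself instead of using one persisted with `tpm2_evictcontrol`.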