Re: openconnect and tpm2

[David Woodhouse <dwmw2@xxxxxxxxxxxxx>]

On Tue, 2020-02-18 at 15:49 +0100, Grant Williamson wrote:
> Hi, looking for guidance on how to use openconnect in conjunction
> with
> a private key stored in the tpm.
> 
> - RHEL 8.1
> - UEFI and Secure Boot are enabled.
> - Upstream packages:-
>     tpm2-abrmd-2.3.1-1.el8.x86_64.rpm
>     tpm2-abrmd-selinux-2.3.1-2.el8.noarch.rpm
>     tpm2-tools-4.1-2.el8.x86_64.rpm
>     tpm2-tss-2.3.2-2.el8.x86_64.rpm
>     (tpm2_import was not part of what was shipped in el8 tpm-tools)
> - openconnect-8.05-3.el8.x86_64.rpm has been rebuilt with tpm2
> support.
> 
> 
> 1) extract private key
> openssl pkcs12 -in vpn.p12  -nocerts -nodes -passin pass:MYPASSWORD |
> openssl rsa -out private.pem
> 
> 2) Import private key to tpm.
> tpm2_createprimary -C o -c parent.ctx -G rsa2048:null:aes128cfb
> tpm2_evictcontrol -c parent.ctx
> 
> tpm2_import -i private.pem -r private_key.tss -u public_key.tss -Grsa
> -C parent.ctx
> tpm2_load -C parent.ctx -u public_key.tss -r private_key.tss -c
> key.ctx
> tpm2_evictcontrol -c key.ctx
> 
> 3) Using tpm2-asn-packer-master to create TSS2 PRIVATE KEY
> (https://github.com/rpofuk/tpm2-asn-packer/blob/master/README.md).
> Perhaps there is a different/better approach.
> npx @rpofuk/tpm2-asn-packer p 81800001 private_key.tss public_key.tss
> out.key
> 
> 4) Use openconnect with "-k out.key" to connect?
> 
> Is this the correct approach, or am I totally off track?

Did you get this working?

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel