On Tue, 2020-03-03 at 09:02 +0100, Grant Williamson wrote:
> In our use case. We are provided a p12 file.
> We are testing on RHEL 8.
> Where improvement could take place, my thoughts.
>
> - instructions on how to extract the private key and the certs from
>   the p12 (see below)

I'm definitely going for the "if it needs documenting, fix it first" approach on that one. I don't want to tell users how to convert between different file formats. I want software just to silently *accept* the sensible file formats instead.

So this really ends up being a feature request for James: the create_tpm2_key tool ought to support importing keys from PKCS#12 files.

> - offer openssl_tpm2_engine ibmtss (ibmtss-devel, libibmtss0) packages in epel 8
> - build the openconnect epel package against ibmtss for TPMv2 support.

Those are distro-specific requests; please could you file them in Red Hat bugzilla and Cc me? We could do with SoftHSM in EPEL8 too, as the tests currently require it.

Note that there is an open feature request against the TCG engine to support wrapping existing keys: https://github.com/tpm2-software/tpm2-tss-engine/issues/39

> The steps I am using are as follows. Passwords etc. have been removed.
>
> PKCS="file.p12"
> MY_P12_PASSWORD="MyPassw0rd!!"
> TPM_LOCK_PASSWORD="MyPassw0rd!!"
> VPN_SERVER="myserver.ibm.com"
> #
> openssl pkcs12 -in ${PKCS} -nocerts -nodes -passin pass:${MY_P12_PASSWORD} | openssl rsa -out private.pem
> openssl pkcs12 -in ${PKCS} -clcerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > user_cert.crt
> openssl pkcs12 -in ${PKCS} -cacerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca_cert.crt
> #
> create_tpm2_key -w private.pem private-key-tpm-wrapped.pem
> #
> sudo openconnect --csd-wrapper=/usr/share/ibm-config-NetworkManager-openconnect/csd.sh --sslkey=private-key-tpm-wrapped.pem --certificate=user_cert.crt --cafile=ca_cert.crt https://${VPN_SERVER} -v
>
> We are also using the following csd wrapper.

Hm, is that notably different to the one in trojans/csd-wrapper.sh? I'd also be interested to know if the one in trojans/csd-post.sh (in git master; it's been updated) works for you.

> On Tue, Mar 3, 2020 at 8:29 AM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
> >
> > On Mon, 2020-03-02 at 18:26 +0100, Grant Williamson wrote:
> > > Thank you. Sorry I intended to reply sooner.
> >
> > That's good to know; thanks.
> >
> > Next question: Now you've worked it out, could the documentation be
> > improved in any way? What was missing?
> >
> > Better still, what should be fixed in the code (or tools/helpers
> > provided) so that we don't *have* to document it?
> >
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
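The extraction steps quoted above, as an added example that is not code from the thread or from the openconnect project: a POSIX shell helper that does the same three `openssl pkcs12` splits in one function, takes the bundle password on stdin instead of the command line, uses `openssl pkey` so EC keys work as well as RSA, and checks that the extracted key really belongs to the extracted user certificate. The function names are mine, and the demo bundle is built from constructed, throwaway self-signed material.

```shell
#!/bin/sh
# Added helper, not from the thread: the three "openssl pkcs12" extraction
# steps as one function, password via stdin, plus a key/cert match check.
set -eu

# p12_extract <bundle.p12> <password> <outdir>
# Writes private.pem, user_cert.crt and ca_cert.crt into <outdir>.
p12_extract() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    # Unencrypted private key (it gets TPM-wrapped afterwards). "openssl pkey"
    # instead of "openssl rsa" so EC keys work too.
    printf '%s\n' "$pass" | openssl pkcs12 -in "$p12" -nocerts -nodes -passin stdin \
        | openssl pkey -out "$out/private.pem"
    # End-entity certificate(s): the bags that carry a localKeyID.
    printf '%s\n' "$pass" | openssl pkcs12 -in "$p12" -clcerts -nokeys -passin stdin \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out/user_cert.crt"
    # CA certificate(s): the bags without a localKeyID.
    printf '%s\n' "$pass" | openssl pkcs12 -in "$p12" -cacerts -nokeys -passin stdin \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out/ca_cert.crt"
}

# key_matches_cert <private.pem> <cert.crt>: prints "match" if the key's
# public half equals the certificate's SubjectPublicKeyInfo, else "mismatch".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout)
    c=$(openssl x509 -in "$2" -pubkey -noout)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# make_demo_p12 <dir> <password>: constructed test material (throwaway
# self-signed CA plus one user certificate) bundled as <dir>/demo.p12.
make_demo_p12() {
    d=$1; pass=$2; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=demo-ca' -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=demo-user' \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.crt" 2>/dev/null
    printf '%s\n' "$pass" | openssl pkcs12 -export -inkey "$d/user.key" \
        -in "$d/user.crt" -certfile "$d/ca.crt" -passout stdin -out "$d/demo.p12"
}
```

Typical use: `p12_extract file.p12 "$MY_P12_PASSWORD" ./out` followed by `key_matches_cert out/private.pem out/user_cert.crt`, and then the `create_tpm2_key -w out/private.pem ...` step from the thread.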