<html><body><div style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);" dir="auto"><br></div><div id="mail-editor-reference-message-container" dir="auto"><br><div dir="auto" style="color:rgb(33,33,33); background-color:rgb(255,255,255)"><span style="font-size:12pt">hello,</span><br></div><div dir="auto" id="mail-editor-reference-message-container"><div dir="auto"><br>i am trying to use TPM 2.0 device and StrongSwan 5.9.6. I had to recompil StrongSwan to have desired options.<br><br>>> systemctl restart strongswan<br>May 13 11:51:39 00[LIB] loaded plugins: charon-systemd tpm aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem pkcs8 fips-prf gmp curve25519 xcbc cmac hmac kdf drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters<br>May 13 11:51:39 00[JOB] spawning 16 worker threads<br>May 13 11:51:39 01[PTS] TPM 2.0 via TSS2 v2 available<br>May 13 11:51:39 01[PTS] encryption algorithm is AES-CFB with 128 bits<br>May 13 11:51:39 01[CFG] loaded RSA private key from token<br>May 13 11:51:39 11[PTS] TPM 2.0 via TSS2 v2 available<br>May 13 11:51:39 11[LIB] loaded certificate from TPM NV index 0x01800004<br>May 13 11:51:39 11[CFG] id not specified, defaulting to cert subject 'C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=poste-YYYYY'<br><br>>> swanctl --initiate --child host<br>[IKE] initiating Main Mode IKE_SA connection1[1] to 192.168.42.254<br>[IKE] no private key found for 'C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=poste-YYYYY'<br>[CFG] configuration uses unsupported authentication<br>initiate failed: establishing CHILD_SA 'host' failed<br><br>>> swanctl --list-certs<br>List of X.509 End Entity Certificates<br><br> subject: "C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=itineo-0334991"<br> issuer: "C=FAC_DEVNG_INFRASTRUCTURE/AC_DEVNG_INFRASTRUCTURER, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, CN=AC DEV INFRA,"<br> validity: not before Mar 24 13:44:22 2022, ok<br> not after Mar 24 13:44:22 2023, ok (expires in 315 days)<br> serial: 08:28<br> flags: <br> CRL URIs: <a href="http://www.google.fr/my.crl">http://www.google.fr/my.crl</a><br> certificatePolicies:<br> 1.2250.1.214.69.3.1.1.21.1<br> authkeyId: c4:52:c7:7c:40:41:b9:eb:ab:db:df:f4:b7:be:f7:b2:bf:61:57:a0<br> subjkeyId: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e<br> pubkey: RSA 2048 bits<br> keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b<br> subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e<br><br><br>------------------------------------<br>The key id needed starts with 42:e7<br>------------------------------------<br><br>The private key was imported into the TPM 2.0 device :<br><br>>> tpm2_createprimary -Q -G rsa -g sha256 -C o -c parent.ctx<br>>> tpm2_import -G rsa -g sha256 -i ${PRIVATE_PEM} -C parent.ctx -u import_rsa_key.pub -r import_rsa_key.priv<br><br>When i look at the key stored :<br><br>>> pki --print --keyid 0x81000001 --type priv<br>TPM 2.0 via TSS2 v2 available<br>encryption algorithm is AES-CFB with 128 bits<br> privkey: RSA 2048 bits<br> keyid: b3:ca:e7:cf:c4:c3:f9:37:0f:d5:85:b1:44:8e:68:fb:6d:eb:bc:a3<br> subjkey: c1:d1:31:8c:fc:69:31:26:a2:73:21:d2:d0:d9:a1:f1:b5:e5:55:9d<br><br>key id starts with b3:ca ??<br><br>>> pki --print --type priv --in ${PRIVATE_PEM} <br>privkey: RSA 2048 bits<br>keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b<br>subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e<br><br>In the first case we saw a key with bad keyid. When key is taken from file the keyid is good and is equal to the certificate key id<br><br><br>This information is important, i got the private key and a certificat from outside. <br><br>I am surely doing something wrong. Any help will be appreciated.<br><br><br>Thx<br></div>
<br></div><br></div></body></html>