<html><body><div style="color: rgb(33, 33, 33); background-color: rgb(255, 255, 255);" dir="auto"><br></div><div id="mail-editor-reference-message-container" dir="auto"><br>
<div class="elementToProof" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hello,
<div><br>
</div>
<div><br>
</div>
<div>i try to use TPM2.0 to store my private key. This key exists and have to be stored into the TPM.</div>
<div><br>
</div>
<div>So with tpm2-tools i have the sequence :</div>
<div><br>
</div>
<div>>> tpm2_createprimary -Q -G rsa2048 -g sha256 -C o -c parent.ctx</div>
<div>>> tpm2_import -G rsa2048:rsassa-sha256 -g sha256 -i ${PRIVATE_PEM} -C parent.ctx -u import_rsa_key.pub -r import_rsa_key.priv</div>
<div>>> tpm2_load -C parent.ctx -u import_rsa_key.pub -r import_rsa_key.priv -c key.ctx</div>
<div>>> tpm2_evictcontrol -C o -c key.ctx 0x81000002</div>
<div><br>
</div>
<div>With current version of tpm-tools the command :</div>
<div>>> pki --print --type priv --keyid 0x81000002</div>
<div>TPM 2.0 via TSS2 v2 available</div>
<div>signature algorithm is NULL with ERROR hash</div>
<div> privkey: RSA 2048 bits</div>
<div> keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b</div>
<div> subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e</div>
<div><br>
</div>
<div><br>
</div>
<div>But with the pull request from the tpm2-tools team : https://github.com/tpm2-software/tpm2-tools/pull/2999</div>
<div><br>
</div>
<div><br>
</div>
<div>>> pki --print --type priv --keyid 0x81000002</div>
<div>TPM 2.0 via TSS2 v2 available</div>
<div>signature algorithm is RSASSA with SHA256 hash</div>
<div> privkey: RSA 2048 bits</div>
<div> keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b</div>
<div> subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e</div>
<div><br>
</div>
<div><br>
</div>
<div>My reflexion at this moment is that if pki works the StrongSwan will detect the right signature scheme but,</div>
<div><br>
</div>
<div><br>
</div>
<div>when i do :</div>
<div>>> systemctl restart strongswan</div>
<div>i got :</div>
<div>May 24 09:48:47 15[PTS] TPM 2.0 via TSS2 v2 available</div>
<div>May 24 09:48:47 15[PTS] signature algorithm is RSASSA with SHA256 hash</div>
<div>May 24 09:48:47 15[CFG] loaded RSA private key from token</div>
<div>May 24 09:48:47 09[PTS] TPM 2.0 via TSS2 v2 available</div>
<div>May 24 09:48:47 09[LIB] loaded certificate from TPM NV index 0x01800004</div>
<div><br>
</div>
<div>but later when i do :</div>
<div>>> swanctl --initiate --child host</div>
<div><br>
</div>
<div>i get a :</div>
<div><br>
</div>
<div>[PTS] TPM 2.0 - unknown hash algorithm not supported by TPM</div>
<div>[IKE] authentication of 'C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=poste-XXXXXX' (myself) failed</div>
<div>[ENC] generating INFORMATIONAL_V1 request 2432046849 [ HASH N(AUTH_FAILED) ]</div>
<div>[NET] sending packet: from 172.16.40.134[4500] to 192.168.42.254[4500] (108 bytes)</div>
<div>initiate failed: establishing CHILD_SA 'host' failed</div>
<div><br>
</div>
<div><br>
</div>
<div>I added some DEBUG to StrongSwan :</div>
<div><br>
</div>
<div><br>
</div>
<div>[PTS] TPM 2.0 - [hash_alg=0x400, key_type=0x1, scheme=0x1]</div>
<div>[PTS] TPM 2.0 - unknown hash algorithm not supported by TPM [hash_alg=0x400, alg_id=(nil)]</div>
<div><br>
</div>
<div>It seems that hash_alg is unknown (1024)</div>
<div>The key type is RSA 0x1</div>
<div>And the scheme detected is SIGN_RSA_EMSA_PKCS1_NULL 0x1</div>
<div>alg_id is 0 --> alg_id is the result of hash_alg_to_tpm_alg_id(hash_alg) with hash_alg unknown</div>
<div><br>
</div>
<div><br>
</div>
<div>Thank you for help</div>
<div><br>
</div>
<div><br>
</div>
<div>Regards</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<br>
</div>
<br></div></body></html>