[strongSwan] Accepted types of TPM2.0 keys?

Petr Gotthard petr.gotthard at advantech.cz
Thu Nov 5 15:27:05 CET 2020


Could you please clarify a bit what types of TPM2.0 keys can be used with strongSwan?

The examples on the TpmPlugin wiki-page show an attestation (restricted signing) key with RSASSA scheme and SHA256 digest. Is this the only type of RSA key that can be used? (Let's ignore ECC for now.) Because, for example, non-restricted combined (signing and decryption) keys, created by the OpenSSL engine, appear to fail. Do they fail because they are non-restricted, or because they have NULL scheme and digest? Or both? The TPM error message is kinda generic.

In an ideal world I'd like to use a single AIK as a device identity for both SSL and strongSwan, but that feels impossible for now. I know that it's most likely OpenSSL's fault because they sign using the decrypt operation and thus require a non-restricted combined key (which shouldn't be needed), but I'd like to better understand also what key attributes, schemes and algorithms are needed for strongSwan. Such information may also be useful for other people fighting with the TPM.

Kind Regards,
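The question above turns on two properties of a TPM 2.0 key's public area: the TPMA_OBJECT attribute bits (restricted, sign, decrypt) and the signing scheme/digest. The following Python is an added example, not part of the poster's message or of strongSwan or the TpmPlugin, that decodes a TPMA_OBJECT word and a scheme/digest algorithm ID into a readable classification, so a key can be checked for being "restricted signing with RSASSA/SHA256" versus "non-restricted combined sign+decrypt with NULL scheme" before it is handed to any consumer. Bit positions and algorithm IDs follow the TPM 2.0 Library Specification, Part 2; the two sample attribute values are constructed for illustration, and the function and variable names are the example's own.

```python
"""Decode TPM 2.0 key attributes (TPMA_OBJECT) and signing scheme.

Added example (not from the mailing-list post or strongSwan): classify a key's
public area as restricted-signing (attestation-style), non-restricted combined
sign+decrypt, and so on.  Bit positions and algorithm IDs are from the TPM 2.0
Library Specification, Part 2; the sample values at the bottom are constructed.
"""

# TPMA_OBJECT bit masks (unlisted bits are reserved in the specification).
TPMA_OBJECT_BITS = {
    "fixedTPM": 1 << 1,
    "stClear": 1 << 2,
    "fixedParent": 1 << 4,
    "sensitiveDataOrigin": 1 << 5,
    "userWithAuth": 1 << 6,
    "adminWithPolicy": 1 << 7,
    "noDA": 1 << 10,
    "encryptedDuplication": 1 << 11,
    "restricted": 1 << 16,
    "decrypt": 1 << 17,
    "sign": 1 << 18,          # "sign/encrypt" in the spec
}

TPM_ALG_NULL = 0x0010

# Subset of TPM_ALG_ID values relevant to RSA signing keys.
TPM_ALG_NAMES = {
    0x0001: "RSA",
    0x0004: "SHA1",
    0x000B: "SHA256",
    0x000C: "SHA384",
    0x0010: "NULL",
    0x0014: "RSASSA",
    0x0016: "RSAPSS",
    0x0018: "ECDSA",
}


def decode_attributes(attrs: int) -> list[str]:
    """Return the names of all set TPMA_OBJECT bits, lowest bit first."""
    return [name for name, mask in TPMA_OBJECT_BITS.items() if attrs & mask]


def alg_name(alg_id: int) -> str:
    """Map a TPM_ALG_ID to its name, falling back to hex for unknown IDs."""
    return TPM_ALG_NAMES.get(alg_id, f"0x{alg_id:04x}")


def classify(attrs: int) -> str:
    """Classify a key by its restricted / sign / decrypt bits only."""
    restricted = bool(attrs & TPMA_OBJECT_BITS["restricted"])
    sign = bool(attrs & TPMA_OBJECT_BITS["sign"])
    decrypt = bool(attrs & TPMA_OBJECT_BITS["decrypt"])
    if restricted and sign and decrypt:
        # The TPM rejects this combination at creation time (TPM_RC_ATTRIBUTES).
        return "invalid: restricted key may not be both sign and decrypt"
    if restricted and sign:
        return "restricted signing (attestation-style) key"
    if restricted and decrypt:
        return "restricted decryption (storage/parent) key"
    if sign and decrypt:
        return "non-restricted combined signing/decryption key"
    if sign:
        return "non-restricted signing key"
    if decrypt:
        return "non-restricted decryption key"
    return "neither sign nor decrypt set"


def describe_key(attrs: int, scheme: int = TPM_ALG_NULL,
                 digest: int = TPM_ALG_NULL) -> dict:
    """Summarise attributes, scheme and digest, with consistency notes."""
    restricted = bool(attrs & TPMA_OBJECT_BITS["restricted"])
    sign = bool(attrs & TPMA_OBJECT_BITS["sign"])
    notes = []
    if restricted and sign and scheme == TPM_ALG_NULL:
        notes.append("restricted signing key must carry a specific scheme, not NULL")
    if scheme == TPM_ALG_NULL:
        notes.append("scheme is NULL: scheme and digest are chosen per operation by the caller")
    return {
        "attributes": decode_attributes(attrs),
        "kind": classify(attrs),
        "scheme": alg_name(scheme),
        "digest": alg_name(digest),
        "notes": notes,
    }


# Constructed sample values (hypothetical keys, not taken from any real device):
# fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|restricted|sign
AIK_ATTRS = 0x50072
# fixedTPM|fixedParent|sensitiveDataOrigin|userWithAuth|decrypt|sign
COMBINED_ATTRS = 0x60072

if __name__ == "__main__":
    print(describe_key(AIK_ATTRS, scheme=0x0014, digest=0x000B))
    print(describe_key(COMBINED_ATTRS))
```

Running the block prints the two classifications: the first value decodes as a restricted signing key with RSASSA/SHA256, the second as a non-restricted combined key with a NULL scheme, which are exactly the two cases the post contrasts.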
