Re: openconnect and tpm2
On Tue, 2020-03-03 at 13:11 +0200, David Woodhouse wrote:
> On Tue, 2020-03-03 at 09:02 +0100, Grant Williamson wrote:
> > In our use case. We are provided a p12 file.
> > We are testing on RHEL 8.
> > Where improvement could take place, my thoughts.
> >
> > - instructions on how to extract the private key and the certs from
> > the p12 (see below)
>
> I'm definitely going for the "if it needs documenting, fix it first"
> approach on that one.
>
> I don't want to tell users how to convert between different file
> formats. I want software just to silently *accept* the sensible file
> formats instead.
>
> So this really ends up being a feature request for James: the
> create_tpm2_key tool ought to support importing keys from PKCS#12
> files.

OK, this one looks like a fairly easy one: pkcs12 can have multiple
certificates but only one key, so I just have to extract it. It's a
der file, so it's fairly easy to distinguish from a PEM private key,
which is what we currently accept, so I think I can simply add it to
the current options.

I'll cook up a patch and send it to the list with you on the cc.

James

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
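James's observation above, that a PKCS#12 bundle is DER while the tool's current input is a PEM private key, is the whole basis for telling the two apart. The sniffer below is an added illustration of that check, not code from create_tpm2_key or openssl_tpm2_engine; the function names are assumptions, and the sample PFX header is constructed by hand (only its outer structure is real, it contains no key or certificate). Beyond the PEM/DER split, it also verifies that a DER candidate really is a PFX (outer SEQUENCE whose first element is the version INTEGER 3) and rejects BER indefinite lengths and truncated files, so a stray DER blob of some other type is not mistaken for a bundle.

```python
"""Sniff whether a key-input file is a PEM private key or a DER-encoded
PKCS#12 (PFX) bundle.  Added illustration; not create_tpm2_key's own code."""
import re
import sys

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def der_tlv(buf, pos):
    """Decode one DER tag/length header at buf[pos].
    Returns (tag, length, offset_of_value).  BER indefinite lengths (0x80)
    are rejected because a strict DER consumer should not accept them."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short form: length fits in one byte
        return tag, first, pos + 2
    if first == 0x80:                      # indefinite length is BER, not DER
        raise ValueError("indefinite length not allowed in DER")
    nbytes = first & 0x7F                  # long form: next nbytes carry the length
    if nbytes > 4 or pos + 2 + nbytes > len(buf):
        raise ValueError("bad long-form length")
    length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
    return tag, length, pos + 2 + nbytes


def looks_like_pkcs12(data):
    """True if data is PFX ::= SEQUENCE { version INTEGER (3), ... } and the
    outer SEQUENCE length accounts for the whole file (no trailing garbage,
    no truncation)."""
    try:
        tag, length, body = der_tlv(data, 0)
        if tag != 0x30 or body + length != len(data):
            return False
        vtag, vlen, vbody = der_tlv(data, body)
        return vtag == 0x02 and vlen == 1 and data[vbody] == 3
    except (ValueError, IndexError):
        return False


def detect_key_input(data):
    """Classify file contents as ('pem', <label>), ('pkcs12', None) or
    ('unknown', None).  PEM is checked first; text around the armour, such
    as OpenSSL's 'Bag Attributes' lines, is tolerated as PEM readers do."""
    m = PEM_HEADER.search(data)
    if m:
        return ("pem", m.group(1).decode("ascii"))
    if looks_like_pkcs12(data):
        return ("pkcs12", None)
    return ("unknown", None)


# Constructed sample: a minimal PFX header (version 3) wrapping an empty
# pkcs7-data ContentInfo.  Not a real bundle; only the outer structure is real.
SAMPLE_PFX = bytes.fromhex(
    "3016"                          # SEQUENCE, 22 bytes of content
    "020103"                        #   INTEGER 3 (PFX version)
    "3011"                          #   SEQUENCE ContentInfo, 17 bytes
    "06092a864886f70d010701"        #     OID 1.2.840.113549.1.7.1 (pkcs7-data)
    "a00404023000"                  #     [0] EXPLICIT OCTET STRING { 30 00 }
)

if __name__ == "__main__":
    # Usage: python3 sniff.py FILE...   (prints the classification per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, detect_key_input(fh.read()))
```

A real bundle written by `openssl pkcs12 -export` uses long-form lengths (`30 82 ...`), which `der_tlv` handles; the length-equals-file-size check is what catches a bundle that was truncated in transfer before any password is ever typed at it.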
Re: openconnect and tpm2
On Tue, 2020-03-03 at 09:02 +0100, Grant Williamson wrote:
> In our use case. We are provided a p12 file.
> We are testing on RHEL 8.
> Where improvement could take place, my thoughts.
>
> - instructions on how to extract the private key and the certs from
> the p12 (see below)

I'm definitely going for the "if it needs documenting, fix it first"
approach on that one.

I don't want to tell users how to convert between different file
formats. I want software just to silently *accept* the sensible file
formats instead.

So this really ends up being a feature request for James: the
create_tpm2_key tool ought to support importing keys from PKCS#12
files.

> - offer openssl_tpm2_engine ibmtss(ibmtss-devel, libibmtss0) packages in epel 8
> - build the openconnect epel package against ibmtss for TPMv2 support.

Those are distro-specific requests; please could you file them in Red
Hat bugzilla and Cc me? We could do with SoftHSM in EPEL8 too, as the
tests currently require it.

Note that there is an open feature request against the TCG engine to
support wrapping existing keys:
https://github.com/tpm2-software/tpm2-tss-engine/issues/39

> The steps I am using are as follows. Password etc have been removed.
>
> PKCS="file.p12"
> MY_P12_PASSWORD="MyPassw0rd!!"
> TPM_LOCK_PASSWORD="MyPassw0rd!!"
> VPN_SERVER="myserver.ibm.com"
> #
> openssl pkcs12 -in ${PKCS} -nocerts -nodes -passin pass:${MY_P12_PASSWORD} | openssl rsa -out private.pem
> openssl pkcs12 -in ${PKCS} -clcerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > user_cert.crt
> openssl pkcs12 -in ${PKCS} -cacerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca_cert.crt
> #
> create_tpm2_key -w private.pem private-key-tpm-wrapped.pem
> #
> sudo openconnect --csd-wrapper=/usr/share/ibm-config-NetworkManager-openconnect/csd.sh --sslkey=private-key-tpm-wrapped.pem --certificate=user_cert.crt --cafile=ca_cert.crt https://${VPN_SERVER} -v
>
> We are also using the following csd wrapper.

Hm, is that notably different to the one in trojans/csd-wrapper.sh ?

I'd also be interested to know if the one in trojans/csd-post.sh (in
git master; it's been updated) works for you.

> On Tue, Mar 3, 2020 at 8:29 AM David Woodhouse wrote:
> >
> > On Mon, 2020-03-02 at 18:26 +0100, Grant Williamson wrote:
> > > Thank you. Sorry I intended to reply sooner.
> >
> > That's good to know; thanks.
> >
> > Next question: Now you've worked it out, could the documentation be
> > improved in any way? What was missing?
> >
> > Better still, what should be fixed in the code (or tools/helpers
> > provided) so that we don't *have* to document it?
Re: openconnect and tpm2
In our use case. We are provided a p12 file.
We are testing on RHEL 8.
Where improvement could take place, my thoughts.

- instructions on how to extract the private key and the certs from the p12 (see below)
- offer openssl_tpm2_engine ibmtss(ibmtss-devel, libibmtss0) packages in epel 8
- build the openconnect epel package against ibmtss for TPMv2 support.

The steps I am using are as follows. Password etc have been removed.

PKCS="file.p12"
MY_P12_PASSWORD="MyPassw0rd!!"
TPM_LOCK_PASSWORD="MyPassw0rd!!"
VPN_SERVER="myserver.ibm.com"
#
openssl pkcs12 -in ${PKCS} -nocerts -nodes -passin pass:${MY_P12_PASSWORD} | openssl rsa -out private.pem
openssl pkcs12 -in ${PKCS} -clcerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > user_cert.crt
openssl pkcs12 -in ${PKCS} -cacerts -nokeys -chain -passin pass:${MY_P12_PASSWORD} | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca_cert.crt
#
create_tpm2_key -w private.pem private-key-tpm-wrapped.pem
#
sudo openconnect --csd-wrapper=/usr/share/ibm-config-NetworkManager-openconnect/csd.sh --sslkey=private-key-tpm-wrapped.pem --certificate=user_cert.crt --cafile=ca_cert.crt https://${VPN_SERVER} -v

We are also using the following csd wrapper.

On Tue, Mar 3, 2020 at 8:29 AM David Woodhouse wrote:
>
> On Mon, 2020-03-02 at 18:26 +0100, Grant Williamson wrote:
> > Thank you. Sorry I intended to reply sooner.
>
> That's good to know; thanks.
>
> Next question: Now you've worked it out, could the documentation be
> improved in any way? What was missing?
>
> Better still, what should be fixed in the code (or tools/helpers
> provided) so that we don't *have* to document it?
>

csd.sh Description: application/shellscript
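The three `openssl pkcs12` steps above produce `user_cert.crt`, `ca_cert.crt` and `private.pem`, and the whole chain then depends on each file holding exactly what the next tool expects: one end-entity certificate, a non-empty CA chain, and a single key with no certificate file accidentally carrying key material. The checker below is an added example, not part of the thread or of openconnect; it works on the file contents as byte strings, the file names follow the steps above, and the sample PEM bodies are constructed placeholders rather than real certificates or keys (the check only looks at the PEM armour and labels, not at the DER inside).

```python
"""Sanity-check the files produced by the openssl pkcs12 / sed extraction
steps before handing them to create_tpm2_key and openconnect.
Added illustration; not part of the thread or of openconnect."""
import re
import sys

# One PEM block: BEGIN label, body (base64 plus any legacy headers), END with the same label.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {b"RSA PRIVATE KEY", b"EC PRIVATE KEY", b"PRIVATE KEY", b"ENCRYPTED PRIVATE KEY"}


def pem_blocks(data):
    """Return (label, body) for every PEM block in data, in file order.
    Anything outside the armour, such as OpenSSL's 'Bag Attributes' lines, is ignored."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(data)]


def check_extraction(user_cert, ca_cert, private_key):
    """Check user_cert.crt, ca_cert.crt and private.pem (as bytes).
    Returns a report dict; an empty report['problems'] means the files look
    like what the pipeline is meant to produce."""
    report = {"problems": []}
    for name, data, exactly_one in (("user_cert.crt", user_cert, True),
                                    ("ca_cert.crt", ca_cert, False)):
        blocks = pem_blocks(data)
        certs = [b for b in blocks if b[0] == b"CERTIFICATE"]
        report[name] = len(certs)
        # -nokeys plus the sed filter should guarantee this; verify rather than trust it.
        if any(label in KEY_LABELS for label, _ in blocks):
            report["problems"].append(f"{name} contains private key material")
        if exactly_one and len(certs) != 1:
            report["problems"].append(f"{name} holds {len(certs)} certificates, expected exactly 1")
        if not exactly_one and not certs:
            report["problems"].append(f"{name} holds no certificates")
    keys = [b for b in pem_blocks(private_key) if b[0] in KEY_LABELS]
    report["private.pem"] = len(keys)
    if len(keys) != 1:
        report["problems"].append(f"private.pem holds {len(keys)} key blocks, expected exactly 1")
    # -nodes writes the key unencrypted; record that so the plaintext copy is
    # removed once create_tpm2_key has produced the wrapped key.
    encrypted = any(label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
                    for label, body in keys)
    report["key_plaintext"] = bool(keys) and not encrypted
    return report


# Constructed samples mimicking the pipeline's outputs; the base64 bodies are
# placeholders, not real certificates or keys.
USER_CERT = (b"Bag Attributes\n    friendlyName: vpn-user\n"
             b"-----BEGIN CERTIFICATE-----\nMIIBconstructedUserCert==\n-----END CERTIFICATE-----\n")
CA_CERT = (b"-----BEGIN CERTIFICATE-----\nMIIBconstructedIntermediate==\n-----END CERTIFICATE-----\n"
           b"-----BEGIN CERTIFICATE-----\nMIIBconstructedRoot==\n-----END CERTIFICATE-----\n")
PRIVATE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructedKey==\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Usage: python3 check_extraction.py user_cert.crt ca_cert.crt private.pem
    if len(sys.argv) == 4:
        files = [open(p, "rb").read() for p in sys.argv[1:]]
        report = check_extraction(*files)
    else:
        report = check_extraction(USER_CERT, CA_CERT, PRIVATE_KEY)
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    print("ok" if not report["problems"] else "check failed", report)
```

One further point on the pipeline itself: `-passin pass:...` puts the PKCS#12 password on the command line, where it is visible in the process list for the lifetime of the command; `openssl` also accepts `-passin env:VARNAME` and `-passin file:PATH`, which keep it out of `ps` output.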
Re: openconnect and tpm2
On Mon, 2020-03-02 at 18:26 +0100, Grant Williamson wrote:
> Thank you. Sorry I intended to reply sooner.

That's good to know; thanks.

Next question: Now you've worked it out, could the documentation be
improved in any way? What was missing?

Better still, what should be fixed in the code (or tools/helpers
provided) so that we don't *have* to document it?
Re: openconnect and tpm2
Thank you. Sorry I intended to reply sooner. This works.

On Mon, Mar 2, 2020 at 6:04 PM David Woodhouse wrote:
>
> On Tue, 2020-02-18 at 15:49 +0100, Grant Williamson wrote:
> > Hi, looking for guidance on how to use openconnect in conjunction with
> > a private key stored in the tpm.
> >
> > - RHEL 8.1
> > - UEFI and Secure Boot are enabled.
> > - Upstream packages:-
> > tpm2-abrmd-2.3.1-1.el8.x86_64.rpm
> > tpm2-abrmd-selinux-2.3.1-2.el8.noarch.rpm
> > tpm2-tools-4.1-2.el8.x86_64.rpm
> > tpm2-tss-2.3.2-2.el8.x86_64.rpm
> > (tpm2_import was not part of what was shipped in el8 tpm-tools)
> > - openconnect-8.05-3.el8.x86_64.rpm has been rebuilt with tpm2 support.
> >
> >
> > 1) extract private key
> > openssl pkcs12 -in vpn.p12 -nocerts -nodes -passin pass:MYPASSWORD | openssl rsa -out private.pem
> >
> > 2) Import private key to tpm.
> > tpm2_createprimary -C o -c parent.ctx -G rsa2048:null:aes128cfb
> > tpm2_evictcontrol -c parent.ctx
> >
> > tpm2_import -i private.pem -r private_key.tss -u public_key.tss -Grsa -C parent.ctx
> > tpm2_load -C parent.ctx -u public_key.tss -r private_key.tss -c key.ctx
> > tpm2_evictcontrol -c key.ctx
> >
> > 3) Using tpm2-asn-packer-master to create TSS2 PRIVATE KEY
> > (https://github.com/rpofuk/tpm2-asn-packer/blob/master/README.md).
> > Perhaps there is a different/better approach.
> > npx @rpofuk/tpm2-asn-packer p 8181 private_key.tss public_key.tss out.key
> >
> > 4) Use openconnect with "-k out.key" to connect?
> >
> > Is this the correct approach, or am I totally off track?
>
> Did you get this working?
>
Re: openconnect and tpm2
On Tue, 2020-02-18 at 15:49 +0100, Grant Williamson wrote:
> Hi, looking for guidance on how to use openconnect in conjunction with
> a private key stored in the tpm.
>
> - RHEL 8.1
> - UEFI and Secure Boot are enabled.
> - Upstream packages:-
> tpm2-abrmd-2.3.1-1.el8.x86_64.rpm
> tpm2-abrmd-selinux-2.3.1-2.el8.noarch.rpm
> tpm2-tools-4.1-2.el8.x86_64.rpm
> tpm2-tss-2.3.2-2.el8.x86_64.rpm
> (tpm2_import was not part of what was shipped in el8 tpm-tools)
> - openconnect-8.05-3.el8.x86_64.rpm has been rebuilt with tpm2 support.
>
>
> 1) extract private key
> openssl pkcs12 -in vpn.p12 -nocerts -nodes -passin pass:MYPASSWORD | openssl rsa -out private.pem
>
> 2) Import private key to tpm.
> tpm2_createprimary -C o -c parent.ctx -G rsa2048:null:aes128cfb
> tpm2_evictcontrol -c parent.ctx
>
> tpm2_import -i private.pem -r private_key.tss -u public_key.tss -Grsa -C parent.ctx
> tpm2_load -C parent.ctx -u public_key.tss -r private_key.tss -c key.ctx
> tpm2_evictcontrol -c key.ctx
>
> 3) Using tpm2-asn-packer-master to create TSS2 PRIVATE KEY
> (https://github.com/rpofuk/tpm2-asn-packer/blob/master/README.md).
> Perhaps there is a different/better approach.
> npx @rpofuk/tpm2-asn-packer p 8181 private_key.tss public_key.tss out.key
>
> 4) Use openconnect with "-k out.key" to connect?
>
> Is this the correct approach, or am I totally off track?

Did you get this working?
Re: openconnect and tpm2
On 18 February 2020 15:49:41 CET, Grant Williamson wrote:
> Hi, looking for guidance on how to use openconnect in conjunction with
> a private key stored in the tpm.
>
> - RHEL 8.1
> - UEFI and Secure Boot are enabled.
> - Upstream packages:-
> tpm2-abrmd-2.3.1-1.el8.x86_64.rpm
> tpm2-abrmd-selinux-2.3.1-2.el8.noarch.rpm
> tpm2-tools-4.1-2.el8.x86_64.rpm
> tpm2-tss-2.3.2-2.el8.x86_64.rpm
> (tpm2_import was not part of what was shipped in el8 tpm-tools)
> - openconnect-8.05-3.el8.x86_64.rpm has been rebuilt with tpm2 support.
>
>
> 1) extract private key
> openssl pkcs12 -in vpn.p12 -nocerts -nodes -passin pass:MYPASSWORD | openssl rsa -out private.pem
>
> 2) Import private key to tpm.
> tpm2_createprimary -C o -c parent.ctx -G rsa2048:null:aes128cfb
> tpm2_evictcontrol -c parent.ctx
>
> tpm2_import -i private.pem -r private_key.tss -u public_key.tss -Grsa -C parent.ctx
> tpm2_load -C parent.ctx -u public_key.tss -r private_key.tss -c key.ctx
> tpm2_evictcontrol -c key.ctx
>
> 3) Using tpm2-asn-packer-master to create TSS2 PRIVATE KEY
> (https://github.com/rpofuk/tpm2-asn-packer/blob/master/README.md).
> Perhaps there is a different/better approach.
> npx @rpofuk/tpm2-asn-packer p 8181 private_key.tss public_key.tss out.key
>
> 4) Use openconnect with "-k out.key" to connect?
>
> Is this the correct approach, or am I totally off track?

Ditch steps 2 and 3, and instead use the "wrap" operation from James
Bottomley's openssl_tpm2_engine. Not sure if tpm2-tss-engine supports
that yet.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.