Hello,
i try to use TPM2.0 to store my private key. This key exists and have to be stored into the TPM.
So with tpm2-tools i have the sequence :
>> tpm2_createprimary -Q -G rsa2048 -g sha256 -C o -c parent.ctx
>> tpm2_import -G rsa2048:rsassa-sha256 -g sha256 -i ${PRIVATE_PEM} -C parent.ctx -u import_rsa_key.pub -r import_rsa_key.priv
>> tpm2_load -C parent.ctx -u import_rsa_key.pub -r import_rsa_key.priv -c key.ctx
>> tpm2_evictcontrol -C o -c key.ctx 0x81000002
With current version of tpm-tools the command :
>> pki --print --type priv --keyid 0x81000002
TPM 2.0 via TSS2 v2 available
signature algorithm is NULL with ERROR hash
privkey: RSA 2048 bits
keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b
subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e
But with the pull request from the tpm2-tools team : https://github.com/tpm2-software/tpm2-tools/pull/2999
>> pki --print --type priv --keyid 0x81000002
TPM 2.0 via TSS2 v2 available
signature algorithm is RSASSA with SHA256 hash
privkey: RSA 2048 bits
keyid: 42:e7:94:da:9b:07:40:01:8e:40:e5:51:35:fc:10:da:8f:2c:61:3b
subjkey: f8:4e:a2:ae:5c:3a:1b:40:7a:6a:19:04:38:32:05:62:db:f0:d5:9e
My reflexion at this moment is that if pki works the StrongSwan will detect the right signature scheme but,
when i do :
>> systemctl restart strongswan
i got :
May 24 09:48:47 15[PTS] TPM 2.0 via TSS2 v2 available
May 24 09:48:47 15[PTS] signature algorithm is RSASSA with SHA256 hash
May 24 09:48:47 15[CFG] loaded RSA private key from token
May 24 09:48:47 09[PTS] TPM 2.0 via TSS2 v2 available
May 24 09:48:47 09[LIB] loaded certificate from TPM NV index 0x01800004
but later when i do :
>> swanctl --initiate --child host
i get a :
[PTS] TPM 2.0 - unknown hash algorithm not supported by TPM
[IKE] authentication of 'C=FR, O=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, OU=0002 12000601000025, CN=poste-XXXXXX' (myself) failed
[ENC] generating INFORMATIONAL_V1 request 2432046849 [ HASH N(AUTH_FAILED) ]
[NET] sending packet: from 172.16.40.134[4500] to 192.168.42.254[4500] (108 bytes)
initiate failed: establishing CHILD_SA 'host' failed
I added some DEBUG to StrongSwan :
[PTS] TPM 2.0 - [hash_alg=0x400, key_type=0x1, scheme=0x1]
[PTS] TPM 2.0 - unknown hash algorithm not supported by TPM [hash_alg=0x400, alg_id=(nil)]
It seems that hash_alg is unknown (1024)
The key type is RSA 0x1
And the scheme detected is SIGN_RSA_EMSA_PKCS1_NULL 0x1
alg_id is 0 --> alg_id is the result of hash_alg_to_tpm_alg_id(hash_alg) with hash_alg unknown
Thank you for help
Regards
