another way to get this working would be to avoid tpm2-pkcs11 entirely.
Both wpa_supplicant and NetworkManager have versions working with
For NetworkManager that should be any version > 1.20 and for
wpa_supplicant, it's in the current development branch.
Although that might be no fun at all as well with older Ubuntu versions.
On 1/22/20 7:35 PM, Ignacio Jaureguiberry wrote:
I was trying to make wpa_supplicant use a tpm2-pkcs11 stored private
key to authenticate against a RADIUS server; I mentioned it in this discussion:
With some fixes on tpm2-pkcs11, TLS is working and there is an integration test for that
I wasn't able to reproduce this on Ubuntu 18, and noted that the test cases ran on
top of an Ubuntu 16.04 image. I tried Ubuntu 16.04 and TLS works as in the integration
test. I also checked that using latest version of wpa_supplicant, it does work with
tpm2-pkcs11 and creates an EAP-TLS connection using the TPM.
I've debugged a bit in both OS versions and found that openssl is calling
pkey_rsa_sign with different padding modes: RSA_PKCS1_PADDING in Ubuntu 16, and
RSA_PKCS1_PSS_PADDING in Ubuntu 18. The consequence is that in tpm2-pkcs11, sign_init is
being called using CKM_RSA_PKCS as mechanism on Ubuntu 16, but in Ubuntu 18 it is being
called with CKM_RSA_X_509, which is not supported.
I think I have to file a bug to OpenSSL, but I don't know too much about the PKCS11
specs to support the claims. I'd appreciate any help to file a decent issue. Also, any
workaround is welcome, as replacing OpenSSL in any distribution is very hard given all the
software that depends on it.
tpm2 mailing list -- tpm2(a)lists.01.org
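To make the padding-mode observation above concrete, here is an added illustration (not code from the thread, from tpm2-pkcs11, or from any OpenSSL engine) of why a request for RSA_PKCS1_PSS_PADDING ends up as a raw CKM_RSA_X_509 operation: the PSS encoding is computed in software and the token is only asked for a bare modular exponentiation, whereas RSA_PKCS1_PADDING can be handed to the token as CKM_RSA_PKCS and padded there. It assumes the `cryptography` package, SHA-256 with a 32-byte salt (what a TLS peer negotiating rsa_pss_rsae_sha256 expects), and models the "token" as plain `pow()`; a real token that lacks CKM_RSA_X_509 (and CKM_RSA_PKCS_PSS) cannot complete this path.

```python
import hashlib, os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
H_LEN = 32  # SHA-256 throughout

def mgf1(seed, length):
    """MGF1 with SHA-256 (RFC 8017, appendix B.2.1)."""
    out = b"".join(hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
                   for c in range((length + H_LEN - 1) // H_LEN))
    return out[:length]

def emsa_pss_encode(msg, em_bits, salt):
    """EMSA-PSS-ENCODE (RFC 8017, section 9.1.1) done in software, as an engine would."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("modulus too small for this hash/salt length")
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    # Clear the top (8*em_len - em_bits) bits so the encoded integer is below the modulus.
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]
    return masked + h + b"\xbc"

def raw_rsa(private_key, em):
    """Stand-in for CKM_RSA_X_509: bare modular exponentiation, no padding by the token."""
    nums = private_key.private_numbers()
    n = nums.public_numbers.n
    return pow(int.from_bytes(em, "big"), nums.d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def sign_pss_via_raw(private_key, msg):
    """RSA_PKCS1_PSS_PADDING path: pad in software, then ask the 'token' for raw RSA."""
    return raw_rsa(private_key, emsa_pss_encode(msg, private_key.key_size - 1, os.urandom(H_LEN)))

def verifies(public_key, msg, sig, pad):
    """Verify the way a TLS peer with the given padding expectation would."""
    try:
        public_key.verify(sig, msg, pad, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=H_LEN)
V15 = padding.PKCS1v15()

def demo(msg=b"constructed CertificateVerify input"):
    """Returns (accepted by a PSS-expecting peer, accepted by a PKCS#1 v1.5-expecting peer)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sig = sign_pss_via_raw(key, msg)
    return verifies(key.public_key(), msg, sig, PSS), verifies(key.public_key(), msg, sig, V15)
```

The same software-padding trick is not needed for PKCS#1 v1.5, which is why the Ubuntu 16 (OpenSSL 1.0.x) handshake worked with only CKM_RSA_PKCS available.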