Version 31 - History - Trusted Platform Module 2.0 - strongSwan

Trusted Platform Module 2.0 » History » Version 31

Andreas Steffen, 19.02.2017 10:43

-Andreas Steffen
+h1. Trusted Platform Module 2.0
 Andreas Steffen
-Andreas Steffen
+{{>toc}}
 Andreas Steffen
-Andreas Steffen
+h2. Connect to a TPM 2.0 device
 Andreas Steffen
-Andreas Steffen
+In order to connect to a TPM 2.0 hardware or firmware device, the TSS2 software stack developed by Intel is needed. Because the official Ubuntu *tpm2-tss* package is rather outdated (e.g. since version 0.98 the TCTI interface to the TPM 2.0 resource manager has changed several times), strongSwan is currently based on a recent version directly drawn from the TPM2-TSS git repository https://github.com/01org/TPM2.0-TSS. Avoid any TCTI interface incompatibilities by fetching the latest *tpm2-tools* version from https://github.com/01org/tpm2.0-tools as well.
 Andreas Steffen
-Andreas Steffen
+Build and install both the *tpm2-tss* stack and the *tpm2.0-tools*, start the *tpm2-resourcemgr* as a service in the background and try to connect to the TPM 2.0 by listing e.g. the contents of the SHA-1 bank of PCR registers
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+ tpm2_listpcrs -g 0x0004
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+Bank/Algorithm: TPM_ALG_SHA1(0x0004)
-Andreas Steffen
+PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_10: a9 45 e7 0f 42 a2 79 f0 78 ca d4 64 60 39 39 da 9d 6a d1 a5
-Andreas Steffen
+PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-Andreas Steffen
+PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+A manual showing all *tpm2-tools* functions with their arguments can be found "here":https://github.com/01org/tpm2.0-tools/blob/master/manual.
 Andreas Steffen
-Andreas Steffen
+h2. TPM 2.0 Algorithm IDs
 Andreas Steffen
-Andreas Steffen
+h3. Hash Algorithms
 Andreas Steffen
-Andreas Steffen
+|0x0004 |SHA-1     |
-Andreas Steffen
+|0x000B |SHA-2_256 |
-Andreas Steffen
+|0x000C |SHA-2_384 |
-Andreas Steffen
+|0x000D |SHA-2_512 |
 Andreas Steffen
-Andreas Steffen
+Currently available TPM 2.0 devices like the Infineon *Optiga SLB 9670 VQ2.0* hardware TPM or Intel's *PTT* firmware TPM integrated into the Management Engine starting with the 4th generation (Haswell) of the *Core* processor family, support the *SHA-1* and *SHA-2_256* algorithms.
 Andreas Steffen
-Andreas Steffen
+h3. Public Key Types
 Andreas Steffen
-Andreas Steffen
+|0x0001 |RSA |
-Andreas Steffen
+|0x0023 |ECC |
 Andreas Steffen
-Andreas Steffen
+Currently RSA keys have a modulus size of 2048 bits and ECC keys are based on the 256 bit NIST curve.
 Andreas Steffen
-Andreas Steffen
+h3. Signature Schemes
 Andreas Steffen
-Andreas Steffen
+|0x0014 |RSASSA |
-Andreas Steffen
+|0x0016 |RSAPSS |
-Andreas Steffen
+|0x0018 |ECDSA  |
 Andreas Steffen
-Andreas Steffen
+h2. Derive a Persistent RSA Endorsement Key
 Andreas Steffen
-Andreas Steffen
+The following tpm2-tools command derives a 2048 bit RSA Endorsement Key (EK) in a deterministic way from the secret _Endorsement Primary Seed_ *unique* to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010001
 Andreas Steffen
-Andreas Steffen
+ tpm2_getpubek -H 0x81010001 -g 0x0001 -f ek_rsa.pub
 Andreas Steffen
-Andreas Steffen
+The EK public key stored in the ek_rsa.pub file is encoded in a TPM 2.0 proprietary format but the key can be exported from the TPM in the regular PKCS#1 format using the *pki* tool
 Andreas Steffen
-Andreas Steffen
+ pki --pub --keyid 81010001 --outform pem > ek_rsa_pub.pem
 Andreas Steffen
-Andreas Steffen
+The fingerprint of the RSA EK public key can be displayed with the command
 Andreas Steffen
-Andreas Steffen
+ pki --print --type pub --in ek_rsa_pub.pem
-Andreas Steffen
+  pubkey:    RSA 2048 bits
-Andreas Steffen
+  keyid:     d1:f1:49:84:36:44:e6:8c:d2:a6:69:ee:fd:b5:7d:56:2f:39:ff:58
-Andreas Steffen
+  subjkey:   c1:1b:8e:f1:c7:f8:8a:1e:9a:dd:7e:82:2f:7a:a3:f5:c0:e2:4d:7d
 Andreas Steffen
-Andreas Steffen
+h2. Generate a Persistent RSA Attestation Key
 Andreas Steffen
-Andreas Steffen
+A 2048 bit RSA Attestation Key (AK) bound to the EK with handle 0x81010001 can be created and made persistent under the handle 0x81010002 with the following tpm2-tools command
 Andreas Steffen
-Andreas Steffen
+ tpm2_getpubak -E 0x81010001 -g 0x0001 -D 0x000B -s 0x0014 -k 0x81010002 -f ak_rsa2.pub -n ak_rsa2.name
 Andreas Steffen
-Andreas Steffen
+The AK public key can be exported in PKCS#1 format from the TPM using the *pki* tool
 Andreas Steffen
-Andreas Steffen
+ pki --pub --keyid 81010002 --outform pem > ak_rsa_pub.pem
 Andreas Steffen
-Andreas Steffen
+The fingerprint of the RSA AK public key can be displayed with the command
 Andreas Steffen
-Andreas Steffen
+ pki --print --type pub --in ak_rsa_pub.pem
-Andreas Steffen
+  pubkey:    RSA 2048 bits
-Andreas Steffen
+  keyid:     71:21:f5:d4:7e:59:4a:88:16:ca:57:85:98:3d:36:a7:b1:d5:75:fa
-Andreas Steffen
+  subjkey:   f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66
 Andreas Steffen
-Andreas Steffen
+h2. Derive a Persistent ECC Endorsement Key
 Andreas Steffen
-Andreas Steffen
+The following tpm2-tools command derives a 256 bit ECC Endorsement Key (EK) in a deterministic way from the secret _Endorsement Primary Seed_ *unique* to each TPM device and makes the key persistent in the non-volatile memory of the TPM under the object handle 0x81010003:
 Andreas Steffen
-Andreas Steffen
+ tpm2_getpubek -H 0x81010003 -g 0x0023 -f ek_ecc.pub
 Andreas Steffen
-Andreas Steffen
+The EK public key can be exported in PKCS#1 format from the TPM using the *pki* tool:
 Andreas Steffen
-Andreas Steffen
+  pki --pub --keyid 81010003 > ek_ecc_pub.der
 Andreas Steffen
-Andreas Steffen
+The fingerprint of the ECC EK public key can be displayed with the command
 Andreas Steffen
-Andreas Steffen
+ pki --print --type pub --in ek_ecc_pub.der
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     7f:39:ca:e6:83:9b:a9:06:97:40:27:6a:e1:bf:8f:f5:9f:d3:a5:31
-Andreas Steffen
+  subjkey:   8b:43:4d:5e:5e:7b:ff:c2:54:4d:ef:88:cb:0c:7c:47:75:28:4d:09
 Andreas Steffen
-Andreas Steffen
+h2. Generate a Persistent ECC Attestation Key
 Andreas Steffen
-Andreas Steffen
+A 256 bit ECC Attestation Key (AK) bound to the EK with handle 0x81010003 can be created and made persistent under the handle 0x81010004 with the following tpm2-tools command
 Andreas Steffen
-Andreas Steffen
+ tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010004 -f ak_ecc4.pub -n ak_ecc4.name
 Andreas Steffen
-Andreas Steffen
+The AK public key can be exported in PKCS#1 format from the TPM using the *pki* tool
 Andreas Steffen
-Andreas Steffen
+ pki --pub --keyid 81010004 > ak_ecc_pub.der
 Andreas Steffen
-Andreas Steffen
+The fingerprint of the RSA AK public key can be displayed with the command
 Andreas Steffen
-Andreas Steffen
+ pki --print --type pub --in ak_ecc_pub.der
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     71:49:7c:42:41:e7:c6:81:bc:31:73:f0:0f:7e:4a:e1:2d:53:00:38
-Andreas Steffen
+  subjkey:   c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13
 Andreas Steffen
-Andreas Steffen
+h2. Generate Another ECC Attestation Key
 Andreas Steffen
-Andreas Steffen
+Multiple AK keys bound to a common EK key can be generated
 Andreas Steffen
-Andreas Steffen
+ tpm2_getpubak -E 0x81010003 -g 0x0023 -D 0x000B -s 0x0018 -k 0x81010005 -f ak_ecc5.pub -n ak_ecc5.name
 Andreas Steffen
-Andreas Steffen
+The AK public key can be exported in PKCS#1 format from the TPM using the *pki* tool
 Andreas Steffen
-Andreas Steffen
+ pki --pub --keyid 81010005 > ak_ecc5_pub.der
 Andreas Steffen
-Andreas Steffen
+The fingerprint of the second ECC AK public key can be displayed with the command
 Andreas Steffen
-Andreas Steffen
+ pki --print --type pub --in ak_ecc5_pub.der
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     c4:b4:9c:95:27:9e:ce:81:2f:98:42:c8:1b:f0:54:ff:d4:d1:24:34
-Andreas Steffen
+  subjkey:   cf:44:f4:f7:9d:97:09:ad:b1:09:3a:8e:6f:23:eb:9f:2c:35:94:c9
 Andreas Steffen
-Andreas Steffen
+h2. Remove a Persistent Key Object
 Andreas Steffen
-Andreas Steffen
+Since the non-volatile memory of the TPM is limited any persistent key object can be removed to free storage space.
-Andreas Steffen
+The following tpm2-tools command removes the ECC AK key with persistent handle 0x81010005
 Andreas Steffen
-Andreas Steffen
+ tpm2_evictcontrol -A o -H 0x81010005 -S 0x81010005
 Andreas Steffen
-Andreas Steffen
+h2. List Persistent Objects
 Andreas Steffen
-Andreas Steffen
+The following tpm2-tools command lists all persistent objects stored by the TPM in non-volatile memory
 Andreas Steffen
-Andreas Steffen
+ tpm2_listpersistent
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+persistent objects defined.
 Andreas Steffen
-Andreas Steffen
+. Persistent handle: 0x81000001
 Andreas Steffen
-Andreas Steffen
+        Type: 0x23
-Andreas Steffen
+        Hash algorithm(nameAlg): 0xb
-Andreas Steffen
+        Attributes: 0x30072
 Andreas Steffen
-Andreas Steffen
+. Persistent handle: 0x81000002
 Andreas Steffen
-Andreas Steffen
+        Type: 0x23
-Andreas Steffen
+        Hash algorithm(nameAlg): 0xb
-Andreas Steffen
+        Attributes: 0x60072
 Andreas Steffen
-Andreas Steffen
+. Persistent handle: 0x81010001
 Andreas Steffen
-Andreas Steffen
+        Type: 0x1
-Andreas Steffen
+        Hash algorithm(nameAlg): 0xb
-Andreas Steffen
+        Attributes: 0x300b2
 Andreas Steffen
-Andreas Steffen
+. Persistent handle: 0x81010002
 Andreas Steffen
-Andreas Steffen
+        Type: 0x1
-Andreas Steffen
+        Hash algorithm(nameAlg): 0xb
-Andreas Steffen
+        Attributes: 0x50072
 Andreas Steffen
-Andreas Steffen
+. Persistent handle: 0x81010003
 Andreas Steffen
-Andreas Steffen
+        Type: 0x23
-Andreas Steffen
+        Hash algorithm(nameAlg): 0xb
-Andreas Steffen
+        Attributes: 0x300b2
 Andreas Steffen
-Andreas Steffen
+. Persistent handle: 0x81010004
 Andreas Steffen
-Andreas Steffen
+        Type: 0x23
-Andreas Steffen
+        Hash algorithm(nameAlg): 0xb
-Andreas Steffen
+        Attributes: 0x50072
 Andreas Steffen
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Configure TPM Private Key Access via VICI Interface
 Andreas Steffen
-Andreas Steffen
+Configuration of TPM private key access as tokens in the secrets section of *swanctl.conf*
 Andreas Steffen
-Andreas Steffen
+ secrets {
-Andreas Steffen
+    token_ak_rsa {
-Andreas Steffen
+       handle = 81010002
 Andreas Steffen
-Andreas Steffen
+    token_ak_ecc {
-Andreas Steffen
+       handle = 81010004
 Andreas Steffen
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+h2. Define IPsec Connection with RSA AK Client Key
 Andreas Steffen
-Andreas Steffen
+This connection configuration in *swanctl.conf* uses the RSA AK certificate for client authentication
-Andreas Steffen
+<pre>
-Andreas Steffen
+connections {
-Andreas Steffen
+   rsa {
-Andreas Steffen
+      local_addrs  = 10.10.0.105
-Andreas Steffen
+      remote_addrs = 10.10.0.104
 Andreas Steffen
-Andreas Steffen
+      local {
-Andreas Steffen
+         auth = pubkey
-Andreas Steffen
+         certs = raspi5_ak_rsa_Cert.der
 Andreas Steffen
-Andreas Steffen
+      remote {
-Andreas Steffen
+         auth = pubkey
-Andreas Steffen
+         id = raspi4.example.com
 Andreas Steffen
-Andreas Steffen
+      children {
-Andreas Steffen
+         rsa {
-Andreas Steffen
+            mode = transport
-Andreas Steffen
+            esp_proposals = aes128-sha256-curve25519
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+      version = 2
-Andreas Steffen
+      proposals = aes128-sha256-curve25519
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Define IPsec Connection with ECC AK Client Key
 Andreas Steffen
-Andreas Steffen
+This connection configuration in *swanctl.conf* uses the ECC AK certificate for client authentication
-Andreas Steffen
+<pre>
-Andreas Steffen
+connections {
-Andreas Steffen
+   ecc {
-Andreas Steffen
+      local_addrs  = 10.10.0.105
-Andreas Steffen
+      remote_addrs = 10.10.0.104
 Andreas Steffen
-Andreas Steffen
+      local {
-Andreas Steffen
+         auth = pubkey
-Andreas Steffen
+         certs = raspi5_ak_ecc_Cert.der
 Andreas Steffen
-Andreas Steffen
+      remote {
-Andreas Steffen
+         auth = pubkey
-Andreas Steffen
+         id = raspi4.example.com
 Andreas Steffen
-Andreas Steffen
+      children {
-Andreas Steffen
+         ecc {
-Andreas Steffen
+            mode = transport
-Andreas Steffen
+            esp_proposals = aes128-sha256-curve25519
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+      version = 2
-Andreas Steffen
+      proposals = aes128-sha256-curve25519
 Andreas Steffen
 Andreas Steffen
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+h2. Starting the strongSwan Daemon
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+systemctl start strongswan-swanctl
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+Feb 19 09:35:14 raspi5 systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The RSA AK private key is attached via the TPM 2.0 resource manager
-Andreas Steffen
+<pre>
-Andreas Steffen
+Feb 19 09:35:14 raspi5 resourcemgr[531]: Accept socket:  0xa
-Andreas Steffen
+Feb 19 09:35:14 raspi5 resourcemgr[531]: Resource Manager Other CMD Server accepted client
-Andreas Steffen
+Feb 19 09:35:14 raspi5 resourcemgr[531]: Accept socket:  0xb
-Andreas Steffen
+Feb 19 09:35:14 raspi5 resourcemgr[531]: Resource Manager TPM CMD Server accepted client
-Andreas Steffen
+Feb 19 09:35:14 raspi5 charon-systemd[20831]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 KDF1_SP800_56A KDF1_SP800_108 ECC SYMCIPHER CFB
-Andreas Steffen
+Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
-Andreas Steffen
+Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 via TSS2 available
-Andreas Steffen
+Feb 19 09:35:15 raspi5 charon-systemd[20831]: AIK signature algorithm is RSASSA with SHA256 hash
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The ECC AK private key is attached via the TPM 2.0 resource manager
-Andreas Steffen
+<pre>
-Andreas Steffen
+Feb 19 09:35:15 raspi5 resourcemgr[531]: Accept socket:  0x6
-Andreas Steffen
+Feb 19 09:35:15 raspi5 resourcemgr[531]: Resource Manager Other CMD Server accepted client
-Andreas Steffen
+Feb 19 09:35:15 raspi5 resourcemgr[531]: Accept socket:  0x7
-Andreas Steffen
+Feb 19 09:35:15 raspi5 resourcemgr[531]: Resource Manager TPM CMD Server accepted client
-Andreas Steffen
+Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - algorithms: RSA SHA1 HMAC AES KEYEDHASH XOR SHA256 RSASSA RSAES RSAPSS OAEP ECDSA ECDH SM2 KDF1_SP800_56A KDF1_SP800_108 ECC SYMCIPHER CFB
-Andreas Steffen
+Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 - ECC curves: NIST_P256 BN_P256
-Andreas Steffen
+Feb 19 09:35:15 raspi5 charon-systemd[20831]: TPM 2.0 via TSS2 available
-Andreas Steffen
+Feb 19 09:35:15 raspi5 charon-systemd[20831]: AIK signature algorithm is ECDSA with SHA256 hash
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The *swanctl* command line tool loads the RSA and ECC AK certificates as well as the demoCA root certificate and connects to the RSA and ECC private keys residing in the TPM
-Andreas Steffen
+<pre>
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509/raspi5_ak_rsa_Cert.der'
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509/raspi5_ak_ecc_Cert.der'
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: loaded certificate from '/etc/swanctl/x509ca/demoCaCert.pem'
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: loaded key token_ak_rsa from token [keyid: f49e857dde4e67f5fb870398673f207cf33f2b66]
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: loaded key token_ak_ecc from token [keyid: c70e63f87f6ff65500e5057f5a3e6b6ce7d2d513]
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: loaded connection 'rsa'
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: loaded connection 'ecc'
-Andreas Steffen
+Feb 19 09:35:15 raspi5 swanctl[20849]: successfully loaded 2 connections, 0 unloaded
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+Feb 19 09:35:15 raspi5 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The following *swanctl* command shows the two loaded connections
-Andreas Steffen
+<pre>
-Andreas Steffen
+swanctl --list-conns
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+rsa: IKEv2, reauthentication every 10800s, no rekeying
-Andreas Steffen
+  local:  10.10.0.105
-Andreas Steffen
+  remote: 10.10.0.104
-Andreas Steffen
+  local public key authentication:
-Andreas Steffen
+    id: C=US, O=TNC Demo, OU=AIK RSA, CN=raspi5.example.com
-Andreas Steffen
+    certs: C=US, O=TNC Demo, OU=AIK RSA, CN=raspi5.example.com
-Andreas Steffen
+  remote public key authentication:
-Andreas Steffen
+    id: raspi4.example.com
-Andreas Steffen
+  rsa: TRANSPORT, rekeying every 3600s or 300000000 bytes or 500000 packets
-Andreas Steffen
+    local:  dynamic
-Andreas Steffen
+    remote: dynamic
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+ecc: IKEv2, reauthentication every 10800s, no rekeying
-Andreas Steffen
+  local:  10.10.0.105
-Andreas Steffen
+  remote: 10.10.0.104
-Andreas Steffen
+  local public key authentication:
-Andreas Steffen
+    id: C=US, O=TNC Demo, OU=AIK ECC, CN=raspi5.example.com
-Andreas Steffen
+    certs: C=US, O=TNC Demo, OU=AIK ECC, CN=raspi5.example.com
-Andreas Steffen
+  remote public key authentication:
-Andreas Steffen
+    id: raspi4.example.com
-Andreas Steffen
+  ecc: TRANSPORT, rekeying every 3600s or 300000000 bytes or 500000 packets
-Andreas Steffen
+    local:  dynamic
-Andreas Steffen
+    remote: dynamic
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+The loaded certificates can also be displayed
-Andreas Steffen
+<pre>
-Andreas Steffen
+swanctl --list-certs
-Andreas Steffen
+</pre>
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+List of X.509 End Entity Certificates
 Andreas Steffen
-Andreas Steffen
+  subject:  "C=US, O=TNC Demo, OU=AIK RSA, CN=raspi5.example.com"
-Andreas Steffen
+  issuer:   "C=US, O=TNC Demo, CN=TNC Demo CA"
-Andreas Steffen
+  validity:  not before Feb 19 09:33:43 2017, ok
-Andreas Steffen
+             not after  Aug 29 10:33:43 2026, ok (expires in 3477 days)
-Andreas Steffen
+  serial:    11:57:33:3e:2a:8e:8a:32
-Andreas Steffen
+  altNames:  raspi5.example.com
-Andreas Steffen
+  authkeyId: 21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2
-Andreas Steffen
+  subjkeyId: f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66
-Andreas Steffen
+  pubkey:    RSA 2048 bits, has private key
-Andreas Steffen
+  keyid:     71:21:f5:d4:7e:59:4a:88:16:ca:57:85:98:3d:36:a7:b1:d5:75:fa
-Andreas Steffen
+  subjkey:   f4:9e:85:7d:de:4e:67:f5:fb:87:03:98:67:3f:20:7c:f3:3f:2b:66
 Andreas Steffen
-Andreas Steffen
+  subject:  "C=US, O=TNC Demo, OU=AIK ECC, CN=raspi5.example.com"
-Andreas Steffen
+  issuer:   "C=US, O=TNC Demo, CN=TNC Demo CA"
-Andreas Steffen
+  validity:  not before Feb 17 23:17:19 2017, ok
-Andreas Steffen
+             not after  Aug 30 00:17:19 2026, ok (expires in 3478 days)
-Andreas Steffen
+  serial:    52:9d:3e:42:6f:71:63:3d
-Andreas Steffen
+  altNames:  raspi5.example.com
-Andreas Steffen
+  authkeyId: 21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2
-Andreas Steffen
+  subjkeyId: c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13
-Andreas Steffen
+  pubkey:    ECDSA 256 bits, has private key
-Andreas Steffen
+  keyid:     71:49:7c:42:41:e7:c6:81:bc:31:73:f0:0f:7e:4a:e1:2d:53:00:38
-Andreas Steffen
+  subjkey:   c7:0e:63:f8:7f:6f:f6:55:00:e5:05:7f:5a:3e:6b:6c:e7:d2:d5:13
-Andreas Steffen
+</pre>
-Andreas Steffen
+You can clearly see that the connection between AK certificates and the matching AK private key has been established.
 Andreas Steffen
-Andreas Steffen
+<pre>
-Andreas Steffen
+List of X.509 CA Certificates
 Andreas Steffen
-Andreas Steffen
+  subject:  "C=US, O=TNC Demo, CN=TNC Demo CA"
-Andreas Steffen
+  issuer:   "C=US, O=TNC Demo, CN=TNC Demo CA"
-Andreas Steffen
+  validity:  not before Aug 31 10:29:27 2016, ok
-Andreas Steffen
+             not after  Aug 31 10:29:27 2026, ok (expires in 3479 days)
-Andreas Steffen
+  serial:    02:c8:85:e1:ef:fa:8f:20
-Andreas Steffen
+  flags:     CA CRLSign self-signed
-Andreas Steffen
+  subjkeyId: 21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2
-Andreas Steffen
+  pubkey:    ECDSA 256 bits
-Andreas Steffen
+  keyid:     a1:b5:e0:29:d0:4c:a7:62:bd:ca:a3:b4:af:18:42:2c:4a:01:55:9a
-Andreas Steffen
+  subjkey:   21:02:7e:2d:de:8b:77:48:75:de:56:2f:b5:d4:62:ec:c3:09:15:f2
-Andreas Steffen
+</pre>

Project

General

Profile

strongSwan

Trusted Platform Module 2.0 » History » Version 31