Hi all!

Using either GnuTLS or one of the TPM2 engines for OpenSSL, it's possible to use keyfiles that are encrypted with a wrapping key from a TPM2 device. Implementations have started to use special PEM headers for these files. openconnect can automatically invoke the necessary magic to unwrap the key without any user interaction. A similar patch for wpa_supplicant can be found at http://lists.infradead.org/pipermail/hostap/2019-July/040318.html.

Alas, these PEM files currently fail NM's header validation. The attached patch just accepts these keys in NM, assuming further support is present in the backend tools.

Kind regards,

Daniel

-- 
Daniel Kobras
Principal Architect
Puzzle ITC Deutschland
+49 7071 14316 0
www.puzzle-itc.de

-- 
Puzzle ITC Deutschland GmbH
Registered office: Jurastr. 27/1, 72072 Tübingen
Registered at Amtsgericht Stuttgart, HRB 765802
Managing directors: Lukas Kallies, Daniel Kobras, Mark Pröhl
Attachment:
0001-libnm-crypto-accept-TPM2-wrapped-PEM-keys.patch
Description: Text Data
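Added illustration (not code from the attached patch, NetworkManager, GnuTLS or the OpenSSL TPM2 engines): a small C PEM-header classifier that shows what "header validation" has to decide for a TPM2-wrapped key. It recognises the usual software key labels plus two TSS2 labels; the strings "TSS2 PRIVATE KEY" and "TSS2 KEY BLOB" are my assumption of what the tpm2-tss-engine / openconnect wrapped-key format writes, since the mail itself does not name the headers. All function names, the enum, and the sample blobs (placeholder base64, not real keys) are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    PEM_KEY_NONE = 0,        /* no well-formed BEGIN/END block found */
    PEM_KEY_UNKNOWN_LABEL,   /* block found, but the label is not recognised */
    PEM_KEY_RSA,
    PEM_KEY_DSA,
    PEM_KEY_EC,
    PEM_KEY_PKCS8,
    PEM_KEY_PKCS8_ENCRYPTED,
    PEM_KEY_TSS2             /* TPM2-wrapped: only the TPM that wrapped it can unwrap it */
} pem_key_type;

static const struct { const char *label; pem_key_type type; } known_labels[] = {
    { "RSA PRIVATE KEY",       PEM_KEY_RSA },
    { "DSA PRIVATE KEY",       PEM_KEY_DSA },
    { "EC PRIVATE KEY",        PEM_KEY_EC },
    { "PRIVATE KEY",           PEM_KEY_PKCS8 },
    { "ENCRYPTED PRIVATE KEY", PEM_KEY_PKCS8_ENCRYPTED },
    /* Assumption: labels written by tpm2-tss-engine / openconnect for wrapped
     * keys (current and older form); the mail does not name them. */
    { "TSS2 PRIVATE KEY",      PEM_KEY_TSS2 },
    { "TSS2 KEY BLOB",         PEM_KEY_TSS2 },
};

#define BEGIN_PREFIX "-----BEGIN "
#define END_PREFIX   "-----END "
#define DASHES       "-----"

/* If line starts with "-----BEGIN <label>-----", copy <label> into out. */
static bool parse_begin_line(const char *line, char *out, size_t outlen)
{
    if (strncmp(line, BEGIN_PREFIX, strlen(BEGIN_PREFIX)) != 0)
        return false;
    const char *start = line + strlen(BEGIN_PREFIX);
    const char *end = strstr(start, DASHES);
    if (!end || end == start || (size_t)(end - start) >= outlen)
        return false;
    memcpy(out, start, (size_t)(end - start));
    out[end - start] = '\0';
    return true;
}

/* True if some later line starts with "-----END <label>-----" (CRLF tolerated). */
static bool has_matching_end(const char *rest, const char *label)
{
    char needle[160];
    int n = snprintf(needle, sizeof needle, "%s%s%s", END_PREFIX, label, DASHES);
    if (n < 0 || (size_t)n >= sizeof needle)
        return false;
    for (const char *p = rest; p; p = p ? p + 1 : NULL) {
        if (strncmp(p, needle, (size_t)n) == 0)
            return true;
        p = strchr(p, '\n');          /* advance to next line start */
    }
    return false;
}

/* Classify the first PEM block by its BEGIN label; a block whose END line
 * is missing or carries a different label is reported as malformed. */
pem_key_type pem_classify_key(const char *pem)
{
    char label[96];
    for (const char *p = pem; p; p = p ? p + 1 : NULL) {
        if (parse_begin_line(p, label, sizeof label)) {
            const char *body = strchr(p, '\n');
            if (!body || !has_matching_end(body + 1, label))
                return PEM_KEY_NONE;
            for (size_t i = 0; i < sizeof known_labels / sizeof known_labels[0]; i++)
                if (strcmp(label, known_labels[i].label) == 0)
                    return known_labels[i].type;
            return PEM_KEY_UNKNOWN_LABEL;
        }
        p = strchr(p, '\n');
    }
    return PEM_KEY_NONE;
}

/* A TSS2 blob is opaque to the caller: it cannot be decrypted or parsed
 * locally and must be handed to a TPM-aware backend (GnuTLS / OpenSSL TPM2 engine). */
bool pem_key_needs_tpm(pem_key_type t) { return t == PEM_KEY_TSS2; }

/* Validation in the spirit of the patch: software keys pass as before, and a
 * TPM2-wrapped key passes only if the backend can actually use it. */
bool pem_key_accepted(const char *pem, bool backend_has_tpm2)
{
    pem_key_type t = pem_classify_key(pem);
    if (t == PEM_KEY_NONE || t == PEM_KEY_UNKNOWN_LABEL)
        return false;
    return pem_key_needs_tpm(t) ? backend_has_tpm2 : true;
}

/* Constructed samples: the base64 bodies are placeholders, not real key material. */
static const char SAMPLE_TSS2[] =
    "-----BEGIN TSS2 PRIVATE KEY-----\nAAAAAAAAAAAAAAAA\n-----END TSS2 PRIVATE KEY-----\n";
static const char SAMPLE_TSS2_OLD[] =
    "-----BEGIN TSS2 KEY BLOB-----\r\nAAAA\r\n-----END TSS2 KEY BLOB-----\r\n";
static const char SAMPLE_RSA[] =
    "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_TRUNCATED[] =
    "-----BEGIN TSS2 PRIVATE KEY-----\nAAAA\n";   /* END line missing */

int main(void)
{
    printf("TSS2 sample: type=%d accepted(no tpm backend)=%d accepted(tpm backend)=%d\n",
           pem_classify_key(SAMPLE_TSS2), pem_key_accepted(SAMPLE_TSS2, false),
           pem_key_accepted(SAMPLE_TSS2, true));
    printf("truncated sample: type=%d\n", pem_classify_key(SAMPLE_TRUNCATED));
    return 0;
}
```

The point of the `backend_has_tpm2` gate is the caveat in the mail: accepting the header only moves the failure if the crypto backend underneath cannot talk to the TPM, because nothing outside that TPM can turn the wrapped blob back into a usable private key. A classifier like this also shows why a plain label whitelist rejected these files before: the BEGIN/END lines are well-formed PEM, only the label was unknown.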