I am attempting to transition our existing environment of signed DigiCert certificates from RSA4096 to ECC256. The DigiCert ONE signing process appears to work, i.e. a CSR generated using a TPM private key, then a certificate request made to DigiCert using this CSR. Same process I used before with RSA4096, different algorithm.
When using an RSA4096 generated certificate with either hardware or software TPM, I can connect using openconnect. When using an ECC256 generated certificate and a software-emulated TPM, the openconnect connection is successful.
When using an ECC256 generated certificate and a hardware TPM (3 laptops) I encounter the following problem:
ERROR: Esys_Sign: tpm:parameter(1):structure is the wrong size
SSL connection failure: PKCS #11 error.
I have tried generating the CSR to be signed using the engines tpm2-openssl and pkcs11-provider, same result.
Maybe the following gives a clue (openconnect with --gnutls-debug=99 -v): https://pastebin.com/d2gT4t6q Any ideas?
Running pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so -M on my hardware TPM, I see:
Supported mechanisms:
RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, hw, generate_key_pair
RSA-X-509, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
RSA-PKCS, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
RSA-PKCS-OAEP, keySize={1024,3072}, hw, encrypt, decrypt
SHA1-RSA-PKCS, keySize={1024,3072}, hw, sign, verify
SHA256-RSA-PKCS, keySize={1024,3072}, hw, sign, verify
SHA384-RSA-PKCS, keySize={1024,3072}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
SHA256-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
SHA384-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
SHA512-RSA-PKCS-PSS, keySize={1024,3072}, hw, sign, verify
ECDSA-KEY-PAIR-GEN, keySize={256,384}, hw, generate_key_pair
ECDSA, keySize={256,384}, hw, sign, verify
ECDSA-SHA1, keySize={256,384}, hw, sign, verify
ECDSA-SHA256, keySize={256,384}, hw, sign, verify
ECDSA-SHA384, keySize={256,384}, hw, sign, verify
ECDSA-SHA512, keySize={256,384}, hw, sign, verify
AES-KEY-GEN, keySize={16,32}, hw, generate
AES-CBC, keySize={16,32}, hw, encrypt, decrypt
AES-CBC-PAD, keySize={16,32}, hw, encrypt, decrypt
mechtype-0x2107, keySize={16,32}, hw, encrypt, decrypt
AES-ECB, keySize={16,32}, hw, encrypt, decrypt
AES-CTR, keySize={16,32}, hw, encrypt, decrypt
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
SHA-1-HMAC, keySize={20,20}, hw, sign, verify
SHA256-HMAC, keySize={32,32}, hw, sign, verify
SHA384-HMAC, keySize={48,48}, hw, sign, verify
Assuming that the following are being used:
Hardware
RSA-X-509, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
ECDSA, keySize={256,384}, hw, sign, verify
Software
RSA-X-509, keySize={1024,3072}, hw, encrypt, decrypt, sign, verify
ECDSA, keySize={192,638}, hw, sign, verify
For the software TPM I also see a different key size range, i.e. keySize={192,638} instead of the hardware TPM's keySize={256,384}. The RSA 4096 supports encryption, decryption, signing, and verification, while ECDSA only supports signing and verification.
Could these differences between RSA and ECDSA be a reason for the SSL connection failure? Trying to narrow down the issue. Any ideas?
I can provide more details of key creation etc. if required.
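As an added diagnostic, not part of the original post: a bash script that reads the ECDSA keySize range the module advertises and then drives the tpm2-pkcs11 ECDSA sign path directly with pkcs11-tool, one hash mechanism at a time, so an Esys_Sign failure can be reproduced outside openconnect/GnuTLS and tied to a specific mechanism. The module path is the one in the post; the key label, PIN and test message are assumptions, and --label/--sign/--mechanism are standard OpenSC pkcs11-tool options.

```bash
#!/usr/bin/env bash
# Added diagnostic, not from the original post: drive the tpm2-pkcs11 ECDSA
# sign path directly with pkcs11-tool so an Esys_Sign failure can be
# reproduced outside openconnect/GnuTLS and tied to one mechanism.
set -u

MODULE="${MODULE:-/usr/lib64/pkcs11/libtpm2_pkcs11.so}"   # path from the post
KEY_LABEL="${KEY_LABEL:-vpn-ecc-key}"   # assumed label of the ECC256 key
PIN="${PIN:-}"                          # user PIN, supplied via environment

# Print the "min,max" keySize range that `pkcs11-tool -M` output (on stdin)
# advertises for MECH, e.g. "256,384" for the hardware TPM in the post.
mech_keysize() {
    grep -o "$1, keySize={[0-9]*,[0-9]*}" | head -n1 | sed 's/.*{\(.*\)}/\1/'
}

# Succeed when SIZE (bits) lies inside a "min,max" range string.
size_in_range() {
    local size="$1" min="${2%,*}" max="${2#*,}"
    [ "$size" -ge "$min" ] && [ "$size" -le "$max" ]
}

# Sign a constructed 32-byte message with each ECDSA hash mechanism and
# report which one the TPM rejects; pkcs11-tool prints the tss2 error text.
probe_sign() {
    local mech msg sig
    msg=$(mktemp) && sig=$(mktemp)
    head -c 32 /dev/urandom > "$msg"                     # constructed input
    for mech in ECDSA-SHA256 ECDSA-SHA384 ECDSA-SHA512; do
        if pkcs11-tool --module "$MODULE" --login --pin "$PIN" --sign \
               --mechanism "$mech" --label "$KEY_LABEL" \
               --input-file "$msg" --output-file "$sig" 2>/dev/null; then
            printf '%-12s OK, %s-byte signature\n' "$mech" "$(stat -c %s "$sig")"
        else
            printf '%-12s FAILED\n' "$mech"
        fi
    done
    rm -f "$msg" "$sig"
}

# Only run against real hardware when the tool and module are present.
if command -v pkcs11-tool >/dev/null 2>&1 && [ -r "$MODULE" ]; then
    range=$(pkcs11-tool --module "$MODULE" -M 2>/dev/null | mech_keysize ECDSA)
    echo "advertised ECDSA keySize range: ${range:-none}"
    size_in_range 256 "${range:-0,0}" || echo "P-256 is outside the advertised range"
    probe_sign
fi
```

Run it once on a laptop with the hardware TPM and once against the software TPM; a mechanism that fails only on hardware points at the sign request (hash and digest length) rather than at the certificate or the TLS layer.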