Hi,

On Wed, Apr 10, 2019 at 6:00 PM David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:

> On 10/04/2019 17:58, Selva Nair wrote:
> >
> > As I replied to the openssl-users list[*], pkcs11-helper only supports
> > PKCS1 signatures, not raw signature needed in this case.
> >
> > We have to either patch pkcs11-helper or switch to something else.
>
> It would be wonderful to switch it for something else.  Unfortunately, it
> does a lot of gluing between the lower-level operations (similarly available
> via p11-kit) and the interfaces implemented in OpenVPN is fairly high-level.
> So this "glue code" which pkcs11-helper is, is not that trivial and last
> time I checked the alternatives were scarce :(
>
> Is this a Windows only issue?  Or is it present on other platforms as well?
> If it's Windows only, I think we can get around it by patching it and
> ensuring upstream is aware of this.  But if it is more platforms, patching
> pkcs11-helper gets nasty quickly.
>

This has nothing to do with Windows. This is a limitation of pkcs11-helper
no matter what OS it's used in. In fact on Windows we have an alternative
option to use hardware tokens through cryptoapicert, but on other OSes we
are dependent on pkcs11-helper.

So this has everything non-Windows written on it.

Selva