Hi,

As per the logs it's requesting an unpadded signature of size 256 (padding = 3), which is expected with OpenSSL 1.1.1 and TLS 1.2 or 1.3 as it requires a PSS padded signature and OpenSSL provides the padded data to sign with padding = NONE. My guess would be that your hardware token doesn't support signing pre-padded data.
In case of cryptoapi, we pass in the unpadded data and the padding type, so that both padding and signing are handled by the cryptography provider (token's dll through Windows). 2.4.7 is built with older OpenSSL that does not support TLS 1.3 and does not use PSS padding by default. For newer releases, there is a workaround like using TLS 1.2 and configuring OpenSSL to not negotiate PSS padding with the server [1], but why not use cryptoapi as it works?

Selva

[1] https://community.openvpn.net/openvpn/ticket/1296#comment:12

On Wed, Apr 14, 2021 at 6:03 PM mike tancsa <m...@sentex.net> wrote:
>
> Trying out a newer version of OpenVPN community edition (latest from the website) on windows 10 and running into problems with a config that works from 2.4.7. If I use the token with OpenVPN 2.4.7 it works as expected. On 2.5.1, I get a series of errors when using the pkcs11 method. The token works fine with cryptoapicert as the interface to the eToken.
>
> cryptoapicert "SUBJ:officeVPN"
>
> However, if I use
>
> pkcs11-providers eTpkcs11.dll
> pkcs11-id 'pkcs11:model=eToken;token=.....
>
> (i.e. the output of --show-pkcs11-ids)
>
>
> I enter the PIN, and it's the right PIN as the fail count on the token doesn't go down. It just fails and asks for the PIN again. The pkcs11 fail bits from the log are below. Like I said, this same token works with the same config under 2.4.7 and works with 2.5.1 if I use it via cryptoapicert. Any idea where / why I am getting those 2 errors using the pkcs11 method under 2.5.1?
>
>
>
> 2021-04-14 17:24:36 us=284747 SSL state (connect): TLSv1.3 read server certificate verify
> 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS read finished
> 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write change cipher spec
> 2021-04-14 17:24:36 us=284747 SSL state (connect): SSLv3/TLS write client certificate
> 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=00000000007968E0, to=0000000000795B10, rsa=000000000075EEE0, padding=3
> 2021-04-14 17:24:36 us=284747 PKCS#11: Performing signature
> 2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signAny entry certificate=00000000007586B0, mech_type=3, source=00000000007968E0, source_size=0000000000000100, target=0000000000795B10, *p_target_size=0000000000000100
> 2021-04-14 17:24:36 us=284747 PKCS#11: Getting key attributes
> 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_getKeyAttributes entry certificate=00000000007586B0
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=000000000072E140, count=4
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes return
> 2021-04-14 17:24:36 us=284747 PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=00000000007586B0, public_only=0, session_mutex_locked=1
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById entry session=0000000000759C40, class=3, id=000000000075F4A0, id_size=0000000000000008, p_handle=00000000007586C8
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate entry session=0000000000759C40
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1618435476
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects entry session=0000000000759C40, filter=000000000072E0C0, filter_attrs=2, p_objects=000000000072E0B8, p_objects_found=000000000072E0B4
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_getObjectById return rv=0-'CKR_OK', *p_handle=02970005
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_resetSession return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=284747 PKCS#11: Key attributes enforced by provider (00000002)
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=000000000072E140, count=4
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_freeObjectAttributes return
> 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_getKeyAttributes return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=284747 PKCS#11: pkcs11h_certificate_signRecover entry certificate=00000000007586B0, mech_type=3, source=00000000007968E0, source_size=0000000000000100, target=0000000000795B10, *p_target_size=0000000000000100
> 2021-04-14 17:24:36 us=284747 PKCS#11: __pkcs11h_certificate_doPrivateOperation entry certificate=00000000007586B0, op=1, mech_type=3, source=00000000007968E0, source_size=0000000000000100, target=0000000000795B10, *p_target_size=0000000000000100
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_validateSession entry certificate=00000000007586B0
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate entry session=0000000000759C40
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1618435476
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=284747 PKCS#11: _pkcs11h_certificate_validateSession return rv=0-'CKR_OK'
> 2021-04-14 17:24:36 us=300419 PKCS#11: __pkcs11h_certificate_doPrivateOperation init rv=112
> 2021-04-14 17:24:36 us=300419 PKCS#11: Private key operation failed rv=112-'CKR_MECHANISM_INVALID'
> 2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=00000000007586B0, public_only=0, session_mutex_locked=1
> 2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_session_login entry session=0000000000759C40, is_publicOnly=0, readonly=1, user_data=0000000000000000, mask_prompt=00000003
> 2021-04-14 17:24:36 us=300419 PKCS#11: _pkcs11h_session_logout entry session=0000000000759C40
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_logout return
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_reset entry session=0000000000759C40, user_data=0000000000000000, mask_prompt=00000003, p_slot=000000000072DC3C
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='SafeNet, Inc.' model='eToken', serialNumber='021c49f5', label='officetoken2b'
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_getSlotList entry provider=000000000088D1A0, token_present=1, pSlotList=000000000072DAE0, pulCount=000000000072DADC
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=000000000072DAE8
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=000000000072DA40
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=00000000007D5120
> 2021-04-14 17:24:36 us=316078 PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=00000000007D5120
> 2021-04-14 17:24:36 us=331784 PKCS#11: _pkcs11h_session_reset Found token manufacturerID='SafeNet, Inc.' model='eToken', serialNumber='021c49f5', label='officetoken2b'
> 2021-04-14 17:24:36 us=331784 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=00000000007D5120
> 2021-04-14 17:24:36 us=331784 PKCS#11: pkcs11h_token_freeTokenId return
> 2021-04-14 17:24:36 us=331784 PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0
> 2021-04-14 17:24:36 us=331784 PKCS#11: Calling pin_prompt hook for ''
> Enter officetoken2b token Password:
>
>
>
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
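The mechanics Selva describes can be shown end to end: for a TLS 1.3 CertificateVerify with an RSA key, OpenSSL 1.1.1 builds the RSA-PSS encoding (RFC 8017 EMSA-PSS) in software and then hands the engine a full modulus-sized block with padding = RSA_NO_PADDING (the `flen=256, padding=3` line), which pkcs11-helper forwards to the token as a raw RSA mechanism (the `mech_type=3` line; CKM_RSA_X_509 is 0x3 in the PKCS#11 headers). A token that only implements PKCS#1 v1.5 signing (CKM_RSA_PKCS) has nothing it can do with pre-padded input and returns CKR_MECHANISM_INVALID (0x70, the `rv=112` in the log). The Python below is an added illustration written for this thread, not code from OpenVPN, pkcs11-helper or OpenSSL. It assumes a toy token that models only raw RSA plus a mechanism-support check, a 1024-bit key generated with a toy Miller-Rabin routine (so the block size is 128 rather than the 256 of the 2048-bit key in the log), and SHA-256 with a hash-length salt; the OpenSSL and PKCS#11 constant values are the real ones.

```python
"""Added illustration (not OpenVPN, pkcs11-helper or OpenSSL code) of the
padding=3 / mech_type=3 request seen in the log: OpenSSL 1.1.1 PSS-encodes in
software and asks the token for a raw RSA private-key operation. Key generation
and the token below are toy models for demonstration only."""
import hashlib
import secrets

RSA_NO_PADDING = 3      # OpenSSL rsa.h constant logged as padding=3
CKM_RSA_PKCS = 0x01     # PKCS#11: PKCS#1 v1.5 signing, the token pads itself
CKM_RSA_X_509 = 0x03    # PKCS#11: raw RSA over caller-padded data (mech_type=3)
HASH = hashlib.sha256
H_LEN = HASH().digest_size


class Pkcs11TokenError(Exception):
    """Stands in for a CK_RV error code returned by the token."""


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 over SHA-256 (RFC 8017 B.2.1)."""
    blocks = (length + H_LEN - 1) // H_LEN
    return b"".join(HASH(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))[:length]


def emsa_pss_encode(message: bytes, em_bits: int, salt: bytes) -> bytes:
    """RFC 8017 9.1.1: the padding OpenSSL applies before calling the engine."""
    em_len = (em_bits + 7) // 8
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("modulus too small for this hash and salt")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # keep EM below 2^em_bits (< n)
    return bytes(masked) + h + b"\xbc"


def emsa_pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """RFC 8017 9.1.2, used to confirm the token's raw output is a valid PSS signature."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    if masked[0] >> (8 - (8 * em_len - em_bits)):
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, em_len - H_LEN - 1)))
    db[0] &= 0xFF >> (8 * em_len - em_bits)
    ps_len = em_len - H_LEN - s_len - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    salt = bytes(db[ps_len + 1:])
    return secrets.compare_digest(h, HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest())


def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, adequate for a toy key; never use this for real key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:  # top two bits set so that p*q has exactly 2*bits bits
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if _probable_prime(c):
            return c


def generate_rsa_key(bits: int = 1024):
    """Returns (n, e, d). 1024 bits keeps the demo fast; the log's flen=256 is a 2048-bit key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)


def token_sign(mechanism: int, data: bytes, key, supported) -> bytes:
    """Toy C_Sign for a token advertising the `supported` mechanism set.
    Only raw RSA (CKM_RSA_X_509) is modelled: m^d mod n over caller-padded input."""
    n, _e, d = key
    if mechanism not in supported:
        raise Pkcs11TokenError("CKR_MECHANISM_INVALID (0x70)")
    if mechanism != CKM_RSA_X_509:
        raise NotImplementedError("toy token models raw RSA only")
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(data, "big")
    if len(data) != k or m >= n:
        raise Pkcs11TokenError("CKR_DATA_INVALID")
    return pow(m, d, n).to_bytes(k, "big")


def openssl_pss_sign(message: bytes, key, supported) -> bytes:
    """OpenSSL side of the log: PSS-encode in software, then request a raw
    private-key operation (padding=RSA_NO_PADDING, flen=k) from the token."""
    n = key[0]
    k = (n.bit_length() + 7) // 8
    em = emsa_pss_encode(message, n.bit_length() - 1, secrets.token_bytes(H_LEN))
    assert len(em) == k  # 256 for the 2048-bit key in the log, 128 here
    return token_sign(CKM_RSA_X_509, em, key, supported)


def pss_verify(message: bytes, sig: bytes, n: int, e: int) -> bool:
    """Public-key side: undo the raw RSA step, then check the PSS encoding."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return emsa_pss_verify(message, em, n.bit_length() - 1, H_LEN)


if __name__ == "__main__":
    key = generate_rsa_key()
    msg = b"constructed CertificateVerify input"  # constructed sample input
    sig = openssl_pss_sign(msg, key, {CKM_RSA_X_509, CKM_RSA_PKCS})
    print("raw-RSA capable token -> valid PSS signature:", pss_verify(msg, sig, key[0], key[1]))
    try:
        openssl_pss_sign(msg, key, {CKM_RSA_PKCS})
    except Pkcs11TokenError as err:
        print("v1.5-only token ->", err)
```

The second run, with a token set that lacks CKM_RSA_X_509, fails at the same point as the log: the padding has already been done, so the only request the token receives is one it does not implement. Before switching a deployment from cryptoapicert to the pkcs11 path, it is worth listing the token's mechanisms with a PKCS#11 inspection tool (OpenSC's `pkcs11-tool --module <dll> --list-mechanisms`) and confirming that either CKM_RSA_X_509 or CKM_RSA_PKCS_PSS is present; if neither is, TLS 1.3 and PSS-based TLS 1.2 signing will fail regardless of PIN or certificate selection.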