Hi,
On 20/04/21 20:05, Selva Nair wrote:
> On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
[...]
> This is surprising. SoftHSM would support raw RSA signatures and hence
> should work with OpenVPN + pkcs11-helper 1.26 and later even with TLS
> 1.3 and PSS signatures. The problem should arise only for tokens that
> insist on doing the padding internally.
> By any chance, are you using an older pkcs11-helper library?

I was using the "default" pkcs11-helper library from Fedora Core 32,
which is still at version 1.22; note that Fedora 33 *also* uses
pkcs11-helper 1.22 (the upcoming Fedora 34 will include v1.27).
I grabbed pkcs11-helper from GitHub and compiled it, then recompiled
OpenVPN 2.5.1 with it. Now, when using softhsm, I get

2021-04-21 10:12:01 us=639135 PKCS#11: Adding PKCS#11 provider '/usr/lib64/libsofthsm2.so'
2021-04-21 10:12:01 us=640607 PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
2021-04-21 10:12:01 us=640614 Cannot load certificate "pkcs11:model=SoftHSM%20v2;token=SoftToken1;..." using PKCS#11 interface

so no luck there; with my trusty old Aladdin/Safenet eToken I get the
same error, so I'm guessing there's something wrong with v1.27 as well...
JJK
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
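
Added example, not part of the original message and not OpenVPN or pkcs11-helper code: a sketch of the split mentioned in the quoted reply, where the application builds the PSS encoding in software and the token only performs a raw RSA operation. The key is a constructed toy key, `token_raw_rsa` is a hypothetical stand-in for the token, and all function names are assumptions.

```python
import hashlib, os

# Constructed toy key (assumption, NOT secure): two Mersenne primes as p and q.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, held by the "token"
EM_BITS = N.bit_length() - 1
EM_LEN, H_LEN = (EM_BITS + 7) // 8, 32  # SHA-256; salt length == hash length
TOP_MASK = 0xFF >> (8 * EM_LEN - EM_BITS)

def mgf1(seed, length):
    blocks = (length + H_LEN - 1) // H_LEN
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pss_encode(msg, salt):
    """EMSA-PSS encoding (RFC 8017, 9.1.1), done in software by the application."""
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (EM_LEN - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, len(db))))
    masked[0] &= TOP_MASK
    return bytes(masked) + h + b"\xbc"

def token_raw_rsa(block):
    """Stand-in for the token's raw RSA operation: no padding, only m^d mod n."""
    # For this key the modulus is also EM_LEN bytes long.
    return pow(int.from_bytes(block, "big"), D, N).to_bytes(EM_LEN, "big")

def sign(msg, salt=None):
    salt = os.urandom(H_LEN) if salt is None else salt
    return token_raw_rsa(pss_encode(msg, salt))

def pss_verify(msg, sig):
    """Peer-side check: public-key operation, then undo the PSS encoding."""
    em = pow(int.from_bytes(sig, "big"), E, N).to_bytes(EM_LEN, "big")
    masked, h = em[:-H_LEN - 1], em[-H_LEN - 1:-1]
    if em[-1] != 0xBC or masked[0] & ~TOP_MASK & 0xFF:
        return False
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= TOP_MASK
    pad = len(db) - H_LEN - 1
    if db[:pad] != b"\x00" * pad or db[pad] != 1:
        return False
    digest = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + bytes(db[pad + 1:]))
    return digest.digest() == h
```

A token that insists on applying its own padding cannot serve as `token_raw_rsa` here, because the block it is handed is already a complete PSS-encoded message.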