Hi,

On Wed, Apr 21, 2021 at 6:32 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
>
> Hi,
>
> On 20/04/21 20:05, Selva Nair wrote:
> > On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
> >> [...]
>
> >> This is surprising. SoftHSM would support raw RSA signatures and hence
> >> should work with OpenVPN + pkcs11-helper 1.26 and later even with TLS
> >> 1.3 and PSS signatures.  The problem should arise only for tokens that
> >> insist on doing the padding internally.
> >>
> >> By any chance, are you using an older pkcs11-helper library?
> >>
> >>
>
> I was using the "default" pkcs11-helper library from Fedora Core 32,
> which is still at version 1.22; note that Fedora 33 *also* uses
> pkcs11-helper 1.22 (the upcoming Fedora 34 will include v1.27).
>
> I grabbed pkcs11-helper from github and compiled it then recompiled
> OpenVPN 2.5.1 with it. Now, when using softhsm, I get
>
> 2021-04-21 10:12:01 us=639135 PKCS#11: Adding PKCS#11 provider
> '/usr/lib64/libsofthsm2.so'
> 2021-04-21 10:12:01 us=640607 PKCS#11: Cannot deserialize id
> 19-'CKR_ATTRIBUTE_VALUE_INVALID'
> 2021-04-21 10:12:01 us=640614 Cannot load certificate
> "pkcs11:model=SoftHSM%20v2;token=SoftToken1;..." using PKCS#11 interface

The deserialize error seems to indicate it's not able to parse the id.
What does openvpn --show-pkcs11-ids /usr/lib64/libsofthsm2.so show?

To use the id like "pkcs11:....." you would need the RFC7512 patch
which we apply in our Windows builds. Or use the old style id like:

pkcs11-id 'SoftHSM\x20project/SoftHSM\x20v2/serial-goes-here/SoftToken1/20210420'

I think that patch is still not applied upstream. I tested softhsm
using your instructions and it works for TLS 1.3 and PSS -- softhsm2
gets a request to sign pre-padded PSS data as Raw RSA and it seems to
handle that.

I can understand some hardware tokens may refuse to sign pre-padded
data, so we need to find a fix for this.

Selva


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users