Hi,

On Wed, Apr 21, 2021 at 6:32 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
>
> Hi,
>
> On 20/04/21 20:05, Selva Nair wrote:
> > On Tue, Apr 20, 2021 at 6:47 AM Jan Just Keijser <janj...@nikhef.nl> wrote:
> > > [...]
> >
> > This is surprising. SoftHSM would support raw RSA signatures and hence
> > should work with OpenVPN + pkcs11-helper 1.26 and later even with TLS
> > 1.3 and PSS signatures. The problem should arise only for tokens that
> > insist on doing the padding internally.
> >
> > By any chance, are you using an older pkcs11-helper library?
> >
>
> I was using the "default" pkcs11-helper library from Fedora Core 32,
> which is still at version 1.22; note that Fedora 33 *also* uses
> pkcs11-helper 1.22 (the upcoming Fedora 34 will include v1.27).
>
> I grabbed pkcs11-helper from github and compiled it, then recompiled
> OpenVPN 2.5.1 with it. Now, when using softhsm, I get
>
> 2021-04-21 10:12:01 us=639135 PKCS#11: Adding PKCS#11 provider
> '/usr/lib64/libsofthsm2.so'
> 2021-04-21 10:12:01 us=640607 PKCS#11: Cannot deserialize id
> 19-'CKR_ATTRIBUTE_VALUE_INVALID'
> 2021-04-21 10:12:01 us=640614 Cannot load certificate
> "pkcs11:model=SoftHSM%20v2;token=SoftToken1;..." using PKCS#11 interface
The deserialize error seems to indicate it's not able to parse the id.
What does openvpn --show-pkcs11-ids /usr/lib64/libsofthsm2.so show?

To use an id like "pkcs11:....." you would need the RFC7512 patch which
we apply in our Windows builds. Or use the old style id like:

pkcs11-id 'SoftHSM\x20project/SoftHSM\x20v2/serial-goes-here/SoftToken1/20210420'

I think that patch is still not applied upstream.

I tested softhsm using your instructions and it works for TLS 1.3 and
PSS -- softhsm2 gets a request to sign pre-padded PSS data as Raw RSA and
it seems to handle that. I can understand some hardware tokens may refuse
to sign pre-padded data, so we need to find a fix for this.

Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
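The two id styles discussed above (an RFC 7512 "pkcs11:" URI versus the old pkcs11-helper serialized id that unpatched OpenVPN accepts) can be mapped onto each other. The following script is an added example written for this thread; it is not code from OpenVPN, pkcs11-helper or the list participants. It parses a PKCS#11 URI and rebuilds the legacy "manufacturer/model/serial/label/hexid" string in the layout of Selva's example line. The field order is taken from that example; the exact set of printable characters that get "\xHH"-escaped, the function names and the sample URI (including its serial) are my assumptions and constructed values. Treat the output as a starting point and compare it with what "openvpn --show-pkcs11-ids <module>" prints for the token: an id that does not match the serializer's expectations is exactly what OpenVPN reports as unable to deserialize.

```python
"""Convert an RFC 7512 PKCS#11 URI into the legacy serialized id that
OpenVPN's 'pkcs11-id' option (via pkcs11-helper) expects.

Assumed legacy layout, matching the example quoted in the thread:
    manufacturer/model/serial/label/<CKA_ID as lowercase hex>
Bytes outside printable ASCII, plus the separator '/' and a few quoting
characters, are written as \\xHH.  That escape list is an assumption
about pkcs11-helper's serializer, not something the thread states;
compare the result with 'openvpn --show-pkcs11-ids' before relying on it.
"""
from urllib.parse import unquote_to_bytes

# Printable characters assumed to be escaped anyway (separator, backslash,
# quoting characters).  Assumption, see module docstring.
_ESCAPE_ALWAYS = frozenset('\\/"\'<>')

# Path attributes that must be present to build a legacy id.
_REQUIRED = ("manufacturer", "model", "serial", "token", "id")


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse 'pkcs11:a=v;a=v?q=v&q=v' into {name: bytes}.

    Values are percent-decoded into bytes because 'id' is binary.  Query
    attributes are stored under a '?' prefix so they cannot collide with
    path attributes.  RFC 7512 forbids a path attribute from appearing
    twice, so duplicates are rejected instead of silently taking the last.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:                  # 'pkcs11:' alone is a valid, empty URI
            continue
        name, sep, value = part.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed path attribute {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate path attribute {name!r}")
        attrs[name] = unquote_to_bytes(value)
    for part in query.split("&") if query else []:
        name, sep, value = part.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed query attribute {part!r}")
        attrs.setdefault("?" + name, unquote_to_bytes(value))
    return attrs


def escape_component(value: bytes) -> str:
    """Escape one token field the way the legacy id format does.

    Printable ASCII graphics (0x21-0x7e, what C's isgraph() accepts in the
    C locale) are copied unless listed in _ESCAPE_ALWAYS; everything else,
    including the space in 'SoftHSM project', becomes \\xHH.
    """
    out = []
    for b in value:
        if 0x21 <= b <= 0x7E and chr(b) not in _ESCAPE_ALWAYS:
            out.append(chr(b))
        else:
            out.append(f"\\x{b:02x}")
    return "".join(out)


def to_legacy_pkcs11_id(uri: str) -> str:
    """Build the 'manufacturer/model/serial/label/hexid' string for pkcs11-id."""
    attrs = parse_pkcs11_uri(uri)
    missing = [name for name in _REQUIRED if name not in attrs]
    if missing:
        raise ValueError("URI lacks attributes needed for a legacy id: "
                         + ", ".join(missing))
    fields = [escape_component(attrs[name]) for name in _REQUIRED[:-1]]
    fields.append(attrs["id"].hex())          # CKA_ID is shown as lowercase hex
    return "/".join(fields)


# Constructed sample: manufacturer, model and label follow the SoftHSM
# example in the thread, the serial is made up, and the id bytes are chosen
# so that their hex form is the '20210420' from the example pkcs11-id line.
SAMPLE_URI = ("pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;"
              "serial=1a2b3c4d5e6f7a8b;token=SoftToken1;"
              "id=%20%21%04%20;object=vpn-client;type=cert")

if __name__ == "__main__":
    print("pkcs11-id '" + to_legacy_pkcs11_id(SAMPLE_URI) + "'")
```

Running the script prints a complete pkcs11-id line for the constructed token. Rejecting duplicate path attributes is deliberate: two tokens from the same vendor often share manufacturer and model, so a silently overwritten "serial" or "token" value would select the wrong key without any error at parse time.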