On Thu, Oct 14, 2021 at 4:49 AM Jakub Niezabitowski <kuba.micha...@gmail.com>
wrote:

> Hello!
>
> Recently I have been working on authenticating users using TPM2. I am
> using the tpm2-pkcs11 project.
>
> Sadly I can't get it to work with openvpn. I have tried changing the format
> of pkcs11-id as suggested in different threads but with no success.
>
> openvpn package: 2.5.4-1.fc34
> pkcs11-helper: 1.27.0-3.fc34
>
> Output of `openvpn --show-pkcs11-ids
> /usr/lib64/pkcs11/libtpm2_pkcs11.so.0.0.0`
>
> Serialized id:
>  
> pkcs11:model=;token=tpm2_ecc;manufacturer=STMicro;serial=0000000000000000;id=d8bc0f69db86ae61
>
> I have tried both:
>
> pkcs11-id
> 'pkcs11:model=;token=tpm2_ecc;manufacturer=STMicro;serial=0000000000000000;id=d8bc0f69db86ae61'
> and
> pkcs11-id 'STMicro//0000000000000000/tpm2_ecc/d8bc0f69db86ae61'
>
> The first one returns PKCS#11: Cannot deserialize id
> 19-'CKR_ATTRIBUTE_VALUE_INVALID'
>

Empty model may work with the old format but not with "pkcs11:". Not sure
why it outputs "model=;".


> The second one returns:
>
> 2021-10-14 10:43:03 PKCS#11: Cannot get certificate object
> 2021-10-14 10:43:03 PKCS#11: Cannot get certificate object
> 2021-10-14 10:43:03 PKCS#11: Unable get evp object
>

In this case the deserialization appears to have succeeded but it can't
find the certificate. Is the certificate (not just the public key) loaded
into the emulated token? What does tpm2pkcs11-tool show with --list-objects?

Is your certificate private? If yes, you will also need
'--pkcs11-cert-private 1'. For the private key it always prompts for the
PIN, but for the certificate only if you set that option. See the OpenVPN man page.


> 2021-10-14 10:43:03 Cannot load certificate
> "STMicro//0000000000000000/tpm2_ecc/d8bc0f69db86ae61" using PKCS#11
> interface
> 2021-10-14 10:43:03 Error: private key password verification failed
>

The password error may be bogus -- something OpenVPN guesses on an
unsuccessful private key load.

Selva
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
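As an added example (not code from this thread, nor from OpenVPN or pkcs11-helper), a small Python helper that parses the RFC 7512 `pkcs11:` URI printed by `--show-pkcs11-ids`, reports attributes that are present but empty such as the `model=;` discussed above, and rebuilds the legacy slash-separated form from the same fields. The legacy field order is inferred from the two ids quoted in the thread, and the helper assumes no attribute value contains '/'.

```python
from urllib.parse import unquote

# Attribute order of the legacy slash-separated pkcs11-helper id, inferred from
# the thread's example (STMicro//0000000000000000/tpm2_ecc/d8bc0f69db86ae61):
# manufacturer / model / serial / token / id.
LEGACY_FIELDS = ("manufacturer", "model", "serial", "token", "id")


def parse_pkcs11_uri(uri):
    """Split the path part of a 'pkcs11:' URI (RFC 7512) into attributes.

    Values are percent-decoded; the id is kept as the hex text that
    'openvpn --show-pkcs11-ids' printed rather than decoded to bytes.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # drop any query component
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed attribute {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote(value)
    return attrs


def empty_attributes(attrs):
    """Attributes present but empty, e.g. the 'model=;' the thread asks about."""
    return [name for name, value in attrs.items() if value == ""]


def to_legacy_id(attrs):
    """Rebuild the legacy slash-separated id from the URI attributes.

    Assumption: no value contains '/', which would make the legacy form
    ambiguous; such values are rejected rather than guessed at.
    """
    values = [attrs.get(name, "") for name in LEGACY_FIELDS]
    for name, value in zip(LEGACY_FIELDS, values):
        if "/" in value:
            raise ValueError(f"{name!r} contains '/', cannot serialize safely")
    return "/".join(values)


if __name__ == "__main__":
    uri = ("pkcs11:model=;token=tpm2_ecc;manufacturer=STMicro;"
           "serial=0000000000000000;id=d8bc0f69db86ae61")
    a = parse_pkcs11_uri(uri)
    print("empty attributes:", empty_attributes(a))  # ['model']
    print("legacy form:     ", to_legacy_id(a))
```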
