Unable to connect using PKCS#11 interface
Posted: Tue Jan 31, 2023 12:10 pm
Hello!
I want to use keys generated with the TPM 2.0 hardware security module for user authentication when connecting to the OpenVPN server.
I am generating key pair and importing signed certificate with use of tpm2-pkcs11 1.8.0 (https://github.com/tpm2-software/tpm2-pkcs11) compiled form source.
On Fedora 36 (OpenVPN 2.5.7; OpenSSL 3.0.5) everything works fine, but on Ubuntu 22.10 (OpenVPN 2.6; OpenSSL 3.0.5) on different machine it is not working (same with 22.04 LTS and older version of OpenVPN).
When I try to connect to the VPN server, it asks for the token password (as if it found it) but then these logs appears:
The only difference I spot between Ubuntu and Fedora is that syntax of returned pkcs11-id is different.
Under both distributions for ovpn config file I am using pkcs11-ids returned by command openvpn --show-pkcs11-ids:
Ubuntu:
Fedora:
Corresponding lines in configuration files:
Ubuntu:
Fedora:
OpenVPN on Fedora seems to create a valid RFC 7512 ID and using it in ovpn config file works fine. But on Ubuntu I get logs as showed above so I cannot connect to the server.
I am quite sure that key pair was generated properly on both systems and the certificate was imported right too, because both Chrome and Firefox can recognize it and I can use this certificate to succesfully perform client SSL auth on both browsers. Also by use of PKCS#11 interface creating (and then verifying) digital signatures with these keys works too.
Any clues? Thank you.
I want to use keys generated with the TPM 2.0 hardware security module for user authentication when connecting to the OpenVPN server.
I am generating key pair and importing signed certificate with use of tpm2-pkcs11 1.8.0 (https://github.com/tpm2-software/tpm2-pkcs11) compiled form source.
On Fedora 36 (OpenVPN 2.5.7; OpenSSL 3.0.5) everything works fine, but on Ubuntu 22.10 (OpenVPN 2.6; OpenSSL 3.0.5) on different machine it is not working (same with 22.04 LTS and older version of OpenVPN).
When I try to connect to the VPN server, it asks for the token password (as if it found it) but then these logs appears:
Code: Select all
2023-01-16 14:20:00: PKCS#11: Cannot get certificate object
2023-01-16 14:20:00: PKCS#11: Cannot get certificate object
2023-01-16 14:20:00: PKCS#11: Unable get evp objectUnder both distributions for ovpn config file I am using pkcs11-ids returned by command openvpn --show-pkcs11-ids:
Ubuntu:
Code: Select all
DN: C=PL, O=TEST, CN=Test Test
Serial: 034E
Serialized id: Nuvoton/rls/0000000000000000/test_tpm/3039303736316330313964396361613Code: Select all
DN: C=PL, O=TEST, CN=Test Test
Serial: 034D
Serialized id: pkcs11:model=SLB9670;token=test_tpm;manufacturer=Infineon;serial=0000000000000000;id=22ab4f2e7acf600bUbuntu:
Code: Select all
pkcs11-id 'Nuvoton/rls/0000000000000000/test_tpm/30393037363163303139643963616132'
Code: Select all
pkcs11-id 'pkcs11:model=SLB9670;token=test_tpm;manufacturer=Infineon;serial=0000000000000000;id=22ab4f2e7acf600b'
I am quite sure that key pair was generated properly on both systems and the certificate was imported right too, because both Chrome and Firefox can recognize it and I can use this certificate to succesfully perform client SSL auth on both browsers. Also by use of PKCS#11 interface creating (and then verifying) digital signatures with these keys works too.
Any clues? Thank you.