Hi,
On Wed, Apr 10, 2019 at 10:11 AM Francois Gelis <francois.gelis@xxxxxxxxx> wrote:
Hi all,I have a working openvpn setup with client certificate and private key stored on my laptop. Then, I have loaded them into a smartcard (Yubico 5 NFC), and modified accordingly the openvpn client config. But running the openvpn client now fails with an error that seems to originate inside openssl. Here is a verbose openvpn log (only the portion that seems relevant for this error, but I have the full log if useful):Sat Apr 6 15:57:20 2019 us=467260 Incoming Ciphertext -> TLSSat Apr 6 15:57:20 2019 us=467271 SSL state (connect): SSLv3/TLS read server helloSat Apr 6 15:57:20 2019 us=467468 VERIFY OK: depth=1, CN=FG-CASat Apr 6 15:57:20 2019 us=467598 VERIFY KU OKSat Apr 6 15:57:20 2019 us=467609 Validating certificate extended key usageSat Apr 6 15:57:20 2019 us=467615 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server AuthenticationSat Apr 6 15:57:20 2019 us=467620 VERIFY EKU OKSat Apr 6 15:57:20 2019 us=467625 VERIFY OK: depth=0, CN=tx2Sat Apr 6 15:57:20 2019 us=467650 SSL state (connect): SSLv3/TLS read server certificateSat Apr 6 15:57:20 2019 us=467735 SSL state (connect): SSLv3/TLS read server key exchangeSat Apr 6 15:57:20 2019 us=467763 SSL state (connect): SSLv3/TLS read server certificate requestSat Apr 6 15:57:20 2019 us=467771 SSL state (connect): SSLv3/TLS read server doneSat Apr 6 15:57:20 2019 us=467845 SSL state (connect): SSLv3/TLS write client certificateSat Apr 6 15:57:20 2019 us=468012 SSL state (connect): SSLv3/TLS write client key exchangeSat Apr 6 15:57:20 2019 us=468053 PKCS#11: __pkcs11h_openssl_rsa_enc entered - flen=256, from=0x559d078d6e70, to=0x559d078d6bc0, rsa=0x559d078b3630, padding=3
padding = 3 means "no padding" indicating that the data for signature is already padded. That's why the data size (flen) is 256 (hashed data padded to the rsa key size of 2048 bits, I guess). If you are using OpenSSL 1.1.1, this could be due to PSS padding in which case current implementation passes pre-padded data for raw signature to the callback. AFAIK, pkcs11-helper only handles PKCS1 padding (CKM_RSA_PKCS) though pkcs11 standard does support raw signatures.
A work around may be to restrict TLS version to 1.1 which is not ideal. Not sure whether openssl has any config options to restrict signature algorithms.
A work around may be to restrict TLS version to 1.1 which is not ideal. Not sure whether openssl has any config options to restrict signature algorithms.
Sat Apr 6 15:57:20 2019 us=468060 PKCS#11: __pkcs11h_openssl_rsa_enc - return rv=112-'CKR_MECHANISM_INVALID'
Sat Apr 6 15:57:20 2019 us=468070 SSL alert (write): fatal: internal errorSat Apr 6 15:57:20 2019 us=468085 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP libSat Apr 6 15:57:20 2019 us=468092 TLS_ERROR: BIO read tls_read_plaintext errorSat Apr 6 15:57:20 2019 us=468097 TLS Error: TLS object -> incoming plaintext read errorSat Apr 6 15:57:20 2019 us=468101 TLS Error: TLS handshake failedSomehow, it seems that __pkcs11h_openssl_rsa_enc was called with an unexpected padding. Any ideas on what might be the cause of this?
pkcs11-helper needs to be patched to support raw signatures.
Selva