OpenSC / pkcs11-helper

Library that simplifies the interaction with PKCS#11 providers for end-user applications using a simple API and optional OpenSSL engine

Cannot load certificate when module name is missing #47

Closed kuba00739 closed 3 years ago

kuba00739 commented 3 years ago

Hello,

I have tried to use TPM2.0 to ensure that only some PCs can connect to the VPN.

Using openvpn --show-pkcs11-ids /usr/lib64/pkcs11/libtpm2_pkcs11.so I get this output:

ERROR: Listing FAPI token objects failed.

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             My cert data
       Serial:         My cert serial
       Serialized id:  pkcs11:model=;token=tpm2_ecc;manufacturer=STMicro;serial=0000000000000000;id=d8bc0f69db86ae61

I have tried to configure it in my config using these options:

pkcs11-providers /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
pkcs11-id 'pkcs11:model=;token=tpm2_ecc;manufacturer=STMicro;serial=0000000000000000;id=d8bc0f69db86ae61'

and

pkcs11-providers /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
pkcs11-id 'STMicro//0000000000000000/tpm2_ecc/d8bc0f69db86ae61'

The first one results in

2021-10-14 14:47:02 PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
2021-10-14 14:47:02 Cannot load certificate "pkcs11:model=;token=tpm2_ecc;manufacturer=STMicro;serial=0000000000000000;id=d8bc0f69db86ae61" using PKCS#11 interface
2021-10-14 14:47:02 Error: private key password verification failed
2021-10-14 14:47:02 Exiting due to fatal error

I have tried the second format because pkcs11-helper had problems with parsing in previous versions. When I use pkcs11-id 'STMicro//0000000000000000/tpm2_ecc/d8bc0f69db86ae61':

2021-10-14 14:49:05 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
ERROR: Listing FAPI token objects failed.
2021-10-14 14:49:05 PKCS#11: Cannot get certificate object
2021-10-14 14:49:05 PKCS#11: Cannot get certificate object
2021-10-14 14:49:05 PKCS#11: Unable get evp object
2021-10-14 14:49:05 Cannot load certificate "STMicro//0000000000000000/tpm2_ecc/d8bc0f69db86ae61" using PKCS#11 interface
2021-10-14 14:49:05 Error: private key password verification failed
2021-10-14 14:49:05 Exiting due to fatal error

When I provide this with any model (i.e. STMicro/test/0000000000000000/tpm2_ecc/d8bc0f69db86ae61) the result looks like this:

2021-10-14 14:49:43 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
ERROR: Listing FAPI token objects failed.
🔐 NEED-OK|token-insertion-request|Please insert tpm2_ecc token: ****                    
2021-10-14 14:49:47 PKCS#11: Cannot get certificate object
2021-10-14 14:49:47 PKCS#11: Cannot get certificate object
2021-10-14 14:49:47 PKCS#11: Unable get evp object
2021-10-14 14:49:47 Cannot load certificate "STMicro/test/0000000000000000/tpm2_ecc/d8bc0f69db86ae61" using PKCS#11 interface
2021-10-14 14:49:47 Error: private key password verification failed
2021-10-14 14:49:47 Exiting due to fatal error

My TPM sadly does not contain any information regarding model:

TPM2_PT_VENDOR_STRING_1:
  raw: 0x0
  value: ""
TPM2_PT_VENDOR_STRING_2:
  raw: 0x0
  value: ""
TPM2_PT_VENDOR_STRING_3:
  raw: 0x0
  value: ""
TPM2_PT_VENDOR_STRING_4:
  raw: 0x0
  value: ""

Do you know any solution or workaround for when the model name is missing?

Thank you for your help.

Jakub

alonbl commented 3 years ago

Hi,

I see this is a patched pkcs11-helper which I do not support. But please provide a debug log so I can see if something in the core went wrong.

Please also provide the output of:

pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-token-slots

Alon

kuba00739 commented 3 years ago

Hi,

Thank you for your reply.

Here's the output of pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-token-slots:

ERROR: Listing FAPI token objects failed.
Cryptoki version 2.40
Manufacturer     tpm2-software.github.io
Library          TPM2.0 Cryptoki (ver 0.0)
Available slots:
Slot 0 (0x1): tpm2_test                       
  token label        : tpm2_test
  token manufacturer : STMicro
  token model        : 
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 1.16
  firmware version   : 71.12
  serial num         : 0000000000000000
  pin min/max        : 0/128
Slot 1 (0x2):                                 
  token state:   uninitialized
Using slot 0 with a present token (0x1)

After some debugging I have found out that:

Curl seems to work fine with this certificate.
pkcs11-tool can export this certificate without any form of authentication.
Passing --pkcs11-cert-private 1 doesn't change much.

I use the standard Fedora pkcs11-helper-1.27.0-3.fc34.rpm package because all the issues from https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/OPENVPN.md seem to be patched. Maybe this is my mistake?

alonbl commented 3 years ago

Indeed the model is empty, while a well-behaved provider should have something to tell. But I do not think this is the problem.

I believe Fedora patches my library with some PKCS#11 URI support which is buggy.

Please send me the debug log of OpenVPN.

kuba00739 commented 3 years ago

Here it comes, from openvpn --config client.conf --verb 10:

2021-10-15 22:04:08 us=718471 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-15 22:04:08 us=719380 Current Parameter Settings:
2021-10-15 22:04:08 us=719466   config = 'client.conf'
2021-10-15 22:04:08 us=719506   mode = 0
2021-10-15 22:04:08 us=719531   persist_config = DISABLED
2021-10-15 22:04:08 us=719554   persist_mode = 1
2021-10-15 22:04:08 us=719576   show_ciphers = DISABLED
2021-10-15 22:04:08 us=719598   show_digests = DISABLED
2021-10-15 22:04:08 us=719619   show_engines = DISABLED
2021-10-15 22:04:08 us=719639   genkey = DISABLED
2021-10-15 22:04:08 us=719660   genkey_filename = '[UNDEF]'
2021-10-15 22:04:08 us=719680   key_pass_file = '[UNDEF]'
2021-10-15 22:04:08 us=719699   show_tls_ciphers = DISABLED
2021-10-15 22:04:08 us=719719   connect_retry_max = 0
2021-10-15 22:04:08 us=719742 Connection profiles [0]:
2021-10-15 22:04:08 us=719765   proto = udp
2021-10-15 22:04:08 us=719794   local = '[UNDEF]'
2021-10-15 22:04:08 us=719823   local_port = '[UNDEF]'
2021-10-15 22:04:08 us=719856   remote = 'cyber-mapper'
2021-10-15 22:04:08 us=719910   remote_port = '1194'
2021-10-15 22:04:08 us=719942   remote_float = DISABLED
2021-10-15 22:04:08 us=719962   bind_defined = DISABLED
2021-10-15 22:04:08 us=719983   bind_local = DISABLED
2021-10-15 22:04:08 us=720008   bind_ipv6_only = DISABLED
2021-10-15 22:04:08 us=720075   connect_retry_seconds = 5
2021-10-15 22:04:08 us=720105   connect_timeout = 120
2021-10-15 22:04:08 us=720133   socks_proxy_server = '[UNDEF]'
2021-10-15 22:04:08 us=720159   socks_proxy_port = '[UNDEF]'
2021-10-15 22:04:08 us=720190   tun_mtu = 1500
2021-10-15 22:04:08 us=720231   tun_mtu_defined = ENABLED
2021-10-15 22:04:08 us=720273   link_mtu = 1500
2021-10-15 22:04:08 us=720296   link_mtu_defined = DISABLED
2021-10-15 22:04:08 us=720316   tun_mtu_extra = 0
2021-10-15 22:04:08 us=720336   tun_mtu_extra_defined = DISABLED
2021-10-15 22:04:08 us=720356   mtu_discover_type = -1
2021-10-15 22:04:08 us=720374   fragment = 0
2021-10-15 22:04:08 us=720393   mssfix = 1450
2021-10-15 22:04:08 us=720413   explicit_exit_notification = 0
2021-10-15 22:04:08 us=720432   tls_auth_file = '[INLINE]'
2021-10-15 22:04:08 us=720451   key_direction = 1
2021-10-15 22:04:08 us=720470   tls_crypt_file = '[UNDEF]'
2021-10-15 22:04:08 us=720489   tls_crypt_v2_file = '[UNDEF]'
2021-10-15 22:04:08 us=720509 Connection profiles END
2021-10-15 22:04:08 us=720529   remote_random = DISABLED
2021-10-15 22:04:08 us=720559   ipchange = '[UNDEF]'
2021-10-15 22:04:08 us=720592   dev = 'tun'
2021-10-15 22:04:08 us=720612   dev_type = '[UNDEF]'
2021-10-15 22:04:08 us=720632   dev_node = '[UNDEF]'
2021-10-15 22:04:08 us=720651   lladdr = '[UNDEF]'
2021-10-15 22:04:08 us=720670   topology = 1
2021-10-15 22:04:08 us=720689   ifconfig_local = '[UNDEF]'
2021-10-15 22:04:08 us=720708   ifconfig_remote_netmask = '[UNDEF]'
2021-10-15 22:04:08 us=720727   ifconfig_noexec = DISABLED
2021-10-15 22:04:08 us=720746   ifconfig_nowarn = DISABLED
2021-10-15 22:04:08 us=720764   ifconfig_ipv6_local = '[UNDEF]'
2021-10-15 22:04:08 us=720783   ifconfig_ipv6_netbits = 0
2021-10-15 22:04:08 us=720801   ifconfig_ipv6_remote = '[UNDEF]'
2021-10-15 22:04:08 us=720819   shaper = 0
2021-10-15 22:04:08 us=720838   mtu_test = 0
2021-10-15 22:04:08 us=720857   mlock = DISABLED
2021-10-15 22:04:08 us=720885   keepalive_ping = 0
2021-10-15 22:04:08 us=720915   keepalive_timeout = 0
2021-10-15 22:04:08 us=720936   inactivity_timeout = 0
2021-10-15 22:04:08 us=720955   ping_send_timeout = 0
2021-10-15 22:04:08 us=720974   ping_rec_timeout = 0
2021-10-15 22:04:08 us=720992   ping_rec_timeout_action = 0
2021-10-15 22:04:08 us=721011   ping_timer_remote = DISABLED
2021-10-15 22:04:08 us=721058   remap_sigusr1 = 0
2021-10-15 22:04:08 us=721087   persist_tun = ENABLED
2021-10-15 22:04:08 us=721112   persist_local_ip = DISABLED
2021-10-15 22:04:08 us=721136   persist_remote_ip = DISABLED
2021-10-15 22:04:08 us=721160   persist_key = ENABLED
2021-10-15 22:04:08 us=721183   passtos = DISABLED
2021-10-15 22:04:08 us=721216   resolve_retry_seconds = 1000000000
2021-10-15 22:04:08 us=721243   resolve_in_advance = DISABLED
2021-10-15 22:04:08 us=721262   username = '[UNDEF]'
2021-10-15 22:04:08 us=721281   groupname = '[UNDEF]'
2021-10-15 22:04:08 us=721299   chroot_dir = '[UNDEF]'
2021-10-15 22:04:08 us=721318   cd_dir = '[UNDEF]'
2021-10-15 22:04:08 us=721336   selinux_context = '[UNDEF]'
2021-10-15 22:04:08 us=721354   writepid = '[UNDEF]'
2021-10-15 22:04:08 us=721373   up_script = '[UNDEF]'
2021-10-15 22:04:08 us=721391   down_script = '[UNDEF]'
2021-10-15 22:04:08 us=721409   down_pre = DISABLED
2021-10-15 22:04:08 us=721428   up_restart = DISABLED
2021-10-15 22:04:08 us=721447   up_delay = DISABLED
2021-10-15 22:04:08 us=721466   daemon = DISABLED
2021-10-15 22:04:08 us=721485   inetd = 0
2021-10-15 22:04:08 us=721503   log = DISABLED
2021-10-15 22:04:08 us=721532   suppress_timestamps = DISABLED
2021-10-15 22:04:08 us=721559   machine_readable_output = DISABLED
2021-10-15 22:04:08 us=721579   nice = 0
2021-10-15 22:04:08 us=721598   verbosity = 10
2021-10-15 22:04:08 us=721617   mute = 0
2021-10-15 22:04:08 us=721636   gremlin = 0
2021-10-15 22:04:08 us=721654   status_file = '[UNDEF]'
2021-10-15 22:04:08 us=721673   status_file_version = 1
2021-10-15 22:04:08 us=721692   status_file_update_freq = 60
2021-10-15 22:04:08 us=721710   occ = ENABLED
2021-10-15 22:04:08 us=721730   rcvbuf = 0
2021-10-15 22:04:08 us=721748   sndbuf = 0
2021-10-15 22:04:08 us=721767   mark = 0
2021-10-15 22:04:08 us=721786   sockflags = 0
2021-10-15 22:04:08 us=721805   fast_io = DISABLED
2021-10-15 22:04:08 us=721825   comp.alg = 0
2021-10-15 22:04:08 us=721855   comp.flags = 0
2021-10-15 22:04:08 us=721880   route_script = '[UNDEF]'
2021-10-15 22:04:08 us=721900   route_default_gateway = '[UNDEF]'
2021-10-15 22:04:08 us=721918   route_default_metric = 0
2021-10-15 22:04:08 us=721937   route_noexec = DISABLED
2021-10-15 22:04:08 us=721955   route_delay = 0
2021-10-15 22:04:08 us=721974   route_delay_window = 30
2021-10-15 22:04:08 us=721993   route_delay_defined = DISABLED
2021-10-15 22:04:08 us=722012   route_nopull = DISABLED
2021-10-15 22:04:08 us=722051   route_gateway_via_dhcp = DISABLED
2021-10-15 22:04:08 us=722073   allow_pull_fqdn = DISABLED
2021-10-15 22:04:08 us=722092   management_addr = '[UNDEF]'
2021-10-15 22:04:08 us=722111   management_port = '[UNDEF]'
2021-10-15 22:04:08 us=722130   management_user_pass = '[UNDEF]'
2021-10-15 22:04:08 us=722151   management_log_history_cache = 250
2021-10-15 22:04:08 us=722184   management_echo_buffer_size = 100
2021-10-15 22:04:08 us=722208   management_write_peer_info_file = '[UNDEF]'
2021-10-15 22:04:08 us=722227   management_client_user = '[UNDEF]'
2021-10-15 22:04:08 us=722246   management_client_group = '[UNDEF]'
2021-10-15 22:04:08 us=722265   management_flags = 0
2021-10-15 22:04:08 us=722284   shared_secret_file = '[UNDEF]'
2021-10-15 22:04:08 us=722303   key_direction = 1
2021-10-15 22:04:08 us=722322   ciphername = 'AES-256-CBC'
2021-10-15 22:04:08 us=722341   ncp_enabled = ENABLED
2021-10-15 22:04:08 us=722360   ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2021-10-15 22:04:08 us=722380   authname = 'SHA1'
2021-10-15 22:04:08 us=722399   prng_hash = 'SHA1'
2021-10-15 22:04:08 us=722418   prng_nonce_secret_len = 16
2021-10-15 22:04:08 us=722437   keysize = 0
2021-10-15 22:04:08 us=722456   engine = DISABLED
2021-10-15 22:04:08 us=722479   replay = ENABLED
2021-10-15 22:04:08 us=722512   mute_replay_warnings = DISABLED
2021-10-15 22:04:08 us=722534   replay_window = 64
2021-10-15 22:04:08 us=722553   replay_time = 15
2021-10-15 22:04:08 us=722572   packet_id_file = '[UNDEF]'
2021-10-15 22:04:08 us=722591   test_crypto = DISABLED
2021-10-15 22:04:08 us=722609   tls_server = DISABLED
2021-10-15 22:04:08 us=722628   tls_client = ENABLED
2021-10-15 22:04:08 us=722647   ca_file = 'ca.crt'
2021-10-15 22:04:08 us=722667   ca_path = '[UNDEF]'
2021-10-15 22:04:08 us=722686   dh_file = '[UNDEF]'
2021-10-15 22:04:08 us=722705   cert_file = '[UNDEF]'
2021-10-15 22:04:08 us=722724   extra_certs_file = '[UNDEF]'
2021-10-15 22:04:08 us=722743   priv_key_file = '[UNDEF]'
2021-10-15 22:04:08 us=722762   pkcs12_file = '[UNDEF]'
2021-10-15 22:04:08 us=722782   cipher_list = '[UNDEF]'
2021-10-15 22:04:08 us=722806   cipher_list_tls13 = '[UNDEF]'
2021-10-15 22:04:08 us=722837   tls_cert_profile = '[UNDEF]'
2021-10-15 22:04:08 us=722859   tls_verify = '[UNDEF]'
2021-10-15 22:04:08 us=722877   tls_export_cert = '[UNDEF]'
2021-10-15 22:04:08 us=722896   verify_x509_type = 0
2021-10-15 22:04:08 us=722915   verify_x509_name = '[UNDEF]'
2021-10-15 22:04:08 us=722934   crl_file = '[UNDEF]'
2021-10-15 22:04:08 us=722952   ns_cert_type = 0
2021-10-15 22:04:08 us=722971   remote_cert_ku[i] = 65535
2021-10-15 22:04:08 us=722990   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723009   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723042   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723073   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723102   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723132   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723165   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723186   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723205   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723223   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723242   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723262   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723290   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723320   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723348   remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723368   remote_cert_eku = 'TLS Web Server Authentication'
2021-10-15 22:04:08 us=723388   ssl_flags = 16384
2021-10-15 22:04:08 us=723406   tls_timeout = 2
2021-10-15 22:04:08 us=723425   renegotiate_bytes = -1
2021-10-15 22:04:08 us=723447   renegotiate_packets = 0
2021-10-15 22:04:08 us=723481   renegotiate_seconds = 3600
2021-10-15 22:04:08 us=723506   handshake_window = 60
2021-10-15 22:04:08 us=723525   transition_window = 3600
2021-10-15 22:04:08 us=723545   single_session = DISABLED
2021-10-15 22:04:08 us=723564   push_peer_info = DISABLED
2021-10-15 22:04:08 us=723583   tls_exit = DISABLED
2021-10-15 22:04:08 us=723601   tls_crypt_v2_metadata = '[UNDEF]'
2021-10-15 22:04:08 us=723620   pkcs11_providers = /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
2021-10-15 22:04:08 us=723640   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723659   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723678   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723696   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723715   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723733   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723753   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723775   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723807   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723830   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723849   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723867   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723887   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723905   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723922   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723938   pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723958   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=723977   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=723996   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724016   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724054   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724072   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724088   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724114   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724140   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724158   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724173   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724190   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724205   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724222   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724237   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724253   pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724269   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724285   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724301   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724317   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724334   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724349   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724365   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724382   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724398   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724418   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724451   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724484   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724510   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724535   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724561   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724585   pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724609   pkcs11_pin_cache_period = -1
2021-10-15 22:04:08 us=724635   pkcs11_id = 'STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'
2021-10-15 22:04:08 us=724660   pkcs11_id_management = DISABLED
2021-10-15 22:04:08 us=724703   server_network = 0.0.0.0
2021-10-15 22:04:08 us=724720   server_netmask = 0.0.0.0
2021-10-15 22:04:08 us=724750   server_network_ipv6 = ::
2021-10-15 22:04:08 us=724774   server_netbits_ipv6 = 0
2021-10-15 22:04:08 us=724791   server_bridge_ip = 0.0.0.0
2021-10-15 22:04:08 us=724806   server_bridge_netmask = 0.0.0.0
2021-10-15 22:04:08 us=724820   server_bridge_pool_start = 0.0.0.0
2021-10-15 22:04:08 us=724851   server_bridge_pool_end = 0.0.0.0
2021-10-15 22:04:08 us=724868   ifconfig_pool_defined = DISABLED
2021-10-15 22:04:08 us=724888   ifconfig_pool_start = 0.0.0.0
2021-10-15 22:04:08 us=724906   ifconfig_pool_end = 0.0.0.0
2021-10-15 22:04:08 us=724924   ifconfig_pool_netmask = 0.0.0.0
2021-10-15 22:04:08 us=724940   ifconfig_pool_persist_filename = '[UNDEF]'
2021-10-15 22:04:08 us=724957   ifconfig_pool_persist_refresh_freq = 600
2021-10-15 22:04:08 us=724973   ifconfig_ipv6_pool_defined = DISABLED
2021-10-15 22:04:08 us=724991   ifconfig_ipv6_pool_base = ::
2021-10-15 22:04:08 us=725007   ifconfig_ipv6_pool_netbits = 0
2021-10-15 22:04:08 us=725039   n_bcast_buf = 256
2021-10-15 22:04:08 us=725062   tcp_queue_limit = 64
2021-10-15 22:04:08 us=725079   real_hash_size = 256
2021-10-15 22:04:08 us=725099   virtual_hash_size = 256
2021-10-15 22:04:08 us=725135   client_connect_script = '[UNDEF]'
2021-10-15 22:04:08 us=725164   learn_address_script = '[UNDEF]'
2021-10-15 22:04:08 us=725187   client_disconnect_script = '[UNDEF]'
2021-10-15 22:04:08 us=725204   client_config_dir = '[UNDEF]'
2021-10-15 22:04:08 us=725221   ccd_exclusive = DISABLED
2021-10-15 22:04:08 us=725237   tmp_dir = '/tmp'
2021-10-15 22:04:08 us=725253   push_ifconfig_defined = DISABLED
2021-10-15 22:04:08 us=725272   push_ifconfig_local = 0.0.0.0
2021-10-15 22:04:08 us=725289   push_ifconfig_remote_netmask = 0.0.0.0
2021-10-15 22:04:08 us=725305   push_ifconfig_ipv6_defined = DISABLED
2021-10-15 22:04:08 us=725324   push_ifconfig_ipv6_local = ::/0
2021-10-15 22:04:08 us=725340   push_ifconfig_ipv6_remote = ::
2021-10-15 22:04:08 us=725372   enable_c2c = DISABLED
2021-10-15 22:04:08 us=725393   duplicate_cn = DISABLED
2021-10-15 22:04:08 us=725407   cf_max = 0
2021-10-15 22:04:08 us=725420   cf_per = 0
2021-10-15 22:04:08 us=725433   max_clients = 1024
2021-10-15 22:04:08 us=725446   max_routes_per_client = 256
2021-10-15 22:04:08 us=725459   auth_user_pass_verify_script = '[UNDEF]'
2021-10-15 22:04:08 us=725472   auth_user_pass_verify_script_via_file = DISABLED
2021-10-15 22:04:08 us=725486   auth_token_generate = DISABLED
2021-10-15 22:04:08 us=725499   auth_token_lifetime = 0
2021-10-15 22:04:08 us=725511   auth_token_secret_file = '[UNDEF]'
2021-10-15 22:04:08 us=725525   port_share_host = '[UNDEF]'
2021-10-15 22:04:08 us=725537   port_share_port = '[UNDEF]'
2021-10-15 22:04:08 us=725550   vlan_tagging = DISABLED
2021-10-15 22:04:08 us=725563   vlan_accept = all
2021-10-15 22:04:08 us=725576   vlan_pvid = 1
2021-10-15 22:04:08 us=725589   client = ENABLED
2021-10-15 22:04:08 us=725601   pull = ENABLED
2021-10-15 22:04:08 us=725614   auth_user_pass_file = '[UNDEF]'
2021-10-15 22:04:08 us=725630 OpenVPN 2.5.4 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct  5 2021
2021-10-15 22:04:08 us=725658 library versions: OpenSSL 1.1.1l  FIPS 24 Aug 2021, LZO 2.10
2021-10-15 22:04:08 us=725739 PKCS#11: pkcs11_initialize - entered
2021-10-15 22:04:08 us=725775 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
2021-10-15 22:04:08 us=725790 PKCS#11: pkcs11_addProvider - entered - provider='/usr/lib64/pkcs11/libtpm2_pkcs11.so.0', private_mode=00000000
2021-10-15 22:04:08 us=725804 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
2021-10-15 22:04:08 us=725836 PKCS#11: pkcs11h_addProvider entry version='1.27.0', pid=30916, reference='/usr/lib64/pkcs11/libtpm2_pkcs11.so.0', provider_location='/usr/lib64/pkcs11/libtpm2_pkcs11.so.0', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
2021-10-15 22:04:08 us=731037 PKCS#11: Adding provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'-'/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
ERROR: Listing FAPI token objects failed.
2021-10-15 22:04:08 us=849957 PKCS#11: pkcs11h_addProvider Provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0' manufacturerID 'tpm2-software.github.io'
2021-10-15 22:04:08 us=849994 PKCS#11: _pkcs11h_slotevent_notify entry
2021-10-15 22:04:08 us=850009 PKCS#11: _pkcs11h_slotevent_notify return
2021-10-15 22:04:08 us=850037 PKCS#11: Provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0' added rv=0-'CKR_OK'
2021-10-15 22:04:08 us=850052 PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=850066 PKCS#11: pkcs11_addProvider - return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=850103 PO_INIT maxevents=4 flags=0x00000002
2021-10-15 22:04:08 us=850899 PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=0x7ffdeeac20d0, pkcs11_id_management=0, pkcs11_id='STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'
2021-10-15 22:04:08 us=850918 PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=0x7ffdeeabef08, sz='STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'
2021-10-15 22:04:08 us=850931 PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffdeeabeeb8
2021-10-15 22:04:08 us=850946 PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x5607f064cc10
2021-10-15 22:04:08 us=850960 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x5607f064cc10
2021-10-15 22:04:08 us=850975 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064d040
2021-10-15 22:04:08 us=850991 PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=0x5607f064cc10, sz='STMicro//0000000000000000/tpm2_test'
2021-10-15 22:04:08 us=851006 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdeeabee08
2021-10-15 22:04:08 us=851035 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064d4b0
2021-10-15 22:04:08 us=851054 PKCS#11: pkcs11h_token_deserializeTokenId return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851076 PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851093 PKCS#11: pkcs11h_certificate_create entry certificate_id=0x5607f064cc10, user_data=(nil), mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffdeeabef00
2021-10-15 22:04:08 us=851109 PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5607f064d940 form=0x5607f064cc10
2021-10-15 22:04:08 us=851126 PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5607f064d9d0
2021-10-15 22:04:08 us=851141 PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x5607f064e210, p_session=0x5607f064d950
2021-10-15 22:04:08 us=851156 PKCS#11: Creating a new session
2021-10-15 22:04:08 us=851171 PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5607f064b758 form=0x5607f064e210
2021-10-15 22:04:08 us=851186 PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5607f064e680
2021-10-15 22:04:08 us=851202 PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5607f064b740
2021-10-15 22:04:08 us=851216 PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x5607f064d940
2021-10-15 22:04:08 us=851231 PKCS#11: pkcs11h_openssl_createSession - entry
2021-10-15 22:04:08 us=851245 PKCS#11: pkcs11h_openssl_createSession - return openssl_session=0x5607f0643920
2021-10-15 22:04:08 us=851260 PKCS#11: pkcs11h_openssl_session_getEVP - entry openssl_session=0x5607f0643920
2021-10-15 22:04:08 us=851275 PKCS#11: pkcs11h_openssl_session_getX509 - entry openssl_session=0x5607f0643920
2021-10-15 22:04:08 us=851289 PKCS#11: pkcs11h_openssl_getX509 - entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851321 PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5607f064d940, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
2021-10-15 22:04:08 us=851337 PKCS#11: __pkcs11h_certificate_loadCertificate entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851352 PKCS#11: _pkcs11h_session_validate entry session=0x5607f064b740
2021-10-15 22:04:08 us=851365 PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
2021-10-15 22:04:08 us=851379 PKCS#11: __pkcs11h_certificate_loadCertificate return rv=179-'CKR_SESSION_HANDLE_INVALID'
2021-10-15 22:04:08 us=851395 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=0x5607f064d940, public_only=1, session_mutex_locked=0
2021-10-15 22:04:08 us=851411 PKCS#11: _pkcs11h_session_login entry session=0x5607f064b740, is_publicOnly=1, readonly=1, user_data=(nil), mask_prompt=00000003
2021-10-15 22:04:08 us=851428 PKCS#11: _pkcs11h_session_logout entry session=0x5607f064b740
2021-10-15 22:04:08 us=851442 PKCS#11: _pkcs11h_session_logout return
2021-10-15 22:04:08 us=851457 PKCS#11: _pkcs11h_session_reset entry session=0x5607f064b740, user_data=(nil), mask_prompt=00000003, p_slot=0x7ffdeeabe8b8
2021-10-15 22:04:08 us=851472 PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='STMicro' model='', serialNumber='0000000000000000', label='tpm2_test'
2021-10-15 22:04:08 us=851486 PKCS#11: _pkcs11h_session_getSlotList entry provider=0x5607f05eeb70, token_present=1, pSlotList=0x7ffdeeabe770, pulCount=0x7ffdeeabe768
2021-10-15 22:04:08 us=851503 PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
2021-10-15 22:04:08 us=851524 PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdeeabe778
2021-10-15 22:04:08 us=851539 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdeeabe700
2021-10-15 22:04:08 us=851559 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064ec40
2021-10-15 22:04:08 us=851574 PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064ec40
2021-10-15 22:04:08 us=851589 PKCS#11: _pkcs11h_session_reset Found token manufacturerID='STMicro' model='', serialNumber='0000000000000000', label='tpm2_test'
2021-10-15 22:04:08 us=851604 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5607f064ec40
2021-10-15 22:04:08 us=851618 PKCS#11: pkcs11h_token_freeTokenId return
2021-10-15 22:04:08 us=851631 PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1
2021-10-15 22:04:08 us=851646 PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851659 PKCS#11: _pkcs11h_certificate_resetSession return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851672 PKCS#11: __pkcs11h_certificate_loadCertificate entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851686 PKCS#11: _pkcs11h_session_validate entry session=0x5607f064b740
2021-10-15 22:04:08 us=851700 PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1634328248
2021-10-15 22:04:08 us=851714 PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851728 PKCS#11: _pkcs11h_session_findObjects entry session=0x5607f064b740, filter=0x7ffdeeabede0, filter_attrs=2, p_objects=0x7ffdeeabeda0, p_objects_found=0x7ffdeeabeda8
2021-10-15 22:04:08 us=851747 PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0
2021-10-15 22:04:08 us=851763 PKCS#11: __pkcs11h_certificate_loadCertificate return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
2021-10-15 22:04:08 us=851777 PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
2021-10-15 22:04:08 us=851800 PKCS#11: pkcs11h_openssl_getX509 - return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID', x509=(nil)
2021-10-15 22:04:08 us=851815 PKCS#11: Cannot get certificate object
2021-10-15 22:04:08 us=851828 PKCS#11: pkcs11h_openssl_session_getX509 - return x509=(nil)
2021-10-15 22:04:08 us=851841 PKCS#11: Cannot get certificate object
2021-10-15 22:04:08 us=851855 PKCS#11: pkcs11h_openssl_session_getEVP - return ret=(nil)
2021-10-15 22:04:08 us=851868 PKCS#11: Unable get evp object
2021-10-15 22:04:08 us=851881 PKCS#11: pkcs11h_openssl_freeSession - entry openssl_session=0x5607f0643920, count=1
2021-10-15 22:04:08 us=851896 PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851910 PKCS#11: _pkcs11h_session_release entry session=0x5607f064b740
2021-10-15 22:04:08 us=851923 PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851937 PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5607f064d9d0
2021-10-15 22:04:08 us=851950 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5607f064e210
2021-10-15 22:04:08 us=851963 PKCS#11: pkcs11h_token_freeTokenId return
2021-10-15 22:04:08 us=851977 PKCS#11: pkcs11h_certificate_freeCertificateId return
2021-10-15 22:04:08 us=851990 PKCS#11: pkcs11h_certificate_freeCertificate return
2021-10-15 22:04:08 us=852003 PKCS#11: pkcs11h_openssl_freeSession - return
2021-10-15 22:04:08 us=852017 PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5607f064cc10
2021-10-15 22:04:08 us=852038 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5607f064d4b0
2021-10-15 22:04:08 us=852052 PKCS#11: pkcs11h_token_freeTokenId return
2021-10-15 22:04:08 us=852066 PKCS#11: pkcs11h_certificate_freeCertificateId return
2021-10-15 22:04:08 us=852079 PKCS#11: tls_ctx_use_pkcs11 - return ok=0, rv=0
2021-10-15 22:04:08 us=852093 Cannot load certificate "STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420" using PKCS#11 interface
2021-10-15 22:04:08 us=852115 Error: private key password verification failed
2021-10-15 22:04:08 us=852141 Exiting due to fatal error
alonbl commented 3 years ago

The problem is not with the id but with the structure of the token.

2021-10-15 22:04:08 us=851747 PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0

Please send me the output of:

pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-objects --login
kuba00739 commented 3 years ago

pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-objects --login

ERROR: Listing FAPI token objects failed.
Cryptoki version 2.40
Manufacturer     tpm2-software.github.io
Library          TPM2.0 Cryptoki (ver 0.0)
Using slot 0 with a present token (0x1)
Logging in to "tpm2_test".
Please enter User PIN: 
Private Key Object; RSA 
  label:      
  ID:         66653033656635623035633335343230
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable, local
  Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS
Public Key Object; RSA 2048 bits
  label:      
  ID:         66653033656635623035633335343230
  Usage:      encrypt, verify
  Access:     local
Certificate Object; type = X.509 cert
  label:      
  subject:    DN: C=PL, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST/emailAddress=test@test.com
  ID:         66653033656635623035633335343230

I had run it before, but nothing had raised my suspicion.

alonbl commented 3 years ago

Where have you got the fe03ef5b05c35420 that you specify in the identity?

2021-10-15 22:04:08 us=724635   pkcs11_id = 'STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'

The certificate object is missing a label which is the attribute based on which the certificate is located.

kuba00739 commented 3 years ago

I have used openvpn --show-pkcs11-ids /usr/lib64/pkcs11/libtpm2_pkcs11.so:

ERROR: Listing FAPI token objects failed.

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             C=PL, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST, emailAddress=test@test.com
       Serial:         9882C1C7D8B97B690E7E4F7AE2793158
       Serialized id:  pkcs11:model=;token=tpm2_test;manufacturer=STMicro;serial=0000000000000000;id=fe03ef5b05c35420

Using this format resulted in Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID', so I switched to the other one.

kuba00739 commented 3 years ago

Maybe I can add a label using tpm2_ptool objmod --id 3?

0: 1
1: true
2: false
3: ''
17: …
128: 0
129: 300d310b300906035504030c02504c
130: 0211009882c1c7d8b97b690e7e4f7ae2793158
134: false
135: 0
136: 0
137: ''
138: ''
139: ''
140: 544
144: 78e29b
257: 3076310b300906035504061302504c310d300b06035504080c0454455354310d300b06035504070c0454455354310d300b060355040a0c0454455354310d300b060355040b0c0454455354310d300b06035504030c0454455354311c301a06092a864886f70d010901160d7465737440746573742e636f6d
258: '66653033656635623035633335343230'
272: ''
273: ''
297: ''
368: false
369: false
370: true
selvanair commented 3 years ago

It seems the serial and id printed by patched OpenVPN (with pkcs11 uri) is wrong. Can you try with an unpatched pkcs11-helper library. It's most likely binary compatible, so rebuilding OpenVPN may not be required.

alonbl commented 3 years ago

This is the buggy patch of Fedora, I do not know where they get this id from and what they are doing with it.

Please use vanilla pkcs11-helper if you want to see the real id.

You should try STMicro//0000000000000000/tpm2_test/66653033656635623035633335343230

The last part of the string is bin2hex of CKA_ID.

Or better is to execute openvpn with --show-pkcs11-ids and with debug and extract the real id from the debug log.

selvanair commented 3 years ago

Looks like the uri patch cannot handle such long ids -- strange that it converts that id to 'fe03ef5b05c35420'

kuba00739 commented 3 years ago

> This is the buggy patch of Fedora, I do not know where they get this id from and what they are doing with it.
>
> Please use vanilla pkcs11-helper if you want to see the real id.
>
> You should try STMicro//0000000000000000/tpm2_test/66653033656635623035633335343230
>
> The last part of the string is bin2hex of CKA_ID.
>
> Or better is to execute openvpn with --show-pkcs11-ids and with debug and extract the real id from the debug log.

Thank you! Now it does finally work (it errors on the self-signed certificate on the server side, so I think it works as intended).

Thank you for your help!

selvanair commented 3 years ago

> Looks like the uri patch cannot handle such long ids -- strange that it converts that id to 'fe03ef5b05c35420'

FWIW, that ID is the same 16 byte value with each byte written in ascii (0x66='f', 0x65='e' ... 0x30='0'). But it fails to parse back the uri as model is empty. For some reason the uri patch wants all fields to be non-empty. Anyway, irrelevant here, just saying.
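The following script is an added illustration of the point made in this thread; it is not code from pkcs11-helper, OpenVPN or the Fedora patch. It parses both identifier forms that appear above, the legacy `manufacturer/model/serial/token/hex(CKA_ID)` string that vanilla pkcs11-helper accepts and the `pkcs11:` URI printed by the patched build, and shows that `66653033656635623035633335343230` and `fe03ef5b05c35420` are the same 16 CKA_ID bytes, one written as hex and the other as the bytes' ASCII value. It assumes the legacy fields contain no escaped separator characters (pkcs11-helper escapes special characters in those fields; the values in this thread have none) and that URI attributes are percent-encoded as in RFC 7512; the field order for the legacy form is taken from the log lines above.

```python
"""Relate the two pkcs11-helper object identifiers seen in this thread.

Added example, not project code. Parsing assumes the legacy form is exactly
manufacturer/model/serial/token/hex(CKA_ID) with no escaped '/' inside the
fields (assumption; true for the values quoted in the thread).
"""
from urllib.parse import quote, unquote, unquote_to_bytes

# Constructed inputs, copied from the log lines in this thread.
LEGACY_ID = "STMicro//0000000000000000/tpm2_test/66653033656635623035633335343230"
URI_ID = ("pkcs11:model=;token=tpm2_test;manufacturer=STMicro;"
          "serial=0000000000000000;id=fe03ef5b05c35420")

FIELDS = ("manufacturer", "model", "serial", "token")


def parse_legacy(serialized: str) -> dict:
    """Split the legacy pkcs11-helper certificate id into its parts.

    The last component is bin2hex(CKA_ID), so it is decoded back to bytes.
    """
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError(f"expected 5 '/'-separated fields, got {len(parts)}")
    fields = dict(zip(FIELDS, parts[:4]))
    fields["id"] = bytes.fromhex(parts[4])  # raises on non-hex input
    return fields


def parse_uri(uri: str) -> dict:
    """Parse a pkcs11: URI (RFC 7512 subset: ';'-separated path attributes).

    'id' is a binary attribute, so it is percent-decoded to bytes; the
    textual attributes are percent-decoded to str. Missing attributes are
    treated as empty, which is how the URI above expresses an empty model.
    """
    scheme, sep, body = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in body.split(";"):
        key, _, value = part.partition("=")
        attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    if "id" not in attrs:
        raise ValueError("URI carries no id attribute")
    fields = {name: attrs.get(name, "") for name in FIELDS}
    fields["id"] = attrs["id"]
    return fields


def to_legacy(fields: dict) -> str:
    """Build the form vanilla pkcs11-helper expects: CKA_ID as hex."""
    return "/".join([fields[name] for name in FIELDS] + [fields["id"].hex()])


def to_uri(fields: dict) -> str:
    """Build an RFC 7512 URI, percent-encoding every CKA_ID byte.

    Encoding all id bytes (rather than only the non-printable ones) keeps
    the result unambiguous; RFC 7512 permits %HH for any byte.
    """
    pct_id = "".join(f"%{b:02x}" for b in fields["id"])
    return ("pkcs11:"
            f"model={quote(fields['model'], safe='')};"
            f"token={quote(fields['token'], safe='')};"
            f"manufacturer={quote(fields['manufacturer'], safe='')};"
            f"serial={quote(fields['serial'], safe='')};"
            f"id={pct_id}")


def same_object(legacy: str, uri: str) -> bool:
    """True when both identifiers name the same token and CKA_ID."""
    return parse_legacy(legacy) == parse_uri(uri)


if __name__ == "__main__":
    legacy = parse_legacy(LEGACY_ID)
    print("CKA_ID bytes:", legacy["id"])          # b'fe03ef5b05c35420'
    print("same object:", same_object(LEGACY_ID, URI_ID))
    print("legacy from URI:", to_legacy(parse_uri(URI_ID)))
    print("URI from legacy:", to_uri(legacy))
```

Run it as a script to see the round trip; `to_legacy(parse_uri(...))` is the conversion the reporter needed by hand, and `parse_uri` accepting an empty `model=` is the case selvanair notes the URI patch rejects.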