Closed kuba00739 closed 3 years ago
Hi,
I see this is a patched pkcs11-helper which I do not support. But please provide the debug log so I can see if something in the core went wrong.
Please also provide the output of:
pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-token-slots
Alon
Hi,
thank you for your reply.
Here's the output:
pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-token-slots
ERROR: Listing FAPI token objects failed.
Cryptoki version 2.40
Manufacturer tpm2-software.github.io
Library TPM2.0 Cryptoki (ver 0.0)
Available slots:
Slot 0 (0x1): tpm2_test
token label : tpm2_test
token manufacturer : STMicro
token model :
token flags : login required, rng, token initialized, PIN initialized
hardware version : 1.16
firmware version : 71.12
serial num : 0000000000000000
pin min/max : 0/128
Slot 1 (0x2):
token state: uninitialized
Using slot 0 with a present token (0x1)
After some debugging I have found out that:
Curl seems to work fine with this certificate
pkcs11-tool can export this certificate without any form of authentication
Passing --pkcs11-cert-private 1 doesn't change much
I use the standard Fedora pkcs11-helper-1.27.0-3.fc34.rpm package because all the issues from https://github.com/tpm2-software/tpm2-pkcs11/blob/master/docs/OPENVPN.md seem to be patched. Maybe this is my mistake?
Indeed the model is empty, while a well-behaved provider should have something to tell. But I do not think this is the problem.
I believe fedora patches my library with some pkcs11 uri support which is buggy.
Please send me the debug log of openvpn.
Here it comes:
openvpn --config client.conf --verb 10
2021-10-15 22:04:08 us=718471 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-10-15 22:04:08 us=719380 Current Parameter Settings:
2021-10-15 22:04:08 us=719466 config = 'client.conf'
2021-10-15 22:04:08 us=719506 mode = 0
2021-10-15 22:04:08 us=719531 persist_config = DISABLED
2021-10-15 22:04:08 us=719554 persist_mode = 1
2021-10-15 22:04:08 us=719576 show_ciphers = DISABLED
2021-10-15 22:04:08 us=719598 show_digests = DISABLED
2021-10-15 22:04:08 us=719619 show_engines = DISABLED
2021-10-15 22:04:08 us=719639 genkey = DISABLED
2021-10-15 22:04:08 us=719660 genkey_filename = '[UNDEF]'
2021-10-15 22:04:08 us=719680 key_pass_file = '[UNDEF]'
2021-10-15 22:04:08 us=719699 show_tls_ciphers = DISABLED
2021-10-15 22:04:08 us=719719 connect_retry_max = 0
2021-10-15 22:04:08 us=719742 Connection profiles [0]:
2021-10-15 22:04:08 us=719765 proto = udp
2021-10-15 22:04:08 us=719794 local = '[UNDEF]'
2021-10-15 22:04:08 us=719823 local_port = '[UNDEF]'
2021-10-15 22:04:08 us=719856 remote = 'cyber-mapper'
2021-10-15 22:04:08 us=719910 remote_port = '1194'
2021-10-15 22:04:08 us=719942 remote_float = DISABLED
2021-10-15 22:04:08 us=719962 bind_defined = DISABLED
2021-10-15 22:04:08 us=719983 bind_local = DISABLED
2021-10-15 22:04:08 us=720008 bind_ipv6_only = DISABLED
2021-10-15 22:04:08 us=720075 connect_retry_seconds = 5
2021-10-15 22:04:08 us=720105 connect_timeout = 120
2021-10-15 22:04:08 us=720133 socks_proxy_server = '[UNDEF]'
2021-10-15 22:04:08 us=720159 socks_proxy_port = '[UNDEF]'
2021-10-15 22:04:08 us=720190 tun_mtu = 1500
2021-10-15 22:04:08 us=720231 tun_mtu_defined = ENABLED
2021-10-15 22:04:08 us=720273 link_mtu = 1500
2021-10-15 22:04:08 us=720296 link_mtu_defined = DISABLED
2021-10-15 22:04:08 us=720316 tun_mtu_extra = 0
2021-10-15 22:04:08 us=720336 tun_mtu_extra_defined = DISABLED
2021-10-15 22:04:08 us=720356 mtu_discover_type = -1
2021-10-15 22:04:08 us=720374 fragment = 0
2021-10-15 22:04:08 us=720393 mssfix = 1450
2021-10-15 22:04:08 us=720413 explicit_exit_notification = 0
2021-10-15 22:04:08 us=720432 tls_auth_file = '[INLINE]'
2021-10-15 22:04:08 us=720451 key_direction = 1
2021-10-15 22:04:08 us=720470 tls_crypt_file = '[UNDEF]'
2021-10-15 22:04:08 us=720489 tls_crypt_v2_file = '[UNDEF]'
2021-10-15 22:04:08 us=720509 Connection profiles END
2021-10-15 22:04:08 us=720529 remote_random = DISABLED
2021-10-15 22:04:08 us=720559 ipchange = '[UNDEF]'
2021-10-15 22:04:08 us=720592 dev = 'tun'
2021-10-15 22:04:08 us=720612 dev_type = '[UNDEF]'
2021-10-15 22:04:08 us=720632 dev_node = '[UNDEF]'
2021-10-15 22:04:08 us=720651 lladdr = '[UNDEF]'
2021-10-15 22:04:08 us=720670 topology = 1
2021-10-15 22:04:08 us=720689 ifconfig_local = '[UNDEF]'
2021-10-15 22:04:08 us=720708 ifconfig_remote_netmask = '[UNDEF]'
2021-10-15 22:04:08 us=720727 ifconfig_noexec = DISABLED
2021-10-15 22:04:08 us=720746 ifconfig_nowarn = DISABLED
2021-10-15 22:04:08 us=720764 ifconfig_ipv6_local = '[UNDEF]'
2021-10-15 22:04:08 us=720783 ifconfig_ipv6_netbits = 0
2021-10-15 22:04:08 us=720801 ifconfig_ipv6_remote = '[UNDEF]'
2021-10-15 22:04:08 us=720819 shaper = 0
2021-10-15 22:04:08 us=720838 mtu_test = 0
2021-10-15 22:04:08 us=720857 mlock = DISABLED
2021-10-15 22:04:08 us=720885 keepalive_ping = 0
2021-10-15 22:04:08 us=720915 keepalive_timeout = 0
2021-10-15 22:04:08 us=720936 inactivity_timeout = 0
2021-10-15 22:04:08 us=720955 ping_send_timeout = 0
2021-10-15 22:04:08 us=720974 ping_rec_timeout = 0
2021-10-15 22:04:08 us=720992 ping_rec_timeout_action = 0
2021-10-15 22:04:08 us=721011 ping_timer_remote = DISABLED
2021-10-15 22:04:08 us=721058 remap_sigusr1 = 0
2021-10-15 22:04:08 us=721087 persist_tun = ENABLED
2021-10-15 22:04:08 us=721112 persist_local_ip = DISABLED
2021-10-15 22:04:08 us=721136 persist_remote_ip = DISABLED
2021-10-15 22:04:08 us=721160 persist_key = ENABLED
2021-10-15 22:04:08 us=721183 passtos = DISABLED
2021-10-15 22:04:08 us=721216 resolve_retry_seconds = 1000000000
2021-10-15 22:04:08 us=721243 resolve_in_advance = DISABLED
2021-10-15 22:04:08 us=721262 username = '[UNDEF]'
2021-10-15 22:04:08 us=721281 groupname = '[UNDEF]'
2021-10-15 22:04:08 us=721299 chroot_dir = '[UNDEF]'
2021-10-15 22:04:08 us=721318 cd_dir = '[UNDEF]'
2021-10-15 22:04:08 us=721336 selinux_context = '[UNDEF]'
2021-10-15 22:04:08 us=721354 writepid = '[UNDEF]'
2021-10-15 22:04:08 us=721373 up_script = '[UNDEF]'
2021-10-15 22:04:08 us=721391 down_script = '[UNDEF]'
2021-10-15 22:04:08 us=721409 down_pre = DISABLED
2021-10-15 22:04:08 us=721428 up_restart = DISABLED
2021-10-15 22:04:08 us=721447 up_delay = DISABLED
2021-10-15 22:04:08 us=721466 daemon = DISABLED
2021-10-15 22:04:08 us=721485 inetd = 0
2021-10-15 22:04:08 us=721503 log = DISABLED
2021-10-15 22:04:08 us=721532 suppress_timestamps = DISABLED
2021-10-15 22:04:08 us=721559 machine_readable_output = DISABLED
2021-10-15 22:04:08 us=721579 nice = 0
2021-10-15 22:04:08 us=721598 verbosity = 10
2021-10-15 22:04:08 us=721617 mute = 0
2021-10-15 22:04:08 us=721636 gremlin = 0
2021-10-15 22:04:08 us=721654 status_file = '[UNDEF]'
2021-10-15 22:04:08 us=721673 status_file_version = 1
2021-10-15 22:04:08 us=721692 status_file_update_freq = 60
2021-10-15 22:04:08 us=721710 occ = ENABLED
2021-10-15 22:04:08 us=721730 rcvbuf = 0
2021-10-15 22:04:08 us=721748 sndbuf = 0
2021-10-15 22:04:08 us=721767 mark = 0
2021-10-15 22:04:08 us=721786 sockflags = 0
2021-10-15 22:04:08 us=721805 fast_io = DISABLED
2021-10-15 22:04:08 us=721825 comp.alg = 0
2021-10-15 22:04:08 us=721855 comp.flags = 0
2021-10-15 22:04:08 us=721880 route_script = '[UNDEF]'
2021-10-15 22:04:08 us=721900 route_default_gateway = '[UNDEF]'
2021-10-15 22:04:08 us=721918 route_default_metric = 0
2021-10-15 22:04:08 us=721937 route_noexec = DISABLED
2021-10-15 22:04:08 us=721955 route_delay = 0
2021-10-15 22:04:08 us=721974 route_delay_window = 30
2021-10-15 22:04:08 us=721993 route_delay_defined = DISABLED
2021-10-15 22:04:08 us=722012 route_nopull = DISABLED
2021-10-15 22:04:08 us=722051 route_gateway_via_dhcp = DISABLED
2021-10-15 22:04:08 us=722073 allow_pull_fqdn = DISABLED
2021-10-15 22:04:08 us=722092 management_addr = '[UNDEF]'
2021-10-15 22:04:08 us=722111 management_port = '[UNDEF]'
2021-10-15 22:04:08 us=722130 management_user_pass = '[UNDEF]'
2021-10-15 22:04:08 us=722151 management_log_history_cache = 250
2021-10-15 22:04:08 us=722184 management_echo_buffer_size = 100
2021-10-15 22:04:08 us=722208 management_write_peer_info_file = '[UNDEF]'
2021-10-15 22:04:08 us=722227 management_client_user = '[UNDEF]'
2021-10-15 22:04:08 us=722246 management_client_group = '[UNDEF]'
2021-10-15 22:04:08 us=722265 management_flags = 0
2021-10-15 22:04:08 us=722284 shared_secret_file = '[UNDEF]'
2021-10-15 22:04:08 us=722303 key_direction = 1
2021-10-15 22:04:08 us=722322 ciphername = 'AES-256-CBC'
2021-10-15 22:04:08 us=722341 ncp_enabled = ENABLED
2021-10-15 22:04:08 us=722360 ncp_ciphers = 'AES-256-GCM:AES-128-GCM:AES-256-CBC'
2021-10-15 22:04:08 us=722380 authname = 'SHA1'
2021-10-15 22:04:08 us=722399 prng_hash = 'SHA1'
2021-10-15 22:04:08 us=722418 prng_nonce_secret_len = 16
2021-10-15 22:04:08 us=722437 keysize = 0
2021-10-15 22:04:08 us=722456 engine = DISABLED
2021-10-15 22:04:08 us=722479 replay = ENABLED
2021-10-15 22:04:08 us=722512 mute_replay_warnings = DISABLED
2021-10-15 22:04:08 us=722534 replay_window = 64
2021-10-15 22:04:08 us=722553 replay_time = 15
2021-10-15 22:04:08 us=722572 packet_id_file = '[UNDEF]'
2021-10-15 22:04:08 us=722591 test_crypto = DISABLED
2021-10-15 22:04:08 us=722609 tls_server = DISABLED
2021-10-15 22:04:08 us=722628 tls_client = ENABLED
2021-10-15 22:04:08 us=722647 ca_file = 'ca.crt'
2021-10-15 22:04:08 us=722667 ca_path = '[UNDEF]'
2021-10-15 22:04:08 us=722686 dh_file = '[UNDEF]'
2021-10-15 22:04:08 us=722705 cert_file = '[UNDEF]'
2021-10-15 22:04:08 us=722724 extra_certs_file = '[UNDEF]'
2021-10-15 22:04:08 us=722743 priv_key_file = '[UNDEF]'
2021-10-15 22:04:08 us=722762 pkcs12_file = '[UNDEF]'
2021-10-15 22:04:08 us=722782 cipher_list = '[UNDEF]'
2021-10-15 22:04:08 us=722806 cipher_list_tls13 = '[UNDEF]'
2021-10-15 22:04:08 us=722837 tls_cert_profile = '[UNDEF]'
2021-10-15 22:04:08 us=722859 tls_verify = '[UNDEF]'
2021-10-15 22:04:08 us=722877 tls_export_cert = '[UNDEF]'
2021-10-15 22:04:08 us=722896 verify_x509_type = 0
2021-10-15 22:04:08 us=722915 verify_x509_name = '[UNDEF]'
2021-10-15 22:04:08 us=722934 crl_file = '[UNDEF]'
2021-10-15 22:04:08 us=722952 ns_cert_type = 0
2021-10-15 22:04:08 us=722971 remote_cert_ku[i] = 65535
2021-10-15 22:04:08 us=722990 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723009 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723042 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723073 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723102 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723132 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723165 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723186 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723205 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723223 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723242 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723262 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723290 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723320 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723348 remote_cert_ku[i] = 0
2021-10-15 22:04:08 us=723368 remote_cert_eku = 'TLS Web Server Authentication'
2021-10-15 22:04:08 us=723388 ssl_flags = 16384
2021-10-15 22:04:08 us=723406 tls_timeout = 2
2021-10-15 22:04:08 us=723425 renegotiate_bytes = -1
2021-10-15 22:04:08 us=723447 renegotiate_packets = 0
2021-10-15 22:04:08 us=723481 renegotiate_seconds = 3600
2021-10-15 22:04:08 us=723506 handshake_window = 60
2021-10-15 22:04:08 us=723525 transition_window = 3600
2021-10-15 22:04:08 us=723545 single_session = DISABLED
2021-10-15 22:04:08 us=723564 push_peer_info = DISABLED
2021-10-15 22:04:08 us=723583 tls_exit = DISABLED
2021-10-15 22:04:08 us=723601 tls_crypt_v2_metadata = '[UNDEF]'
2021-10-15 22:04:08 us=723620 pkcs11_providers = /usr/lib64/pkcs11/libtpm2_pkcs11.so.0
2021-10-15 22:04:08 us=723640 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723659 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723678 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723696 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723715 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723733 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723753 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723775 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723807 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723830 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723849 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723867 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723887 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723905 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723922 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723938 pkcs11_protected_authentication = DISABLED
2021-10-15 22:04:08 us=723958 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=723977 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=723996 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724016 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724054 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724072 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724088 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724114 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724140 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724158 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724173 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724190 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724205 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724222 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724237 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724253 pkcs11_private_mode = 00000000
2021-10-15 22:04:08 us=724269 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724285 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724301 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724317 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724334 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724349 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724365 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724382 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724398 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724418 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724451 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724484 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724510 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724535 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724561 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724585 pkcs11_cert_private = DISABLED
2021-10-15 22:04:08 us=724609 pkcs11_pin_cache_period = -1
2021-10-15 22:04:08 us=724635 pkcs11_id = 'STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'
2021-10-15 22:04:08 us=724660 pkcs11_id_management = DISABLED
2021-10-15 22:04:08 us=724703 server_network = 0.0.0.0
2021-10-15 22:04:08 us=724720 server_netmask = 0.0.0.0
2021-10-15 22:04:08 us=724750 server_network_ipv6 = ::
2021-10-15 22:04:08 us=724774 server_netbits_ipv6 = 0
2021-10-15 22:04:08 us=724791 server_bridge_ip = 0.0.0.0
2021-10-15 22:04:08 us=724806 server_bridge_netmask = 0.0.0.0
2021-10-15 22:04:08 us=724820 server_bridge_pool_start = 0.0.0.0
2021-10-15 22:04:08 us=724851 server_bridge_pool_end = 0.0.0.0
2021-10-15 22:04:08 us=724868 ifconfig_pool_defined = DISABLED
2021-10-15 22:04:08 us=724888 ifconfig_pool_start = 0.0.0.0
2021-10-15 22:04:08 us=724906 ifconfig_pool_end = 0.0.0.0
2021-10-15 22:04:08 us=724924 ifconfig_pool_netmask = 0.0.0.0
2021-10-15 22:04:08 us=724940 ifconfig_pool_persist_filename = '[UNDEF]'
2021-10-15 22:04:08 us=724957 ifconfig_pool_persist_refresh_freq = 600
2021-10-15 22:04:08 us=724973 ifconfig_ipv6_pool_defined = DISABLED
2021-10-15 22:04:08 us=724991 ifconfig_ipv6_pool_base = ::
2021-10-15 22:04:08 us=725007 ifconfig_ipv6_pool_netbits = 0
2021-10-15 22:04:08 us=725039 n_bcast_buf = 256
2021-10-15 22:04:08 us=725062 tcp_queue_limit = 64
2021-10-15 22:04:08 us=725079 real_hash_size = 256
2021-10-15 22:04:08 us=725099 virtual_hash_size = 256
2021-10-15 22:04:08 us=725135 client_connect_script = '[UNDEF]'
2021-10-15 22:04:08 us=725164 learn_address_script = '[UNDEF]'
2021-10-15 22:04:08 us=725187 client_disconnect_script = '[UNDEF]'
2021-10-15 22:04:08 us=725204 client_config_dir = '[UNDEF]'
2021-10-15 22:04:08 us=725221 ccd_exclusive = DISABLED
2021-10-15 22:04:08 us=725237 tmp_dir = '/tmp'
2021-10-15 22:04:08 us=725253 push_ifconfig_defined = DISABLED
2021-10-15 22:04:08 us=725272 push_ifconfig_local = 0.0.0.0
2021-10-15 22:04:08 us=725289 push_ifconfig_remote_netmask = 0.0.0.0
2021-10-15 22:04:08 us=725305 push_ifconfig_ipv6_defined = DISABLED
2021-10-15 22:04:08 us=725324 push_ifconfig_ipv6_local = ::/0
2021-10-15 22:04:08 us=725340 push_ifconfig_ipv6_remote = ::
2021-10-15 22:04:08 us=725372 enable_c2c = DISABLED
2021-10-15 22:04:08 us=725393 duplicate_cn = DISABLED
2021-10-15 22:04:08 us=725407 cf_max = 0
2021-10-15 22:04:08 us=725420 cf_per = 0
2021-10-15 22:04:08 us=725433 max_clients = 1024
2021-10-15 22:04:08 us=725446 max_routes_per_client = 256
2021-10-15 22:04:08 us=725459 auth_user_pass_verify_script = '[UNDEF]'
2021-10-15 22:04:08 us=725472 auth_user_pass_verify_script_via_file = DISABLED
2021-10-15 22:04:08 us=725486 auth_token_generate = DISABLED
2021-10-15 22:04:08 us=725499 auth_token_lifetime = 0
2021-10-15 22:04:08 us=725511 auth_token_secret_file = '[UNDEF]'
2021-10-15 22:04:08 us=725525 port_share_host = '[UNDEF]'
2021-10-15 22:04:08 us=725537 port_share_port = '[UNDEF]'
2021-10-15 22:04:08 us=725550 vlan_tagging = DISABLED
2021-10-15 22:04:08 us=725563 vlan_accept = all
2021-10-15 22:04:08 us=725576 vlan_pvid = 1
2021-10-15 22:04:08 us=725589 client = ENABLED
2021-10-15 22:04:08 us=725601 pull = ENABLED
2021-10-15 22:04:08 us=725614 auth_user_pass_file = '[UNDEF]'
2021-10-15 22:04:08 us=725630 OpenVPN 2.5.4 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 5 2021
2021-10-15 22:04:08 us=725658 library versions: OpenSSL 1.1.1l FIPS 24 Aug 2021, LZO 2.10
2021-10-15 22:04:08 us=725739 PKCS#11: pkcs11_initialize - entered
2021-10-15 22:04:08 us=725775 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
2021-10-15 22:04:08 us=725790 PKCS#11: pkcs11_addProvider - entered - provider='/usr/lib64/pkcs11/libtpm2_pkcs11.so.0', private_mode=00000000
2021-10-15 22:04:08 us=725804 PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
2021-10-15 22:04:08 us=725836 PKCS#11: pkcs11h_addProvider entry version='1.27.0', pid=30916, reference='/usr/lib64/pkcs11/libtpm2_pkcs11.so.0', provider_location='/usr/lib64/pkcs11/libtpm2_pkcs11.so.0', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
2021-10-15 22:04:08 us=731037 PKCS#11: Adding provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'-'/usr/lib64/pkcs11/libtpm2_pkcs11.so.0'
ERROR: Listing FAPI token objects failed.
2021-10-15 22:04:08 us=849957 PKCS#11: pkcs11h_addProvider Provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0' manufacturerID 'tpm2-software.github.io'
2021-10-15 22:04:08 us=849994 PKCS#11: _pkcs11h_slotevent_notify entry
2021-10-15 22:04:08 us=850009 PKCS#11: _pkcs11h_slotevent_notify return
2021-10-15 22:04:08 us=850037 PKCS#11: Provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so.0' added rv=0-'CKR_OK'
2021-10-15 22:04:08 us=850052 PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=850066 PKCS#11: pkcs11_addProvider - return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=850103 PO_INIT maxevents=4 flags=0x00000002
2021-10-15 22:04:08 us=850899 PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=0x7ffdeeac20d0, pkcs11_id_management=0, pkcs11_id='STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'
2021-10-15 22:04:08 us=850918 PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=0x7ffdeeabef08, sz='STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'
2021-10-15 22:04:08 us=850931 PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffdeeabeeb8
2021-10-15 22:04:08 us=850946 PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x5607f064cc10
2021-10-15 22:04:08 us=850960 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x5607f064cc10
2021-10-15 22:04:08 us=850975 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064d040
2021-10-15 22:04:08 us=850991 PKCS#11: pkcs11h_token_deserializeTokenId entry p_token_id=0x5607f064cc10, sz='STMicro//0000000000000000/tpm2_test'
2021-10-15 22:04:08 us=851006 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdeeabee08
2021-10-15 22:04:08 us=851035 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064d4b0
2021-10-15 22:04:08 us=851054 PKCS#11: pkcs11h_token_deserializeTokenId return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851076 PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851093 PKCS#11: pkcs11h_certificate_create entry certificate_id=0x5607f064cc10, user_data=(nil), mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffdeeabef00
2021-10-15 22:04:08 us=851109 PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5607f064d940 form=0x5607f064cc10
2021-10-15 22:04:08 us=851126 PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5607f064d9d0
2021-10-15 22:04:08 us=851141 PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x5607f064e210, p_session=0x5607f064d950
2021-10-15 22:04:08 us=851156 PKCS#11: Creating a new session
2021-10-15 22:04:08 us=851171 PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5607f064b758 form=0x5607f064e210
2021-10-15 22:04:08 us=851186 PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5607f064e680
2021-10-15 22:04:08 us=851202 PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5607f064b740
2021-10-15 22:04:08 us=851216 PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x5607f064d940
2021-10-15 22:04:08 us=851231 PKCS#11: pkcs11h_openssl_createSession - entry
2021-10-15 22:04:08 us=851245 PKCS#11: pkcs11h_openssl_createSession - return openssl_session=0x5607f0643920
2021-10-15 22:04:08 us=851260 PKCS#11: pkcs11h_openssl_session_getEVP - entry openssl_session=0x5607f0643920
2021-10-15 22:04:08 us=851275 PKCS#11: pkcs11h_openssl_session_getX509 - entry openssl_session=0x5607f0643920
2021-10-15 22:04:08 us=851289 PKCS#11: pkcs11h_openssl_getX509 - entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851321 PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5607f064d940, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
2021-10-15 22:04:08 us=851337 PKCS#11: __pkcs11h_certificate_loadCertificate entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851352 PKCS#11: _pkcs11h_session_validate entry session=0x5607f064b740
2021-10-15 22:04:08 us=851365 PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
2021-10-15 22:04:08 us=851379 PKCS#11: __pkcs11h_certificate_loadCertificate return rv=179-'CKR_SESSION_HANDLE_INVALID'
2021-10-15 22:04:08 us=851395 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=0x5607f064d940, public_only=1, session_mutex_locked=0
2021-10-15 22:04:08 us=851411 PKCS#11: _pkcs11h_session_login entry session=0x5607f064b740, is_publicOnly=1, readonly=1, user_data=(nil), mask_prompt=00000003
2021-10-15 22:04:08 us=851428 PKCS#11: _pkcs11h_session_logout entry session=0x5607f064b740
2021-10-15 22:04:08 us=851442 PKCS#11: _pkcs11h_session_logout return
2021-10-15 22:04:08 us=851457 PKCS#11: _pkcs11h_session_reset entry session=0x5607f064b740, user_data=(nil), mask_prompt=00000003, p_slot=0x7ffdeeabe8b8
2021-10-15 22:04:08 us=851472 PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='STMicro' model='', serialNumber='0000000000000000', label='tpm2_test'
2021-10-15 22:04:08 us=851486 PKCS#11: _pkcs11h_session_getSlotList entry provider=0x5607f05eeb70, token_present=1, pSlotList=0x7ffdeeabe770, pulCount=0x7ffdeeabe768
2021-10-15 22:04:08 us=851503 PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
2021-10-15 22:04:08 us=851524 PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdeeabe778
2021-10-15 22:04:08 us=851539 PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdeeabe700
2021-10-15 22:04:08 us=851559 PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064ec40
2021-10-15 22:04:08 us=851574 PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5607f064ec40
2021-10-15 22:04:08 us=851589 PKCS#11: _pkcs11h_session_reset Found token manufacturerID='STMicro' model='', serialNumber='0000000000000000', label='tpm2_test'
2021-10-15 22:04:08 us=851604 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5607f064ec40
2021-10-15 22:04:08 us=851618 PKCS#11: pkcs11h_token_freeTokenId return
2021-10-15 22:04:08 us=851631 PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1
2021-10-15 22:04:08 us=851646 PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851659 PKCS#11: _pkcs11h_certificate_resetSession return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851672 PKCS#11: __pkcs11h_certificate_loadCertificate entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851686 PKCS#11: _pkcs11h_session_validate entry session=0x5607f064b740
2021-10-15 22:04:08 us=851700 PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1634328248
2021-10-15 22:04:08 us=851714 PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851728 PKCS#11: _pkcs11h_session_findObjects entry session=0x5607f064b740, filter=0x7ffdeeabede0, filter_attrs=2, p_objects=0x7ffdeeabeda0, p_objects_found=0x7ffdeeabeda8
2021-10-15 22:04:08 us=851747 PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0
2021-10-15 22:04:08 us=851763 PKCS#11: __pkcs11h_certificate_loadCertificate return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
2021-10-15 22:04:08 us=851777 PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
2021-10-15 22:04:08 us=851800 PKCS#11: pkcs11h_openssl_getX509 - return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID', x509=(nil)
2021-10-15 22:04:08 us=851815 PKCS#11: Cannot get certificate object
2021-10-15 22:04:08 us=851828 PKCS#11: pkcs11h_openssl_session_getX509 - return x509=(nil)
2021-10-15 22:04:08 us=851841 PKCS#11: Cannot get certificate object
2021-10-15 22:04:08 us=851855 PKCS#11: pkcs11h_openssl_session_getEVP - return ret=(nil)
2021-10-15 22:04:08 us=851868 PKCS#11: Unable get evp object
2021-10-15 22:04:08 us=851881 PKCS#11: pkcs11h_openssl_freeSession - entry openssl_session=0x5607f0643920, count=1
2021-10-15 22:04:08 us=851896 PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x5607f064d940
2021-10-15 22:04:08 us=851910 PKCS#11: _pkcs11h_session_release entry session=0x5607f064b740
2021-10-15 22:04:08 us=851923 PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
2021-10-15 22:04:08 us=851937 PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5607f064d9d0
2021-10-15 22:04:08 us=851950 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5607f064e210
2021-10-15 22:04:08 us=851963 PKCS#11: pkcs11h_token_freeTokenId return
2021-10-15 22:04:08 us=851977 PKCS#11: pkcs11h_certificate_freeCertificateId return
2021-10-15 22:04:08 us=851990 PKCS#11: pkcs11h_certificate_freeCertificate return
2021-10-15 22:04:08 us=852003 PKCS#11: pkcs11h_openssl_freeSession - return
2021-10-15 22:04:08 us=852017 PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5607f064cc10
2021-10-15 22:04:08 us=852038 PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5607f064d4b0
2021-10-15 22:04:08 us=852052 PKCS#11: pkcs11h_token_freeTokenId return
2021-10-15 22:04:08 us=852066 PKCS#11: pkcs11h_certificate_freeCertificateId return
2021-10-15 22:04:08 us=852079 PKCS#11: tls_ctx_use_pkcs11 - return ok=0, rv=0
2021-10-15 22:04:08 us=852093 Cannot load certificate "STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420" using PKCS#11 interface
2021-10-15 22:04:08 us=852115 Error: private key password verification failed
2021-10-15 22:04:08 us=852141 Exiting due to fatal error
The problem is not with the id but with the structure of the token.
2021-10-15 22:04:08 us=851747 PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0
Please send me the output of:
pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-objects --login
pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info --list-objects --login
ERROR: Listing FAPI token objects failed.
Cryptoki version 2.40
Manufacturer tpm2-software.github.io
Library TPM2.0 Cryptoki (ver 0.0)
Using slot 0 with a present token (0x1)
Logging in to "tpm2_test".
Please enter User PIN:
Private Key Object; RSA
label:
ID: 66653033656635623035633335343230
Usage: decrypt, sign
Access: sensitive, always sensitive, never extractable, local
Allowed mechanisms: RSA-X-509,RSA-PKCS-OAEP,RSA-PKCS,SHA256-RSA-PKCS,SHA384-RSA-PKCS,SHA512-RSA-PKCS,RSA-PKCS-PSS,SHA1-RSA-PKCS-PSS,SHA256-RSA-PKCS-PSS
Public Key Object; RSA 2048 bits
label:
ID: 66653033656635623035633335343230
Usage: encrypt, verify
Access: local
Certificate Object; type = X.509 cert
label:
subject: DN: C=PL, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST/emailAddress=test@test.com
ID: 66653033656635623035633335343230
I have run it before but nothing had raised my suspicion.
Where have you got the fe03ef5b05c35420 that you specify in the identity?
2021-10-15 22:04:08 us=724635 pkcs11_id = 'STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420'
The certificate object is missing a label which is the attribute based on which the certificate is located.
I have used openvpn --show-pkcs11-ids /usr/lib64/pkcs11/libtpm2_pkcs11.so:
ERROR: Listing FAPI token objects failed.
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Certificate
DN: C=PL, ST=TEST, L=TEST, O=TEST, OU=TEST, CN=TEST, emailAddress=test@test.com
Serial: 9882C1C7D8B97B690E7E4F7AE2793158
Serialized id: pkcs11:model=;token=tpm2_test;manufacturer=STMicro;serial=0000000000000000;id=fe03ef5b05c35420
Using this format resulted in Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID', so I switched to the other one.
Maybe I can add a label using tpm2_ptool objmod --id 3?
0: 1
1: true
2: false
3: ''
17: (value omitted)
128: 0
129: 300d310b300906035504030c02504c
130: 0211009882c1c7d8b97b690e7e4f7ae2793158
134: false
135: 0
136: 0
137: ''
138: ''
139: ''
140: 544
144: 78e29b
257: 3076310b300906035504061302504c310d300b06035504080c0454455354310d300b06035504070c0454455354310d300b060355040a0c0454455354310d300b060355040b0c0454455354310d300b06035504030c0454455354311c301a06092a864886f70d010901160d7465737440746573742e636f6d
258: '66653033656635623035633335343230'
272: ''
273: ''
297: ''
368: false
369: false
370: true
It seems the serial and id printed by patched OpenVPN (with pkcs11 uri) is wrong. Can you try with an unpatched pkcs11-helper library. It's most likely binary compatible, so rebuilding OpenVPN may not be required.
This is the buggy patch of fedora, I do not know where they get this id from and what they are doing with it.
Please use vanilla pkcs11-helper if you want to see the real id.
You should try STMicro//0000000000000000/tpm2_test/66653033656635623035633335343230
The last part of the string is bin2hex of CKA_ID.
Or better is to execute openvpn with --show-pkcs11-ids and with debug and extract the real id from the debug log.
Looks like the uri patch cannot handle such long ids -- strange that it converts that id to 'fe03ef5b05c35420'
Thank you! Now it does finally work (it errors on a self-signed certificate on the server side, so I think it works as intended).
Thank you for your help!
FWIW, that ID is the same 16-byte value with each byte written in ASCII (0x66='f', 0x65='e' ... 0x30='0'). But it fails to parse back the URI as the model is empty. For some reason the URI patch wants all fields to be non-empty. Anyway, irrelevant here, just saying.
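As an added example (not code from this issue, from OpenVPN or from pkcs11-helper), the Python below shows the two encodings of CKA_ID that collide in this thread, the "bin2hex of CKA_ID" rule in the maintainer's reply and the "same 16-byte value written in ASCII" remark above. It assumes the token fields contain no '/' (pkcs11-helper's own field escaping is not reproduced) and that the `pkcs11:` URI follows RFC 7512, where the `id` attribute is percent-encoded bytes; the id strings and URI are the ones copied from the thread.

```python
# Added example (not code from the issue, OpenVPN or pkcs11-helper): the two
# encodings of CKA_ID that collide in this thread.  Assumption: token fields
# contain no '/', so pkcs11-helper's escaping is not needed here.
from urllib.parse import unquote, unquote_to_bytes


def serialize_pkcs11h_id(manufacturer: str, model: str, serial: str,
                         label: str, cka_id: bytes) -> str:
    """pkcs11-helper style id: manufacturer/model/serial/label/hex(CKA_ID).

    The four text fields come from CK_TOKEN_INFO, which space-pads them, so
    trailing padding is stripped.  An empty field (this TPM reports no model)
    simply yields an empty component: 'STMicro//0000.../tpm2_test/...'.
    """
    fields = [f.rstrip() for f in (manufacturer, model, serial, label)]
    for f in fields:
        if "/" in f:
            raise ValueError("'/' inside a field needs escaping, not implemented here")
    return "/".join(fields + [cka_id.hex()])


def parse_pkcs11h_id(serialized: str) -> dict:
    """Inverse of serialize_pkcs11h_id(); the last component must be hex."""
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError("expected manufacturer/model/serial/label/id")
    manufacturer, model, serial, label, id_hex = parts
    try:
        cka_id = bytes.fromhex(id_hex)
    except ValueError as exc:
        raise ValueError("last component must be hex-encoded CKA_ID") from exc
    return {"manufacturer": manufacturer, "model": model, "serial": serial,
            "label": label, "cka_id": cka_id}


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a 'pkcs11:' URI (RFC 7512 path part) into raw attribute strings."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for item in uri[len("pkcs11:"):].split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {item!r}")
        attrs[key] = value
    return attrs


def uri_to_pkcs11h_id(uri: str) -> str:
    """Translate the URI form into the pkcs11-helper form.

    RFC 7512 defines 'id' as percent-encoded bytes, so 'id=fe03ef5b05c35420'
    means the 16 ASCII bytes b'fe03ef5b05c35420', not 8 bytes of hex.  The
    helper form hex-encodes those bytes, which is where the 32-digit id
    '6665...3330' comes from.  A missing model is allowed and stays empty.
    """
    a = parse_pkcs11_uri(uri)
    for key in ("manufacturer", "serial", "token", "id"):
        if key not in a:
            raise ValueError(f"URI lacks required attribute {key!r}")
    cka_id = unquote_to_bytes(a["id"])
    return serialize_pkcs11h_id(unquote(a["manufacturer"]), unquote(a.get("model", "")),
                                unquote(a["serial"]), unquote(a["token"]), cka_id)


# Values copied from the thread (public identifiers, nothing secret).
URI_FROM_SHOW_IDS = ("pkcs11:model=;token=tpm2_test;manufacturer=STMicro;"
                     "serial=0000000000000000;id=fe03ef5b05c35420")
ID_THAT_FAILED = "STMicro//0000000000000000/tpm2_test/fe03ef5b05c35420"
ID_THAT_WORKED = "STMicro//0000000000000000/tpm2_test/66653033656635623035633335343230"


def explain_mismatch() -> dict:
    """Why ID_THAT_FAILED found no object (findObjects returned 0): its hex part
    decodes to 8 bytes that are not the token's CKA_ID, whereas ID_THAT_WORKED
    decodes to the real 16-byte CKA_ID, whose ASCII reading is the URI's id."""
    real = parse_pkcs11h_id(ID_THAT_WORKED)["cka_id"]
    wrong = parse_pkcs11h_id(ID_THAT_FAILED)["cka_id"]
    return {"real_cka_id": real, "wrong_cka_id": wrong,
            "real_as_text": real.decode("ascii"),
            "uri_converted": uri_to_pkcs11h_id(URI_FROM_SHOW_IDS)}


if __name__ == "__main__":
    for key, value in explain_mismatch().items():
        print(f"{key}: {value!r}")
```

The practical check this gives you: before pasting an id into `pkcs11-id`, convert it with the function that matches the form you got it from, and confirm the decoded bytes equal the `ID:` line that `pkcs11-tool --list-objects` prints (`66653033...` here). An id that is valid hex but the wrong length, like the 8-byte one above, is accepted by the parser and only fails later as an empty `findObjects` result, exactly as in the debug log.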
Hello,
I have tried to use TPM2.0 to ensure that only some PCs can connect to the VPN.
Using
openvpn --show-pkcs11-ids /usr/lib64/pkcs11/libtpm2_pkcs11.so
I get this output:
I have tried to configure it in my config using these options:
and
The first one results with
I have tried the second format because pkcs11-helper had problems with parsing in previous versions. When I use
pkcs11-id 'STMicro//0000000000000000/tpm2_ecc/d8bc0f69db86ae61'
:
When I provide this with any model (i.e. STMicro/test/0000000000000000/tpm2_ecc/d8bc0f69db86ae61) the result looks like this:
My TPM sadly does not contain any information regarding model:
Do you know any solution or workaround when model name is missing?
Thank you for your help. Jakub