Re: [Openvpn-devel] Issue with smartcard authentication for openvpn

Wed, 17 Apr 2019 08:53:50 -0700 

Hi JJK,

On Wed, Apr 17, 2019 at 10:50 AM Jan Just Keijser <janj...@nikhef.nl> wrote:

> Hi Selva,
>
> On 10/04/19 19:09, Selva Nair wrote:
>
>
>
> On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser <janj...@nikhef.nl>
> wrote:
>
>
snipped...


> patching pkcs11-helper does not seem too difficult for this particular
>> case - but how can we test it? I have access to hw tokens but I don't know
>> how to trigger the "raw signature" bit.
>>
>
> If both server and client are built with OpenSSL 1.1.1 and TLS version is
> >= 1.2, PSS padding will get used and trigger this. OpenSSL does PSS
> padding internally and passes the padded data to the rsa_priv_enc calback
> for raw signature.
>
> This is based on my tests for our Windows cryptoapi and
> management-external-key patches for the same -- never tried this using
> pkcs11-helper, but I expect the same behaviour.
>
>
> The good news: I can reproduce this with
> - openvpn 2.4.7
> - openssl 1.1.1b
> - pkcs11helper 1.25.1
> - Safenet etoken
> - client+server CentOS 7
>
> The bad news: I don't have a fix yet.
>

What I has in mind was a very simple patch like the one attached (totally
untested).
But I guess you tried that already and it doesn't work? Is it because the
token
does not support raw signature (not all do) or something else?

Selva

From 547c58ce24e76598b504c9062820dae43fa9cc38 Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.n...@gmail.com>
Date: Wed, 17 Apr 2019 11:26:40 -0400
Subject: [PATCH] Support raw RSA signature

Signed-off-by: Selva Nair <selva.n...@gmail.com>
---
 lib/pkcs11h-openssl.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/pkcs11h-openssl.c b/lib/pkcs11h-openssl.c
index 4ebc211..6a396bb 100644
--- a/lib/pkcs11h-openssl.c
+++ b/lib/pkcs11h-openssl.c
@@ -567,7 +567,13 @@ __pkcs11h_openssl_rsa_enc (
 		padding
 	);
 
-	if (padding != RSA_PKCS1_PADDING) {
+	if (padding == RSA_PKCS1_PADDING) {
+		padding = CKM_RSA_PKCS;
+	}
+	else if (padding == RSA_NO_PADDING) {
+		padding = CKM_RSA_X_509;
+	}
+	else {
 		rv = CKR_MECHANISM_INVALID;
 		goto cleanup;
 	}
@@ -587,7 +593,7 @@ __pkcs11h_openssl_rsa_enc (
 	if (
 		(rv = pkcs11h_certificate_signAny (
 			certificate,
-			CKM_RSA_PKCS,
+			padding,
 			from,
 			flen,
 			to,
-- 
2.1.4


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to