Hi,

Currently RSA-PSS signatures are handled in pkcs11-helper by asking the token to do a raw RSA signature of data already padded by OpenSSL. Many new hardware tokens refuse to support this mode and require the padding to be done in hardware.

For a recent user report see this thread: https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg05732.html Probably there are some related tickets on Trac too.

In OpenVPN, we have a couple of options to fix this:

(i) Use a different library like libp11 (for OpenSSL only).
(ii) Extend pkcs11-helper.
(iii) Roll something new on our own :)

After some thought, I have decided that extending pkcs11-helper may be the least painful approach --- not including the mental distress in getting code reviews and changes accepted. The "helper" has several features that we depend on that are not readily available in alternatives.

If anyone is interested in testing this, see https://github.com/selvanair/pkcs11-helper/releases/tag/pss-support

Though I've opened a PR at https://github.com/OpenSC/pkcs11-helper/pull/31, it's only an RFC and would likely require some iterations. Comments, suggestions for improvement, and test reports are most welcome.

Thanks,

Selva
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
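The distinction the post draws, as an added example that is not part of Selva's message, of pkcs11-helper or of the RFC pull request: in PKCS#11 terms the "raw RSA signature of data already padded by OpenSSL" is a C_Sign under CKM_RSA_X_509, while padding "in hardware" is CKM_RSA_PKCS_PSS, where the token receives only the digest and builds the PSS block itself. The pure-Python model below implements EMSA-PSS encode/verify per RFC 8017 and a hypothetical `FakeToken` class whose `supports_raw_rsa` flag stands in for a token that rejects CKM_RSA_X_509; the toy key (built from two Mersenne primes so the example needs no key generator), the `MechanismInvalid` exception and the messages are all constructed for illustration. The point it makes concrete is that a verifier cannot tell which path produced the signature, so switching pkcs11-helper to token-side padding is transparent to the TLS peer.

```python
"""Added example, not code from the original post or from pkcs11-helper.
Models, in pure Python (RFC 8017), the two PKCS#11 ways to get an RSA-PSS
signature: CKM_RSA_X_509 (host pads, token does raw RSA) and CKM_RSA_PKCS_PSS
(token pads).  The token class, the key and the messages are all constructed."""
import hashlib
import os

HASH, HLEN = hashlib.sha256, hashlib.sha256().digest_size

# Toy RSA key from two Mersenne primes (2^521-1 and 2^607-1): trivially
# factorable, used only to keep the example deterministic and generator-free.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
KEY = (N, E, pow(E, -1, (P - 1) * (Q - 1)))


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 (RFC 8017 B.2.1) built on HASH."""
    blocks = range((length + HLEN - 1) // HLEN)
    return b"".join(HASH(seed + i.to_bytes(4, "big")).digest() for i in blocks)[:length]


def emsa_pss_encode(mhash: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1) over an already hashed message."""
    em_len = (em_bits + 7) // 8
    if em_len < HLEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for hash + salt")
    h = HASH(b"\x00" * 8 + mhash + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytearray(a ^ b for a, b in zip(db, mgf1(h, len(db))))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked) + h + b"\xbc"


def emsa_pss_verify(mhash: bytes, em: bytes, em_bits: int, slen: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2); True means "consistent"."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < HLEN + slen + 2 or em[-1] != 0xBC:
        return False
    masked, h = em[: em_len - HLEN - 1], em[em_len - HLEN - 1 : -1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked[0] & ~top & 0xFF:
        return False
    db = bytearray(a ^ b for a, b in zip(masked, mgf1(h, len(masked))))
    db[0] &= top
    ps_len = em_len - HLEN - slen - 2
    if any(db[:ps_len]) or db[ps_len] != 0x01:
        return False
    return h == HASH(b"\x00" * 8 + mhash + bytes(db[ps_len + 1 :])).digest()


class MechanismInvalid(Exception):
    """Stands in for CKR_MECHANISM_INVALID returned by C_SignInit."""


class FakeToken:
    """Hypothetical PKCS#11 token; newer hardware may refuse CKM_RSA_X_509."""

    def __init__(self, key: tuple, supports_raw_rsa: bool):
        self.n, self.e, self._d = key
        self.supports_raw_rsa = supports_raw_rsa
        self.k = (self.n.bit_length() + 7) // 8  # modulus length in bytes

    def sign(self, mechanism: str, data: bytes) -> bytes:
        if mechanism == "CKM_RSA_X_509":
            if not self.supports_raw_rsa:
                raise MechanismInvalid("token refuses raw RSA private-key operations")
            em = data  # the host already padded this to k bytes
        elif mechanism == "CKM_RSA_PKCS_PSS":
            # only the digest comes in; the PSS block is built "in hardware"
            em = emsa_pss_encode(data, self.n.bit_length() - 1, os.urandom(HLEN))
        else:
            raise MechanismInvalid(mechanism)
        return pow(int.from_bytes(em, "big"), self._d, self.n).to_bytes(self.k, "big")


def sign_pss_host_padding(token: FakeToken, msg: bytes) -> bytes:
    """What the post says pkcs11-helper does today: pad on the host, raw RSA on the token."""
    em = emsa_pss_encode(HASH(msg).digest(), token.n.bit_length() - 1, os.urandom(HLEN))
    return token.sign("CKM_RSA_X_509", em.rjust(token.k, b"\x00"))


def sign_pss_token_padding(token: FakeToken, msg: bytes) -> bytes:
    """What the newer tokens require: hand over only the digest, the token pads."""
    return token.sign("CKM_RSA_PKCS_PSS", HASH(msg).digest())


def verify_pss(n: int, e: int, msg: bytes, sig: bytes, slen: int = HLEN) -> bool:
    """RSASSA-PSS-VERIFY (RFC 8017 8.1.2); it cannot tell which path made sig."""
    k, em_bits = (n.bit_length() + 7) // 8, n.bit_length() - 1
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em, em_len = pow(s, e, n).to_bytes(k, "big"), (em_bits + 7) // 8
    if any(em[: k - em_len]):
        return False
    return emsa_pss_verify(HASH(msg).digest(), em[k - em_len :], em_bits, slen)
```

Signing the same message through `sign_pss_host_padding` on a token with `supports_raw_rsa=True` and through `sign_pss_token_padding` on one with the flag off yields two different signatures (fresh random salt each time) that both pass `verify_pss`, while `sign_pss_host_padding` against the second token raises `MechanismInvalid`, which is the failure mode the post describes. Against a real module the CKM_RSA_PKCS_PSS call additionally needs a CK_RSA_PKCS_PSS_PARAMS (hash algorithm, MGF, salt length) passed to C_SignInit, and the hash and MGF it names must match what OpenSSL negotiated for the signature scheme.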