Cannot use libykcs11.dll with OpenVPN: CKR_ATTRIBUTE_TYPE_INVALID (unsupported CKA_SIGN_RECOVER)
yaegor opened this issue · 1 comments
Environment: Windows 10, 20H2, 19042.868
Latest OpenVPN: OpenVPN 2.5_rc3
yubico-piv-tool 2.2.0
I am trying to configure OpenVPN to use the certificate stored on a YubiKey 5.
The ovpn config file has:
pkcs11-providers 'c:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll'
pkcs11-id 'pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%23XXXXXXXX;manufacturer=Yubico%20%28www.yubico.com%29;serial=XXXXXXXX;id=%01'
(where pkcs11-id is from openvpn.exe --show-pkcs11-ids "c:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll" command, device serial replaced with XXXXXXXX)
On OpenVPN connection, a prompt for the token PIN appears, and upon correct entry the OpenVPN log gets the error lines:
Thu Mar 18 13:46:49 2021 PKCS#11: Cannot perform signature 18:'CKR_ATTRIBUTE_TYPE_INVALID'
Thu Mar 18 13:46:49 2021 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
When configured with PKCS11 Spy from OpenSC, the spy log has:
29: C_GetAttributeValue
2021-03-18 13:46:49.541
[in] hSession = 0x1
[in] hObject = 0x56
[in] pTemplate[4]:
CKA_SIGN 0000000000000000 / 0
CKA_SIGN_RECOVER 0000000000000000 / 0
CKA_DECRYPT 0000000000000000 / 0
CKA_UNWRAP 0000000000000000 / 0
[out] pTemplate[4]:
CKA_SIGN 0000000000000000 / 1
CKA_SIGN_RECOVER 0000000000000000 / -1
CKA_DECRYPT 0000000000000000 / 1
CKA_UNWRAP 0000000000000000 / 1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
It seems that CKA_SIGN_RECOVER is not supported by libykcs11.dll.
Note: current workaround is to use OpenSC opensc-pkcs11.dll instead of libykcs11.dll. It has different pkcs11-id and names the token differently, but works OK with the same certificate on the same card.
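The spy log above is worth reading against the PKCS#11 rules for C_GetAttributeValue: when a template contains an attribute type the module does not support, the module answers the attributes it does know, sets ulValueLen to CK_UNAVAILABLE_INFORMATION (which PKCS11 Spy prints as -1) for the unsupported one, and returns CKR_ATTRIBUTE_TYPE_INVALID (0x12 = 18) for the call as a whole. A client that fetches several flags in one call therefore has to look at the per-attribute results rather than only the return code. The following added example (not code from the issue, from Yubico's libykcs11, or from OpenVPN/pkcs11-helper) models that exchange in C: a constructed token that knows CKA_SIGN, CKA_DECRYPT and CKA_UNWRAP but not CKA_SIGN_RECOVER, a mock module following the spec, and two constructed clients, one that treats any non-OK return as fatal and one that reads the attributes individually. The PKCS#11 types and constants are redefined inline so it compiles without pkcs11.h; mock_C_GetAttributeValue, size_query_len, strict_probe, lenient_probe and key_caps are names invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* Minimal PKCS#11 definitions so this builds without pkcs11.h;
 * values match the published header. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef unsigned char CK_BBOOL;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKA_DECRYPT                0x105UL
#define CKA_UNWRAP                 0x107UL
#define CKA_SIGN                   0x108UL
#define CKA_SIGN_RECOVER           0x109UL
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL    /* 18 in the OpenVPN log */
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)    /* shown as -1 by PKCS11 Spy */
#define CK_TRUE 1

/* Constructed token model of the key object: it can sign, decrypt and
 * unwrap; CKA_SIGN_RECOVER is not an attribute it knows at all. */
static int token_attr(CK_ATTRIBUTE_TYPE type, CK_BBOOL *out)
{
    switch (type) {
    case CKA_SIGN: case CKA_DECRYPT: case CKA_UNWRAP:
        *out = CK_TRUE;
        return 1;
    default:
        return 0;                             /* unsupported attribute type */
    }
}

/* Module side, per the PKCS#11 C_GetAttributeValue rules: answer every
 * supported attribute, mark each unsupported one with ulValueLen =
 * CK_UNAVAILABLE_INFORMATION, and return CKR_ATTRIBUTE_TYPE_INVALID
 * if any attribute in the template was unsupported. */
CK_RV mock_C_GetAttributeValue(CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < count; i++) {
        CK_BBOOL v;
        if (!token_attr(tmpl[i].type, &v)) {
            tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_ATTRIBUTE_TYPE_INVALID;
        } else if (tmpl[i].pValue == NULL) {
            tmpl[i].ulValueLen = sizeof v;    /* size query, as in the spy log */
        } else if (tmpl[i].ulValueLen < sizeof v) {
            tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION;
            rv = CKR_BUFFER_TOO_SMALL;
        } else {
            memcpy(tmpl[i].pValue, &v, sizeof v);
            tmpl[i].ulValueLen = sizeof v;
        }
    }
    return rv;
}

/* Replay the spy log's size query (pValue NULL, ulValueLen 0) for one attribute. */
CK_ULONG size_query_len(CK_ATTRIBUTE_TYPE type)
{
    CK_ATTRIBUTE a = { type, NULL, 0 };
    mock_C_GetAttributeValue(&a, 1);
    return a.ulValueLen;
}

typedef struct { int ok; int can_sign, can_sign_recover, can_decrypt, can_unwrap; } key_caps;

/* Fetch the same four flags the log shows, in one call. */
static CK_RV fetch_caps(CK_BBOOL vals[4], CK_ATTRIBUTE tmpl[4])
{
    CK_ATTRIBUTE t[4] = {
        { CKA_SIGN,         &vals[0], sizeof vals[0] },
        { CKA_SIGN_RECOVER, &vals[1], sizeof vals[1] },
        { CKA_DECRYPT,      &vals[2], sizeof vals[2] },
        { CKA_UNWRAP,       &vals[3], sizeof vals[3] },
    };
    memcpy(tmpl, t, sizeof t);
    return mock_C_GetAttributeValue(tmpl, 4);
}

/* Strict client: any non-OK return aborts, even though CKA_SIGN came back TRUE. */
CK_RV strict_probe(void)
{
    CK_BBOOL vals[4] = {0};
    CK_ATTRIBUTE tmpl[4];
    return fetch_caps(vals, tmpl);
}

/* Lenient client: tolerates CKR_ATTRIBUTE_TYPE_INVALID and reads each
 * attribute on its own, treating an unavailable one as FALSE. */
key_caps lenient_probe(void)
{
    key_caps c = {0};
    CK_BBOOL vals[4] = {0};
    CK_ATTRIBUTE tmpl[4];
    CK_RV rv = fetch_caps(vals, tmpl);
    if (rv != CKR_OK && rv != CKR_ATTRIBUTE_TYPE_INVALID)
        return c;                             /* c.ok stays 0: a real failure */
    int *dst[4] = { &c.can_sign, &c.can_sign_recover, &c.can_decrypt, &c.can_unwrap };
    for (int i = 0; i < 4; i++)
        *dst[i] = tmpl[i].ulValueLen != CK_UNAVAILABLE_INFORMATION && vals[i] == CK_TRUE;
    c.ok = 1;
    return c;
}

int main(void)
{
    key_caps c = lenient_probe();
    printf("strict probe rv = %lu\n", strict_probe());
    printf("lenient: sign=%d sign_recover=%d decrypt=%d unwrap=%d\n",
           c.can_sign, c.can_sign_recover, c.can_decrypt, c.can_unwrap);
    return 0;
}
```

Against this constructed token, strict_probe returns 18 while lenient_probe reports can_sign set and can_sign_recover clear, which is the difference between giving up on the signature and proceeding with C_Sign. Whether the real OpenVPN build takes the strict path is something to confirm in its source, not something this model proves; what the model does show is that a -1 length next to CKR_ATTRIBUTE_TYPE_INVALID is the module saying "I do not have this attribute", not "this key cannot sign".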