
included libpkcs11-helper-1.dll is compiled without Elliptic Curve support >=2.4.5 #168

Closed
uriseja opened this issue Mar 15, 2020 · 4 comments
Labels
deprecated The issue applies to deprecated code only and will be closed when the code will be removed. mingw related to mingw build

Comments

uriseja commented Mar 15, 2020

Trying to use pkcs11 tokens with EC keys and openvpn >= 2.4.5 yields an error:

PKCS#11: Adding PKCS#11 provider 'onepin-opensc-pkcs11.dll'
PKCS#11: Invalid public key algorithm 408
PKCS#11: Unable get evp object

OpenVPN builds <=2.4.4 work as expected

becm (Contributor) commented Apr 27, 2020

According to build logs, pkcs11-helper 1.22 fails to detect EC support in OpenSSL 1.1.x library. OpenVPN 2.4.4 used OpenSSL 1.0.x.

@dwmw2 seems to affect Fedora as well (see build.log files):
First detection miss of EC support with pkcs11-helper 1.22/OpenSSL 1.1.1.
Last success for pkcs11-helper 1.11/OpenSSL 1.0.x.

Also seems to happen with self-compiled versions on Debian sarge, the builtin still uses libcrypto.so.1.0.2.

Used configure.am should only work up to OpenSSL 1.0.x, even with ecs_locl.h hack.
Later pkcs11-helper versions have detection and code refinements and compile with EC support for current Fedora OpenSSL (unable to test if it actually works for PKI tokens).

Support in pkcs11-helper for Elliptic Curves with OpenSSL 1.1.1 seems to be in release 1.23 or should require at least parts of changes in February 2018 commit.
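To make the symptom in the first post and the cause described in this comment easier to recognise in the field, here is a small log-triage helper. It is an added example, not code from OpenVPN or pkcs11-helper: it scans OpenVPN log lines for the `PKCS#11: Invalid public key algorithm <nid>` message, maps the numeric OpenSSL NID to its object name (408 is `NID_X9_62_id_ecPublicKey` in OpenSSL's obj_mac.h), and pairs it with the provider loaded just before. The sample log lines and the helper names are constructed for this example.

```python
"""Triage OpenVPN PKCS#11 log output for the 'build lacks EC support' failure.

Added example (not part of the OpenVPN/pkcs11-helper projects). Function and
variable names are hypothetical; the NID-to-name table comes from OpenSSL's
obj_mac.h.
"""
import re
from typing import Iterable, Optional

# OpenSSL object NIDs that OpenVPN's pkcs11 layer reports when it cannot build
# an EVP key for a token's public key. 408 = NID_X9_62_id_ecPublicKey.
OPENSSL_NID_NAMES = {
    6: "rsaEncryption",
    116: "dsa",
    408: "id-ecPublicKey",
}

PROVIDER_RE = re.compile(r"PKCS#11: Adding PKCS#11 provider '([^']+)'")
ALGO_RE = re.compile(r"PKCS#11: Invalid public key algorithm (\d+)")
EVP_RE = re.compile(r"PKCS#11: Unable get evp object")


def triage_pkcs11_log(lines: Iterable[str]) -> Optional[dict]:
    """Return a diagnosis dict for the first 'Invalid public key algorithm'
    line, or None when the log shows no such failure."""
    provider = None
    for line in lines:
        m = PROVIDER_RE.search(line)
        if m:
            provider = m.group(1)
            continue
        m = ALGO_RE.search(line)
        if m:
            nid = int(m.group(1))
            name = OPENSSL_NID_NAMES.get(nid, "unknown")
            if nid == 408:
                cause = ("token key is EC (id-ecPublicKey) but pkcs11-helper "
                         "was built without EC support; rebuild against an "
                         "OpenSSL/pkcs11-helper pair where EC is detected")
            elif nid in OPENSSL_NID_NAMES:
                cause = f"key algorithm {name} not supported by this pkcs11-helper build"
            else:
                cause = "unrecognised key algorithm NID; check OpenSSL obj_mac.h"
            return {"provider": provider, "nid": nid,
                    "algorithm": name, "likely_cause": cause}
    return None


def is_ec_support_gap(diagnosis: Optional[dict]) -> bool:
    """True when the diagnosis matches the EC-support gap from this issue."""
    return diagnosis is not None and diagnosis["nid"] == 408


# Constructed sample: the lines from the bug report, with OpenVPN-style
# timestamps added so the regexes are exercised on realistic input.
SAMPLE_LOG = [
    "Sun Mar 15 10:00:01 2020 PKCS#11: Adding PKCS#11 provider 'onepin-opensc-pkcs11.dll'",
    "Sun Mar 15 10:00:02 2020 PKCS#11: Invalid public key algorithm 408",
    "Sun Mar 15 10:00:02 2020 PKCS#11: Unable get evp object",
]

# Constructed sample of a session where the provider loads cleanly.
CLEAN_LOG = [
    "Sun Mar 15 10:05:01 2020 PKCS#11: Adding PKCS#11 provider 'onepin-opensc-pkcs11.dll'",
    "Sun Mar 15 10:05:03 2020 Initialization Sequence Completed",
]

if __name__ == "__main__":
    print(triage_pkcs11_log(SAMPLE_LOG))
    print(triage_pkcs11_log(CLEAN_LOG))
```

Run the file directly to see the diagnosis for the constructed sample; in practice feed it the lines of an OpenVPN log with `--verb 3` or higher. A NID other than 408 means the failure is a different unsupported key type, not the EC detection miss discussed here.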

mattock added a commit to mattock/openvpn-build that referenced this issue Aug 28, 2020
URL: OpenVPN#168
Signed-off-by: Samuli Seppänen <[email protected]>
becm (Contributor) commented Sep 19, 2020

The pkcs11-helper/OpenSSL combination in current OpenVPN 2.5 beta releases should support EC operations.
@uriseja can you (or anyone else with an EC-capable token) verify this fixes the problem?

Test exposure for different PKCS#11 tokens is severely limited.
Since this update is also to be incorporated into OpenVPN 2.4.10 release for Windows, please report any unexpected behavioural changes. Some effects may only show with certain hard- or middleware.

dwmw2 commented Sep 19, 2020

Test exposure for different PKCS#11 tokens is severely limited

Little excuse for that with SoftHSM being so readily available. Feel free to lift from the OpenConnect test suite, which tests EC, RSA and even DSA keys from PKCS#11 in various permutations.

@flichtenheld flichtenheld added mingw related to mingw build deprecated The issue applies to deprecated code only and will be closed when the code will be removed. labels Jan 20, 2023
flichtenheld (Member) commented

There never was confirmation that this problem is indeed fixed. But also no reports that it is not. Let's go with fixed for now.
