Bugzilla – Bug 1217104
network:vpn/openvpn: Bug rfc 7512 pkcs11 uris do not work
Last modified: 2024-07-10 07:08:25 UTC
When testing openvpn with pkcs11 rfc7512 uris (such as 'pkcs11-id pkcs11:token=remote;label=1'), openvpn does not parse them, using its own format (pkcs11-id 'IBM/SW\x20\x20\x20TPM/0000000000000000/remote/32313039303063653831663432323865'). Openvpn should support rfc7512 uris to standardise it with other tools. This is apparently supported on fedora, so we may need to look at what they did.
See also https://community.openvpn.net/openvpn/ticket/491
Hi William, Could you please share the steps on how can I easily reproduce it locally?
No problem. The best environment for this will be a virtual machine with libvirt and an emulated TPM. You can configure this with:

```
<domain type='kvm'>
  <devices>
    <tpm model='tpm-crb'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>
```

Ensure that the tpm mode is "CRB" and version 2.0.

Install the needed packages:

```
zypper install openssl-3 pkcs11-provider tpm2-pkcs11 opensc openvpn
```

Display info about the tpm pkcs11 module:

```
pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --show-info
```

Setup the tpm2 token:

```
tpm2_ptool init
```

Add a token:

```
tpm2_ptool addtoken --pid 1 --label remote --sopin 0000 --userpin 0000
```

Import a private key: this assumes ecdsa, change to rsa for that.

```
tpm2_ptool import --label remote --privkey key.pem --algorithm ecc --sopin 0000 --key-label 1
```

Import the x509 cert associated to the key:

```
tpm2_ptool addcert --label remote --key-label 1 crt.pem
```

List the objects, ensure you see a private key, public key, and cert.

```
tpm2_ptool listobjects --label remote
- CKA_CLASS: CKO_PRIVATE_KEY
  CKA_ID:
  - '32313039303063653831663432323865'
  CKA_KEY_TYPE: CKK_EC
  CKA_LABEL: '1'
  id: 1
- CKA_CLASS: CKO_PUBLIC_KEY
  CKA_ID:
  - '32313039303063653831663432323865'
  CKA_KEY_TYPE: CKK_EC
  CKA_LABEL: '1'
  id: 2
- CKA_CLASS: CKO_CERTIFICATE
  CKA_ID:
  - '32313039303063653831663432323865'
  CKA_LABEL: '1'
  id: 3
```

OPTIONAL: Show the key and cert are working with openssl.

```
# provider.conf
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
module = /usr/lib64/ossl-modules/pkcs11.so
pkcs11-module-path = /usr/lib64/pkcs11/libtpm2_pkcs11.so
activate = 1
```

```
OPENSSL_CONF=provider.conf openssl x509 -provider pkcs11 -noout -text -in "pkcs11:token=remote;label=1;type=cert?pin-value=0000"
OPENSSL_CONF=provider.conf openssl pkey -provider pkcs11 -noout -text -in "pkcs11:token=remote;label=1;type=private?pin-value=0000"
```

Configure openvpn:

```
# comment out key/cert
# add
pkcs11-providers /usr/lib64/pkcs11/libtpm2_pkcs11.so
pkcs11-id 'pkcs11:token=remote;label=1?pin-value=0000'
pkcs11-protected-authentication 0
pkcs11-cert-private 1
```

Start openvpn. For extra debugging you can add:

```
[Service]
Environment="TPM2_PKCS11_LOG_LEVEL=2"
Environment="PKCS11_PROVIDER_DEBUG=file:/dev/stderr,level:2"
```
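To make the two formats discussed in this report concrete, here is an added Python example (not code from the report, OpenVPN, pkcs11-helper or pkcs11-provider) that parses RFC 7512 URIs, resolves one against the objects shown by `tpm2_ptool listobjects` above, and converts OpenVPN's legacy serialized `pkcs11-id` into URI form. Two assumptions are built in: RFC 7512 spells the CKA_LABEL attribute `object`, while the URIs in this report use `label`, so the parser accepts `label` as an alias (this says nothing about what the real tools accept); and the legacy id's field order (manufacturer/model/serial/token/CKA_ID hex) with `\xHH` escaping of spaces is read off the single example in the report. The token objects are constructed from the listing above.

```python
"""Parse RFC 7512 PKCS#11 URIs, resolve them against a token's objects, and
convert OpenVPN's legacy serialized pkcs11-id into URI form (added example)."""
import re
from urllib.parse import quote, unquote_to_bytes

# Attribute names RFC 7512 defines for the path part (before '?') and the
# query part (after '?'). The RFC spells CKA_LABEL as 'object'; the URIs in
# this report use 'label', so it is accepted here as an alias (assumption).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
ALIASES = {"label": "object"}
TYPE_TO_CLASS = {"cert": "CKO_CERTIFICATE", "private": "CKO_PRIVATE_KEY",
                 "public": "CKO_PUBLIC_KEY", "secret-key": "CKO_SECRET_KEY",
                 "data": "CKO_DATA"}


class Pkcs11UriError(ValueError):
    """Raised for a malformed or non-pkcs11 URI."""


def _parse_attrs(part, sep, allowed):
    attrs = {}
    for item in (part.split(sep) if part else []):
        name, eq, value = item.partition("=")
        if not eq:
            raise Pkcs11UriError(f"attribute without '=': {item!r}")
        name = ALIASES.get(name, name)
        if name not in allowed and not name.startswith("x-"):
            raise Pkcs11UriError(f"attribute {name!r} not allowed in this part")
        if name in attrs:
            raise Pkcs11UriError(f"duplicate attribute {name!r}")
        raw = unquote_to_bytes(value)  # undo %XX escapes
        attrs[name] = raw if name == "id" else raw.decode("utf-8")  # CKA_ID is binary
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a 'pkcs11:' URI, or raise."""
    scheme, colon, rest = uri.partition(":")
    if scheme.lower() != "pkcs11" or not colon:
        raise Pkcs11UriError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    return _parse_attrs(path, ";", PATH_ATTRS), _parse_attrs(query, "&", QUERY_ATTRS)


def select_objects(path_attrs, token_label, objects):
    """Return the objects on token 'token_label' that the URI's token/object/
    id/type attributes select; an attribute that is absent does not filter."""
    if path_attrs.get("token", token_label) != token_label:
        return []
    wanted_class = None
    if "type" in path_attrs:
        if path_attrs["type"] not in TYPE_TO_CLASS:
            raise Pkcs11UriError(f"unknown type {path_attrs['type']!r}")
        wanted_class = TYPE_TO_CLASS[path_attrs["type"]]
    return [obj for obj in objects
            if obj["CKA_LABEL"] == path_attrs.get("object", obj["CKA_LABEL"])
            and obj["CKA_ID"] == path_attrs.get("id", obj["CKA_ID"])
            and obj["CKA_CLASS"] == (wanted_class or obj["CKA_CLASS"])]


_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def legacy_id_to_uri(serialized):
    """Convert OpenVPN's serialized id to a URI. The field order
    manufacturer/model/serial/token/CKA_ID-hex and the '\\xHH' escaping of
    spaces are read off the example in this report (assumption)."""
    fields = serialized.split("/")
    if len(fields) != 5:
        raise Pkcs11UriError("expected 5 '/'-separated fields")

    def unescape(field):
        return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)

    manufacturer, model, serial, token, id_hex = (unescape(f) for f in fields)
    parts = [f"{k}={quote(v, safe='')}" for k, v in
             (("manufacturer", manufacturer), ("model", model),
              ("serial", serial), ("token", token))]
    parts.append("id=" + "".join(f"%{b:02X}" for b in bytes.fromhex(id_hex)))
    return "pkcs11:" + ";".join(parts)


# Constructed from the 'tpm2_ptool listobjects --label remote' output in the report.
CKA_ID = bytes.fromhex("32313039303063653831663432323865")
TOKEN_OBJECTS = [
    {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_ID": CKA_ID, "CKA_LABEL": "1", "id": 1},
    {"CKA_CLASS": "CKO_PUBLIC_KEY", "CKA_ID": CKA_ID, "CKA_LABEL": "1", "id": 2},
    {"CKA_CLASS": "CKO_CERTIFICATE", "CKA_ID": CKA_ID, "CKA_LABEL": "1", "id": 3},
]
# The legacy pkcs11-id from the report (raw string: the \x20 are literal escapes).
LEGACY_ID = r"IBM/SW\x20\x20\x20TPM/0000000000000000/remote/32313039303063653831663432323865"

if __name__ == "__main__":
    for uri in ("pkcs11:token=remote;label=1;type=cert?pin-value=0000",
                "pkcs11:token=remote;label=1;type=private?pin-value=0000",
                legacy_id_to_uri(LEGACY_ID)):
        path, query = parse_pkcs11_uri(uri)
        hits = [o["id"] for o in select_objects(path, "remote", TOKEN_OBJECTS)]
        print(uri, "->", path, query, "objects:", hits)
```

Run as a script it prints, for each URI, the decoded attributes and which object ids from the listing it selects (the `type=cert` URI resolves to object 3, `type=private` to object 1). Note that `pin-value`, as used in the report's config, puts the PIN into the OpenVPN configuration file itself; RFC 7512 also defines `pin-source` for referencing the PIN from a separately protected location, which is the better choice wherever the config file is readable by more than the service account.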
How did you go with these steps mate?
Hi William, Sorry for the delay but I was busy with some important CVEs and bugs for SLE/ALP for the past few days and didn't get enough time to look into this. I'll start with this soon. Just wrapping up some things
Hey no stress mate! That's important work, :)