Hello
I have done this setup with:
OpenVPN 2.4 (without SYSTEMD CRAP) + OpenSSL + OpenSC
OpenVPN Master + latest Emmanuel DELOGET OpenSSL 1.1 patches + OpenSSL 1.1.0 + OpenSC Git/Master
All certs are OK: the server sees them as OK and then gets a padding error in SSL and restarts the connection in a loop:
Fri Feb 24 11:51:34 2017 us=479215 ::ffff:XXXX VERIFY SCRIPT OK: depth=3, XXX
Fri Feb 24 11:51:34 2017 us=479342 ::ffff:XXXX VERIFY OK: depth=3, XXX
Fri Feb 24 11:51:34 2017 us=484484 ::ffff:XXXX VERIFY SCRIPT OK: XXX
Fri Feb 24 11:51:34 2017 us=484582 ::ffff:XXXX VERIFY OK: depth=2, XXX
Fri Feb 24 11:51:34 2017 us=490072 ::ffff:XXXX VERIFY SCRIPT OK: XXX
Fri Feb 24 11:51:34 2017 us=490161 ::ffff:XXXX VERIFY OK: depth=1, XXX
Fri Feb 24 11:51:34 2017 us=495224 ::ffff:XXXX VERIFY SCRIPT OK: XXX
Fri Feb 24 11:51:34 2017 us=495313 ::ffff:XXXX VERIFY OK: XXX
Fri Feb 24 11:51:34 2017 us=512670 ::ffff:XXXX TLS_ERROR: BIO read tls_read_plaintext error: error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01: error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed: error:1408807B:SSL routines:ssl3_get_cert_verify:bad signature: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
In the OpenSC logs:
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] framework-pkcs15.c:3512:pkcs15_prkey_sign: Initiating signing operation, mechanism 0x1.
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] card.c:393:sc_lock: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] reader-pcsc.c:582:pcsc_lock: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] card.c:435:sc_lock: returning with: 0 (Success)
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] framework-pkcs15.c:3573:pkcs15_prkey_sign: Selected flags 12. Now computing signature for 83 bytes. 256 bytes reserved.
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] pkcs15-sec.c:314:sc_pkcs15_compute_signature: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] pkcs15-sec.c:362:sc_pkcs15_compute_signature: supported algorithm flags 0x80000001, private key usage 0x2E
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] padding.c:283:sc_get_encoding_flags: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] padding.c:287:sc_get_encoding_flags: iFlags 0x12, card capabilities 0x80000001
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] padding.c:316:sc_get_encoding_flags: pad flags 0x12, secure algorithm flags 0x0
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] padding.c:317:sc_get_encoding_flags: returning with: 0 (Success)
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] pkcs15-sec.c:413:sc_pkcs15_compute_signature: DEE flags:0x00000012 alg_info->flags:0x80000001 pad:0x00000012 sec:0x00000000
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] padding.c:242:sc_pkcs1_encode: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] padding.c:246:sc_pkcs1_encode: hash algorithm 0x10, pad algorithm 0x2
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] padding.c:269:sc_pkcs1_encode: returning with: 0 (Success)
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] card.c:393:sc_lock: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] card.c:435:sc_lock: returning with: 0 (Success)
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] sec.c:68:sc_set_security_env: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] card-sc-hsm.c:462:sc_hsm_set_security_env: returning with: 0 (Success)
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] sec.c:54:sc_compute_signature: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] apdu.c:550:sc_transmit_apdu: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] card.c:393:sc_lock: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] card.c:435:sc_lock: returning with: 0 (Success)
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] apdu.c:517:sc_transmit: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] apdu.c:376:sc_single_transmit: CLA:80, INS:68, P1:2, P2:20, data(256) 0x7ffc38b073b0
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] reader-pcsc.c:269:pcsc_transmit: reader ‘Nitrokey Nitrokey HSM (010000000000000000000000) 00 00’
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] reader-pcsc.c:270:pcsc_transmit:
Outgoing APDU (265 bytes):
80 68 02 20 00 01 00 00 01 FF FF FF FF FF FF FF .h. …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF …
FF FF FF 00 30 51 30 0D 06 09 60 86 48 01 65 03 …0Q0….H.e.
04 02 03 05 00 04 40 00 CD 82 FD EE 74 BA 33 E9 ......@.....t.3.
4E B8 57 14 63 18 7F 35 D1 12 61 E4 E4 7C E3 B3 N.W.c..5..a..|..
E2 E5 36 64 BD CA 61 88 5A 5B CD 2B C2 B9 59 79 ..6d..a.Z[.+..Yy
1D 3C C2 C4 C4 A5 96 38 31 C7 D1 52 8A BD 90 FA .<.....81..R....
A6 77 81 0D 68 3D 3A 01 00 .w..h=:..
0x7f0560d59700 16:15:43.856 [opensc-pkcs11] reader-pcsc.c:199:pcsc_internal_transmit: called
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] reader-pcsc.c:279:pcsc_transmit:
Incoming APDU (258 bytes):
0D 24 DD 89 7E F8 EF 98 06 09 6B C0 44 21 A8 E1 .$..~.....k.D!..
C3 3E 64 98 36 B6 AC 60 BB C3 D6 3B 2B 2B 54 6B .>d.6..…;++Tk
37 77 BF 9D 9E 30 95 2C C0 03 6C C1 C8 0F C6 01 7w…0.,…l…
CA 54 85 7C 8B D4 86 C8 92 9D 91 BF 1D CC E7 C8 .T.|…
A5 5D 43 97 40 A7 A9 29 97 9A 1B FE 3C 0B 5F 4B .]C.@…)…<._K
B7 F2 3F FB 50 A6 5E 43 7E A0 ED 1A EB 6A E3 1E …?.P.^C~…j…
11 51 73 D0 D9 8E 85 2D 8A 60 2C DD 99 40 07 68 .Qs…-.`,…@.h
3C 9A 92 61 F5 9E 41 CA 2B 83 93 C4 8C 48 8C 98 <…a…A.+…H…
5A 9C A9 43 08 E7 7C 97 B9 87 23 EA 6F 1E BF 01 Z…C…|…#.o…
0C B7 66 59 C0 29 22 43 58 8A DC 1D 7F 40 85 B5 …fY.)"CX…@…
43 2F B3 13 54 15 1D 58 E3 D3 0E B7 8A E0 87 CA C/…T…X…
23 C3 AC 07 E4 47 96 D4 21 51 31 C3 9C FD A6 CD #…G…!Q1…
70 2E A9 2C 9D 0C 82 13 37 85 85 AA B3 06 82 66 p…,…7…f
70 72 04 7F FB 28 53 15 FE 50 B5 7A C3 A2 AD 96 pr…(S…P.z…
D1 50 2F 58 FA E5 C1 E8 C8 4E 69 C2 73 BF 2B 52 .P/X…Ni.s.+R
ED AC C3 96 7C 40 F3 47 C7 FD 12 10 B9 94 A6 BE …|@.G…
90 00 …
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] apdu.c:386:sc_single_transmit: returning with: 0 (Success)
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] apdu.c:539:sc_transmit: returning with: 0 (Success)
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] card.c:445:sc_unlock: called
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] card-sc-hsm.c:576:sc_hsm_compute_signature: returning with: 256
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] sec.c:58:sc_compute_signature: returning with: 256
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] card.c:445:sc_unlock: called
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] pkcs15-sec.c:451:sc_pkcs15_compute_signature: returning with: 256
0x7f0560d59700 16:15:44.587 [opensc-pkcs11] card.c:445:sc_unlock: called
0x7f0560d59700 16:15:44.588 [opensc-pkcs11] reader-pcsc.c:627:pcsc_unlock: called
0x7f0560d59700 16:15:44.595 [opensc-pkcs11] framework-pkcs15.c:3590:pkcs15_prkey_sign: Sign complete. Result 256.
0x7f0560d59700 16:15:44.595 [opensc-pkcs11] mechanism.c:447:sc_pkcs11_signature_final: returning with: 0 (Success)
0x7f0560d59700 16:15:44.595 [opensc-pkcs11] mechanism.c:312:sc_pkcs11_sign_final: returning with: 0 (Success)
0x7f0560d59700 16:15:44.595 [opensc-pkcs11] pkcs11-object.c:697:C_Sign: C_Sign() = CKR_OK
I’m not an SSL expert; is it related to the padding negotiation? Is it a problem with the Nitrokey?
The key is working OK with OpenSSH (and so without the cert part).
Please help
Nicolas F.
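
For reference when reading the two logs above (an added example, not part of the original post and not OpenSC or OpenSSL code): the sketch below parses an extended APDU with the layout shown in the Outgoing APDU dump and checks the PKCS#1 v1.5 type 1 block it carries, which is the structure the server-side `RSA_padding_check_PKCS1_type_1` error refers to. The sample APDU is constructed (the hash is of a made-up message) and the function names are hypothetical.

```python
import hashlib

# DER DigestInfo prefix for SHA-512; the same 19 bytes (30 51 30 0D ... 04 40)
# sit in front of the 64-byte hash in the Outgoing APDU dump above.
SHA512_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")


def split_extended_apdu(apdu: bytes):
    """Split a case-4 extended-length APDU into (header, data, Le)."""
    header, body = apdu[:4], apdu[4:]
    if len(body) < 3 or body[0] != 0x00:
        raise ValueError("not an extended-length APDU")
    lc = int.from_bytes(body[1:3], "big")
    data, le = body[3:3 + lc], body[3 + lc:]
    if len(data) != lc or len(le) != 2:
        raise ValueError("Lc/Le do not match the APDU length")
    return header, data, le


def check_pkcs1_type1(em: bytes, modulus_len: int = 256) -> bytes:
    """Validate a 00 01 FF..FF 00 DigestInfo block and return its digest."""
    if len(em) != modulus_len:
        raise ValueError("block length differs from modulus length")
    if em[0] != 0x00 or em[1] != 0x01:
        raise ValueError("block type is not 01")  # wording as in the server log
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):  # at least 8 bytes of FF
        raise ValueError("padding check failed")
    digest_info = em[sep + 1:]
    if not digest_info.startswith(SHA512_PREFIX) or len(digest_info) != 83:
        raise ValueError("unexpected DigestInfo")
    return digest_info[len(SHA512_PREFIX):]


def build_sample_apdu(message: bytes) -> bytes:
    """Constructed sample with the header, Lc and Le of the logged APDU."""
    t = SHA512_PREFIX + hashlib.sha512(message).digest()  # 83 bytes
    em = b"\x00\x01" + b"\xff" * (256 - 3 - len(t)) + b"\x00" + t
    return bytes.fromhex("80680220") + b"\x00\x01\x00" + em + b"\x01\x00"


if __name__ == "__main__":
    _, data, _ = split_extended_apdu(build_sample_apdu(b"constructed message"))
    print(check_pkcs1_type1(data).hex())
```

The same check applied to a signature after the RSA public-key operation is what the verifier performs; a result that does not start with 00 01 produces the "block type is not 01" error seen in the OpenVPN log.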