I have a Zymkey4 and am trying to use it with OpenVPN through the PKCS#11 interface. I have configured my OpenVPN client to utilize the Zymkey PKCS#11 provider located at /usr/lib/libzk_pkcs11.so. Below is a sample of my .ovpn configuration:
client
dev tun
proto udp
remote 192.168.1.100 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA256
compress lz4
verb 3
#TLS Authentication
remote-cert-tls server
# PKCS#11 configuration
pkcs11-providers /usr/lib/libzk_pkcs11.so
pkcs11-cert-private 0
pkcs11-id '0000'
pkcs11-pin-cache 300
pkcs11-private-mode 0
pkcs11-protected-authentication 0
However, when I attempt to run OpenVPN with this configuration using the command:
sudo openvpn --config /home/pi/Desktop/ovpn/try1.ovpn
I encounter the following error:
2024-09-27 13:05:16 PKCS#11: Adding PKCS#11 provider '/usr/lib/libzk_pkcs11.so'
2024-09-27 13:05:16 PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
2024-09-27 13:05:16 Cannot load certificate "0000" using PKCS#11 interface
2024-09-27 13:05:16 Error: private key password verification failed
2024-09-27 13:05:16 Exiting due to fatal error
I suspect the issue might be related to the slot or certificate ID mapping. For your reference, here is the slot information I retrieved using pkcs11-tool and zk_pkcs11-util:
pi@raspberrypi:~/Desktop/ovpn/cert $ zk_pkcs11-util --show-slots
Available slots:
Slot 1686566119
    Slot info:
        Description:      SoftHSM slot ID 0x6486f4e7
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:    d0b7bd10e486f4e7
        Initialized:      yes
        User PIN init.:   yes
        Label:            erarge
Slot 1
    Slot info:
        Description:      SoftHSM slot ID 0x1
        Manufacturer ID:  SoftHSM project
        Hardware version: 2.5
        Firmware version: 2.5
        Token present:    yes
    Token info:
        Manufacturer ID:  SoftHSM project
        Model:            SoftHSM v2
        Hardware version: 2.5
        Firmware version: 2.5
        Serial number:
        Initialized:      no
        User PIN init.:   no
        Label:
pi@raspberrypi:~/Desktop/ovpn/cert $ pkcs11-tool --module /usr/lib/libzk_pkcs11.so -L
Available slots:
Slot 0 (0x6486f4e7): SoftHSM slot ID 0x6486f4e7
  token label        : erarge
  token manufacturer : SoftHSM project
  token model        : SoftHSM v2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  hardware version   : 2.5
  firmware version   : 2.5
  serial num         : d0b7bd10e486f4e7
  pin min/max        : 4/255
Slot 1 (0x1): SoftHSM slot ID 0x1
  token state:   uninitialized
It appears that OpenVPN is not able to correctly identify the certificate with the ID 0000. The error CKR_ATTRIBUTE_VALUE_INVALID suggests a possible attribute mismatch or configuration issue in the PKCS#11 library.
Could you provide guidance on the correct pkcs11-id or pkcs11-cert-private values I should use in the OpenVPN configuration? Alternatively, are there any specific settings or requirements for using the Zymkey4 with OpenVPN that I might be missing?
Thank you for your support.
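The slot listings in the post show the token's manufacturer, model, serial number and label, but not the value OpenVPN's --pkcs11-id option actually expects. OpenVPN prints that value itself with `openvpn --show-pkcs11-ids /usr/lib/libzk_pkcs11.so`, as a "Serialized id" line per certificate object. The following added example (editor's code, not part of the original post or of the Zymkey or OpenVPN projects) parses such a listing and emits the matching config line, and shows why a bare '0000' cannot be deserialized. It assumes the pkcs11-helper serialization used by OpenVPN 2.x: five '/'-separated fields (manufacturer ID, model, serial number, token label, CKA_ID as hex) with special characters escaped as backslash-x-HH. The sample listing is constructed from the token fields in the post; the DN and CKA_ID values in it are placeholders.

```python
"""Parse `openvpn --show-pkcs11-ids` output into --pkcs11-id config lines.

Added example, not the project's code. Assumption: serialized ids follow the
pkcs11-helper format manufacturer/model/serial/label/CKA_ID-hex with
non-printable or reserved characters escaped as backslash-x-HH.
"""
import re
from typing import Dict, List, Optional

# Constructed sample listing. Token fields copied from the post's slot output;
# the DN and the CKA_ID hex ("3031") are placeholders, not values from the post.
SAMPLE_LISTING = r"""The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=placeholder-client
       Serial:         01
       Serialized id:  SoftHSM\x20project/SoftHSM\x20v2/d0b7bd10e486f4e7/erarge/3031
"""

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
_FIELDS = ("manufacturer", "model", "serial", "label", "cka_id")


def unescape_field(field: str) -> str:
    r"""Undo pkcs11-helper's \xHH escaping, e.g. 'SoftHSM\x20project'."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def split_serialized_id(serialized: str) -> Optional[Dict[str, str]]:
    """Split a serialized id into its five fields; None if it is malformed.

    A value like '0000' has no separators at all, which is the same failure
    OpenVPN reports as "Cannot deserialize id" in the post.
    """
    parts = serialized.split("/")
    if len(parts) != len(_FIELDS):
        return None
    return {k: unescape_field(v) for k, v in zip(_FIELDS, parts)}


def parse_show_pkcs11_ids(listing: str) -> List[Dict[str, str]]:
    """Collect DN, Serial and Serialized id for every Certificate block."""
    objects: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in listing.splitlines():
        if line.strip() == "Certificate":
            current = {}
            objects.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"\s*(DN|Serial|Serialized id):\s*(.*)$", line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    # Only objects that carry a usable serialized id are returned.
    return [o for o in objects if "Serialized id" in o]


def config_line(serialized: str) -> str:
    """Build the pkcs11-id line; single quotes keep the backslashes intact."""
    if split_serialized_id(serialized) is None:
        raise ValueError(f"not a pkcs11-helper serialized id: {serialized!r}")
    return f"pkcs11-id '{serialized}'"


if __name__ == "__main__":
    for obj in parse_show_pkcs11_ids(SAMPLE_LISTING):
        print(obj["DN"], "->", config_line(obj["Serialized id"]))
    print("bare '0000' parses as:", split_serialized_id("0000"))
```

In practice you would feed the real output of `openvpn --show-pkcs11-ids /usr/lib/libzk_pkcs11.so` into `parse_show_pkcs11_ids` instead of the constructed sample, and paste the resulting `pkcs11-id '...'` line into the .ovpn file; the CKA_ID of the certificate object on the token can be cross-checked with `pkcs11-tool --module /usr/lib/libzk_pkcs11.so -O`.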