
PKCS11 tokens that don't support RSA-PSS don't work. We should make sure the mechanism is supported or handle the error #396

Open
fliot opened this issue Jan 31, 2023 · 3 comments

Comments

@fliot

fliot commented Jan 31, 2023

Hi, first of all, congrats to the committers, Ghostunnel is a very nice piece of software!

I had very different and very explicit error messages until I found out the correct pkcs11 parameters (certificate, token label, etc.),
but I'm still facing issues trying to handle an mTLS client tunnel based on an HSM & PKCS11 token.

ghostunnel client \
    --listen localhost:8080 \
    --target my.remote.service:443 \
    --override-server-name my.remote.service \
    --cert my-certificate-as-extracted-from-the-hsm-token.cer \
    --pkcs11-module my_pkcs11.dll \
    --pkcs11-token-label "token-label" \
    --pkcs11-pin 1234
[816] 2023/01/31 19:37:30.399578 starting ghostunnel in client mode
[816] 2023/01/31 19:37:30.400616 using PKCS#11 module as certificate source
[816] 2023/01/31 19:37:31.246722 using target address my.remote.service:443
[816] 2023/01/31 19:37:31.247721 listening for connections on localhost:8080
[816] 2023/01/31 19:37:33.773976 error on dial: pkcs11key: sign init: pkcs11: 0x70: CKR_MECHANISM_INVALID

My HSM token seems to effectively provide signing for CKM_SHA256_RSA_PKCS or CKM_RSA_PKCS (just in case you were wondering...)
[image attached]

Any idea?
Thanks in advance.

@mcpherrinm
Contributor

Is the pkcs11 DLL provided by your HSM vendor? Are you willing to share what vendor that is?

There's no flag for this, but I wonder if it has to do with RSA-PSS in TLS1.3. Do you know if the server you're connecting to supports TLS1.3?

If you've got any Go experience, can you try adding a MaxVersion: tls.TlsVersionTLS12 around here: https://github.com/ghostunnel/ghostunnel/blob/master/tls.go#L115 and see if that works?

Otherwise we might have to add a bit of debugging to log what parameters it's unhappy with.

@fliot
Author

fliot commented Feb 1, 2023

Hi,
Thanks for your feedback,
Indeed, with this

MaxVersion:    tls.VersionTLS12,
Renegotiation: tls.RenegotiateOnceAsClient,

I got some success, and definitely TLS1.3 is blocking, due to my HSM/pkcs11 DLL functions.
Great thanks for your support.

@fliot fliot closed this as completed Feb 1, 2023
@mcpherrinm mcpherrinm reopened this Feb 1, 2023
@mcpherrinm
Contributor

mcpherrinm commented Feb 1, 2023

I'm going to keep this open as a bug, as it would be reasonable to support these tokens but limited to TLS 1.2, or at least produce a better error message.

@mcpherrinm mcpherrinm changed the title from "Pkcs11 or Windows issue ?" to "PKCS11 tokens that don't support RSA-PSS don't work. We should make sure the mechanism is supported or handle the error" Feb 1, 2023