Using local cert file with PKCS#11 HSM private key

[pranavp-gad]

I am trying to configure an OpenVPN client where the private key is stored on a Hardware Security Module (HSM) via PKCS#11, but the client certificate resides on the local disk.

My Goal:

Private Key: HSM (accessed via pkcs11-providers)

Client Certificate: Local file (e.g., /etc/openvpn/client.crt)

The Issue: Whenever I include both the pkcs11-id and the cert directives in my config, OpenVPN fails to start. It seems to expect that if I am using PKCS#11, the certificate must also be stored on the token.

Is there a way to do this?

[selvanair]

If you can use version 2.7 (currently in RC stage), a file for --cert and a pkcs11 uri for --key will work. This requires loading pkcs11 provider as URI's are directly interpreted by OpenSSL (no pkcs11-helper related options required).

See the commit message for this feature copied below for details:

Interpret --key and --cert option argument as URI

OpenSSL 3 has providers which can load keys and certificates
from various key stores and HSMs using a provider-specific URI.
While certificates are generally exportable, and some providers
support a PEM file that acts as a proxy for non-exportable private
keys, not all providers are expected to do so. A generic capability
to read keys and certificates from URIs appears useful.

This patch does this by extending the scope of the argument for
"--key" and "--cert" options to include URIs. 

This is backward compatible as OpenSSL falls back to treating URIs
with no scheme or unrecognized scheme as file names.

Parsing of inlined keys and certificates is unchanged (those
should be in PEM format).

Specification of URIs that OpenSSL accepts depends on the
providers that support them. Some are standard URIs such as
"file:/path", but providers may support non-standard URIs
with arbitrary scheme names. OpenSSL by itself recognizes
only file URI.  However, the implementation is agnostic to the
URI specification as parsing is done by the provider that supports
the URI. A new URI gets automatically recognized when the provider
that supports it is loaded.

Below are some usage examples:

Relative or absolute path to a file or as a URI "file:/absolute/path":

   --key mykey.pem      (same as what is currently supported)
   --key file:/path/to/mykey.pem
   --cert file:/path/to/mycert.pem

Other file types supported by OpenSSL would also work:

   --key client.p12
   --cert client.p12

pkcs11-provider supports "pkcs11:" URI (RFC 7512):

   --key pkcs11:token=Foo;id=%01
   --cert pkcs11:token=Foo;id=%01

tpm2-provider recognizes a custom URI "handle:<hex>":

   --key handle:0x81000000

These examples assume that required providers, if any, are loaded
and configured.

v2: same as PR 591 but with the fixup commit that addresses review comments is squashed.

Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20240906103734.36633-1-frank@lichtenheld.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29075.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

[cron2]

@pranavp-gad have you been able to test this with one of the 2.7 release candidates? Does it work?

[pranavp-gad]

@cron2 No I did not get a chance to look into this. Currently I am on the kirkstone branch of Yocto. Need to check the compatibility of this version of openvpn with kirkstone.