Opened 6 years ago
Closed 11 months ago
#1044 closed Bug / Defect (fixed)
pkcs11-id - Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
Reported by: | hjb | Owned by: | Samuli Seppänen |
---|---|---|---|
Priority: | major | Milestone: | release 2.4.10 |
Component: | Certificates | Version: | OpenVPN 2.4.5 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | pkcs-id, RFC7512 |
Cc: |
Description
OS: Windows 7
OpenVPN 2.4.5
PKCS#11 IDs exported with option --show-pkcs11-ids using the RFC 7512 URI scheme are not recognized by --pkcs11-id and throw an error message:
"PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'"
IDs with the old scheme as exported with version 2.4.4 are still working.
There seems to be a bug either with --show-pkcs11-ids or with --pkcs11-id. Or even both!?
Change History (6)
comment:1 Changed 5 years ago by
comment:2 Changed 5 years ago by
Looks related to #1075 (and there is more info in that ticket).
As a workaround, you could manually change the token to the format that is recognised.
comment:3 Changed 3 years ago by
Milestone: | release 2.4.5 → release 2.4.10 |
---|---|
Owner: | set to Samuli Seppänen |
Status: | new → assigned |
As far as I understand, this is a bug in pkcs11-helper - we have problems on Windows as well, and with 2.5_beta3, shipping a more recent (+patched) version of pkcs11-helper, things magically start working.
So, you might want to test the 2.5_beta3 test installer - if that works, please comment here. We currently plan to also release 2.4.10 with the new library, but only "if it works"...
comment:4 Changed 3 years ago by
So, can I have an update here? Is this fixed with the new pkcs11 library in 2.5.0 and 2.4.10? Can we close the ticket?
comment:5 Changed 11 months ago by
All official Windows releases (2.4.10+, 2.5, 2.6) consistently use the new RFC7512 serialization format by applying an unofficial patch (https://github.com/OpenSC/pkcs11-helper/pull/4).
We (try to) regularly sync this patch with the Fedora-version (https://src.fedoraproject.org/rpms/pkcs11-helper), they require "everything PKCS11" to be RFC7512-compliant.
I am facing this bug in both 2.4.5 and 2.4.6 with Yubikey and ePass2003. Is there any chance to get this fixed? I can sponsor a Yubikey token to the community.
A similar problem also exists on Linux, where the special characters need to be escaped manually.
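An added diagnostic example, not part of this ticket and not OpenVPN or pkcs11-helper code: it splits a `--pkcs11-id` value into its RFC 7512 path attributes and reports values whose characters still need percent-encoding. The function name `parse_pkcs11_uri` and all sample IDs are constructed for illustration; it checks URI syntax only and does not reproduce the library's own deserialization.

```python
import re
from urllib.parse import unquote_to_bytes

# Characters RFC 7512 permits in a path attribute value: unreserved,
# the pk11-path-res-avail set, or a %HH escape. Space, '#', '/', ';' are not.
PATH_OK = re.compile(r"(?:[A-Za-z0-9\-._~:\[\]@!$'()*+,=&]|%[0-9A-Fa-f]{2})*")

# Constructed sample values (not taken from any real token).
GOOD = ("pkcs11:model=PKCS%2315%20emulated;token=Test%20Token;"
        "manufacturer=Example;serial=0123456789;id=%01%AB")
BAD = "pkcs11:model=PKCS#15 emulated;token=Test Token;id=%01%AB"
NOT_URI = "Example/Model/0123456789/Test Token/01AB"


def parse_pkcs11_uri(value):
    """Return (attrs, problems); attrs is None when value is not a pkcs11: URI."""
    if not value.startswith("pkcs11:"):
        return None, ["no 'pkcs11:' scheme, so not an RFC 7512 URI"]
    path = value[len("pkcs11:"):].split("?", 1)[0]  # query part is ignored here
    attrs, problems = {}, []
    for part in filter(None, path.split(";")):
        name, sep, raw = part.partition("=")
        if not sep:
            problems.append(f"attribute without '=': {part!r}")
        elif name in attrs:
            problems.append(f"attribute repeated: {name}")
        elif not PATH_OK.fullmatch(raw):
            problems.append(f"{name}: needs percent-encoding: {raw!r}")
        else:
            data = unquote_to_bytes(raw)
            # 'id' (CKA_ID) is binary, so show it as hex; the rest is UTF-8 text.
            attrs[name] = data.hex() if name == "id" else data.decode("utf-8", "replace")
    return attrs, problems


if __name__ == "__main__":
    for sample in (GOOD, BAD, NOT_URI):
        attrs, problems = parse_pkcs11_uri(sample)
        print(sample)
        print("  attributes:", attrs)
        for problem in problems:
            print("  problem:", problem)
```

Running it against the string printed by `--show-pkcs11-ids` before pasting it into a config file shows whether the value is a syntactically valid RFC 7512 URI or was altered by quoting on the way.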