Opened 20 months ago

Last modified 7 weeks ago

#1075 new Bug / Defect

PKCS#11 (OpenSC) not working with OpenVPN on windows 10

Reported by: Tobi Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: opensc pkcs#11 yubikey
Cc:

Description

OS: Windows 10 (1803)
OpenVPN: 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
OpenSC: 0.18.0

Hi,
I'm trying to use my yubikey to connect to an openvpn server.
The certificate was created on the Yubikey using the "Yubikey PIV Manager".
The certificate is working fine with Firefox using the pkcs11 adapter from opensc.

Trying to connect always results in an error when the openvpn client tries to parse the pkcs11-id option:

The tutorial from https://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11
seems a little outdated, as some cmdline options are no longer available, but the id can still be determined using:

C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=MYNAME
       Serial:         ABCDEF01234567890ABCDEF012345678
       Serialized id:  pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01

test.ovpn:

...
pkcs11-providers "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
...

For some reason openvpn does not like this id or format?

Complete log with 'verb 10':

C:\Program Files\OpenVPN\bin>openvpn --config C:\test.ovpn
Current Parameter Settings:
  config = 'C:\test.ovpn'
  mode = 0
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 0
Connection profiles [0]:
  proto = udp
  local = '[UNDEF]'
  local_port = '[UNDEF]'
  remote = 'PRIVATE'
  remote_port = '1194'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = DISABLED
  bind_ipv6_only = DISABLED
  connect_retry_seconds = 5
  connect_timeout = 120
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
Connection profiles END
  remote_random = DISABLED
  ipchange = '[UNDEF]'
  dev = 'tun'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 1
  ifconfig_local = '[UNDEF]'
  ifconfig_remote_netmask = '[UNDEF]'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 0
  keepalive_timeout = 0
  inactivity_timeout = 0
  ping_send_timeout = 0
  ping_rec_timeout = 0
  ping_rec_timeout_action = 0
  ping_timer_remote = DISABLED
  remap_sigusr1 = 0
  persist_tun = DISABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = DISABLED
  passtos = DISABLED
  resolve_retry_seconds = 1000000000
  resolve_in_advance = DISABLED
  username = '[UNDEF]'
  groupname = '[UNDEF]'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '[UNDEF]'
  down_script = '[UNDEF]'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = DISABLED
  suppress_timestamps = DISABLED
  machine_readable_output = DISABLED
  nice = 0
  verbosity = 10
  mute = 0
  gremlin = 0
  status_file = '[UNDEF]'
  status_file_version = 1
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 0
  sndbuf = 0
  sockflags = 0
  fast_io = DISABLED
  comp.alg = 4
  comp.flags = 4
  route_script = '[UNDEF]'
  route_default_gateway = '[UNDEF]'
  route_default_metric = 0
  route_noexec = DISABLED
  route_delay = 5
  route_delay_window = 30
  route_delay_defined = ENABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  allow_pull_fqdn = DISABLED
  management_addr = '[UNDEF]'
  management_port = '[UNDEF]'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 0
  shared_secret_file = '[UNDEF]'
  key_direction = 1
  ciphername = 'AES-128-CBC'
  ncp_enabled = ENABLED
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
  authname = 'SHA256'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = ENABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  use_iv = ENABLED
  test_crypto = DISABLED
  tls_server = DISABLED
  tls_client = ENABLED
  key_method = 2
  ca_file = '[[INLINE]]'
  ca_path = '[UNDEF]'
  dh_file = '[UNDEF]'
  cert_file = '[UNDEF]'
  extra_certs_file = '[UNDEF]'
  priv_key_file = '[UNDEF]'
  pkcs12_file = '[UNDEF]'
  cryptoapi_cert = '[UNDEF]'
  cipher_list = '[UNDEF]'
  tls_cert_profile = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = '[UNDEF]'
  ns_cert_type = 0
  remote_cert_ku[i] = 65535
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = 'TLS Web Server Authentication'
  ssl_flags = 192
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 3600
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_auth_file = '[UNDEF]'
  tls_crypt_file = '[[INLINE]]'
  pkcs11_providers = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = 'pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
  pkcs11_id_management = DISABLED
  server_network = 0.0.0.0
  server_netmask = 0.0.0.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  ifconfig_pool_defined = DISABLED
  ifconfig_pool_start = 0.0.0.0
  ifconfig_pool_end = 0.0.0.0
  ifconfig_pool_netmask = 0.0.0.0
  ifconfig_pool_persist_filename = '[UNDEF]'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '[UNDEF]'
  ccd_exclusive = DISABLED
  tmp_dir = 'C:\Users\ABC~1\AppData\Local\Temp\'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = DISABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 1024
  max_routes_per_client = 256
  auth_user_pass_verify_script = '[UNDEF]'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  client = ENABLED
  pull = ENABLED
  auth_user_pass_file = '[UNDEF]'
  show_net_up = DISABLED
  route_method = 0
  block_outside_dns = DISABLED
  ip_win32_defined = DISABLED
  ip_win32_type = 3
  dhcp_masq_offset = 0
  dhcp_lease_time = 31536000
  tap_sleep = 0
  dhcp_options = DISABLED
  dhcp_renew = DISABLED
  dhcp_pre_release = DISABLED
  domain = '[UNDEF]'
  netbios_scope = '[UNDEF]'
  netbios_node_type = 0
  disable_nbt = DISABLED
OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
PKCS#11: pkcs11_initialize - entered
PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
PKCS#11: pkcs11_addProvider - entered - provider='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', private_mode=00000000
PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
PKCS#11: pkcs11h_addProvider entry version='1.22', pid=0, reference='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', provider_location='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
PKCS#11: Adding provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'-'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
PKCS#11: pkcs11h_addProvider Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' manufacturerID 'OpenSC Project'
PKCS#11: _pkcs11h_slotevent_notify entry
PKCS#11: _pkcs11h_slotevent_notify return
PKCS#11: Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' added rv=0-'CKR_OK'
PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
PKCS#11: pkcs11_addProvider - return rv=0-'CKR_OK'
WE_INIT maxevents=4 flags=0x00000002
WE_INIT maxevents=4 capacity=8
PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=000000000070F7C0, pkcs11_id_management=0, pkcs11_id='pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=000000000070E960, sz='pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=000000000070C900
PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=000000000264CAA0
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=000000000264CAA0
PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=000000000264CED0
PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=000000000264CAA0
PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=000000000264CED0
PKCS#11: pkcs11h_token_freeTokenId return
PKCS#11: pkcs11h_certificate_freeCertificateId return
PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
PKCS#11: tls_ctx_use_pkcs11 - return ok=0, rv=19
Cannot load certificate "pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01" using PKCS#11 interface
Error: private key password verification failed
Exiting due to fatal error

Change History (5)

comment:1 Changed 12 months ago by mclei

I am facing this bug in both 2.4.5 and 2.4.6 with Yubikey and ePass2003. Is there any chance to get this fixed? I can sponsor a Yubikey token to the community.

A similar problem also exists on Linux, where the special characters need to be escaped manually.

comment:2 Changed 11 months ago by DARDORO

OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019

I'm facing the same problem with ePass2003 and OpenVPN 2.4.7@Win10 Official Build. Token id from 2.3.5:

pkcs11-id 'EnterSafe/ePass2003/2151121602011403/ePass2003/89ECCFA6FCBA3B4C869C86584703D5DE32DA46FE'

Now it's serialized as (intended to be RFC compliant)

pkcs11-id 'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=%89%ec%cf%a6%fc%ba%3bL%86%9c%86XG%03%d5%de2%daF%fe'

OpenVPN refuses to run with the message "Cannot deserialize id 19-CKR_ATTRIBUTE_VALUE_INVALID".
I tried other possible forms of the id with the same result (actually error). Only the "old" format works with 2.4.7.

'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=%89%EC%CF%A6%FC%BA%3B%4C%86%9C%86%58%47%03%D5%DE%32%DA%46%FE'
'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=89ECCFA6FCBA3B4C869C86584703D5DE32DA46FE'


A custom Win10/MSVC build from the "openvpn-build" repository ("master" branch) generates the "old", non-RFC-compliant id, which works as expected.
I'm afraid that the problem with the official version arose from the patch pkcs11-helper-001-RFC7512.patch.

Last edited 11 months ago by DARDORO

comment:3 Changed 10 months ago by leiocalyx

Encountered this bug as well using a yubikey.

Thanks to the comment above mine, I was able to reconstruct the pkcs11-id that works:

So, instead of the token provided by --show-pkcs11-ids

pkcs11:model=PKCS%2315%20emulated;token=testauth;manufacturer=piv_II;serial=935a6db294ffdce9;id=%04

This one works

piv_II/PKCS\x2315\x20emulated/935a6db294ffdce9/testauth/04

Mainly posting this as a "this affects me as well" oh and maybe I'll get email notifications.
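Comments 2 and 3 together describe the workaround in enough detail to automate it: take the RFC 7512 `pkcs11:` URI that `--show-pkcs11-ids` prints, percent-decode its path attributes, and re-serialize them in the legacy pkcs11-helper layout `manufacturer/model/serial/token/<CKA_ID as hex>`, with `\xHH` escapes in the string fields. The converter below is an added example written for this ticket; it is not OpenVPN or pkcs11-helper code. The field order and the hex id come from the two pairs posted above. The set of characters left unescaped (letters, digits, `_`, `.`, `-`) is an assumption that reproduces the `\x23` and `\x20` escapes in comment 3; pkcs11-helper's own rule may escape more characters than this.

```python
"""Convert an RFC 7512 PKCS#11 URI (as printed by OpenVPN 2.4.x --show-pkcs11-ids)
into the legacy pkcs11-helper serialized id that the 2.4.x client still accepts.

Added example for this ticket, not code from OpenVPN or pkcs11-helper.
"""

import string

# Legacy layout as shown in comment:2 and comment:3:
#   manufacturer/model/serial/token/<CKA_ID bytes as upper-case hex>
LEGACY_FIELD_ORDER = ("manufacturer", "model", "serial", "token")

# Assumption: characters left literal in the legacy string fields. The examples
# on the page escape '#' and ' ' as \x23 and \x20 and leave letters, digits and
# '_' alone; everything outside this set is written as \xHH here.
LEGACY_SAFE = frozenset(string.ascii_letters + string.digits + "_.-")


def percent_decode(text):
    """Decode RFC 3986 percent-escapes into raw bytes.

    Unescaped characters are taken as their own bytes, which is why 'XG'
    inside the ePass2003 id in comment:2 stands for 0x58 0x47.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            hexpair = text[i + 1:i + 3]
            if len(hexpair) != 2 or not all(c in string.hexdigits for c in hexpair):
                raise ValueError(f"bad percent-escape at offset {i} in {text!r}")
            out.append(int(hexpair, 16))
            i += 3
        else:
            out.extend(text[i].encode("utf-8"))
            i += 1
    return bytes(out)


def parse_pkcs11_uri(uri):
    """Split 'pkcs11:k=v;k=v[?query]' into a dict of decoded path attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # query attributes are not needed
    attrs = {}
    for component in path.split(";"):
        if not component:
            continue
        key, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"malformed path attribute {component!r}")
        if key in attrs:
            raise ValueError(f"duplicate path attribute {key!r}")
        attrs[key] = percent_decode(value)
    return attrs


def legacy_escape(raw):
    """Escape a decoded string field as \\xHH the way the legacy ids on the page do."""
    return "".join(chr(b) if chr(b) in LEGACY_SAFE else "\\x%02x" % b for b in raw)


def uri_to_legacy_id(uri):
    """Build the legacy pkcs11-helper id from an RFC 7512 URI."""
    attrs = parse_pkcs11_uri(uri)
    missing = [k for k in LEGACY_FIELD_ORDER + ("id",) if k not in attrs]
    if missing:
        raise ValueError(f"URI lacks attributes needed for the legacy id: {missing}")
    fields = [legacy_escape(attrs[k]) for k in LEGACY_FIELD_ORDER]
    fields.append(attrs["id"].hex().upper())
    return "/".join(fields)


if __name__ == "__main__":
    # Both URIs are the ones posted in comment:2 and comment:3 of this ticket.
    for uri in (
        "pkcs11:model=PKCS%2315%20emulated;token=testauth;manufacturer=piv_II;"
        "serial=935a6db294ffdce9;id=%04",
        "pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;"
        "serial=2151121602011403;id=%89%ec%cf%a6%fc%ba%3bL%86%9c%86XG%03%d5%de2%daF%fe",
    ):
        print(f"pkcs11-id '{uri_to_legacy_id(uri)}'")
```

Run it and paste the printed `pkcs11-id` line into the client config in place of the URI form. Because the legacy id is a plain token match, the same string should be tried on a single client first; a mismatch produces the same "Cannot load certificate" failure as the URI form, not a silent fallback.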

comment:4 Changed 6 months ago by ChrisTG74

Are you aware that this bug affects ANY newly created IDs? All IDs created with OpenVPN newer than 2.4.3 can't be used in a client config since the OpenVPN client obviously can't read its own new format.

I had to revert to v2.4.3 to be able to create working serialized ids again. This should not be the only working solution IMHO.

Last edited 6 months ago by ChrisTG74

comment:5 Changed 7 weeks ago by tincantech

CC - and poking the devs
