Opened 6 years ago

Closed 22 months ago

Last modified 22 months ago

#1075 closed Bug / Defect (wontfix)

PKCS#11 (OpenSC) not working with OpenVPN on windows 10

Reported by: Tobi Owned by: Samuli Seppänen
Priority: major Milestone: release 2.5.3
Component: Generic / unclassified Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: opensc pkcs#11 yubikey
Cc:

Description

OS: Windows 10 (1803)
OpenVPN: 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
OpenSC: 0.18.0

Hi,
I'm trying to use my yubikey to connect to an openvpn server.
The certificate was created on the Yubikey using the "Yubikey PIV Manager".
The certificate is working fine with Firefox using the pkcs11 adapter from opensc.

Trying to connect always results in an error when the openvpn client tries to parse the pkcs11-id option:

The tutorial from https://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11
seems a little outdated, as some cmdline options are no longer available, but the id can still be determined using:

C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=MYNAME
       Serial:         ABCDEF01234567890ABCDEF012345678
       Serialized id:  pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01

test.ovpn:

...
pkcs11-providers "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
...

For some reason openvpn does not not like this id or format?

Complete log with 'verb 10':

C:\Program Files\OpenVPN\bin>openvpn --config C:\test.ovpn
Current Parameter Settings:
  config = 'C:\test.ovpn'
  mode = 0
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 0
Connection profiles [0]:
  proto = udp
  local = '[UNDEF]'
  local_port = '[UNDEF]'
  remote = 'PRIVATE'
  remote_port = '1194'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = DISABLED
  bind_ipv6_only = DISABLED
  connect_retry_seconds = 5
  connect_timeout = 120
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
Connection profiles END
  remote_random = DISABLED
  ipchange = '[UNDEF]'
  dev = 'tun'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 1
  ifconfig_local = '[UNDEF]'
  ifconfig_remote_netmask = '[UNDEF]'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 0
  keepalive_timeout = 0
  inactivity_timeout = 0
  ping_send_timeout = 0
  ping_rec_timeout = 0
  ping_rec_timeout_action = 0
  ping_timer_remote = DISABLED
  remap_sigusr1 = 0
  persist_tun = DISABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = DISABLED
  passtos = DISABLED
  resolve_retry_seconds = 1000000000
  resolve_in_advance = DISABLED
  username = '[UNDEF]'
  groupname = '[UNDEF]'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '[UNDEF]'
  down_script = '[UNDEF]'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = DISABLED
  suppress_timestamps = DISABLED
  machine_readable_output = DISABLED
  nice = 0
  verbosity = 10
  mute = 0
  gremlin = 0
  status_file = '[UNDEF]'
  status_file_version = 1
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 0
  sndbuf = 0
  sockflags = 0
  fast_io = DISABLED
  comp.alg = 4
  comp.flags = 4
  route_script = '[UNDEF]'
  route_default_gateway = '[UNDEF]'
  route_default_metric = 0
  route_noexec = DISABLED
  route_delay = 5
  route_delay_window = 30
  route_delay_defined = ENABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  allow_pull_fqdn = DISABLED
  management_addr = '[UNDEF]'
  management_port = '[UNDEF]'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 0
  shared_secret_file = '[UNDEF]'
  key_direction = 1
  ciphername = 'AES-128-CBC'
  ncp_enabled = ENABLED
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
  authname = 'SHA256'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = ENABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  use_iv = ENABLED
  test_crypto = DISABLED
  tls_server = DISABLED
  tls_client = ENABLED
  key_method = 2
  ca_file = '[[INLINE]]'
  ca_path = '[UNDEF]'
  dh_file = '[UNDEF]'
  cert_file = '[UNDEF]'
  extra_certs_file = '[UNDEF]'
  priv_key_file = '[UNDEF]'
  pkcs12_file = '[UNDEF]'
  cryptoapi_cert = '[UNDEF]'
  cipher_list = '[UNDEF]'
  tls_cert_profile = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = '[UNDEF]'
  ns_cert_type = 0
  remote_cert_ku[i] = 65535
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = 'TLS Web Server Authentication'
  ssl_flags = 192
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 3600
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_auth_file = '[UNDEF]'
  tls_crypt_file = '[[INLINE]]'
  pkcs11_providers = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = 'pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
  pkcs11_id_management = DISABLED
  server_network = 0.0.0.0
  server_netmask = 0.0.0.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  ifconfig_pool_defined = DISABLED
  ifconfig_pool_start = 0.0.0.0
  ifconfig_pool_end = 0.0.0.0
  ifconfig_pool_netmask = 0.0.0.0
  ifconfig_pool_persist_filename = '[UNDEF]'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '[UNDEF]'
  ccd_exclusive = DISABLED
  tmp_dir = 'C:\Users\ABC~1\AppData\Local\Temp\'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = DISABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 1024
  max_routes_per_client = 256
  auth_user_pass_verify_script = '[UNDEF]'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  client = ENABLED
  pull = ENABLED
  auth_user_pass_file = '[UNDEF]'
  show_net_up = DISABLED
  route_method = 0
  block_outside_dns = DISABLED
  ip_win32_defined = DISABLED
  ip_win32_type = 3
  dhcp_masq_offset = 0
  dhcp_lease_time = 31536000
  tap_sleep = 0
  dhcp_options = DISABLED
  dhcp_renew = DISABLED
  dhcp_pre_release = DISABLED
  domain = '[UNDEF]'
  netbios_scope = '[UNDEF]'
  netbios_node_type = 0
  disable_nbt = DISABLED
OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h  27 Mar 2018, LZO 2.10
PKCS#11: pkcs11_initialize - entered
PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
PKCS#11: pkcs11_addProvider - entered - provider='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', private_mode=00000000
PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
PKCS#11: pkcs11h_addProvider entry version='1.22', pid=0, reference='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', provider_location='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
PKCS#11: Adding provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'-'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
PKCS#11: pkcs11h_addProvider Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' manufacturerID 'OpenSC Project'
PKCS#11: _pkcs11h_slotevent_notify entry
PKCS#11: _pkcs11h_slotevent_notify return
PKCS#11: Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' added rv=0-'CKR_OK'
PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
PKCS#11: pkcs11_addProvider - return rv=0-'CKR_OK'
WE_INIT maxevents=4 flags=0x00000002
WE_INIT maxevents=4 capacity=8
PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=000000000070F7C0, pkcs11_id_management=0, pkcs11_id='pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=000000000070E960, sz='pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=000000000070C900
PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=000000000264CAA0
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=000000000264CAA0
PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=000000000264CED0
PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=000000000264CAA0
PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=000000000264CED0
PKCS#11: pkcs11h_token_freeTokenId return
PKCS#11: pkcs11h_certificate_freeCertificateId return
PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
PKCS#11: tls_ctx_use_pkcs11 - return ok=0, rv=19
Cannot load certificate "pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01" using PKCS#11 interface
Error: private key password verification failed
Exiting due to fatal error

Change History (16)

comment:1 Changed 6 years ago by mclei

I am facing this bug in both 2.4.5 and 2.4.6 with Yubikey and ePass2003. Is there any chance to get this fixed? I can sponsor a Yubikey token to the community.

Similar problem is also on Linux, where the special characters needs to be escaped manually.

comment:2 Changed 6 years ago by DARDORO

I'm facing the same problem with ePass2003 and OpenVPN 2.4.7@Win10 Official Build. Token id from 2.3.5:

pkcs11-id 'EnterSafe/ePass2003/2151121602011403/ePass2003/89ECCFA6FCBA3B4C869C86584703D5DE32DA46FE'

Now it's serialized as (intended to be RFC compliant)

pkcs11-id 'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=%89%ec%cf%a6%fc%ba%3bL%86%9c%86XG%03%d5%de2%daF%fe'

OpenVPN refuses to run with msg Cannot deserialize id 19-CKR_ATTRIBUTE_VALUE_INVALID
I tried other possible forms of id with the same result (actually error). Only "old" format works with 2.4.7.

'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=%89%EC%CF%A6%FC%BA%3B%4C%86%9C%86%58%47%03%D5%DE%32%DA%46%FE'
'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=89ECCFA6FCBA3B4C869C86584703D5DE32DA46FE'


Custom, Win10/MSVC build, from "openvpn-build" repository and "master" branch, generates "old", non RFC compliant, id that works as expected.
I'm afraid, that problem with official version arised from patch: pkcs11-helper-001-RFC7512.patch.

Version 0, edited 6 years ago by DARDORO (next)

comment:3 Changed 5 years ago by leiocalyx

Encountered this bug as well using a yubikey.

Thanks to the comment above mine, I was able to reconstruct the pkcs11-id that works:

So, instead of the token provided by --show-pkcs11-ids

pkcs11:model=PKCS%2315%20emulated;token=testauth;manufacturer=piv_II;serial=935a6db294ffdce9;id=%04

This one works

piv_II/PKCS\x2315\x20emulated/935a6db294ffdce9/testauth/04

Mainly posting this as a "this affects me as well" oh and maybe I'll get email notifications.

comment:4 Changed 5 years ago by ChrisTG74

Are you aware that this bug affects ANY newly created IDs? All IDs created with OpenVPN newer than 2.4.3 can't be used in a client config since the OpenVPN-client obviously can't read it's own new format.

I had to revert to v2.4.3 to be able to create working serialized ids again. This should not be the only working solution IMHO.

Last edited 5 years ago by ChrisTG74 (previous) (diff)

comment:5 Changed 5 years ago by tct

CC - and poking the devs

comment:6 Changed 4 years ago by becm

Some of the described problems (serial=<16-byte value>) may be caused by known bugs in rfc7512 URI handling. A pending update may resolve them in future OpenVPN (Windows) builds.

Unknown error causes:

  • failure for serial=deadbeef0123456 (should not be afected)
  • problems on Linux (libpkcs11-helper.so.1 normally is from an external source).

For inofficial tests of fixed URI handling on Windows:
Replace libpkcs11-helper-1.dll with the one from the respective automatic build.

Last edited 4 years ago by becm (previous) (diff)

comment:7 Changed 4 years ago by dardoro

Windows 10
All versions from https://openvpn.net/community-downloads/
OpenVPN 2.4.9 with newer libpkcs11-helper-1.dll works
OpenVPN 2.5 Beta 3 works out of the box
New ID required with %00 at end.

Last edited 4 years ago by dardoro (previous) (diff)

comment:8 Changed 4 years ago by Gert Döring

Milestone: release 2.4.10
Owner: set to Samuli Seppänen
Status: newassigned

I think this is a fairly compelling argument to upgrade the pkcs11-helper for the next 2.4 installer we build as well - "things start working!" :-)

Assigning to Samuli, for installer building, and I think then the ticket can be closed.

Thanks, @becm, for pushing us.

comment:9 Changed 4 years ago by kwinz

I was able to make this work with OpenVPN 2.5.0 on Win10 amd64.

But the documentation is wrong: It says that for the pkcs11-id you can directly use the output of openvpn --show-pkcs11-ids. But in reality you first have to convert the serialized id via this guide: https://mujadin.se/suse/openvpn/ And that also wasn't sufficient beause it was still missing the proper ID 00 at the end and replace all % with \0. And if you get it wrong you get an error or assertion error.

I sumarized the struggle in this forum thread https://forums.openvpn.net/viewtopic.php?f=22&t=31762
The openvpn --show-pkcs11-ids needs to be changed to directly output the pkcs11-id that can be used. Can we track this effort via this issue or should I open a new one?

Last edited 4 years ago by kwinz (previous) (diff)

comment:10 Changed 4 years ago by Gert Döring

Milestone: release 2.4.10release 2.5.3

So, since this the original issue seems to be fixed for 2.5, and we won't invest much more development work into 2.4.x, bumping the milestone for the remaining issues to 2.5.3

@kwinz: we can track the remaining issue here.

"Someone" needs to submit a patch, though... I know nothing about pkcs11 and ID formats, so I can't do that myself.

comment:11 Changed 3 years ago by Samuli Seppänen

So we're waiting for a documentation patch basically?

comment:12 Changed 3 years ago by ChrisTG74

Actually, IMHO, I'd think of a patch that makes "pkcs11-id" in the *.ovpn-config compatible to the output of "openvpn --show-pkcs11-ids" again.
If so, there is no need to manually convert any strings and/or change the docs.

comment:13 Changed 3 years ago by becm

The change to RFC7512 format is fully support in deserialization.
Problems are/were related to bugs in patch to pkcs11-helper.

With OpenVPN Windows releases v2.5.0 and v2.4.10 those issues (field overflow, zero entry in certID) should be gone.
I can no longer observe the described problematic behaviour.

May get around to share some test code to help identify why these problems still seem to exist for some people.
Interested parties will have to be able to compile *stuff* on Windows (or run my unsigned binaries at their own risk).

comment:14 Changed 22 months ago by Gert Döring

So, how to proceed here? Close due to "no user feedback"?

comment:15 Changed 22 months ago by Gert Döring

Resolution: wontfix
Status: assignedclosed

comment:16 Changed 22 months ago by becm

If there are still issues with handling of pkcs11-id please provide unobfuscated and complete logs with "verb 10" on Github.

From a manually altered log it's likely impossible to determine which (still not handled) parser corner case might have been triggered.

Note: See TracTickets for help on using tickets.