#1075 closed Bug / Defect (wontfix)
PKCS#11 (OpenSC) not working with OpenVPN on windows 10
Reported by: | Tobi | Owned by: | Samuli Seppänen |
---|---|---|---|
Priority: | major | Milestone: | release 2.5.3 |
Component: | Generic / unclassified | Version: | OpenVPN 2.4.6 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | opensc pkcs#11 yubikey |
Cc: |
Description
OS: Windows 10 (1803)
OpenVPN: 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
OpenSC: 0.18.0
Hi,
I'm trying to use my yubikey to connect to an openvpn server.
The certificate was created on the Yubikey using the "Yubikey PIV Manager".
The certificate is working fine with Firefox using the pkcs11 adapter from opensc.
Trying to connect always results in an error when the openvpn client tries to parse the pkcs11-id option:
The tutorial from https://openvpn.net/index.php/open-source/documentation/howto.html#pkcs11
seems a little outdated, as some cmdline options are no longer available, but the id can still be determined using:
C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Certificate
  DN: CN=MYNAME
  Serial: ABCDEF01234567890ABCDEF012345678
  Serialized id: pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01
test.ovpn:
...
pkcs11-providers "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
...
For some reason openvpn does not like this id or format?
Complete log with 'verb 10':
C:\Program Files\OpenVPN\bin>openvpn --config C:\test.ovpn
Current Parameter Settings:
  config = 'C:\test.ovpn'
  mode = 0
  show_ciphers = DISABLED
  show_digests = DISABLED
  show_engines = DISABLED
  genkey = DISABLED
  key_pass_file = '[UNDEF]'
  show_tls_ciphers = DISABLED
  connect_retry_max = 0
Connection profiles [0]:
  proto = udp
  local = '[UNDEF]'
  local_port = '[UNDEF]'
  remote = 'PRIVATE'
  remote_port = '1194'
  remote_float = DISABLED
  bind_defined = DISABLED
  bind_local = DISABLED
  bind_ipv6_only = DISABLED
  connect_retry_seconds = 5
  connect_timeout = 120
  socks_proxy_server = '[UNDEF]'
  socks_proxy_port = '[UNDEF]'
  tun_mtu = 1500
  tun_mtu_defined = ENABLED
  link_mtu = 1500
  link_mtu_defined = DISABLED
  tun_mtu_extra = 0
  tun_mtu_extra_defined = DISABLED
  mtu_discover_type = -1
  fragment = 0
  mssfix = 1450
  explicit_exit_notification = 0
Connection profiles END
  remote_random = DISABLED
  ipchange = '[UNDEF]'
  dev = 'tun'
  dev_type = '[UNDEF]'
  dev_node = '[UNDEF]'
  lladdr = '[UNDEF]'
  topology = 1
  ifconfig_local = '[UNDEF]'
  ifconfig_remote_netmask = '[UNDEF]'
  ifconfig_noexec = DISABLED
  ifconfig_nowarn = DISABLED
  ifconfig_ipv6_local = '[UNDEF]'
  ifconfig_ipv6_netbits = 0
  ifconfig_ipv6_remote = '[UNDEF]'
  shaper = 0
  mtu_test = 0
  mlock = DISABLED
  keepalive_ping = 0
  keepalive_timeout = 0
  inactivity_timeout = 0
  ping_send_timeout = 0
  ping_rec_timeout = 0
  ping_rec_timeout_action = 0
  ping_timer_remote = DISABLED
  remap_sigusr1 = 0
  persist_tun = DISABLED
  persist_local_ip = DISABLED
  persist_remote_ip = DISABLED
  persist_key = DISABLED
  passtos = DISABLED
  resolve_retry_seconds = 1000000000
  resolve_in_advance = DISABLED
  username = '[UNDEF]'
  groupname = '[UNDEF]'
  chroot_dir = '[UNDEF]'
  cd_dir = '[UNDEF]'
  writepid = '[UNDEF]'
  up_script = '[UNDEF]'
  down_script = '[UNDEF]'
  down_pre = DISABLED
  up_restart = DISABLED
  up_delay = DISABLED
  daemon = DISABLED
  inetd = 0
  log = DISABLED
  suppress_timestamps = DISABLED
  machine_readable_output = DISABLED
  nice = 0
  verbosity = 10
  mute = 0
  gremlin = 0
  status_file = '[UNDEF]'
  status_file_version = 1
  status_file_update_freq = 60
  occ = ENABLED
  rcvbuf = 0
  sndbuf = 0
  sockflags = 0
  fast_io = DISABLED
  comp.alg = 4
  comp.flags = 4
  route_script = '[UNDEF]'
  route_default_gateway = '[UNDEF]'
  route_default_metric = 0
  route_noexec = DISABLED
  route_delay = 5
  route_delay_window = 30
  route_delay_defined = ENABLED
  route_nopull = DISABLED
  route_gateway_via_dhcp = DISABLED
  allow_pull_fqdn = DISABLED
  management_addr = '[UNDEF]'
  management_port = '[UNDEF]'
  management_user_pass = '[UNDEF]'
  management_log_history_cache = 250
  management_echo_buffer_size = 100
  management_write_peer_info_file = '[UNDEF]'
  management_client_user = '[UNDEF]'
  management_client_group = '[UNDEF]'
  management_flags = 0
  shared_secret_file = '[UNDEF]'
  key_direction = 1
  ciphername = 'AES-128-CBC'
  ncp_enabled = ENABLED
  ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
  authname = 'SHA256'
  prng_hash = 'SHA1'
  prng_nonce_secret_len = 16
  keysize = 0
  engine = DISABLED
  replay = ENABLED
  mute_replay_warnings = ENABLED
  replay_window = 64
  replay_time = 15
  packet_id_file = '[UNDEF]'
  use_iv = ENABLED
  test_crypto = DISABLED
  tls_server = DISABLED
  tls_client = ENABLED
  key_method = 2
  ca_file = '[[INLINE]]'
  ca_path = '[UNDEF]'
  dh_file = '[UNDEF]'
  cert_file = '[UNDEF]'
  extra_certs_file = '[UNDEF]'
  priv_key_file = '[UNDEF]'
  pkcs12_file = '[UNDEF]'
  cryptoapi_cert = '[UNDEF]'
  cipher_list = '[UNDEF]'
  tls_cert_profile = '[UNDEF]'
  tls_verify = '[UNDEF]'
  tls_export_cert = '[UNDEF]'
  verify_x509_type = 0
  verify_x509_name = '[UNDEF]'
  crl_file = '[UNDEF]'
  ns_cert_type = 0
  remote_cert_ku[i] = 65535
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_ku[i] = 0
  remote_cert_eku = 'TLS Web Server Authentication'
  ssl_flags = 192
  tls_timeout = 2
  renegotiate_bytes = -1
  renegotiate_packets = 0
  renegotiate_seconds = 3600
  handshake_window = 60
  transition_window = 3600
  single_session = DISABLED
  push_peer_info = DISABLED
  tls_exit = DISABLED
  tls_auth_file = '[UNDEF]'
  tls_crypt_file = '[[INLINE]]'
  pkcs11_providers = C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_protected_authentication = DISABLED
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_private_mode = 00000000
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_cert_private = DISABLED
  pkcs11_pin_cache_period = -1
  pkcs11_id = 'pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
  pkcs11_id_management = DISABLED
  server_network = 0.0.0.0
  server_netmask = 0.0.0.0
  server_network_ipv6 = ::
  server_netbits_ipv6 = 0
  server_bridge_ip = 0.0.0.0
  server_bridge_netmask = 0.0.0.0
  server_bridge_pool_start = 0.0.0.0
  server_bridge_pool_end = 0.0.0.0
  ifconfig_pool_defined = DISABLED
  ifconfig_pool_start = 0.0.0.0
  ifconfig_pool_end = 0.0.0.0
  ifconfig_pool_netmask = 0.0.0.0
  ifconfig_pool_persist_filename = '[UNDEF]'
  ifconfig_pool_persist_refresh_freq = 600
  ifconfig_ipv6_pool_defined = DISABLED
  ifconfig_ipv6_pool_base = ::
  ifconfig_ipv6_pool_netbits = 0
  n_bcast_buf = 256
  tcp_queue_limit = 64
  real_hash_size = 256
  virtual_hash_size = 256
  client_connect_script = '[UNDEF]'
  learn_address_script = '[UNDEF]'
  client_disconnect_script = '[UNDEF]'
  client_config_dir = '[UNDEF]'
  ccd_exclusive = DISABLED
  tmp_dir = 'C:\Users\ABC~1\AppData\Local\Temp\'
  push_ifconfig_defined = DISABLED
  push_ifconfig_local = 0.0.0.0
  push_ifconfig_remote_netmask = 0.0.0.0
  push_ifconfig_ipv6_defined = DISABLED
  push_ifconfig_ipv6_local = ::/0
  push_ifconfig_ipv6_remote = ::
  enable_c2c = DISABLED
  duplicate_cn = DISABLED
  cf_max = 0
  cf_per = 0
  max_clients = 1024
  max_routes_per_client = 256
  auth_user_pass_verify_script = '[UNDEF]'
  auth_user_pass_verify_script_via_file = DISABLED
  auth_token_generate = DISABLED
  auth_token_lifetime = 0
  client = ENABLED
  pull = ENABLED
  auth_user_pass_file = '[UNDEF]'
  show_net_up = DISABLED
  route_method = 0
  block_outside_dns = DISABLED
  ip_win32_defined = DISABLED
  ip_win32_type = 3
  dhcp_masq_offset = 0
  dhcp_lease_time = 31536000
  tap_sleep = 0
  dhcp_options = DISABLED
  dhcp_renew = DISABLED
  dhcp_pre_release = DISABLED
  domain = '[UNDEF]'
  netbios_scope = '[UNDEF]'
  netbios_node_type = 0
  disable_nbt = DISABLED
OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Windows version 6.2 (Windows 8 or greater) 64bit
library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
PKCS#11: pkcs11_initialize - entered
PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
PKCS#11: pkcs11_addProvider - entered - provider='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', private_mode=00000000
PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
PKCS#11: pkcs11h_addProvider entry version='1.22', pid=0, reference='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', provider_location='C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
PKCS#11: Adding provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'-'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
PKCS#11: pkcs11h_addProvider Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' manufacturerID 'OpenSC Project'
PKCS#11: _pkcs11h_slotevent_notify entry
PKCS#11: _pkcs11h_slotevent_notify return
PKCS#11: Provider 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll' added rv=0-'CKR_OK'
PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
PKCS#11: pkcs11_addProvider - return rv=0-'CKR_OK'
WE_INIT maxevents=4 flags=0x00000002
WE_INIT maxevents=4 capacity=8
PKCS#11: tls_ctx_use_pkcs11 - entered - ssl_ctx=000000000070F7C0, pkcs11_id_management=0, pkcs11_id='pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
PKCS#11: pkcs11h_certificate_deserializeCertificateId entry p_certificate_id=000000000070E960, sz='pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01'
PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=000000000070C900
PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=000000000264CAA0
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=000000000264CAA0
PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=000000000264CED0
PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=000000000264CAA0
PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=000000000264CED0
PKCS#11: pkcs11h_token_freeTokenId return
PKCS#11: pkcs11h_certificate_freeCertificateId return
PKCS#11: pkcs11h_certificate_deserializeCertificateId return rv=19-'CKR_ATTRIBUTE_VALUE_INVALID'
PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
PKCS#11: tls_ctx_use_pkcs11 - return ok=0, rv=19
Cannot load certificate "pkcs11:model=PKCS%2315%20emulated;token=MYNAME;manufacturer=piv_II;serial=deadbeef0123456;id=%01" using PKCS#11 interface
Error: private key password verification failed
Exiting due to fatal error
Change History (16)
comment:1 Changed 6 years ago by
comment:2 Changed 5 years ago by
OpenVPN 2.4.7 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Feb 21 2019
I'm facing the same problem with ePass2003 and OpenVPN 2.4.7@Win10 Official Build. Token id from 2.3.5:
pkcs11-id 'EnterSafe/ePass2003/2151121602011403/ePass2003/89ECCFA6FCBA3B4C869C86584703D5DE32DA46FE'
Now it's serialized as (intended to be RFC compliant)
pkcs11-id 'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=%89%ec%cf%a6%fc%ba%3bL%86%9c%86XG%03%d5%de2%daF%fe'
OpenVPN refuses to run with msg Cannot deserialize id 19-CKR_ATTRIBUTE_VALUE_INVALID
I tried other possible forms of id with the same result (actually error). Only "old" format works with 2.4.7.
'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=%89%EC%CF%A6%FC%BA%3B%4C%86%9C%86%58%47%03%D5%DE%32%DA%46%FE'
'pkcs11:model=ePass2003;token=ePass2003;manufacturer=EnterSafe;serial=2151121602011403;id=89ECCFA6FCBA3B4C869C86584703D5DE32DA46FE'
Custom, Win10/MSVC build, from "openvpn-build" repository and "master" branch, generates "old", non RFC compliant, id that works as expected.
I'm afraid that the problem with the official version arose from patch: pkcs11-helper-001-RFC7512.patch.
comment:3 Changed 5 years ago by
Encountered this bug as well using a yubikey.
Thanks to the comment above mine, I was able to reconstruct the pkcs11-id that works:
So, instead of the token provided by --show-pkcs11-ids
pkcs11:model=PKCS%2315%20emulated;token=testauth;manufacturer=piv_II;serial=935a6db294ffdce9;id=%04
This one works
piv_II/PKCS\x2315\x20emulated/935a6db294ffdce9/testauth/04
Mainly posting this as a "this affects me as well" oh and maybe I'll get email notifications.
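Added example, not part of the ticket and not OpenVPN or pkcs11-helper code: the hand conversion described in comments 2 and 3, from the RFC 7512 URI printed by --show-pkcs11-ids to the older slash-separated id, written out in Python. The field order is taken from the two id pairs quoted in those comments; the function names, the set of characters left unescaped and the lower-case hex in \x escapes are assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Field order of the older id, as seen in comments 2 and 3:
# manufacturer/model/serial/token-label/hex(id)
LEGACY_ORDER = ("manufacturer", "model", "serial", "token")


def parse_pkcs11_uri(uri: str) -> dict:
    """Split the path part of an RFC 7512 URI into percent-decoded byte values."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # ignore query attributes
    attrs = {}
    for part in filter(None, path.split(";")):
        name, sep, value = part.partition("=")
        if not sep or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        if re.search(r"%(?![0-9A-Fa-f]{2})", value):
            raise ValueError(f"bad percent-escape in {name!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs


def escape_legacy(raw: bytes) -> str:
    """Escape one field for the older id. Assumption: only [A-Za-z0-9_.-] stay
    literal and every other byte becomes \\xHH, which reproduces the '#' and
    ' ' escapes shown in comment 3."""
    return "".join(
        chr(b) if re.fullmatch(rb"[A-Za-z0-9_.-]", bytes([b])) else f"\\x{b:02x}"
        for b in raw
    )


def uri_to_legacy_id(uri: str) -> str:
    """Build manufacturer/model/serial/label/HEXID from an RFC 7512 URI."""
    attrs = parse_pkcs11_uri(uri)
    missing = [k for k in (*LEGACY_ORDER, "id") if k not in attrs]
    if missing:
        raise ValueError(f"URI lacks attributes: {missing}")
    fields = [escape_legacy(attrs[k]) for k in LEGACY_ORDER]
    fields.append(attrs["id"].hex().upper())  # id is raw bytes, written as hex
    return "/".join(fields)


if __name__ == "__main__":
    # URI quoted in comment 3 of this ticket
    print(uri_to_legacy_id(
        "pkcs11:model=PKCS%2315%20emulated;token=testauth;"
        "manufacturer=piv_II;serial=935a6db294ffdce9;id=%04"))
```

Comment 13 reports that the Windows releases v2.5.0 and v2.4.10 should accept the RFC 7512 form directly, so this conversion only concerns the builds the earlier comments describe.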
comment:4 Changed 5 years ago by
Are you aware that this bug affects ANY newly created IDs? All IDs created with OpenVPN newer than 2.4.3 can't be used in a client config since the OpenVPN-client obviously can't read its own new format.
I had to revert to v2.4.3 to be able to create working serialized ids again. This should not be the only working solution IMHO.
comment:6 Changed 4 years ago by
Some of the described problems (serial=<16-byte value>) may be caused by known bugs in rfc7512 URI handling. A pending update may resolve them in future OpenVPN (Windows) builds.
Unknown error causes:
- failure for serial=deadbeef0123456 (should not be affected)
- problems on Linux (libpkcs11-helper.so.1 normally is from an external source).
For unofficial tests of fixed URI handling on Windows:
Replace libpkcs11-helper-1.dll with the one from the respective automatic build.
comment:7 Changed 4 years ago by
Windows 10
All versions from https://openvpn.net/community-downloads/
OpenVPN 2.4.9 with newer libpkcs11-helper-1.dll works
OpenVPN 2.5 Beta 3 works out of the box
New ID required with %00 at end.
comment:8 Changed 4 years ago by
Milestone: | → release 2.4.10 |
---|---|
Owner: | set to Samuli Seppänen |
Status: | new → assigned |
I think this is a fairly compelling argument to upgrade the pkcs11-helper for the next 2.4 installer we build as well - "things start working!" :-)
Assigning to Samuli, for installer building, and I think then the ticket can be closed.
Thanks, @becm, for pushing us.
comment:9 Changed 4 years ago by
I was able to make this work with OpenVPN 2.5.0 on Win10 amd64.
But the documentation is wrong: It says that for the pkcs11-id you can directly use the output of openvpn --show-pkcs11-ids. But in reality you first have to convert the serialized id via this guide: https://mujadin.se/suse/openvpn/ And that also wasn't sufficient because it was still missing the proper ID 00 at the end and replace all % with \0. And if you get it wrong you get an error or assertion error.
I summarized the struggle in this forum thread https://forums.openvpn.net/viewtopic.php?f=22&t=31762
The openvpn --show-pkcs11-ids needs to be changed to directly output the pkcs11-id that can be used. Can we track this effort via this issue or should I open a new one?
comment:10 Changed 3 years ago by
Milestone: | release 2.4.10 → release 2.5.3 |
---|
So, since the original issue seems to be fixed for 2.5, and we won't invest much more development work into 2.4.x, bumping the milestone for the remaining issues to 2.5.3
@kwinz: we can track the remaining issue here.
"Someone" needs to submit a patch, though... I know nothing about pkcs11 and ID formats, so I can't do that myself.
comment:12 Changed 3 years ago by
Actually, IMHO, I'd think of a patch that makes "pkcs11-id" in the *.ovpn-config compatible to the output of "openvpn --show-pkcs11-ids" again.
If so, there is no need to manually convert any strings and/or change the docs.
comment:13 Changed 3 years ago by
The change to RFC7512 format is fully supported in deserialization.
Problems are/were related to bugs in patch to pkcs11-helper.
With OpenVPN Windows releases v2.5.0 and v2.4.10 those issues (field overflow, zero entry in certID) should be gone.
I can no longer observe the described problematic behaviour.
May get around to share some test code to help identify why these problems still seem to exist for some people.
Interested parties will have to be able to compile *stuff* on Windows (or run my unsigned binaries at their own risk).
comment:15 Changed 21 months ago by
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
comment:16 Changed 21 months ago by
If there are still issues with handling of pkcs11-id please provide unobfuscated and complete logs with "verb 10" on Github.
From a manually altered log it's likely impossible to determine which (still not handled) parser corner case might have been triggered.
I am facing this bug in both 2.4.5 and 2.4.6 with Yubikey and ePass2003. Is there any chance to get this fixed? I can sponsor a Yubikey token to the community.
Similar problem is also on Linux, where the special characters need to be escaped manually.