Opened 5 years ago

Last modified 2 years ago

#1215 new Bug / Defect

No PIN prompt for PKCS#11

Reported by: jans Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set Keywords: PKCS#11, smart card
Cc:

Description

I’m trying to use OpenVPN client with my client key stored on a Nitrokey Start (think of it as a smart card) and accessed via PKCS#11. In general it works but entering the PIN is an issue. On Linux (Ubuntu 18.04, SUSE Tumbleweed) as well as on Windows, when starting OpenVPN client it waits for the PIN to be provided but doesn’t prompt the user to enter the PIN. Instead I have to open a separate terminal, telnet into the OpenVPN client and enter the PIN (tried on Linux). This is horrible user experience and I don’t think it’s the desired workflow. From what I read OpenVPN expects systemd to provide the PIN through systemd-ask-pass but systemd doesn’t prompt to enter a PIN. My impression is that systemd-ask-pass’s primary focus is prompting for passwords during boot-time but not during run-time. Therefore I’m wondering if using systemd-ask-pass during run-time is a good idea. Since I face the same issue on Windows (where no systemd is installed, obviously) here the cause must be something else.

Looking at solving this issue I’m wondering:

a) An option for OpenVPN to enforce password prompt even when systemd exists, wouldn’t that make sense? (I couldn’t find such) In any case this is more a workaround instead of a proper solution.

b) What would be the systematic solution to that issue? Since this issue happens on Windows too, I don’t believe pushing this issue down to systemd would be the right approach.

Change History (9)

comment:1 Changed 5 years ago by jans

It seems that this is a duplicate of #538 for the systemd-part and a duplicate of #740 for the Windows-part. Sorry for that.

Last edited 5 years ago by jans

comment:2 Changed 5 years ago by Selva Nair

You have two unrelated issues:
First, your client config seems to have --management-query-passwords which directs openvpn to prompt for passwords and PIN from the management interface. If you want the PIN to be prompted from the command line, remove that option. That will work the way you expect on Windows and, when not using systemd, on Linux.

Second, systemd-pkcs11 interaction is currently "broken" as you noticed from #538. This is very likely fixed by a recent commit (will be available in the next release: 2.4.8) -- see https://patchwork.openvpn.net/patch/686/

#740 is irrelevant unless you are using OpenVPN-GUI on Windows. If you are, the GUI should prompt for the PIN.

Last edited 5 years ago by Selva Nair
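The exchange comment 2 describes, as an added example that is not part of this ticket or of OpenVPN's own code: with --management-query-passwords in the client config, openvpn emits a `>PASSWORD:Need` query on the management channel and blocks until a `password` command comes back. The token name in the sample channel output is constructed from the console prompt quoted later in this ticket, and the socket address is assumed to match whatever `--management` was configured with.

```python
# Added example (not OpenVPN project code): with --management-query-passwords,
# openvpn emits ">PASSWORD:Need '<name>' password" on the management channel
# and blocks until a client replies with: password "<name>" "<secret>"
import re
import socket
from getpass import getpass

NEED_RE = re.compile(
    r"^>PASSWORD:Need '(?P<name>[^']*)' (?P<kind>username/password|password)$")

def parse_password_request(line):
    """Return (name, needs_username) for a '>PASSWORD:Need' line, else None."""
    m = NEED_RE.match(line.strip())
    return None if m is None else (m.group("name"), m.group("kind") != "password")

def quote(value):
    """Double-quote a string for the management channel, escaping \\ and \"."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_replies(name, needs_username, username, secret):
    """Commands answering one query: 'username ...' (only if asked) then 'password ...'."""
    cmds = [f"username {quote(name)} {quote(username or '')}"] if needs_username else []
    cmds.append(f"password {quote(name)} {quote(secret)}")
    return cmds

def answer_channel(lines, credentials):
    """Walk channel output; credentials maps query name -> (username, secret)."""
    out = []
    for line in lines:
        req = parse_password_request(line)
        if req and req[0] in credentials:
            out.extend(build_replies(req[0], req[1], *credentials[req[0]]))
    return out

# Constructed sample of the channel during a PKCS#11 PIN query; the token
# name is taken from the "Enter UserPIN () token Password:" prompt in this ticket.
SAMPLE_CHANNEL = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">PASSWORD:Need 'UserPIN () token' password",
]

def feed_pin_live(host="127.0.0.1", port=7505):
    """Attach to a running 'openvpn --management host port' and answer PIN queries."""
    with socket.create_connection((host, port)) as s, s.makefile("rw") as f:
        for line in f:
            req = parse_password_request(line)
            if req is None or req[1]:
                continue  # not a password-only query; leave it for another client
            pin = getpass(f"PIN for {req[0]}: ")  # ask interactively, never hardcode
            f.write("\n".join(build_replies(req[0], False, None, pin)) + "\n")
            f.flush()
```

Removing --management-query-passwords from the config, as comment 2 suggests, makes this script unnecessary because openvpn then prompts on its own console.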

comment:3 Changed 4 years ago by Gert Döring

so, 2.4.8 is out - @jans: is this still happening?

comment:4 Changed 4 years ago by nfournil

In 2.4.8 from PPA there's PIN code, GREAT!

BUT the signature fails with stock OpenSC (0.14):

{{{
Enter UserPIN () token Password:
Thu May 28 09:47:37 2020 us=174506 PKCS#11: Cannot perform signature 5:'CKR_GENERAL_ERROR'
Thu May 28 09:47:37 2020 us=174617 OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
Thu May 28 09:47:37 2020 us=174632 TLS_ERROR: BIO read tls_read_plaintext error
Thu May 28 09:47:37 2020 us=174644 TLS Error: TLS object -> incoming plaintext read error
Thu May 28 09:47:37 2020 us=174655 TLS Error: TLS handshake failed
Thu May 28 09:47:37 2020 us=174875 Fatal TLS error (check_tls_errors_co), restarting
Thu May 28 09:47:37 2020 us=175045 TCP/UDP: Closing socket
Thu May 28 09:47:37 2020 us=175114 SIGUSR1[soft,tls-error] received, process restarting
Thu May 28 09:47:37 2020 us=175147 Restart pause, 5 second(s)
}}}

It seems a needed function is not present in OpenSC; add a minimum version requirement in the Debian PPA headers to be perfect :-)

comment:5 Changed 4 years ago by Gert Döring

Not sure I can follow. What version of OpenSC is needed? Is that available as debian package?

IOW, who has to do what now?

comment:6 Changed 2 years ago by becm

The PKCS11/OpenSSL error might be related to PSS padding.
Support was added in pkcs11-helper 1.26, newer versions are now shipped in most distros and included with current OpenVPN installers for Windows.

comment:7 Changed 2 years ago by Selva Nair

pkcs11-helper is able to handle PSS only since 1.28 which is not yet released. I say "able to handle" instead of support because the high-level API that we use in OpenVPN does not expose it, and we'll need some non-trivial changes that would be too intrusive for 2.5.

We'll support it in OpenVPN-2.6 once pkcs11-helper-1.28 is released.

Last edited 2 years ago by Selva Nair

comment:8 Changed 2 years ago by Gert Döring

Now I am confused. Lev sent a patch to the list 3 days ago bumping vcpkg for pkcs11-helper to 1.28... is that a different 1.28?

comment:9 in reply to: 8 Changed 2 years ago by Selva Nair

Replying to Gert Döring:

Now I am confused. Lev sent a patch to the list 3 days ago bumping vcpkg for pkcs11-helper to 1.28... is that a different 1.28?

My bad -- it seems I'm running 14 days late. 1.28 was indeed released 2 weeks ago. I'll update my comment above.
