Opened 4 years ago

Closed 4 years ago

#1249 closed Bug / Defect (fixed-external)

PKCS#11 (OpenSC) not working with OpenVPN on Mac OS X

Reported by: squeezy Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.4.6 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Hi,

I'm trying to use my YubiKey 5C to connect to an OpenVPN server.

The certificate was created on the YubiKey (CSR) using the "YubiKey PIV Manager" and signed by the CA used to sign the OpenVPN server's certificate.
Trying to connect always results in an error when the OpenVPN client asks for the PIN to unlock the certificate storage on the YubiKey (slot 9a).

I used the OpenSC tools to get the serialized ID of the imported certificate. As VPN client, I use Viscosity.
The OpenVPN server, version 2.4.6, is hosted on pfSense version 2.4.4. User authentication is done with an OpenLDAP server (works well).

The following is the error message I get when I enter the PIN that is asked for after the username & password:

2020-02-04 11:52:08: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
2020-02-04 11:52:08: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2020-02-04 11:52:08: TLS_ERROR: BIO read tls_read_plaintext error
2020-02-04 11:52:08: TLS Error: TLS object -> incoming plaintext read error
2020-02-04 11:52:08: TLS Error: TLS handshake failed
2020-02-04 11:52:08: TCP/UDP: Closing socket

The client configuration file uses these options:

  • pkcs11-providers /Library/OpenSC/lib/opensc-pkcs11.so
  • pkcs11-id 'piv_II/PKCS\x2315\x20emulated/fe58401dfe2196c3/token_name/01'

Is there a bug with PKCS#11?

Does anyone have an idea or a solution, please?

Thanks for reading,
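
As an added example (not part of this ticket, and not OpenVPN's or pkcs11-helper's own code), the following Python decodes the serialized `pkcs11-id` string from the configuration above into its five fields (manufacturer / model / serial / label / CKA_ID in hex) and re-encodes it, which is a quick way to confirm that the ID really points at the intended PIV key before blaming the signing path. Two things in it are assumptions: the set of characters that pkcs11-helper escapes as `\xHH` (recalled from its serialization code; the decoder does not depend on it, only the re-encoder does) and the OpenSC PIV slot-to-CKA_ID table. The authoritative string always comes from the token itself via `openvpn --show-pkcs11-ids /Library/OpenSC/lib/opensc-pkcs11.so`.

```python
"""Decode / re-encode a pkcs11-helper serialized object ID as used by
OpenVPN's --pkcs11-id option.

Added example, not code from the ticket or from OpenVPN/pkcs11-helper.
The serialization is five '/'-separated fields; bytes that are not
"safe" are escaped as \\xHH, which is why the OpenSC PIV token's model
"PKCS#15 emulated" shows up as "PKCS\\x2315\\x20emulated".
"""
import re

FIELDS = ("manufacturer", "model", "serial", "label", "id")

# Assumption: characters pkcs11-helper escapes in addition to '\\' and to
# anything that is not a printable ASCII graph character.
INVALID_CHARS = set("\\/\"'%&#@!?$* <>{}[]()`|")

# Assumption: CKA_ID values OpenSC's PIV driver assigns to the four PIV key
# slots. Confirm against `pkcs11-tool --module <opensc-pkcs11.so> --list-objects`.
PIV_SLOT_TO_CKA_ID = {"9a": "01", "9c": "02", "9d": "03", "9e": "04"}

# The string from the ticket's client configuration (constructed input).
TICKET_ID = r"piv_II/PKCS\x2315\x20emulated/fe58401dfe2196c3/token_name/01"

_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape(field: str) -> str:
    """Replace every \\xHH escape by the byte it encodes, then UTF-8 decode."""
    raw = bytearray()
    pos = 0
    for m in _ESC.finditer(field):
        raw += field[pos:m.start()].encode("utf-8")
        raw.append(int(m.group(1), 16))
        pos = m.end()
    raw += field[pos:].encode("utf-8")
    return raw.decode("utf-8", errors="replace")


def escape(field: str) -> str:
    """Inverse of unescape(): escape backslash, INVALID_CHARS and non-graph bytes."""
    out = []
    for b in field.encode("utf-8"):
        c = chr(b)
        if b < 0x21 or b > 0x7E or c in INVALID_CHARS:
            out.append(f"\\x{b:02x}")
        else:
            out.append(c)
    return "".join(out)


def parse_pkcs11_id(serialized: str) -> dict:
    """Split a serialized ID into its named fields; CKA_ID is also given as bytes."""
    parts = serialized.split("/")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} '/'-separated fields, got {len(parts)}")
    fields = dict(zip(FIELDS, (unescape(p) for p in parts)))
    fields["id_bytes"] = bytes.fromhex(fields["id"])  # CKA_ID is hex-encoded
    return fields


def serialize_pkcs11_id(fields: dict) -> str:
    """Rebuild the serialized form from the named fields (round-trips parse_pkcs11_id)."""
    return "/".join(escape(fields[k]) for k in FIELDS)


def id_matches_piv_slot(serialized: str, slot: str) -> bool:
    """True if the CKA_ID in the serialized string is the one OpenSC uses for `slot`."""
    return parse_pkcs11_id(serialized)["id"].lower() == PIV_SLOT_TO_CKA_ID[slot.lower()]


if __name__ == "__main__":
    decoded = parse_pkcs11_id(TICKET_ID)
    for name in FIELDS:
        print(f"{name:13s} {decoded[name]!r}")
    print("round-trips  ", serialize_pkcs11_id(decoded) == TICKET_ID)
    print("is PIV 9a key", id_matches_piv_slot(TICKET_ID, "9a"))
```

Decoding the ticket's string gives model "PKCS#15 emulated" and CKA_ID 01, which under the assumed OpenSC mapping is the PIV Authentication key in slot 9a, so the ID itself is consistent with the slot the reporter describes; a mismatch here (for example an ID of 02 after re-keying the token, or a serial from a different YubiKey) would produce a handle error before any signature is attempted.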

Change History (5)

comment:1 Changed 4 years ago by squeezy

Edit with verb 9:

2020-02-04 14:03:47: PKCS#11: Performing signature
2020-02-04 14:03:47: PKCS#11: Getting key attributes
2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:01: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:01: PKCS#11: Key attributes loaded (0000000f)
2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
2020-02-04 14:04:01: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:13: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:13: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
2020-02-04 14:04:13: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2020-02-04 14:04:13: TLS_ERROR: BIO read tls_read_plaintext error
2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
2020-02-04 14:04:13: TLS Error: TLS handshake failed
2020-02-04 14:04:13: TCP/UDP: Closing socket

comment:2 Changed 4 years ago by Selva Nair

This is a client-side error, nothing to do with the server version 2.4.6 that you listed in the bug report. As you are using the Viscosity client, which ships with a custom build of OpenVPN, you will have to contact them to resolve this.

Likely related to https://sourceforge.net/p/openvpn/mailman/openvpn-devel/thread/63b81ed6-dce7-94b8-0dd5-8864a8314ec6%40nikhef.nl/#msg36636383. If so, the fix is in pkcs11-helper.

comment:3 Changed 4 years ago by squeezy

Hi,

Thank you for your answer.

I have contacted Viscosity support and am waiting for their reply.
I have tested with the OpenVPN client on Windows and got the same error, and the same thing on Ubuntu. It's not a problem with the OS or with which client is used.

I don't understand how to fix pkcs11-helper. Could you help me, please?

comment:4 Changed 4 years ago by squeezy

Hi,
I figured it out. Thank you for your help.
Could an administrator mark this as resolved, please?
Kind regards

comment:5 Changed 4 years ago by Selva Nair

Resolution: fixed-external
Status: new → closed