Opened 5 years ago

Last modified 4 years ago

#374 new Bug / Defect

problem reading smart card.

Reported by: dremspider
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.2.1 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: volunteer
Cc:

Description

I have an Athena pkcs11 card that has been written with OpenSC. It works fine to VPN in using viscosity on Windows, but I can't get it to work under Ubuntu to save my life. At this point, I think it is a bug but I could be wrong. When I try to connect it seems like it isn't recognizing that my card is plugged in. Here is what I have:

thinklinux@thinklinux:~/VPN$ openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate

DN: <stuff here>
Serial: 1004
Serialized id: OpenSC\x20Project/PKCS\x2315/0C0A54802107180B/dlohin\x20\x28dlohin\x29/A42A746534A27DEA51418246DABE3F6B111835BB

I copy this information and add it to the config file

pkcs11-providers /usr/lib/libopensc-pkcs11.so
pkcs11-id 'OpenSC\x20Project/PKCS\x2315/0C0A54802107180B/dlohin\x20\x28dlohin\x29/A42A746534A27DEA51418246DABE3F6B111835BB'

When I try to connect:
thinklinux@thinklinux:~/VPN$ openvpn --config lohinlan.ovpn
Sun Feb 16 15:48:57 2014 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Feb 13 2013
Sun Feb 16 15:48:57 2014 PKCS#11: Adding PKCS#11 provider '/usr/lib/libopensc-pkcs11.so'
Sun Feb 16 15:48:57 2014 PKCS#11: Cannot initialize provider '/usr/lib/libopensc-pkcs11.so' 6-'CKR_FUNCTION_FAILED'
Sun Feb 16 15:48:57 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
NEED-OK|token-insertion-request|Please insert dlohin (dlohin) token:
NEED-OK|token-insertion-request|Please insert dlohin (dlohin) token:ok
NEED-OK|token-insertion-request|Please insert dlohin (dlohin) token:ok
NEED-OK|token-insertion-request|Please insert dlohin (dlohin) token:ca
Sun Feb 16 15:51:15 2014 PKCS#11: Cannot get certificate object
Sun Feb 16 15:51:15 2014 PKCS#11: Cannot get certificate object
Sun Feb 16 15:51:15 2014 PKCS#11: Unable get rsa object
Sun Feb 16 15:51:15 2014 Cannot load certificate "OpenSC\x20Project/PKCS\x2315/0C0A54802107180B/dlohin\x20\x28dlohin\x29/A42A746534A27DEA51418246DABE3F6B111835BB" using PKCS#11 interface
Sun Feb 16 15:51:15 2014 Error: private key password verification failed
Sun Feb 16 15:51:15 2014 Exiting

Looking at the documentation it looks like it is waiting for me to insert the card.

Running "pcscd -afd", you see that the card is in (I just pulled it and put it back in):
00000028 eventhandler.c:387:EHStatusHandlerThread() Card inserted into Lenovo Integrated Smart Card Reader 00 00
00000025 Card ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F

When I run with the extra verb 9 option:

179-'CKR_SESSION_HANDLE_INVALID'
Sun Feb 16 15:51:53 2014 us=827234 PKCS#11: pkcs11h_certificate_loadCertificate return rv=179-'CKR_SESSION_HANDLE_INVALID'
Sun Feb 16 15:51:53 2014 us=827243 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=0x7f0ec315e790, public_only=1, session_mutex_locked=0
Sun Feb 16 15:51:53 2014 us=827256 PKCS#11: _pkcs11h_session_login entry session=0x7f0ec31667b0, is_publicOnly=1, readonly=1, user_data=(nil), mask_prompt=00000003
Sun Feb 16 15:51:53 2014 us=827266 PKCS#11: _pkcs11h_session_logout entry session=0x7f0ec31667b0
Sun Feb 16 15:51:53 2014 us=827275 PKCS#11: _pkcs11h_session_logout return
Sun Feb 16 15:51:53 2014 us=827284 PKCS#11: _pkcs11h_session_reset entry session=0x7f0ec31667b0, user_data=(nil), mask_prompt=00000003, p_slot=0x7fff2c953088
Sun Feb 16 15:51:53 2014 us=827293 PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='OpenSC Project' model='PKCS#15', serialNumber='0C0A54802107180B', label='dlohin (dlohin)'
Sun Feb 16 15:51:53 2014 us=827303 PKCS#11: Calling token_prompt hook for 'dlohin (dlohin)'

You can see that it looks like it is passing in the correct information. At least I think it is correct. At this point either I am doing something wrong or this is some weird bug. Maybe it is something wrong with my configuration?
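As an added example (not from the ticket, and not OpenVPN's or pkcs11-helper's own code): a small Python parser for the `--show-pkcs11-ids` listing shown above. It decodes the serialized id into the token fields that the verb 9 log later shows OpenVPN matching against (manufacturerID, model, serialNumber, label, plus the certificate id) and emits the two config lines with the single quoting the tool asks for. The listing is a constructed sample mirroring the report, with the DN replaced by a placeholder; the provider path passed in is assumed to be the same module that produced the listing.

```python
import re

# Constructed sample: the shape of `openvpn --show-pkcs11-ids` output as in the report.
# Backslashes are doubled here so the string holds literal "\x20" style escapes.
SAMPLE_LISTING = """\
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate

DN: CN=placeholder
Serial: 1004
Serialized id: OpenSC\\x20Project/PKCS\\x2315/0C0A54802107180B/dlohin\\x20\\x28dlohin\\x29/A42A746534A27DEA51418246DABE3F6B111835BB
"""

ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(field):
    """Decode the \\xNN escapes used for spaces, '#', parentheses and other unsafe bytes."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), field)


def parse_serialized_id(serialized):
    """Split manufacturerID/model/serialNumber/label/certificateID.

    The split happens on the still-escaped text, so a literal '/' inside a
    field (which would appear as \\x2F) cannot be mistaken for a separator.
    """
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError("expected 5 '/'-separated fields, got %d" % len(parts))
    keys = ("manufacturerID", "model", "serialNumber", "label", "certificateID")
    return dict(zip(keys, (unescape(p) for p in parts)))


def serialized_ids(listing):
    """Return every 'Serialized id:' value in a --show-pkcs11-ids listing, in order."""
    return [line.split(":", 1)[1].strip()
            for line in listing.splitlines() if line.startswith("Serialized id:")]


def config_lines(provider, serialized):
    """Config lines for the chosen object; the id is single-quoted because of the backslashes."""
    return ["pkcs11-providers %s" % provider, "pkcs11-id '%s'" % serialized]


if __name__ == "__main__":
    for sid in serialized_ids(SAMPLE_LISTING):
        print(parse_serialized_id(sid))
        print("\n".join(config_lines("/usr/lib/opensc-pkcs11.so", sid)))
```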

Change History (1)

comment:1 Changed 4 years ago by Samuli Seppänen

Keywords: volunteer added

We could use a volunteer for reproducing this...
