To support an old VPN setup we have in-house, I need to use Yubikey 4 PIV to store PKCS#11 certificate. Those are then read by OpenVPN.
That post was very helpful and it works quite well on Linux machines
However, I cannot get it to works under Windows.
I installed the latest release of OpenSC for Windows (0.16.0, dated Jun 3 2016... a bit old?). OpenVPN installed is of version 2.4.0 x86_64-w64-mingw32.
The key is a Yubikey 4 (firmware is 4.3.3) configured in OTP/U2F/CCID composite mode. The certificates are already present (it was setuped on a Linux box).
When I try to use OpenVPN to list the certificate, OpenVPN seems to load opensc-pkcs11 driver just fine but it sees nothing:
Code:
C:\Users\wfb>OpenVPN --verb 7 --show-pkcs11-ids C:/Windows/System32/opensc-pkcs11.dll
Tue Feb 07 10:21:33 2017 us=433605 PKCS#11: Adding provider 'C:/Windows/System32/opensc-pkcs11.dll'-'C:/Windows/System32/opensc-pkcs11.dll'
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Provider 'C:/Windows/System32/opensc-pkcs11.dll' added rv=0-'CKR_OK'
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Terminating openssl
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Removing providers
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Removing provider 'C:/Windows/System32/opensc-pkcs11.dll'
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Releasing sessions
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Terminating slotevent
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Marking as uninitialized
On Linux, same key, same command (with Linux .so obviously):
Code:
wibou ~ $ openvpn --verb 7 --show-pkcs11-ids /usr/lib64/opensc-pkcs11.so
Tue Feb 7 10:37:03 2017 us=516719 PKCS#11: Adding provider '/usr/lib64/opensc-pkcs11.so'-'/usr/lib64/opensc-pkcs11.so'
Tue Feb 7 10:37:03 2017 us=524160 PKCS#11: Provider '/usr/lib64/opensc-pkcs11.so' added rv=0-'CKR_OK'
Tue Feb 7 10:37:03 2017 us=608454 PKCS#11: Creating a new session
Tue Feb 7 10:37:03 2017 us=608513 PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Tue Feb 7 10:37:03 2017 us=609156 PKCS#11: Using cached session
Certificate
DN: C=CA, ST=Quebec, L=Montreal, O=MY ORGANISATION, CN=MY NAME, emailAddress=MY_EMAIL@EMAIL.COM
Serial: 1A
Serialized id: piv_II/PKCS\x2315\x20emulated/00000000/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02
Tue Feb 7 10:37:03 2017 us=609495 PKCS#11: Terminating openssl
Tue Feb 7 10:37:03 2017 us=609527 PKCS#11: Removing providers
Tue Feb 7 10:37:03 2017 us=609556 PKCS#11: Removing provider '/usr/lib64/opensc-pkcs11.so'
Tue Feb 7 10:37:03 2017 us=610466 PKCS#11: Releasing sessions
Tue Feb 7 10:37:03 2017 us=610508 PKCS#11: Marking as uninitialized
(The error about 'CKR_SESSION_HANDLE_INVALID' is weird but it does not seem to matter).
There seems to be some people reporting various success:
https://community.openvpn.net/openvpn/ticket/740
https://www.sparklabs.com/forum/viewtopic.php?f=9&t=2253
But it's never quite clear how they did it and what they were using.
Since OpenSC release 0.16.0 is a bit old, I'm beginning to suspect it could only work on the latest (unreleased, unpackaged) development branch.
Did anyone here had some success storing PKCS#11 in PIV slots on Windows?
Any hint?Statistics: Posted by wibou — Tue Feb 07, 2017 4:40 pm
]]>