Yubico Forum https://forum.yubico.com/
[QUESTION] Using PIV PKCS#11 for VPN under Windows https://forum.yubico.com/viewtopic.php?f=35&t=2557
Author: wibou
Posted: Tue Feb 07, 2017 4:40 pm
Post subject: [QUESTION] Using PIV PKCS#11 for VPN under Windows
Hello,

To support an old VPN setup we have in-house, I need to use a Yubikey 4 PIV to store a PKCS#11 certificate. Those are then read by OpenVPN. That post was very helpful and it works quite well on Linux machines. However, I cannot get it to work under Windows.

I installed the latest release of OpenSC for Windows (0.16.0, dated Jun 3 2016... a bit old?). OpenVPN installed is version 2.4.0 x86_64-w64-mingw32. The key is a Yubikey 4 (firmware is 4.3.3) configured in OTP/U2F/CCID composite mode. The certificates are already present (it was set up on a Linux box).

When I try to use OpenVPN to list the certificate, OpenVPN seems to load the opensc-pkcs11 driver just fine but it sees nothing:

Code:
C:\Users\wfb>OpenVPN --verb 7 --show-pkcs11-ids C:/Windows/System32/opensc-pkcs11.dll
Tue Feb 07 10:21:33 2017 us=433605 PKCS#11: Adding provider 'C:/Windows/System32/opensc-pkcs11.dll'-'C:/Windows/System32/opensc-pkcs11.dll'
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Provider 'C:/Windows/System32/opensc-pkcs11.dll' added rv=0-'CKR_OK'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Terminating openssl
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Removing providers
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Removing provider 'C:/Windows/System32/opensc-pkcs11.dll'
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Releasing sessions
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Terminating slotevent
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Marking as uninitialized

On Linux, same key, same command (with the Linux .so obviously):

Code:
wibou ~ $ openvpn --verb 7 --show-pkcs11-ids /usr/lib64/opensc-pkcs11.so
Tue Feb 7 10:37:03 2017 us=516719 PKCS#11: Adding provider '/usr/lib64/opensc-pkcs11.so'-'/usr/lib64/opensc-pkcs11.so'
Tue Feb 7 10:37:03 2017 us=524160 PKCS#11: Provider '/usr/lib64/opensc-pkcs11.so' added rv=0-'CKR_OK'
Tue Feb 7 10:37:03 2017 us=608454 PKCS#11: Creating a new session
Tue Feb 7 10:37:03 2017 us=608513 PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Tue Feb 7 10:37:03 2017 us=609156 PKCS#11: Using cached session

Certificate
       DN:             C=CA, ST=Quebec, L=Montreal, O=MY ORGANISATION, CN=MY NAME, emailAddress=MY_EMAIL@EMAIL.COM
       Serial:         1A
       Serialized id:  piv_II/PKCS\x2315\x20emulated/00000000/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02

Tue Feb 7 10:37:03 2017 us=609495 PKCS#11: Terminating openssl
Tue Feb 7 10:37:03 2017 us=609527 PKCS#11: Removing providers
Tue Feb 7 10:37:03 2017 us=609556 PKCS#11: Removing provider '/usr/lib64/opensc-pkcs11.so'
Tue Feb 7 10:37:03 2017 us=610466 PKCS#11: Releasing sessions
Tue Feb 7 10:37:03 2017 us=610508 PKCS#11: Marking as uninitialized

(The error about 'CKR_SESSION_HANDLE_INVALID' is weird but it does not seem to matter.)

There seem to be some people reporting various success:
https://community.openvpn.net/openvpn/ticket/740
https://www.sparklabs.com/forum/viewtopic.php?f=9&t=2253

But it's never quite clear how they did it and what they were using. Since OpenSC release 0.16.0 is a bit old, I'm beginning to suspect it could only work on the latest (unreleased, unpackaged) development branch.

Has anyone here had any success storing PKCS#11 in PIV slots on Windows? Any hint?
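The "Serialized id" that OpenVPN prints in the Linux run above is what goes into the `pkcs11-id` directive, and it is not just a key identifier: it packs the token's manufacturerID, model, serialNumber and label from CK_TOKEN_INFO plus the certificate's CKA_ID, separated by `/`, with unsafe characters written as `\xHH`. OpenVPN will only select the certificate when every one of those fields matches what the middleware on the current machine reports, so an id captured on one host can silently fail on another if the PKCS#11 module presents the token differently. The following is an added example, not code from the post, from OpenVPN or from pkcs11-helper: it parses and rebuilds that id format, diffs a stored id against a freshly enumerated one, and emits the two config lines. The set of characters left unescaped is an assumption that reproduces the id shown on the page; the `Pkcs11Id`, `differing_fields` and `openvpn_config_lines` names are my own, and the "other" token variant in the demo is constructed.

```python
"""Build and parse OpenVPN pkcs11-id strings of the form printed by
--show-pkcs11-ids (manufacturerID/model/serialNumber/label/CKA_ID).

Added example; not code from the forum post, OpenVPN or pkcs11-helper.
The escaping rule below is an ASSUMPTION that reproduces the id seen in
the Linux run on the page; pkcs11-helper's source is authoritative.
"""
from dataclasses import dataclass
import re
import string

# Characters assumed to be left unescaped. Everything else, including the
# '/' separator, space, '#', '(' and ')', is written as \xHH (two hex digits).
_SAFE = frozenset(string.ascii_letters + string.digits + "_")
_ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# The id printed by the Linux run on the page (observed output, not constructed).
OBSERVED_ID = (r"piv_II/PKCS\x2315\x20emulated/00000000/"
               r"PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02")


@dataclass(frozen=True)
class Pkcs11Id:
    manufacturer: str   # CK_TOKEN_INFO.manufacturerID
    model: str          # CK_TOKEN_INFO.model
    serial: str         # CK_TOKEN_INFO.serialNumber
    label: str          # CK_TOKEN_INFO.label
    cka_id: bytes       # CKA_ID of the certificate object


def escape_field(value: str) -> str:
    """Escape one token field: safe bytes pass through, the rest become \\xHH."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if ch in _SAFE else f"\\x{byte:02x}")
    return "".join(out)


def unescape_field(field: str) -> str:
    """Reverse escape_field(); a stray backslash is a malformed id, not data."""
    raw = bytearray()
    i = 0
    while i < len(field):
        m = _ESC_RE.match(field, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        elif field[i] == "\\":
            raise ValueError(f"malformed escape at offset {i} in {field!r}")
        else:
            raw.append(ord(field[i]))
            i += 1
    return raw.decode("utf-8")


def serialize(pid: Pkcs11Id) -> str:
    """Four escaped token fields, then the CKA_ID as lowercase hex."""
    fields = (pid.manufacturer, pid.model, pid.serial, pid.label)
    return "/".join(escape_field(f) for f in fields) + "/" + pid.cka_id.hex()


def parse(serialized: str) -> Pkcs11Id:
    """Split a pkcs11-id back into its token fields and object id."""
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError(f"expected 5 '/'-separated fields, got {len(parts)}")
    man, model, serial, label, cka_hex = parts
    return Pkcs11Id(unescape_field(man), unescape_field(model),
                    unescape_field(serial), unescape_field(label),
                    bytes.fromhex(cka_hex))


def differing_fields(stored: Pkcs11Id, live: Pkcs11Id) -> list[str]:
    """Fields where an id saved in a config differs from the one a middleware
    enumerates now. Any difference means OpenVPN will not pick the certificate,
    even though the same key is plugged in."""
    return [name for name in ("manufacturer", "model", "serial", "label", "cka_id")
            if getattr(stored, name) != getattr(live, name)]


def openvpn_config_lines(provider_path: str, pid: Pkcs11Id) -> list[str]:
    """The two directives OpenVPN needs. Single quotes keep the backslash
    escapes literal, which is what the --show-pkcs11-ids output reminds you of."""
    return [f"pkcs11-providers {provider_path}",
            f"pkcs11-id '{serialize(pid)}'"]


if __name__ == "__main__":
    pid = parse(OBSERVED_ID)
    print(pid)
    # Constructed variant: same key and CKA_ID, but a middleware that reports
    # a different model string. The stored id then no longer matches.
    other = Pkcs11Id(pid.manufacturer, "PKCS#15 emulated (other)",
                     pid.serial, pid.label, pid.cka_id)
    print("stored id differs from live token in:", differing_fields(pid, other))
    for line in openvpn_config_lines("/usr/lib64/opensc-pkcs11.so", pid):
        print(line)
```

Run `parse()` over the id from each host's `--show-pkcs11-ids` output and feed both to `differing_fields()`; a non-empty list tells you which CK_TOKEN_INFO field the two PKCS#11 modules disagree on, which is quicker than eyeballing two escaped strings.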
All times are UTC + 1 hour