Yubico Forum

PostPosted: Tue Feb 07, 2017 4:40 pm 
Hello,

To support an old VPN setup we have in-house, I need to use Yubikey 4 PIV to store PKCS#11 certificate. Those are then read by OpenVPN.
That post was very helpful and it works quite well on Linux machines

However, I cannot get it to work under Windows.
I installed the latest release of OpenSC for Windows (0.16.0, dated Jun 3 2016... a bit old?). OpenVPN installed is of version 2.4.0 x86_64-w64-mingw32.
The key is a Yubikey 4 (firmware is 4.3.3) configured in OTP/U2F/CCID composite mode. The certificates are already present (they were set up on a Linux box).

When I try to use OpenVPN to list the certificate, OpenVPN seems to load opensc-pkcs11 driver just fine but it sees nothing:
Code:
C:\Users\wfb>OpenVPN --verb 7 --show-pkcs11-ids C:/Windows/System32/opensc-pkcs11.dll
Tue Feb 07 10:21:33 2017 us=433605 PKCS#11: Adding provider 'C:/Windows/System32/opensc-pkcs11.dll'-'C:/Windows/System32/opensc-pkcs11.dll'
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Provider 'C:/Windows/System32/opensc-pkcs11.dll' added rv=0-'CKR_OK'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Terminating openssl
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Removing providers
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Removing provider 'C:/Windows/System32/opensc-pkcs11.dll'
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Releasing sessions
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Terminating slotevent
Tue Feb 07 10:21:33 2017 us=464805 PKCS#11: Marking as uninitialized


On Linux, same key, same command (with Linux .so obviously):
Code:
wibou ~ $ openvpn --verb 7 --show-pkcs11-ids /usr/lib64/opensc-pkcs11.so
Tue Feb  7 10:37:03 2017 us=516719 PKCS#11: Adding provider '/usr/lib64/opensc-pkcs11.so'-'/usr/lib64/opensc-pkcs11.so'
Tue Feb  7 10:37:03 2017 us=524160 PKCS#11: Provider '/usr/lib64/opensc-pkcs11.so' added rv=0-'CKR_OK'
Tue Feb  7 10:37:03 2017 us=608454 PKCS#11: Creating a new session
Tue Feb  7 10:37:03 2017 us=608513 PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Tue Feb  7 10:37:03 2017 us=609156 PKCS#11: Using cached session

Certificate
       DN:             C=CA, ST=Quebec, L=Montreal, O=MY ORGANISATION, CN=MY NAME, emailAddress=MY_EMAIL@EMAIL.COM
       Serial:         1A
       Serialized id:  piv_II/PKCS\x2315\x20emulated/00000000/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02
Tue Feb  7 10:37:03 2017 us=609495 PKCS#11: Terminating openssl
Tue Feb  7 10:37:03 2017 us=609527 PKCS#11: Removing providers
Tue Feb  7 10:37:03 2017 us=609556 PKCS#11: Removing provider '/usr/lib64/opensc-pkcs11.so'
Tue Feb  7 10:37:03 2017 us=610466 PKCS#11: Releasing sessions
Tue Feb  7 10:37:03 2017 us=610508 PKCS#11: Marking as uninitialized

(The error about 'CKR_SESSION_HANDLE_INVALID' is weird but it does not seem to matter).

There seem to be some people reporting various successes:
https://community.openvpn.net/openvpn/ticket/740
https://www.sparklabs.com/forum/viewtopic.php?f=9&t=2253

But it's never quite clear how they did it and what they were using.
Since OpenSC release 0.16.0 is a bit old, I'm beginning to suspect it could only work on the latest (unreleased, unpackaged) development branch.

Did anyone here have some success storing PKCS#11 in PIV slots on Windows?
Any hint?
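The "Serialized id" that OpenVPN prints on Linux is the string one pastes into --pkcs11-id, and it embeds the token's manufacturer, model, serial, label and object id, so an id copied from a Linux listing only matches on Windows if the Windows OpenSC build reports the same values. The following Python parser is an added example, not code from the post, OpenVPN or OpenSC; it assumes the encoding visible in the listing above (five '/'-separated fields, every character other than ASCII letters, digits and '_' escaped as \xHH), and the id-to-PIV-slot table is an assumption about OpenSC's PIV emulation to be checked against your version.

```python
import re

# Serialized id exactly as printed by `openvpn --show-pkcs11-ids` in the post.
SAMPLE_ID = (r"piv_II/PKCS\x2315\x20emulated/00000000/"
             r"PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02")

FIELDS = ("manufacturer", "model", "serial", "label", "id")
_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")

# Assumed mapping of OpenSC PIV emulation object ids to PIV key slots
# (not stated in the post; verify against your OpenSC release).
PIV_SLOT_BY_ID = {"01": "9A PIV Authentication", "02": "9C Digital Signature",
                  "03": "9D Key Management", "04": "9E Card Authentication"}


def unescape(field):
    """Turn \\xHH escapes back into characters (one byte per escape)."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), field)


def escape(text):
    """Inverse of unescape: keep ASCII alphanumerics and '_', escape the rest."""
    return "".join(c if (c.isascii() and (c.isalnum() or c == "_"))
                   else "\\x%02x" % ord(c) for c in text)


def parse_pkcs11_id(serialized):
    """Split a serialized id into its five named, unescaped fields."""
    parts = serialized.split("/")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d '/'-separated fields, got %d"
                         % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, (unescape(p) for p in parts)))


def serialize_pkcs11_id(fields):
    """Rebuild the string OpenVPN expects from a parsed field dict."""
    return "/".join(escape(fields[k]) for k in FIELDS)


def diff_ids(id_a, id_b):
    """Names of the fields that differ between two listings (e.g. Linux vs Windows)."""
    a, b = parse_pkcs11_id(id_a), parse_pkcs11_id(id_b)
    return [k for k in FIELDS if a[k] != b[k]]


if __name__ == "__main__":
    fields = parse_pkcs11_id(SAMPLE_ID)
    for name in FIELDS:
        print("%-13s %s" % (name + ":", fields[name]))
    print("PIV slot (assumed):", PIV_SLOT_BY_ID.get(fields["id"], "unknown"))
```

Once the Windows listing does show an object, running diff_ids on the two strings tells you which field (typically model or label, which depend on the OpenSC build) has to change in the Windows config.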

