PKCS#11 (OpenSC) not working with OpenVPN Server on Mac OS X (Viscosity client)

Got a problem with Viscosity or need help? Ask here!

squeezy

Posts: 1
Joined: Wed Feb 05, 2020 3:03 am

Post by squeezy » Wed Feb 05, 2020 3:12 am
Hi,

I'm trying to use my Yubikey 5C to connect to an OpenVPN server.

The certificate was created on the Yubikey (CSR) using the "Yubikey PIV Manager" and signed by CA used for signed the certificate's OpenVPN server.
Trying to connect always results in an error when the OpenVPN client ask the PIN to unlock the certificate storage on the Yubikey (slot 9a).

I use OpenSC tools and get serialized ID from cert imported. As client VPN, I use Viscosity version 1.8.4 build 1528.
OpenVPN server version 2.4.6 is hosted on PFsense version 2.4.4. Authentication users is done with an OpenlDAP server (works well).

Following the error message (verb 9) when I fill it the PIN asked after user & password :
Code: Select all
2020-02-04 14:03:47: PKCS#11: Performing signature
2020-02-04 14:03:47: PKCS#11: Getting key attributes
2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:01: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:01: PKCS#11: Key attributes loaded (0000000f)
2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
2020-02-04 14:04:01: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:13: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:13: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
2020-02-04 14:04:13: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2020-02-04 14:04:13: TLS_ERROR: BIO read tls_read_plaintext error
2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
2020-02-04 14:04:13: TLS Error: TLS handshake failed
2020-02-04 14:04:13: TCP/UDP: Closing socket
The configuration file from client use arguments :

- pkcs11-providers /Library/OpenSC/lib/opensc-pkcs11.so
- pkcs11-id 'piv_II/PKCS\x2315\x20emulated/fe58401dfe2196c3/token_name/01'


Is there a bug with PKCS11 ?

Anyone as an idea or a solution plz ?

Thanks for reading,

James

User avatar
Posts: 2313
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Feb 05, 2020 7:38 am
Hi squeezy,
The certificate was created on the Yubikey (CSR) using the "Yubikey PIV Manager"
YubiCo deprecated "Yubikey PIV Manager" quite some time ago and it is no longer maintained. It's possible that may be the source of your problem. I recommend using one of their more up-to-date tools.

Please note that OpenSSL will also reject insecure keys or certificates. As a test I recommend generating a certificate and key pair and loading it onto your Yubikey (rather than generating on device) to test for whether the issue lies with your certificate and/or key.
https://www.sparklabs.com/support/kb/ar ... pn-server/
I use OpenSC tools and get serialized ID from cert imported
Please attempt using Viscosity's PKCS#11 certificate detection, rather than entering the serialised ID manually, as this will ensure the correct name is being used. You can do this by either selecting the "Prompt for certificate name" option under the PKCS#11 section when editing your connection in Viscosity, or by clicking the "Detect" button in the same section when using the "Use certificate name below" option.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
2 posts Page 1 of 1