pkcs11-id

Scripts to manage certificates or generate config files

Moderators: TinCanTech

kwinz
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 14, 2020 1:07 pm

pkcs11-id

Post by kwinz » Wed Feb 03, 2021 10:02 am

I am trying openvpn to take its client certificate from pkcs11.

See https://openvpn.net/community-resources ... Did%20name
--pkcs11-id name
Specify the serialized certificate id to be used. The id can be gotten by the standalone --show-pkcs11-ids option.
My id looks like this:

Code:

C:\Program Files\OpenVPN\bin>openvpn --show-pkcs11-ids "C:/Program Files/OpenSC Project/OpenSC/pkcs11/opensc-pkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=client-xps15
       Serial:         7D66AF960CFDF15F027551BF48844D4D
       Serialized id:  pkcs11:model=PKCS%2315%20emulated;token=GIDS%20card%20%28UserPIN%29;manufacturer=www.mysmartlogon.com;serial=8ef553487aadf787;id=
According to this blog post https://mujadin.se/suse/openvpn/ I cannot use it directly:
Convert the PKCS11 ID manually if using OpenVPN v2.4.8 - the ID generated differs from what OpenVPN actually wants when looking for the certificate.
Example: My ID looks like this: pkcs11:model=PKCS%2315%20emulated;token=am;manufacturer=piv_II;serial=12a3e4556598765e;id=%01
What OpenVPN wants is this: piv_II/PKCS\x2315\x20emulated/12a3e4556598765e/am/01
The conversion can be done by replacing/copying information from the serialized id string to the “what OpenVPN wants” string. As we can see the value of the token, the serial and the id are copied.
However I have both tried

Code:

pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=GIDS%20card%20%28UserPIN%29;manufacturer=www.mysmartlogon.com;serial=8ef553487aadf787;id='
and

Code:

pkcs11-id  'www.mysmartlogon.com/PKCS\x2315\x20emulated/8ef553487aadf787/GIDS%20card%20%28UserPIN%29/'
But they both give me an error

Code:

Wed Feb 03 11:00:19 2021 PKCS#11: Cannot deserialize id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
Wed Feb 03 11:00:19 2021 Cannot load certificate
This is all very confusing and somewhat limited in documentation.
What is the proper conversion format for pkcs11-id?
What is the correct value for me?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: pkcs11-id

Post by TinCanTech » Wed Feb 03, 2021 5:16 pm

Linked to https://github.com/OpenVPN/easy-rsa/pull/332

All I can suggest is, to read about --pkcs11* options in the manual.
Send an email to the Openvpn-Users mailing list.

kwinz
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 14, 2020 1:07 pm

Re: pkcs11-id

Post by kwinz » Wed Feb 03, 2021 10:25 pm

So what almost worked was:

Code:

pkcs11-id  'www.mysmartlogon.com/PKCS\x2315\x20emulated/8ef553487aadf787/GIDS\x20card\x20\x28UserPIN\x29/'
That gave me a crash/assertion error:

Code:

2021-02-03 13:28:58 PKCS#11: Adding PKCS#11 provider 'C:/Program Files/OpenSC Project/OpenSC/pkcs11/opensc-pkcs11.dll'
Assertion failed!

Program: C:\Program Files\OpenVPN\bin\openvpn.exe
File: pkcs11h-mem.c, Line 64

Expression: s!=0
But that gave me hope that I just needed the id (as you can see from the openvpn output, the id was missing: nothing after ";id="),
and then using "pkcs11-tool" to find out that the ID could be "00":

Code:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe -O
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      client-xps15-892f8191-e384-4465-a-26720
  ID:         00
  Usage:      encrypt, verify
  Access:     none
Certificate Object; type = X.509 cert
  label:      client-xps15-892f8191-e384-4465-a-26720
  subject:    DN: CN=client-xps15
  ID:         00
the breakthrough then was using

Code:

pkcs11-id  'www.mysmartlogon.com/PKCS\x2315\x20emulated/8ef553487aadf787/GIDS\x20card\x20\x28UserPIN\x29/00'
and that worked.

I will make a bug report. The documentation states that you can use the output of "openvpn --show-pkcs11-ids" but that's just not true right now.
The "openvpn --show-pkcs11-ids" should be changed to directly print what you need, without this undocumented manual conversion.

kwinz
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 14, 2020 1:07 pm

Re: pkcs11-id

Post by kwinz » Wed Feb 03, 2021 10:39 pm

I linked this thread from the issue tracker: https://community.openvpn.net/openvpn/t ... #comment:9

becm
OpenVPN User
Posts: 38
Joined: Tue Sep 01, 2020 1:27 pm

Re: pkcs11-id

Post by becm » Thu Feb 04, 2021 10:00 am

The CertID in standardized RFC format must be percent-encoded. In this case

Code:

pkcs11-id 'pkcs11:...;id=%00'
A "zero-byte" in CertID was not serialized correctly up to OpenVPN 2.4.9 Windows builds (see bug report for pkcs11-helper patch).

Official builds v2.4.10 and v2.5.0 should be fixed and actually "just work as documented" (again).
It's unclear to me why/how they can still be affected by this, for me the output of --show-pkcs11-ids for affected CertIDs is correct/usable.
Beware: The value in OpenVPN config must also be updated with the correct output of OpenVPN with this fix.

For further info also see OpenVPN issues (#491, #1044) and patch history.
An additional fix to correctly handle maxed-out values (here: 16-byte serial) was also incorporated in recent versions.
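The conversion kwinz worked out by hand in the posts above (RFC 7512 `pkcs11:` URI as printed by `--show-pkcs11-ids` into the older `manufacturer/model/serial/token/id` form), together with the percent-decoding becm points out, as an added example in Python; it is not code from this thread, from OpenVPN or from pkcs11-helper. The field order is the one the thread's working strings show. The escaping rule is an assumption chosen to reproduce those strings (letters, digits, `.`, `-` and `_` verbatim, every other byte as `\xNN`); OpenVPN's own serializer was not consulted. Percent-decoding is done on bytes so that `id=%00` survives as a real zero byte rather than an empty string, and an empty id is rejected up front, since that is the situation that produced the `pkcs11h-mem.c` assertion above.

```python
"""Convert the RFC 7512 "pkcs11:" URI printed by `openvpn --show-pkcs11-ids`
into the legacy pkcs11-helper serialization that older OpenVPN builds wanted
in the `pkcs11-id` directive:

    manufacturer/model/serial/token-label/<certificate id as hex>

Field order is taken from the examples in this thread. The escaping rule is
an assumption chosen to match the strings that worked above: ASCII letters,
digits, '.', '-' and '_' are copied verbatim, every other byte becomes \\xNN.
Standard library only.
"""
from typing import Dict
from urllib.parse import unquote_to_bytes

# Order of the token fields in the legacy serialized form (from the thread).
PATH_FIELDS = ("manufacturer", "model", "serial", "token")
# Bytes copied verbatim; everything else is hex-escaped (assumption, see above).
SAFE = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-"
)


def parse_pkcs11_uri(uri: str) -> Dict[str, bytes]:
    """Parse the path attributes of a pkcs11: URI into raw bytes.

    Percent-decoding uses unquote_to_bytes so that "%00" yields a real
    zero byte (the certificate id this thread is about) instead of being
    lost in a text round-trip.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    # Query attributes (after '?') such as pin-value are not part of the id.
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs: Dict[str, bytes] = {}
    for part in path.split(";"):
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {part!r}")
        attrs[key] = unquote_to_bytes(value)
    return attrs


def escape_field(value: bytes) -> str:
    """Render one token field in the backslash-hex form used above."""
    return "".join(chr(b) if b in SAFE else f"\\x{b:02x}" for b in value)


def to_legacy_pkcs11_id(uri: str) -> str:
    """Return the legacy serialized id for a pkcs11: certificate URI."""
    attrs = parse_pkcs11_uri(uri)
    missing = [f for f in PATH_FIELDS if f not in attrs]
    if missing:
        raise ValueError(f"URI lacks attribute(s): {', '.join(missing)}")
    cert_id = attrs.get("id", b"")
    if not cert_id:
        # An empty id is what the first post shows: the affected builds
        # printed nothing for a zero-byte id. Look it up with
        # `pkcs11-tool -O` and add it to the URI as id=%00 (or whatever
        # the tool reports) before converting.
        raise ValueError(
            "certificate id is empty; check `pkcs11-tool -O` and add "
            "id=%XX to the URI"
        )
    token_part = "/".join(escape_field(attrs[f]) for f in PATH_FIELDS)
    return token_part + "/" + cert_id.hex()


if __name__ == "__main__":
    # The URI from the first post, with the id=%00 that pkcs11-tool reported
    # appended (constructed input for this example).
    uri = (
        "pkcs11:model=PKCS%2315%20emulated;token=GIDS%20card%20%28UserPIN%29;"
        "manufacturer=www.mysmartlogon.com;serial=8ef553487aadf787;id=%00"
    )
    print("pkcs11-id '" + to_legacy_pkcs11_id(uri) + "'")
```

Run it as-is and it prints the `pkcs11-id` line that kwinz reported as working; feed it the blog's `piv_II` URI and it reproduces that post's `piv_II/PKCS\x2315\x20emulated/12a3e4556598765e/am/01`. Because the escaping is conservative, the output over-escapes parentheses the way kwinz's string did, which the thread shows is accepted.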
