PKCS#11 (OpenSC) not working with OpenVPN on Mac OS X

squeezy
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 04, 2020 10:55 am

PKCS#11 (OpenSC) not working with OpenVPN on Mac OS X

Post by squeezy » Tue Feb 04, 2020 12:34 pm

Hi,

I'm trying to use my Yubikey 5C to connect to an OpenVPN server.

The certificate was created on the Yubikey (CSR) using the "Yubikey PIV Manager" and signed by the CA used to sign the OpenVPN server's certificate.
Trying to connect always results in an error when the OpenVPN client asks for the PIN to unlock the certificate storage on the Yubikey (slot 9a).

I use the OpenSC tools and got the serialized ID from the imported cert. As VPN client, I use Viscosity.
OpenVPN server version 2.4.6 is hosted on pfSense version 2.4.4. User authentication is done with an OpenLDAP server (works well).

Following is the error message (verb 9) when I enter the PIN asked for after user & password:


2020-02-04 14:03:47: PKCS#11: Performing signature
2020-02-04 14:03:47: PKCS#11: Getting key attributes
2020-02-04 14:03:47: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
2020-02-04 14:03:47: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:01: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:01: PKCS#11: Key attributes loaded (0000000f)
2020-02-04 14:04:01: PKCS#11: Private key operation failed rv=32-'CKR_DATA_INVALID'
2020-02-04 14:04:01: PKCS#11: Calling pin_prompt hook for 'token_name'
2020-02-04 14:04:13: PKCS#11: pin_prompt hook return rv=0
2020-02-04 14:04:13: PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
2020-02-04 14:04:13: OpenSSL: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
2020-02-04 14:04:13: TLS_ERROR: BIO read tls_read_plaintext error
2020-02-04 14:04:13: TLS Error: TLS object -> incoming plaintext read error
2020-02-04 14:04:13: TLS Error: TLS handshake failed
2020-02-04 14:04:13: TCP/UDP: Closing socket

The client configuration file uses these arguments:

- pkcs11-providers /Library/OpenSC/lib/opensc-pkcs11.so
- pkcs11-id 'piv_II/PKCS\x2315\x20emulated/fe58401dfe2196c3/token_name/01'

Is there a bug with PKCS#11?

Does anyone have an idea or a solution please?

Thanks for reading,
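The serialized pkcs11-id above is the form OpenVPN prints from `--show-pkcs11-ids`: five fields separated by `/` (manufacturer, model, serial, token label, object id), with non-printable or reserved characters hex-escaped as `\xHH`. The script below is an added example, not part of the original post: it decodes that string back into its fields so each one can be compared with what the OpenSC module really reports, and, when OpenSC's `pkcs11-tool` and the module are present, lists the token's objects and attempts a test signature outside OpenVPN. The module path, the id string and the `SHA256-RSA-PKCS` mechanism are assumptions taken from the post; adjust them for your token.

```shell
#!/bin/sh
# Added example: decode an OpenVPN serialized pkcs11-id and check the token
# behind it with OpenSC's pkcs11-tool. Not code from the original thread.

# Assumption from the post: OpenSC module path on Mac OS X and the id string.
MODULE="${PKCS11_MODULE:-/Library/OpenSC/lib/opensc-pkcs11.so}"
EXAMPLE_ID='piv_II/PKCS\x2315\x20emulated/fe58401dfe2196c3/token_name/01'

# decode_pkcs11_id STRING
# Turn every \xHH escape back into the character it stands for, one character
# at a time, using only POSIX sh (printf with an octal escape).
decode_pkcs11_id() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        case $s in
            '\x'[0-9a-fA-F][0-9a-fA-F]*)
                hex=$(printf '%s' "$s" | cut -c3-4)
                out="$out$(printf "\\$(printf '%03o' "$((0x$hex))")")"
                s=$(printf '%s' "$s" | cut -c5-)
                ;;
            *)
                out="$out$(printf '%s' "$s" | cut -c1)"
                s=$(printf '%s' "$s" | cut -c2-)
                ;;
        esac
    done
    printf '%s\n' "$out"
}

# pkcs11_id_field STRING N
# Field N (1..5) of the decoded id: manufacturer, model, serial, label, object id.
pkcs11_id_field() {
    decode_pkcs11_id "$1" | cut -d/ -f"$2"
}

# check_token ID
# Compare the configured id with what the module exposes, then try a raw
# signature with the key whose CKA_ID is the id's last field. A failure here
# (for example CKR_DATA_INVALID) reproduces the problem without OpenVPN.
check_token() {
    id=$1
    command -v pkcs11-tool >/dev/null 2>&1 || { echo "pkcs11-tool not found (install OpenSC)" >&2; return 2; }
    [ -r "$MODULE" ] || { echo "module not readable: $MODULE" >&2; return 2; }
    echo "configured: $(decode_pkcs11_id "$id")"
    echo "token says:"
    pkcs11-tool --module "$MODULE" --show-info
    pkcs11-tool --module "$MODULE" --login --list-objects
    key_id=$(pkcs11_id_field "$id" 5)
    tmp_in=$(mktemp) && tmp_out=$(mktemp)
    printf 'constructed test input\n' > "$tmp_in"
    # Assumed mechanism for an RSA key in PIV slot 9a; use ECDSA for EC keys.
    pkcs11-tool --module "$MODULE" --login --sign --mechanism SHA256-RSA-PKCS \
        --id "$key_id" --input-file "$tmp_in" --output-file "$tmp_out"
    rc=$?
    rm -f "$tmp_in" "$tmp_out"
    return $rc
}

# Run the live check only when asked for, so the file can also be sourced.
if [ "${RUN_TOKEN_CHECK:-0}" = 1 ]; then
    check_token "${1:-$EXAMPLE_ID}"
fi
```

Run it as `RUN_TOKEN_CHECK=1 sh check-pkcs11.sh 'your-pkcs11-id'`. If `--list-objects --login` shows a different serial or label than the decoded id, OpenVPN cannot find the key (the `CKR_OBJECT_HANDLE_INVALID` line); if the objects match but the test signature fails, the key or its mechanism is the problem rather than the OpenVPN configuration.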

squeezy
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 04, 2020 10:55 am

Re: PKCS#11 (OpenSC) not working with OpenVPN on Mac OS X

Post by squeezy » Wed Feb 26, 2020 10:56 am

Hi,
I figured it out. Thank you for your help.
Could an administrator mark this as resolved please?
Kind regards