
PKCS#11: Selecting smartcards dynamically via dialog #158

Closed
EugeneKin opened this issue Apr 17, 2017 · 17 comments

Comments

@EugeneKin

Hi folks!
Are there any plans to implement the "pkcs11-id-management" feature?

With the latest 11.5 version I get "GUI> Error: Received NEED-STR message -- not implemented"

@selvanair
Collaborator

Yes, it's in my TODO list but not a high priority as no one seems to have missed it so far :)

@EugeneKin
Author

Got it, thanks.
OpenVPN Manager has had this feature since the "stone age", but it is slightly outdated now; the last release was 4 years ago.
It does not support the new "OpenVPN Interactive Service". It works with OpenVPN 2.4 in app mode (openvpn.exe) with admin rights only.

@tefod-zz

tefod-zz commented Dec 26, 2021

After a day of research, I have now also stumbled across this.
Issue:
I want to use YubiKey hardware tokens with imported certificates in the PIV storage. It works great with OpenSC installed as the PKCS#11 driver:

pkcs11-providers 'c:\Program Files\OpenSC Project\PKCS11-Spy\pkcs11-spy.dll'
pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=acme;manufacturer=piv_II;serial=91fca8502536985d;id=%04'

But: to make the hardware PIV compliant, the serial (CHUID) of each token has to be unique; this is done automatically by the YubiKey Manager or the CLI tools. You can have a new CHUID generated, but you can't set a specific one:
ykman piv objects generate chuid
That means on every change in the PIV storage (e.g. adding a new certificate) this number changes, even if you delete and re-add the same certificate!
In a company environment with dozens of users this would mean you have to prepare and deploy a separate OVPN for each employee; this is unfortunately neither maintainable nor user friendly.

It's a pity that pkcs11-id-management has not been added, or that we can't select the key per slot or with placeholders etc.

Has someone found a workaround for this? I can't believe that the OpenVPN GUI is used with hardware tokens in a company environment as intended (in PIV mode). I searched the web but found only people with similar issues and no solution yet.
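An added example (not from this thread or the OpenVPN project) that parses pkcs11-id values the way RFC 7512 defines PKCS#11 URIs and reports which attribute differs between two profiles; the first URI is the one quoted above, the second serial is a constructed placeholder standing in for a regenerated CHUID.

```python
"""Parse RFC 7512 PKCS#11 URIs (the format OpenVPN's pkcs11-id expects)
and show which attribute turns a deployed profile into a per-token one."""
from urllib.parse import unquote_to_bytes


def parse_pkcs11_uri(uri: str) -> dict:
    """Split 'pkcs11:k=v;k=v[?query]' into a dict of percent-decoded values.
    'id' is the raw CKA_ID byte string; every other attribute is text."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # ignore query attributes
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        key, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        attrs[key] = raw if key == "id" else raw.decode("utf-8")
    return attrs


def differing_attributes(uri_a: str, uri_b: str) -> list:
    """Attributes whose decoded values differ; OpenVPN matches the whole
    URI, so any non-empty result means the old pkcs11-id no longer selects
    the key."""
    a, b = parse_pkcs11_uri(uri_a), parse_pkcs11_uri(uri_b)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


# Constructed sample: same key (id) and label, CHUID regenerated in between.
BEFORE = ("pkcs11:model=PKCS%2315%20emulated;token=acme;"
          "manufacturer=piv_II;serial=91fca8502536985d;id=%04")
AFTER = ("pkcs11:model=PKCS%2315%20emulated;token=acme;"
         "manufacturer=piv_II;serial=0123456789abcdef;id=%04")  # placeholder serial

if __name__ == "__main__":
    print(parse_pkcs11_uri(BEFORE))
    print("changed after CHUID regeneration:", differing_attributes(BEFORE, AFTER))
```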

@selvanair
Collaborator

I distribute user-specific profiles and have no idea how to avoid that. The GUI now supports importing ovpn via a URL, which makes it easier than before.
That said, have you tried using this token with --cryptoapicert ... instead? If an appropriate driver is installed, Windows should automatically load the certificates in the token into the store. I find that easier to administer.

@tefod-zz

tefod-zz commented Dec 26, 2021

@selvanair that's really awesome. Just tried it right now; it works flawlessly. This has some great benefits: I don't need to deploy OpenSC. It would work even without the YubiKey Minidriver (it is detected by Windows).
I can just put any 'search' string into the SUBJ field; it would be found.

cryptoapicert 'SUBJ:_can_contain_any_string_which_is_included_in_the_certificate'
# or using the thumbprint as follows
cryptoapicert 'THUMB:2cf42719f1c8ab26ad334xxxxxx'

I just found a minor drawback: Windows asks for the PIN even though the certificate is in slot 9e (card authentication) of the YubiKey. I can live with that.

In the MS/Windows world this is a much better approach. PKCS11 with the unique serial/CHUID makes mass deployment impossible.

> I distribute user-specific profiles, and have no idea how to avoid that.

This will work now! Just change OpenVPN to SSL/TLS (without User Auth). Create a certificate for each user and put them onto the token. With the lines above this should work with just one OVPN file. The user plugs in the token, connects, and has to enter the PIN of the hardware token.
You could even use the same certificate for all users, but revoking would be difficult. And without "User Auth" you would not see who is connected etc.

Some more words about my setup:
The goal was to avoid using extra software (DUO, freeradius, authlite, userlock, multiotp, privacyIDEA etc.) and it must be an on-premise system. My workflow will look as follows; requirements:

  • YubiKey with user certificates in the PIV store, so that the users can access their computers. Everything is managed by Active Directory. With the installed YubiKey minidriver it is pretty complete, even with PIN/PUK function. No extra software necessary. Works offline. Lost tokens are not an issue.
  • Accessing OpenVPN (using pfSense as server and OpenVPN community edition).
    I will now adapt the OpenVPN server as described above.

Next goal:
I will try to use the same certificates in Windows Server as well as in pfSense/OpenVPN; worst case, I just import the certificate into pfSense (after creating it in Windows), or better, I'm going to find a way to sync the two CAs :)

Thanks again!

@dgrilli

dgrilli commented Jun 24, 2022

Maybe in 2017 this feature was not much requested, but nowadays I think it should get priority considering the number of people/companies which deploy PIV devices.

@selvanair
Collaborator

If we were to implement this what details of the available certificates should we show to the user? Certificate subject and issuer or also include the token manufacturer, model, label etc.? Show the full subject or just common name?

Sometimes there is too much info in these fields that could confuse a lay user, sometimes too little. Just showing a list of pkcs11 URIs is not user friendly.

@dgrilli

dgrilli commented Jun 25, 2022

Common Name, issuer and validity dates... those are the three things that normally appear on any certificate selection prompt like the ones IE, Chrome or Firefox show you... I would go with what everyone else does as a minimum. Then you can always have an option to show more details or anything like that, but it is definitely not necessary in a first implementation.

@selvanair
Collaborator

selvanair commented Jun 28, 2022

See PR #508: it may be tested using the executables in the GHA build artifacts; https://github.com/OpenVPN/openvpn-gui/actions/runs/2573546100#artifacts

@dgrilli

dgrilli commented Jun 29, 2022

@selvanair: wow! That was a very quick job you did here... I tested one of the GHA build artifacts and it works perfectly.
This would make our life much easier; I really appreciate your help! :-)

I tested both with the PIV device already plugged in and without it to test the retry option, and both look good to me.
I also tested opening the certificate with a double click, which works as well.

@tefod-zz

tefod-zz commented Jul 4, 2022

Ouuhh, promising good news! Thanks @selvanair.
@dgrilli could you describe how the config file must look with the new files from the artifacts to get it running with a hardware token? Which settings, any dependencies which have to be installed? Just tried, no success so far :)

@selvanair
Collaborator

@tefod-zz If you have a setup working with pkcs11, just comment out the "pkcs11-id" line and add "pkcs11-id-management" in the config file. Here are the pkcs11-related lines in my test config where I use two provider dlls: one for a hardware token and the other a SoftHSM one.

pkcs11-providers "C:/program files (x86)/softhsm2/lib/softhsm2-x64.dll" etpkcs11.dll
pkcs11-id-management

The artifact zip includes the GUI exe and OpenSSL crypto dll. There are no other dependencies, so if you extract it to a folder somewhere, you can just start the GUI executable from it.
What error are you getting?

@lstipakov
Member

lstipakov commented Jul 4, 2022

Sorry for the delay. I got it working thanks to @selvanair's instructions. I got a dialog prompt with a list of certificates. However, after I selected a certificate, the openvpn process (it seems) crashed; I got a "connection lost" or similar prompt from the GUI. This is probably unrelated to this specific change, since I used openvpn built from the DCO branch and dco-win as the driver. I'll retest with master/released and tap-windows6.

@tefod-zz

tefod-zz commented Jul 4, 2022

> just comment out the "pkcs11-id" line and add "pkcs11-id-management" in the config file.

That worked, thanks. I used pkcs11-spy.dll from OpenSC as the provider dll. It worked flawlessly.

Regarding the provider dll: the etpkcs11.dll from @selvanair's example is probably from an Aladdin eToken.
In my example above OpenSC worked. Does someone know if the vendor-specific (Yubico) provider dll is available, which would work as well with the openvpn-gui?

@selvanair
Collaborator

Any HSM that works on Windows presumably has a vendor dll that comes with it or can be downloaded from the vendor. If it's PKCS#11 compliant, it should work with OpenVPN. If the hardware is supported by OpenSC, opensc-pkcs11.dll would work as a replacement for the vendor dll (pkcs11-spy is not required).

Yubico's piv tool includes the vendor library (libykcs11.so on Linux) -- it may be called ykcs11.dll or libykcs11.dll on Windows.

@tefod-zz

tefod-zz commented Jul 4, 2022

Thanks for the clarification. My previous attempt to include the libykcs11.dll had failed. Now I know the reason: the DLL files must either be copied together, or the bin folder from the Yubico PIV Tool needs to be added to the system path as described here.

Just for the next one who might stumble over this:

@selvanair
Collaborator

Yes, that dll has some dependencies which won't be found unless %PATH% is updated. If it's a standalone dll, just using the full path would have worked.
