PKCS#11: Selecting smartcards dynamically via dialog #158
Comments
Yes, it's in my TODO list but not a high priority as no one seems to have missed it so far :)
Got it, thanks.
After a day of research, I have now also stumbled across this.
But: to get the hardware PIV compliant, the serial (CHUID) of each token has to be unique. This is done by the YubiKey Manager or by the CLI tools automatically! You can have a new CHUID generated, but you can't set a specific one. It's a pity that the Did someone find a workaround for this? I can't believe that the OpenVPN GUI is used with hardware tokens in a company environment as foreseen (in PIV mode). Searched the web but found only people with similar issues and no solution yet.
I distribute user-specific profiles, and have no idea how to avoid that. The GUI now supports importing ovpn via a URL, which makes it easier than before. |
@selvanair that's really awesome. Just tried it right now; works flawlessly. This has some great benefits: I don't need to deploy OpenSC. It would work even without the YubiKey Minidriver (it is detected by Windows).
I just found a minor drawback: Windows asks for the PIN even when the certificate is in slot 9e (card authentication) of the YubiKey. I can live with that. In the MS/Windows world this is a hugely better approach. PKCS11 with the unique serial/CHUID makes it impossible to mass-deploy.
This will work now! Just change the OpenVPN config to SSL/TLS (without user auth). Create a certificate for each user and put them onto the token. With the lines above this should work with just one OVPN file. The user plugs in the token, connects and has to enter the PIN of the hardware token. Some more words for my setup:
Next goal: Thanks again!
Maybe in 2017 this feature was not much requested, but nowadays I think it should get priority considering the number of people / companies which implement PIV devices.
If we were to implement this, what details of the available certificates should we show to the user? Certificate subject and issuer, or also include the token manufacturer, model, label etc.? Show the full subject or just the common name? Sometimes there is too much info in these fields that could confuse a lay user, sometimes too little. Just showing a list of pkcs11-uris is not user friendly.
Common Name, issuer and validity dates... those are the three things that normally appear on any certificate selection prompt like the one IE, Chrome or Firefox show you... I would go with what everyone else does as a minimum. Then you can always have an option to show more details or anything like that, but it is definitely not necessary in a first implementation.
See PR #508: may be tested using executables in the GHA build artifacts: https://github.com/OpenVPN/openvpn-gui/actions/runs/2573546100#artifacts
@selvanair: wow! That was a very quick job you've done here... I tested one of the GHA build artifacts and it works perfectly. I tested both with the PIV device already plugged in and without it, to test the retry option, and both look good to me.
Ouuhh, promising good news! Thanks @selvanair.
@tefod-zz If you have a setup working with pkcs11, just comment out the "pkcs11-id" line and add "pkcs11-id-management" in the config file. Here are the pkcs11-related lines in my test config, where I use two provider dlls -- one for a hardware token and the other a softhsm one.
The artifact zip includes the GUI exe and the OpenSSL crypto dll. There are no other dependencies, so if you extract it to a folder somewhere, you can just start the GUI executable from it.
Sorry for the delay. I got it working thanks to @selvanair's instructions. I got a dialog prompt with a list of certificates. However, after I selected a certificate, the openvpn process (it seems) crashed; I got a "connection lost" or similar prompt from the GUI. This is probably unrelated to this specific change, since I used openvpn built from the DCO branch and dco-win as the driver. I'll retest with master/released and tap-windows6.
That worked, thanks. I used pkcs11-spy.dll from OpenSC as the provider dll. It worked flawlessly. Regarding the provider dll: the etpkcs.dll from @selvanair's example is probably from an Aladdin eToken.
Any HSM that works on Windows presumably has a vendor dll that comes with it or can be downloaded from the vendor. If it's PKCS#11 compliant, it should work with OpenVPN. If the hardware is supported by OpenSC, opensc-pkcs11.dll would work as a replacement for the vendor dll (pkcs11-spy is not required). Yubico's PIV tool includes the vendor library (libykcs11.so on Linux); it may be called ykcs11.dll or libykcs11.dll on Windows.
Thanks for the clarification. My previous attempt to include libykcs11.dll had failed. Now I know the reason: the DLL files must either be copied together, or the bin folder from the Yubico PIV Tool needs to be added to the system path as described here.
Yes, that dll has some dependencies which won't be found unless %PATH% is updated. If it's a standalone dll, just using the full path would have worked.
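The load failure discussed above (a provider DLL whose own dependencies are not on %PATH%) is easy to reproduce outside OpenVPN. The script below is an added diagnostic, not code from openvpn-gui or from any of the commenters: it loads a candidate PKCS#11 provider with LoadLibrary exactly as the openvpn process would, maps the two Win32 errors a practitioner most often hits (126, a missing dependency; 193, a 32/64-bit mismatch) to a plain hint, and then checks that the module exports C_GetFunctionList, the entry point every PKCS#11 module must provide. The DLL path in the usage line is a constructed example.

```powershell
# Added diagnostic for PKCS#11 provider DLLs (not part of openvpn-gui).
# P/Invoke the three kernel32 calls needed to load a DLL and probe an export.
Add-Type -Namespace Pkcs11Check -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryW(string lpFileName);

[DllImport("kernel32.dll", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Test-Pkcs11Provider {
    param([Parameter(Mandatory = $true)][string]$Path)

    $result = [ordered]@{ Path = $Path; Loaded = $false; HasEntryPoint = $false; Error = $null }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Error = 'File not found'
        return [pscustomobject]$result
    }

    # Same resolution rules openvpn.exe uses: the DLL's own directory, then the process %PATH%.
    $handle = [Pkcs11Check.Native]::LoadLibraryW($Path)
    if ($handle -eq [IntPtr]::Zero) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $msg  = (New-Object System.ComponentModel.Win32Exception($code)).Message
        switch ($code) {
            126     { $hint = 'ERROR_MOD_NOT_FOUND: the DLL or one of its dependencies is not next to it and not on %PATH%' }
            193     { $hint = 'ERROR_BAD_EXE_FORMAT: 32/64-bit mismatch between this process and the DLL' }
            default { $hint = $msg }
        }
        $result.Error = "LoadLibrary failed ($code): $hint"
        return [pscustomobject]$result
    }

    try {
        $result.Loaded = $true
        # Every PKCS#11 v2.x module exports C_GetFunctionList; if it is missing,
        # the file loaded but is not a PKCS#11 provider (e.g. a helper DLL picked by mistake).
        $proc = [Pkcs11Check.Native]::GetProcAddress($handle, 'C_GetFunctionList')
        $result.HasEntryPoint = ($proc -ne [IntPtr]::Zero)
        if (-not $result.HasEntryPoint) { $result.Error = 'C_GetFunctionList not exported' }
    }
    finally {
        [void][Pkcs11Check.Native]::FreeLibrary($handle)
    }
    return [pscustomobject]$result
}

# Usage (constructed path; adjust to the provider you actually configure in pkcs11-providers).
Test-Pkcs11Provider -Path 'C:\Program Files\Yubico\Yubico PIV Tool\bin\libykcs11.dll'
```

Run it from a PowerShell whose bitness matches the openvpn.exe build you use, since a 64-bit shell will happily load a DLL that a 32-bit openvpn cannot, and vice versa. The check sees the %PATH% of the shell it runs in, so after adding a vendor bin folder to the system path, open a fresh shell (and restart the OpenVPN service or GUI) before trusting the result.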
Hi folks!
Are there any plans to implement "pkcs11-id-management" feature?
With the latest 11.5 version I get "GUI> Error: Received NEED-STR message -- not implemented"