Hi all,
We have been working with the combination of smartcard and openvpn together
successfully for quite some time now.
Other organizations wanted to use a similar set-up, but I ran into something
peculiar.
I got from them a smartcard for testing purposes, and if I do on the
commandline:
# openvpn --show-pkcs11-ids /usr/lib/libaetpkss.so
I get:
Certificate
DN: CN=testuser
Serial: 6C:82:04:4D:00:00:00:00:11:32
Serialized id:
A\x2EE\x2ET\x2E\x20Europe\x20B\x2EV\x2E/19CB0206010D00C0/1055010917955104/jwitvliet/32313030626532642D343962622D346130372D386362342D626330363534316162316533
"translated", it becomes:
A.E.T. Europe
B.V./19CB0206010D00C0/1055010917955104/jwitvliet/32313030626532642D343962622D346130372D386362342D626330363534316162316533
==========================================================
If I list the object on the card (without logging in) I see:
# pkcs11-tool --module /usr/lib/libaetpkss.so -O
Using slot 0 with a present token (0xcd01)
Certificate Object, type = X.509 cert
label: testuser's CA OMTW ID
ID:
32313030626532642d343962622d346130372d386362342d626330363534316162316533
Public Key Object; RSA 2048 bits
label: testuser's CA OMTW ID
ID:
32313030626532642d343962622d346130372d386362342d626330363534316162316533
Usage: encrypt, verify, wrap
Object 7, type 2147483651
Object 8, type 2147483651
Object 9, type 2147483651
Object 10, type 2147483652
When presenting credentials:
pkcs11-tool --module /usr/lib/libaetpkss.so -O -l
Using slot 0 with a present token (0xcd01)
Logging in to "jwitvliet".
Please enter User PIN:
Certificate Object, type = X.509 cert
label: testuser's CA OMTW ID
ID:
32313030626532642d343962622d346130372d386362342d626330363534316162316533
Public Key Object; RSA 2048 bits
label: testuser's CA OMTW ID
ID:
32313030626532642d343962622d346130372d386362342d626330363534316162316533
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: testuser's CA OMTW ID
ID:
32313030626532642d343962622d346130372d386362342d626330363534316162316533
Usage: decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv =
CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Object 8, type 2147483651
Object 9, type 2147483651
Object 10, type 2147483651
Object 11, type 2147483652
==> here the worrying starts, because of the "warning"... <==
There might be something wrong with the card...
Seeing what is available with pkcs11-tool, I decided to reduce the pkcs11-id
string to:
32313030626532642D343962622D346130372D386362342D626330363534316162316533
I get:
Mar 31 17:18:38 LWT001125b3f687 openvpn-nl[14834]: PKCS#11: Cannot deserialize
id 19-'CKR_ATTRIBUTE_VALUE_INVALID'
Mar 31 17:18:38 LWT001125b3f687 openvpn-nl[14834]: Cannot load certificate
"32313030626532642D343962622D346130372D386362342D626330363534316162316533"
using PKCS#11 interface
So, is anybody around who can explain the "Cannot deserialize id" error?
Especially the reference to "19-".
Hans
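As an added example (not from the original post), here is a small Python parser for the serialized id format that `openvpn --show-pkcs11-ids` prints above: the `\xHH` escaping is read directly from the post's "translated" line, while the five field names are an assumption about pkcs11-helper's token/object serialization. It also shows why a bare hex CKA_ID on its own is not a deserializable id.

```python
import re

# Serialized id copied verbatim from the --show-pkcs11-ids output in the post.
SERIALIZED_ID = (
    r"A\x2EE\x2ET\x2E\x20Europe\x20B\x2EV\x2E/19CB0206010D00C0/"
    r"1055010917955104/jwitvliet/"
    r"32313030626532642D343962622D346130372D386362342D626330363534316162316533"
)

# Field names are an assumption: pkcs11-helper serializes the token as
# manufacturer/model/serial/label and appends the object's CKA_ID as hex.
FIELDS = ("manufacturer", "model", "serial", "label", "id_hex")

_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape(field: str) -> str:
    """Decode the \\xHH escapes used for every non-alphanumeric byte."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), field)


def escape(text: str) -> str:
    """Inverse of unescape: keep [A-Za-z0-9], escape everything else as \\xHH."""
    return "".join(c if c.isalnum() else "\\x%02X" % ord(c) for c in text)


def deserialize(serialized: str) -> dict:
    """Split a serialized id into its fields; raise if the shape is wrong."""
    parts = serialized.split("/")
    if len(parts) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} '/'-separated fields, got {len(parts)}")
    rec = {name: unescape(part) for name, part in zip(FIELDS, parts)}
    # CKA_ID is opaque bytes; on this card it happens to be ASCII text.
    rec["id_bytes"] = bytes.fromhex(rec["id_hex"])
    return rec


def is_valid_serialized(serialized: str) -> bool:
    """True only for the full form; a bare CKA_ID hex string is rejected."""
    try:
        deserialize(serialized)
        return True
    except ValueError:
        return False
```

Running `deserialize(SERIALIZED_ID)` recovers "A.E.T. Europe B.V." as the manufacturer and decodes the CKA_ID to a UUID-shaped ASCII string, whereas the trimmed-down id from the post fails the field-count check.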