[Openvpn-users] Problem with PKCS#11 and iKey 1000 Token


  • Subject: [Openvpn-users] Problem with PKCS#11 and iKey 1000 Token
  • From: Marek Dlouhy <dlouhy@xxxxxxxxx>
  • Date: Wed, 4 Jan 2006 16:50:59 +0100

Hi,
I'm unsuccessfully trying to use PKCS#11 with an iKey 1000 token. When I start openvpn, it fails with the error CKR_SESSION_HANDLE_INVALID. Can someone help me, please?

Here is my PKCS#11 config:

pkcs11-providers k1pk112
pkcs11-slot-type id
pkcs11-slot 1
pkcs11-id-type label
pkcs11-id "838e3b93-0943-4dfc-b5f4-49e0b0827fe8"

but I also tried the options:
pkcs11-cert-private
pkcs11-sign-mode sign or pkcs11-sign-mode recover


Output of "openvpn --show-pkcs11-slots k1pk112" is:

Provider Information:
    cryptokiVersion:    2.0
    manufacturerID:        Rainbow Technologies, Inc.
    flags:            0

The following slots are available for use with this provider.
Each slot shown below may be used as a parameter to a
--pkcs11-slot-type and --pkcs11-slot options.

Slots: (id - name)
    1 - iKey PKCS#11 Library
    2 - iKey PKCS#11 Library
    3 - iKey PKCS#11 Library
    4 - iKey PKCS#11 Library


Output of "openvpn --show-pkcs11-objects k1pk112 1" is:

Token Information:
    label:        Rainbow iKey
    manufacturerID:    Rainbow Technologies, Inc.
    model:        iKey 1000
    serialNumber:    0121002100000B25
    flags:        0000020d

You can access this token using
--pkcs11-slot-type "label" --pkcs11-slot "Rainbow iKey" options.

The following objects are available for use with this token.
Each object shown below may be used as a parameter to
--pkcs11-id-type and --pkcs11-id options.

Object
    Label:        838e3b93-0943-4dfc-b5f4-49e0b0827fe8
    Id:
        00
    Type:        Unsupported
Object
    Label:        838e3b93-0943-4dfc-b5f4-49e0b0827fe8
    Id:
        00
    Type:        Certificate
    subject:    /C=US/ST=CA/O=FortFunston/CN=vpnclient/emailAddress=nomail@xxxxxxxxx
    serialNumber:    02
    notBefore:    060103173108Z
Object
    Label:        838e3b93-0943-4dfc-b5f4-49e0b0827fe8
    Id:
        00
    Type:        Private Key
    Sign:        FALSE
    Sign Recover:    TRUE


And the output of the log file is:

Wed Jan 04 08:26:10 2006 us=881316 OpenVPN 2.1_beta8 Win32-MinGW [SSL] [LZO2] built on Jan  3 2006
Wed Jan 04 08:26:10 2006 us=881912 PKCS#11: pkcs11_initialize - entered
Wed Jan 04 08:26:10 2006 us=881941 PKCS#11: pkcs11h_initialize entry
Wed Jan 04 08:26:10 2006 us=881960 PKCS#11: pkcs11h_terminate entry
Wed Jan 04 08:26:10 2006 us=881974 PKCS#11: pkcs11h_terminate return
Wed Jan 04 08:26:10 2006 us=881990 PKCS#11: pkcs11h_initialize return rv=0-'CKR_OK'
Wed Jan 04 08:26:10 2006 us=882004 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
Wed Jan 04 08:26:10 2006 us=882019 PKCS#11: pkcs11_addProvider - entered - provider='k1pk112', sign_mode='sign'
Wed Jan 04 08:26:10 2006 us=882033 PKCS#11: Adding PKCS#11 provider 'k1pk112'
Wed Jan 04 08:26:10 2006 us=882048 PKCS#11: pkcs11h_addProvider entry pid=0, szProvider=k1pk112, szSignMode=sign
Wed Jan 04 08:26:11 2006 us=36077  PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
Wed Jan 04 08:26:11 2006 us=36117  PKCS#11: pkcs11_addProvider - return rv=0-'CKR_OK'
Wed Jan 04 08:26:11 2006 us=36171  WE_INIT maxevents=4 flags=0x00000002
Wed Jan 04 08:26:11 2006 us=36188  WE_INIT maxevents=4 capacity=8
Wed Jan 04 08:26:11 2006 us=36345  PKCS#11: SSL_CTX_use_pkcs11 - entered - ssl_ctx=00AE6A60, pkcs11_slot_type='id', pkcs11_slot='1', pkcs11_id_type='label', pkcs11_id='838e3b93-0943-4dfc-b5f4-49e0b0827fe8', pkcs11_protected_authentication=0
Wed Jan 04 08:26:11 2006 us=36368  PKCS#11: pkcs11h_openssl_createSession - entry
Wed Jan 04 08:26:11 2006 us=36384  PKCS#11: pkcs11h_openssl_createSession - return pkcs11h_openssl_session=00AE6618
Wed Jan 04 08:26:11 2006 us=36489  PKCS#11: pkcs11h_createSession entry szSlotType=id, szSlot=1, szIdType=label, szId=838e3b93-0943-4dfc-b5f4-49e0b0827fe8, fProtectedAuthentication=0, fCertPrivate=0, nPINCachePeriod=-1, p_pkcs11h_certificate=00AE665C
Wed Jan 04 08:26:11 2006 us=36511  PKCS#11: _pkcs11h_getSession entry szSlotType=id, szSlot=1, fProtectedAuthentication=0, nPINCachePeriod=-1, session=00AE6808
Wed Jan 04 08:26:11 2006 us=36529  PKCS#11: _pkcs11h_getSlot entry szSlotType=id, szSlot=1, provider=0022106C, slot=00221068
Wed Jan 04 08:26:11 2006 us=36547  PKCS#11: _pkcs11h_getSlotById entry szSlot=1, provider=0022106C, slot=00221068
Wed Jan 04 08:26:11 2006 us=36564  PKCS#11: _pkcs11h_getSlotById return rv=0-'CKR_OK'
Wed Jan 04 08:26:11 2006 us=36579  PKCS#11: _pkcs11h_getSlot return rv=0-'CKR_OK'
Wed Jan 04 08:26:11 2006 us=345261 PKCS#11: _pkcs11h_getSession return rv=0-'CKR_OK'
Wed Jan 04 08:26:11 2006 us=345304 PKCS#11: _pkcs11h_setCertificateSession_Certificate entry pkcs11h_certificate=00AE6808, szIdType=label, szId=838e3b93-0943-4dfc-b5f4-49e0b0827fe8
Wed Jan 04 08:26:11 2006 us=345331 PKCS#11: _pkcs11h_setCertificateSession_Certificate return rv=179-'CKR_SESSION_HANDLE_INVALID'
Wed Jan 04 08:26:11 2006 us=345350 PKCS#11: _pkcs11h_login entry session=00AE6088, fPublicOnly=1
Wed Jan 04 08:26:11 2006 us=345478 PKCS#11: _pkcs11h_logout entry session=00AE6088
Wed Jan 04 08:26:11 2006 us=345493 PKCS#11: _pkcs11h_logout return
Wed Jan 04 08:26:11 2006 us=345509 PKCS#11: _pkcs11h_resetSession entry session=00AE6088, slot=0021FAEC
Wed Jan 04 08:26:11 2006 us=515182 PKCS#11: _pkcs11h_resetSession return fFound=1
Wed Jan 04 08:26:12 2006 us=280328 PKCS#11: _pkcs11h_login return rv=0-'CKR_OK'
Wed Jan 04 08:26:12 2006 us=280377 PKCS#11: _pkcs11h_setCertificateSession_Certificate entry pkcs11h_certificate=00AE6808, szIdType=label, szId=838e3b93-0943-4dfc-b5f4-49e0b0827fe8
Wed Jan 04 08:26:12 2006 us=344803 PKCS#11: _isBetterCertificate entry pCurrent=00228CC0, nCurrentSize=0, pNew=00221490, nNewSize=739
Wed Jan 04 08:26:12 2006 us=344842 PKCS#11: _isBetterCertificate return fBetter=1
Wed Jan 04 08:26:12 2006 us=344868 PKCS#11: _isBetterCertificate entry pCurrent=00228CC0, nCurrentSize=739, pNew=00221490, nNewSize=739
Wed Jan 04 08:26:12 2006 us=345386 PKCS#11: _isBetterCertificate return fBetter=0
Wed Jan 04 08:26:12 2006 us=345413 PKCS#11: _isBetterCertificate entry pCurrent=00228CC0, nCurrentSize=739, pNew=00221490, nNewSize=739
Wed Jan 04 08:26:12 2006 us=345721 PKCS#11: _isBetterCertificate return fBetter=0


The OS is Windows XP Professional with SP2. The Cryptoki version for the iKey 1000 token (K1PK112.DLL) is 2.6.1.24.

Thanks,
Marek
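
Added example (not part of Marek's post and not OpenVPN's own code): a small Python script that parses the `--show-pkcs11-objects` listing and the config fragment quoted above and checks that the object selected by pkcs11-id-type/pkcs11-id exists as both a Certificate and a Private Key, and that the private key's advertised capabilities (Sign / Sign Recover) are consistent with pkcs11-sign-mode. The sample inputs are copied from the post; two things are assumptions rather than documented OpenVPN behaviour: that the sign mode defaults to 'sign' when the directive is absent (taken from the sign_mode='sign' in the log above), and that pkcs11-sign-mode sign and recover correspond to the Sign and Sign Recover capability flags respectively. In the posted setup this check reports that the key advertises Sign=FALSE while the effective sign mode is 'sign', which is the first consistency problem a practitioner would want surfaced before digging into the session error.

```python
import shlex
from typing import Dict, List

# Constructed sample input: the `openvpn --show-pkcs11-objects k1pk112 1`
# listing exactly as it appears in the post above.
SHOW_OBJECTS_OUTPUT = """\
Object
    Label:        838e3b93-0943-4dfc-b5f4-49e0b0827fe8
    Id:
        00
    Type:        Unsupported
Object
    Label:        838e3b93-0943-4dfc-b5f4-49e0b0827fe8
    Id:
        00
    Type:        Certificate
    subject:    /C=US/ST=CA/O=FortFunston/CN=vpnclient/emailAddress=nomail@xxxxxxxxx
    serialNumber:    02
    notBefore:    060103173108Z
Object
    Label:        838e3b93-0943-4dfc-b5f4-49e0b0827fe8
    Id:
        00
    Type:        Private Key
    Sign:        FALSE
    Sign Recover:    TRUE
"""

# Constructed sample input: the PKCS#11 directives from the post's config.
POSTED_CONFIG = """\
pkcs11-providers k1pk112
pkcs11-slot-type id
pkcs11-slot 1
pkcs11-id-type label
pkcs11-id "838e3b93-0943-4dfc-b5f4-49e0b0827fe8"
"""


def parse_objects(text: str) -> List[Dict[str, str]]:
    """Turn the --show-pkcs11-objects listing into one dict per 'Object' block."""
    objects: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Object":
            current = {}
            objects.append(current)
            last_key = ""
        elif not line or not objects:
            continue
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            current[last_key] = value.strip()
        elif last_key:
            # A line without a colon continues the previous value
            # (the hex bytes printed on their own line under "Id:").
            current[last_key] = (current[last_key] + " " + line).strip()
    return objects


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse 'option arg ...' lines; shlex handles the quoted pkcs11-id value."""
    options: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        words = shlex.split(line)
        options[words[0]] = words[1:]
    return options


def check_sign_mode(config: Dict[str, List[str]],
                    objects: List[Dict[str, str]]) -> List[str]:
    """Return a list of inconsistencies between the config and the token
    objects; an empty list means the selection and sign mode look consistent."""
    findings: List[str] = []
    if "pkcs11-id-type" not in config or "pkcs11-id" not in config:
        return ["pkcs11-id-type and pkcs11-id must both be set to select a token object"]
    id_type, wanted = config["pkcs11-id-type"][0], config["pkcs11-id"][0]
    attr = {"label": "Label", "id": "Id"}.get(id_type)
    if attr is None:
        return [f"pkcs11-id-type {id_type!r} is not handled by this check (label and id are)"]

    def norm(value: str) -> str:
        # Hex Ids may be printed with spaces and mixed case; compare loosely.
        return value.replace(" ", "").lower()

    matched = [o for o in objects if norm(o.get(attr, "")) == norm(wanted)]
    if not any(o.get("Type") == "Certificate" for o in matched):
        findings.append(f"no Certificate object with {attr} {wanted!r} on the token")
    keys = [o for o in matched if o.get("Type") == "Private Key"]
    if not keys:
        findings.append(f"no Private Key object with {attr} {wanted!r} on the token")
        return findings

    # Assumption: with no pkcs11-sign-mode directive the log in the post
    # reports sign_mode='sign', so 'sign' is treated as the default here.
    mode = config.get("pkcs11-sign-mode", ["sign"])[0]
    for key in keys:
        can_sign = key.get("Sign", "").upper() == "TRUE"
        can_recover = key.get("Sign Recover", "").upper() == "TRUE"
        if mode == "sign" and not can_sign:
            msg = "private key reports Sign=FALSE but pkcs11-sign-mode is 'sign'"
            if can_recover:
                msg += "; it reports Sign Recover=TRUE, the capability assumed for pkcs11-sign-mode recover"
            findings.append(msg)
        elif mode == "recover" and not can_recover:
            msg = "private key reports Sign Recover=FALSE but pkcs11-sign-mode is 'recover'"
            if can_sign:
                msg += "; it reports Sign=TRUE, the capability assumed for pkcs11-sign-mode sign"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    objs = parse_objects(SHOW_OBJECTS_OUTPUT)
    print("posted config:")
    for finding in check_sign_mode(parse_config(POSTED_CONFIG), objs):
        print("  finding:", finding)
    print("with pkcs11-sign-mode recover:")
    for finding in check_sign_mode(parse_config(POSTED_CONFIG + "pkcs11-sign-mode recover\n"), objs):
        print("  finding:", finding)
```

Run it as-is to see the mismatch reported for the posted config and no findings once `pkcs11-sign-mode recover` is added; to use it on another token, paste the real `--show-pkcs11-objects` output and config into the two constants. The check deliberately stops at capability consistency and says nothing about the CKR_SESSION_HANDLE_INVALID itself, which the listing alone cannot explain.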

