Hello,
I would like to use an Aladdin eToken in order to secure an OpenVPN
private key. However, while on Linux this setup works as
expected, on Windows I'm experiencing trouble:
I have the following structure on the Aladdin eToken:
-----------------------------------------------------------------------------
rf@bender:~$ sudo pkcs11-tool -L
Available slots:
Slot 0 Aladdin eToken PRO
token label: OpenSC Card (testuser)
token manuf: OpenSC Project
token model: PKCS #15 SCard
token flags: login required, PIN initialized, token initialized
serial num : <serial>
Slot 1 Aladdin eToken PRO
token label: OpenSC Card
token manuf: OpenSC Project
token model: PKCS #15 SCard
token flags: PIN initialized, token initialized
serial num : <serial>
Slot 2 Aladdin eToken PRO
token label: OpenSC Card
token manuf: OpenSC Project
token model: PKCS #15 SCard
token flags: token initialized
serial num : <serial>
Slot 3 Aladdin eToken PRO
token label: OpenSC Card
token manuf: OpenSC Project
token model: PKCS #15 SCard
token flags: token initialized
serial num : <serial>
Slot 4 (empty)
Slot 5 (empty)
Slot 6 (empty)
Slot 7 (empty)
containing the following information:
-----------------------------------------------------------------------------
rf@bender:~$ sudo pkcs15-tool -k --list-public-keys -c
X.509 Certificate [testuser id]
Flags : 2
Authority: no
Path : 3F0050153149
ID : 45
Private RSA Key [testuser id]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 16
Native : yes
Path : 3F005015
Auth ID : 01
ID : 45
Public RSA Key [testuser id]
Com. Flags : 2
Usage : [0x4], sign
Access Flags: [0x0]
ModLength : 1024
Key ref : 0
Native : no
Path : 3F0050153048
Auth ID :
ID : 45
and the following OpenVPN configuration:
-----------------------------------------------------------------------------
rf@bender:~/work/openvpn-2.1.rc1$ ./openvpn --version
OpenVPN 2.1_rc1 i386-pc-linux-gnu [SSL] [LZO1] [EPOLL] built on Nov 30 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@xxxxxxxxxxx>
-----------------------------------------------------------------------------
rf@bender:~$ sudo ./openvpn --show-pkcs11-slots /usr/lib/pkcs11/opensc-pkcs11.so
Provider Information:
cryptokiVersion: 2.11
manufacturerID: OpenSC Project (www.opensc.org)
flags: 0
The following slots are available for use with this provider.
Each slot shown below may be used as a parameter to a
--pkcs11-slot-type and --pkcs11-slot options.
Slots: (id - name)
0 - Aladdin eToken PRO
1 - Aladdin eToken PRO
2 - Aladdin eToken PRO
3 - Aladdin eToken PRO
4 - OpenCT reader (detached)
5 - OpenCT reader (detached)
6 - OpenCT reader (detached)
7 - OpenCT reader (detached)
-----------------------------------------------------------------------------
rf@bender:~$ sudo ./openvpn --show-pkcs11-objects /usr/lib/pkcs11/opensc-pkcs11.so 0
PIN:
Token Information:
label: OpenSC Card (testuser)
manufacturerID: OpenSC Project
model: PKCS #15 SCard
serialNumber: <serial>
flags: 0000040c
You can access this token using
--pkcs11-slot-type "label" --pkcs11-slot "OpenSC Card (testuser)" options.
The following objects are available for use with this token.
Each object shown below may be used as a parameter to
--pkcs11-id-type and --pkcs11-id options.
Object
Type: Private Key
CKA_ID:
45
CKA_LABEL: testuser id
CKA_SIGN: TRUE
CKA_SIGN_RECOVER: FALSE
Object
Type: Certificate
CKA_ID:
45
CKA_LABEL: testuser id
subject: <specific dn>/CN=testuser2/emailAddress=support@xxxxxxx
serialNumber: 04
notBefore: 061204165207Z
Object
Type: Public Key
CKA_ID:
45
CKA_LABEL: testuser id
Using Linux, this configuration works perfectly, but not
with Windows XP, where I use the same OpenVPN version as on Linux
and the attached configuration file.
OpenVPN details on Windows (same token as on Linux, of course):
etpkcs11.dll Version: 3.650.26.0
>openvpn --version
OpenVPN 2.1_rc1 Win32-MinGW [SSL] [LZO2] built on Oct 31 2006
Developed by James Yonan
Copyright (C) 2002-2005 OpenVPN Solutions LLC <info@xxxxxxxxxxx>
>openvpn --show-pkcs11-slots etpkcs11.dll
Provider Information:
cryptokiVersion: 2.1
manufacturerID: Aladdin Ltd.
flags: 0
The following slots are available for use with this provider.
Each slot shown below may be used as a parameter to a
--pkcs11-slot-type and --pkcs11-slot options.
Slots: (id - name)
0 - AKS ifdh 0
1 - AKS ifdh 1
>openvpn --show-pkcs11-objects etpkcs11.dll 0
PIN:
Token Information:
label: eToken
manufacturerID: Aladdin Knowledge Systems Ltd.
model: eToken CardOS/M4
serialNumber: <serial>
flags: 0000000d
You can access this token using
--pkcs11-slot-type "label" --pkcs11-slot "eToken" options.
PKCS#11: Cannot open session to token 'eToken' 1-'CKR_CANCEL'
The following objects are available for use with this token.
Each object shown below may be used as a parameter to
I suppose that OpenVPN has trouble talking to the token (I've recorded the
errors in a logfile; please tell me if it's OK to post it on the
mailing list).
I've also tried storing the X.509 certificate PEM- or DER-encoded, and had no
luck with either of them. Furthermore, I've tried all 3
pkcs11-id-type methods for selecting the certificate (id, label, subject), but
was not successful.
Could somebody please take a look at the configuration? Are there any known
problems regarding the Aladdin eToken (maybe related to the --split-key
issue documented at http://www.opensc-project.org/opensc/wiki/CardOs )?
thanks in advance,
Robert
# OpenVPN 2.1_rc1 client configuration (Windows), private key kept on the eToken
client
dev tun
proto udp
remote 172.29.9.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# CA certificate used to verify the server
ca bender_ca.crt
# PKCS#11 provider: Aladdin's etpkcs11.dll (file name matching is case-insensitive on Windows)
pkcs11-providers eTpkcs11.dll
# Select the token by the label reported by --show-pkcs11-objects
pkcs11-slot-type label
pkcs11-slot "eToken"
# auto: let OpenVPN choose between sign and sign-recover
pkcs11-sign-mode auto
# Select the certificate by its CKA_LABEL; the private key is looked up through it
pkcs11-id-type label
pkcs11-id "testuser id"
comp-lzo
# Debug-level logging
verb 120
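Added example, not part of Robert's post and not code from OpenVPN or OpenSC: a small Python script that parses a pkcs15-tool key listing like the one quoted above, decodes the PKCS#15 usage and accessFlags bitmasks (bit values taken from the PKCS#15 CommonKeyAttributes definition), pairs each certificate with its private key by ID (assumed here to be the CKA_ID match OpenVPN's PKCS#11 support uses to find the key behind the selected certificate), and reports whether that key is sign-capable and pinned to the token before it is named in --pkcs11-id. The two listings embedded in the script are constructed: the first is copied from the output above, the second is a deliberately weak key to show what the check flags.

```python
"""Check a PKCS#15 key listing before pointing OpenVPN's --pkcs11-id at it.

Added example; not code from OpenVPN, OpenSC or the original post.
Assumption: OpenVPN locates the private key by matching the selected
certificate's CKA_ID, so certificate and key IDs must agree.
"""
import re

# PKCS#15 CommonKeyAttributes.usage bit values
KEY_USAGE = {
    0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
    0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
    0x100: "derive", 0x200: "nonRepudiation",
}
# PKCS#15 CommonKeyAttributes.accessFlags bit values
ACCESS_FLAGS = {
    0x01: "sensitive", 0x02: "extractable", 0x04: "alwaysSensitive",
    0x08: "neverExtractable", 0x10: "local",
}

# Constructed sample: the pkcs15-tool output quoted in the post
SAMPLE_LISTING = """\
X.509 Certificate [testuser id]
Flags : 2
Authority: no
Path : 3F0050153149
ID : 45
Private RSA Key [testuser id]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 16
Native : yes
Path : 3F005015
Auth ID : 01
ID : 45
Public RSA Key [testuser id]
Com. Flags : 2
Usage : [0x4], sign
Access Flags: [0x0]
ModLength : 1024
Key ref : 0
Native : no
Path : 3F0050153048
Auth ID :
ID : 45
"""

# Constructed sample: an extractable key with no PIN protection (what NOT to accept)
SAMPLE_EXTRACTABLE = """\
X.509 Certificate [soft id]
Flags : 2
Authority: no
ID : 46
Private RSA Key [soft id]
Com. Flags : 3
Usage : [0x4], sign
Access Flags: [0x2], extractable
ModLength : 1024
Auth ID :
ID : 46
"""

HEADER = re.compile(r"^(X\.509 Certificate|Private RSA Key|Public RSA Key) \[(.*)\]$")
FIELD = re.compile(r"^([A-Za-z. ]+?)\s*:\s*(.*)$")
FLAGVAL = re.compile(r"\[0x([0-9A-Fa-f]+)\]")


def decode_bits(value, table):
    """Names of the bits set in value, in bit order; unknown bits are kept visible."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("unknown:0x%X" % unknown)
    return names


def parse_listing(text):
    """Turn 'Type [label]' headers and 'Field : value' lines into dicts."""
    objects, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"type": m.group(1), "label": m.group(2)}
            objects.append(cur)
            continue
        m = FIELD.match(line)
        if m and cur is not None:
            cur[m.group(1).strip()] = m.group(2).strip()
    return objects


def flag_value(field):
    """'[0x1D], sensitive, ...' -> 0x1D (0 when no bracketed value is present)."""
    m = FLAGVAL.search(field)
    return int(m.group(1), 16) if m else 0


def check_private_key(key):
    """Findings for a private key record; an empty list means sign-capable and pinned to the token."""
    usage = decode_bits(flag_value(key.get("Usage", "")), KEY_USAGE)
    access = decode_bits(flag_value(key.get("Access Flags", "")), ACCESS_FLAGS)
    findings = []
    if "sign" not in usage and "signRecover" not in usage:
        findings.append("key cannot sign (usage=%s); TLS client auth needs a signing key" % usage)
    if "sensitive" not in access:
        findings.append("key is not marked sensitive (access=%s)" % access)
    if "extractable" in access or "neverExtractable" not in access:
        findings.append("key may leave the token (access=%s)" % access)
    if not key.get("Auth ID"):
        findings.append("no Auth ID: key use is not bound to a PIN")
    return findings


def openvpn_selectors(objects):
    """Pair each certificate with the private key sharing its ID and list usable --pkcs11-id options."""
    keys = {o.get("ID"): o for o in objects if o["type"] == "Private RSA Key"}
    result = []
    for cert in objects:
        if cert["type"] != "X.509 Certificate":
            continue
        key = keys.get(cert.get("ID"))
        result.append({
            "label": cert["label"],
            "id": cert.get("ID"),
            "has_private_key": key is not None,
            "findings": check_private_key(key) if key else ["no private key with ID %s" % cert.get("ID")],
            "options": [("id", cert.get("ID")), ("label", cert["label"])],
        })
    return result


if __name__ == "__main__":
    for listing in (SAMPLE_LISTING, SAMPLE_EXTRACTABLE):
        for entry in openvpn_selectors(parse_listing(listing)):
            print(entry["label"], "OK" if not entry["findings"] else entry["findings"])
            for id_type, value in entry["options"]:
                print('  pkcs11-id-type %s / pkcs11-id "%s"' % (id_type, value))
```

For the token in the post the script reports no findings for "testuser id" (usage sign, access sensitive/alwaysSensitive/neverExtractable/local, Auth ID 01) and prints the id and label selectors; the constructed extractable key is rejected on three counts. Run it against the real `pkcs15-tool -k -c` output when a key is supposed to stay on the hardware.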
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users