Yubikey + OpenSC failing on authentication

Got a problem with Viscosity or need help? Ask here!

laazik

Posts: 2
Joined: Thu Aug 16, 2018 7:00 am

Post by laazik » Thu Aug 16, 2018 7:17 am
Hi,

I am trying to understand why my setup fails, and have been trying to figure out this in complete vain. I have Viscosity on Win10. Username password connection establishment works correctly and the VPN is being set-up.

We also have Yubikey based VPN connection, which works correctly on OS X, with the same yubikey, but refuses to connect on W10. I can see in the opensc debug logs, that the certificate is being looked up correctly, if I add the opensc-pkcs11.dll driver and use the detect certificate functionality.

But when I am starting the setup of the connection, although it asks for the PIN it seems to have no effect on the actual yubikey itself and also ... nothing turns up in the opensc logs.

It's probably a long shot, but perhaps someone has some ideas or thoughts where I should look into.

I'm running:
OpenSC 0.18.0 (both 32 and 64 bit are installed)
Viscosity 1.7.11 (1567)
.NET 4.7.03056.461808

After adding verb 7 to provide additional debug logging, what I'm seeing in connection details window is:
Code: Select all
Aug 16 00:03:20: PKCS#11: Adding PKCS#11 provider 'C:\Windows\SysWOW64\opensc-pkcs11.dll'
Aug 16 00:03:20: PKCS#11: Adding provider 'C:\Windows\SysWOW64\opensc-pkcs11.dll'-'C:\Windows\SysWOW64\opensc-pkcs11.dll'
Aug 16 00:03:22: PKCS#11: Provider 'C:\Windows\SysWOW64\opensc-pkcs11.dll' added rv=0-'CKR_OK'
...
Aug 16 00:03:23: PKCS#11: Creating a new session
...
Aug 16 00:03:25: PKCS#11: Performing signature
Aug 16 00:03:25: PKCS#11: Getting key attributes
Aug 16 00:03:25: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
Aug 16 00:03:25: PKCS#11: Calling pin_prompt hook for 'redacted'
...
Aug 16 00:03:39: PKCS#11: pin_prompt hook return rv=0
Aug 16 00:03:39: PKCS#11: Key attributes loaded (0000000f)
Aug 16 00:03:39: PKCS#11: Private key operation failed rv=257-'CKR_USER_NOT_LOGGED_IN'
Aug 16 00:03:40: PKCS#11: Calling pin_prompt hook for 'redacted'
...
Aug 16 00:03:47: PKCS#11: pin_prompt hook return rv=0
Aug 16 00:03:47: PKCS#11: Cannot perform signature 257:'CKR_USER_NOT_LOGGED_IN'

Eric

User avatar
Posts: 872
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Aug 16, 2018 4:01 pm
Hi laazik,

Is the Yubikey software able to access and use this key and it's saved P12 on Windows? We have seem some finicky behaviour from Yubikeys like this before and it came down to reinitialising the device using Yubikey's software sadly.

It's also possible this is a bug in OpenSC. OpenSC won't log anything using it's library, only using it's command line tool. You will need to ensure you are using the 32bit version but it looks like you already are, I assume you are using the latest version? It may be worth trying an older version, there has been a bit of a crack down on the PKCS11 spec in recent years.

I'm afraid we don't have the time to run up a test instance specifically for this scenario at the moment, if you are still having problems next week though let us know.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

laazik

Posts: 2
Joined: Thu Aug 16, 2018 7:00 am

Post by laazik » Thu Aug 16, 2018 6:57 pm
Thank you for quick reply. Indeed, after downgrading OpenSC to version 0.16.0 it started to work correctly. So at least for now for some setups the 0.18.0 on Windows 10 does not correctly do authentication and the solution is to downgrade to the 0.16.0 (confirmed to work).
3 posts Page 1 of 1