NitroKey Pro PKCS11 ID

Got a problem with Viscosity or need help? Ask here!

hannehomuth

Posts: 2
Joined: Wed Jul 01, 2020 11:16 pm

Post by hannehomuth » Wed Jul 01, 2020 11:48 pm
Hi,

I'm evaluating the NitroKey Pro in combination with Viscosity for VPN usage.
Unfortunately I can't get it to work. The error message is always "ERROR: PKCS#11 - Invalid PKCS11 ID".
I've set the PKCS11 ID with the Viscosity discover mechanism. So I don't think it is wrong at all.

Things I did:
  • Installed OpenSC from https://github.com/OpenSC/OpenSC/wiki
    • Installed both (32- and 64-bit version)
  • Installed Viscosity 1.8.5.1
  • Imported existing configuration which worked with former used Athena Tokens
  • Changed the PKCS11 Provider to "C:\Program Files\OpenSC Project\OpenSC\pkcs11\onepin-opensc-pkcs11.dll"
    • Tried "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll" also
  • Started discover mechanism which detected the NitroKey Token correctly (imho)
  • Started connection attempt -> Failed with Message INVALID PKCS11 ID
The Token seems to be correctly prepared, because I'm able to connect with that Token via Linux Openvpn Client.
The PKCS11 ID which was used on the Linux machine is slightly different from the one which is detected by the Viscosity client:
#Linux
ZeitControl/PKCS\x2315\x20emulated/000500006b95/OpenPGP\x20card\x20\x28User\x20PIN\x29/03
#Windows
ZeitControl/PKCS\x2315\x20emulated/000500006b95/OpenPGP\x20card\x20\x28User\x20PIN\x29

I tried to get the PKCS11 ID via openvpn, which shows the ID in another format, which doesn't work either (if I use this format within Viscosity).
C:\Program Files\OpenVPN\bin>openvpn.exe --show-pkcs11-ids "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             C=DE, ST=Berlin, L=Berlin, O=****, OU= Rechnerbetrieb, CN=****, emailAddress=*****@****.de
       Serial:         01
       Serialized id:  pkcs11:model=PKCS%2315%20emulated;token=OpenPGP%20card%20%28User%20PIN%29;manufacturer=ZeitControl;serial=000500006b95;id=%03


Does anyone know what is wrong?
Attachment: viscosity-log.txt (11.6 KiB)

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Jul 02, 2020 11:37 am
Hi hannehomuth,

The PKCS11 ID is indeed invalid; it should have 5 subsections. We've had varying success with OpenSC on Windows over the years with different keys.

First, please ensure you are using the x64 version of OpenSC on 64-bit Windows, and that only the x64 version is installed; we have seen the two architectures not mix well before. Please uninstall both and then reinstall just the x64 version. The onepin DLL is the correct one to use for the vast majority of tokens.

Next, the difference you have noted in the IDs produced is important; the one you see on Windows is indeed invalid. Is that the only ID you see when using the Detect button in Viscosity, or are there others in the drop down? Does the View Certificate button display the correct certificate? If you change Viscosity to Prompt for name on connect instead, does this work when connecting?

Can you please try using the Linux ID in Viscosity? This ID is the correct format; however, if Viscosity is not producing that ID it may not work. The value produced by vanilla OpenVPN on Windows is incorrect; PKCS11 has been having some issues on Windows with vanilla OpenVPN for a while now (Viscosity has its own implementation of PKCS11 on Windows; OpenVPN and your token do not communicate).

Finally, you may wish to try an older version of OpenSC. We have seen varying success using OpenSC 0.19 and 0.16 with different combinations of token and Windows version in the past; you may find a specific version of OpenSC works with your key where others do not. You may also wish to try the 0.20-rc versions; I believe we had issues with rc1 but rc2 worked for us, for example - https://github.com/OpenSC/OpenSC/releases/

If you are evaluating PKCS11 and your wider userbase is on Windows, our recommendation is a token that uses the SafeNet driver; it is far more optimised for Windows and we have never seen issues with this driver on Windows.
If you do wish to stick with OpenSC, its driver is certainly better supported on Nix and macOS; we would recommend trialing Yubikeys, as we have seen better compatibility with these on Windows than any other token that uses OpenSC.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
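The two ID formats in this thread follow documented conventions: OpenVPN's --pkcs11-id value is five slash-separated sections (manufacturer/model/serial/label/id, with non-alphanumeric bytes written as \xHH and the final section being the CKA_ID in hex), while --show-pkcs11-ids printed an RFC 7512 `pkcs11:` URI with percent-encoded attributes. The script below is an added example, not code from the thread, Viscosity, OpenSC or OpenVPN: it validates a slash-separated ID (reporting which section is missing, which is exactly the Windows failure above), and converts the URI form into the slash-separated form. The escaping rule (escape every byte that is not an ASCII letter or digit) is an assumption that reproduces the IDs quoted in the thread; pkcs11-helper's exact set of escaped characters may differ.

```python
"""Parse, validate and convert OpenVPN PKCS#11 object IDs.

Added example, not part of the forum thread or any of the tools named in it.
Assumption: every byte outside ASCII letters/digits is escaped as \\xHH.
"""
import re
from urllib.parse import unquote_to_bytes

# Section order of OpenVPN's serialized ID; the 5th section is the hex CKA_ID.
FIELDS = ("manufacturer", "model", "serial", "label", "id")

# RFC 7512 URI attribute -> OpenVPN section name.
_URI_KEYS = {"manufacturer": "manufacturer", "model": "model",
             "serial": "serial", "token": "label", "id": "id"}

_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Sample values copied from the thread (the Linux ID, the truncated Windows ID,
# and the URI printed by openvpn.exe --show-pkcs11-ids).
LINUX_ID = (r"ZeitControl/PKCS\x2315\x20emulated/000500006b95/"
            r"OpenPGP\x20card\x20\x28User\x20PIN\x29/03")
WINDOWS_ID = (r"ZeitControl/PKCS\x2315\x20emulated/000500006b95/"
              r"OpenPGP\x20card\x20\x28User\x20PIN\x29")
OPENVPN_URI = ("pkcs11:model=PKCS%2315%20emulated;"
               "token=OpenPGP%20card%20%28User%20PIN%29;"
               "manufacturer=ZeitControl;serial=000500006b95;id=%03")


def escape_field(raw: bytes) -> str:
    """Render raw token bytes as an OpenVPN ID section (assumed escape rule)."""
    out = []
    for b in raw:
        c = chr(b)
        out.append(c if (c.isascii() and c.isalnum()) else "\\x%02x" % b)
    return "".join(out)


def unescape_field(text: str) -> bytes:
    """Reverse escape_field: turn \\xHH sequences back into bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        m = _ESCAPE.match(text, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.append(ord(text[i]))  # serialized IDs are ASCII
            i += 1
    return bytes(out)


def split_openvpn_id(serialized: str) -> dict:
    """Split a slash-separated ID into named sections; raise if not 5."""
    parts = serialized.split("/")  # a literal '/' inside a field is escaped
    if len(parts) != len(FIELDS):
        missing = FIELDS[len(parts):]
        msg = f"expected {len(FIELDS)} sections separated by '/', got {len(parts)}"
        if missing:
            msg += f" (missing {', '.join(missing)})"
        raise ValueError(msg)
    fields = {name: unescape_field(p) for name, p in zip(FIELDS[:-1], parts[:-1])}
    fields["id"] = bytes.fromhex(parts[-1])  # CKA_ID is carried as hex
    return fields


def check_openvpn_id(serialized: str) -> str:
    """Return 'ok' or a human-readable reason the ID will be rejected."""
    try:
        split_openvpn_id(serialized)
    except ValueError as exc:
        return str(exc)
    return "ok"


def uri_to_openvpn_id(uri: str) -> str:
    """Convert a pkcs11: URI (RFC 7512 path attributes) to OpenVPN's form."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # drop any query attributes
    attrs = {}
    for item in path.split(";"):
        if item:
            key, _, value = item.partition("=")
            attrs[key] = unquote_to_bytes(value)
    fields = {}
    for ukey, fname in _URI_KEYS.items():
        if ukey not in attrs:
            raise ValueError(f"URI lacks '{ukey}' needed for the {fname} section")
        fields[fname] = attrs[ukey]
    return "/".join(fields[f].hex() if f == "id" else escape_field(fields[f])
                    for f in FIELDS)


if __name__ == "__main__":
    print(uri_to_openvpn_id(OPENVPN_URI))
    for ident in (LINUX_ID, WINDOWS_ID):
        print(ident, "->", check_openvpn_id(ident))
```

Run as-is, the URI from the thread converts to exactly the Linux ID, the Linux ID passes the section check, and the Windows ID is rejected with "missing id", which is the CKA_ID section Viscosity's discover step was not producing with OpenSC 0.20.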

hannehomuth

Posts: 2
Joined: Wed Jul 01, 2020 11:16 pm

Post by hannehomuth » Thu Jul 02, 2020 4:25 pm
Hi Eric,

thank you for the quick and detailed answer.
Quick answer from my side - opensc 0.19 works as expected with the NitroKey Pro within Viscosity.

I will answer your other questions anyway because they might be interesting for you as a developer.
Eric wrote (Thu Jul 02, 2020 11:37 am):
First, please ensure you are using the x64 version of OpenSC on 64-bit Windows, and only the x64 version is installed, we have seen the two architectures not mix well before. Please uninstall both and then reinstall just the x64 version. The onepin DLL is the correct one to use for the vast majority of tokens.
I uninstalled both versions, rebooted, and installed the 64-bit version of opensc 0.20 only, but no success. The behaviour was identical for me.
I installed both versions in the first place because the quick start guide said to do so.
Eric wrote (Thu Jul 02, 2020 11:37 am):
Next, the difference you have noted in the IDs produced are important, the one you see on Windows is indeed invalid. Is that the only ID you see when using the Detect button in Viscosity or are there others in the drop down? Does the View Certificate button display the correct certificate? If you change Viscosity to Prompt for name on connect instead, does this work when connecting?
Yes, it was the only ID which was shown within the dropdown box. The "View Certificate" button did come up with the correct certificate; there was no problem. Changing the method to "Prompt for name on connect" didn't succeed with opensc 0.20 either. Same behaviour: one ID within the dropdown in the upcoming dialog, with the missing last section.
Eric wrote (Thu Jul 02, 2020 11:37 am):
Can you please try using the Linux ID in Viscosity, this ID is the correct format however if Viscosity is not producing that ID it may not work.
Sorry, I didn't write it in the first post, but I tried that multiple times without success.

Eric wrote (Thu Jul 02, 2020 11:37 am):
Finally, you may wish to try an older version of OpenSC. We have seen varying success using OpenSC 0.19 and 0.16 with different combinations of Token and Windows version in the past, you may find a specific version of OpenSC works with your key where others do not. You may also wish to try the 0.20-rc versions, I believe we had issues with rc1 but rc2 worked for us for example - https://github.com/OpenSC/OpenSC/releases/
That was the trick! I had no success with the 0.20-rc versions, but the 0.19 version of opensc worked directly. The ID produced is identical to the one produced on Linux. Great! Thank you.
Eric wrote (Thu Jul 02, 2020 11:37 am):
If you are evaluating PKCS11 and your wider userbase is on Windows, our recommendation is a token that uses the SafeNet driver, it is far more optimised for Windows and we have never seen issues with this driver on Windows.
If you do wish to stick with OpenSC, it's driver is certainly better supported on Nix and macOS, we would recommend trialing Yubikey's, we have seen better compatibility with these on Windows than any other token that uses OpenSC.
We have a mixed situation. Multiple Linux users, some Mac, and a few working on Windows (50% Linux/Mac and 50% Windows). And furthermore, some using both systems. We decided to use/test the NitroKey Pro 2 because we used them for another project (another use case indeed) and had some NitroKeys left over. But thanks for the recommendation of Yubikey, we will think about it.


Regards,
Hannes

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Jul 02, 2020 4:58 pm
Thanks for the feedback, Hannes, we're always happy to hear it! Glad you're up and running, that's the main thing.

Cheers,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs