yiminyangguang520 / eid-mw

Automatically exported from code.google.com/p/eid-mw
GNU Lesser General Public License v3.0

No PIN prompt when using eID for OpenVPN #123

Status: Closed (GoogleCodeExporter closed this issue 9 years ago)

GoogleCodeExporter commented 9 years ago
Hello!

I set up the OpenVPN client to use TCOS3 cards to authenticate against the 
server: this works well.
Now I want to use the Belgium eID card to also connect using OpenVPN.

Using this 'client.config' (some values are XXXed out)
client
dev tun
proto tcp
remote 192.168.122.218 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
# TCos3
#pkcs11-providers /usr/local/lib/libpkcs11tcos3NetKey64-1.6.3.so
#pkcs11-id "T-Systems International GmbH/TCOS 3.0 NetKey/XXXX/XXXX"
# Belgium eID
pkcs11-providers /usr/lib/libbeidpkcs11.so.0
pkcs11-id "Belgium Government/Belgium eID/XXXX/BELPIC/0200000000000000"
ca /etc/openvpn/ca/ca.crt
comp-lzo
verb 255
log /tmp/o.log

And this command:
openvpn --script-security 2 --config client.conf

A connection to the server is established, but it is closed after a 60 s timeout.

At this point I expect that I have to enter the PIN, but nothing happens.

Some more notes:
o The Java application works fine.
   Check PIN gives ok.
o Using Debian 7.5
o Using the latest version (4.0.6r1523) of eid-mw

Attached you can find the last lines of the log; at this position the 
program freezes.

Kind regards

Andre

---

Directly after start (the card can be read and the id is found):

Wed Jul  9 08:52:48 2014 us=679754 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] 
[EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] 
built on Jun 18 2013
Wed Jul  9 08:52:48 2014 us=679833 PKCS#11: pkcs11_initialize - entered
Wed Jul  9 08:52:48 2014 us=679903 PKCS#11: pkcs11_initialize - return 
0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=679950 PKCS#11: pkcs11_addProvider - entered - 
provider='/usr/lib/libbeidpkcs11.so.0', private_mode=00000000
Wed Jul  9 08:52:48 2014 us=679995 PKCS#11: Adding PKCS#11 provider 
'/usr/lib/libbeidpkcs11.so.0'
Wed Jul  9 08:52:48 2014 us=680045 PKCS#11: pkcs11h_addProvider entry 
version='1.09', pid=8290, reference='/usr/lib/libbeidpkcs11.so.0', 
provider_location='/usr/lib/libbeidpkcs11.so.0', allow_protected_auth=0, 
mask_private_mode=00000000, cert_is_private=0
Wed Jul  9 08:52:48 2014 us=680091 PKCS#11: Adding provider 
'/usr/lib/libbeidpkcs11.so.0'-'/usr/lib/libbeidpkcs11.so.0'
Wed Jul  9 08:52:48 2014 us=696162 PKCS#11: pkcs11h_addProvider Provider 
'/usr/lib/libbeidpkcs11.so.0' manufacturerID 'Belgium Government'
Wed Jul  9 08:52:48 2014 us=696218 PKCS#11: _pkcs11h_slotevent_notify entry
Wed Jul  9 08:52:48 2014 us=696264 PKCS#11: _pkcs11h_slotevent_notify return
Wed Jul  9 08:52:48 2014 us=696311 PKCS#11: Provider 
'/usr/lib/libbeidpkcs11.so.0' added rv=0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=696357 PKCS#11: pkcs11h_addProvider return 
rv=0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=696402 PKCS#11: pkcs11_addProvider - return 
rv=0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=696571 WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jul  9 08:52:48 2014 us=696630 NOTE: the current --script-security setting 
may allow this configuration to call user-defined scripts
Wed Jul  9 08:52:48 2014 us=696689 PO_INIT maxevents=4 flags=0x00000002
Wed Jul  9 08:52:48 2014 us=696973 PKCS#11: SSL_CTX_use_pkcs11 - entered - 
ssl_ctx=0x7f6d47a5f7c0, pkcs11_id_management=0, pkcs11_id='Belgium 
Government/Belgium eID/XXXX/BELPIC/0200000000000000'
Wed Jul  9 08:52:48 2014 us=697025 PKCS#11: 
pkcs11h_certificate_deserializeCertificateId entry 
p_certificate_id=0x7fff7a97c910, sz='Belgium Government/Belgium 
eID/XXXX/BELPIC/0200000000000000'
Wed Jul  9 08:52:48 2014 us=697073 PKCS#11: 
_pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7fff7a97c8d0
Wed Jul  9 08:52:48 2014 us=697119 PKCS#11: 
_pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', 
*p_certificate_id=0x7f6d47a605a0
Wed Jul  9 08:52:48 2014 us=697170 PKCS#11: pkcs11h_token_deserializeTokenId 
entry p_token_id=0x7f6d47a605a0, sz='Belgium Government/Belgium eID/XXXX/BELPIC'
Wed Jul  9 08:52:48 2014 us=697217 PKCS#11: _pkcs11h_token_newTokenId entry 
p_token_id=0x7fff7a97c878
Wed Jul  9 08:52:48 2014 us=697263 PKCS#11: _pkcs11h_token_newTokenId return 
rv=0-'CKR_OK', *p_token_id=0x7f6d47a60a60
Wed Jul  9 08:52:48 2014 us=697311 PKCS#11: pkcs11h_token_deserializeTokenId 
return rv=0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=697367 PKCS#11: 
pkcs11h_certificate_deserializeCertificateId return rv=0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=697415 PKCS#11: pkcs11h_certificate_create entry 
certificate_id=0x7f6d47a605a0, user_data=(nil), mask_prompt=00000003, 
pin_cache_period=-1, p_certificate=0x7fff7a97c918
Wed Jul  9 08:52:48 2014 us=697465 PKCS#11: 
pkcs11h_certificate_duplicateCertificateId entry to=0x7f6d47a609d0 
form=0x7f6d47a605a0
Wed Jul  9 08:52:48 2014 us=697512 PKCS#11: 
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', 
*to=0x7f6d47a61520
Wed Jul  9 08:52:48 2014 us=697557 PKCS#11: 
_pkcs11h_session_getSessionByTokenId entry token_id=0x7f6d47a61950, 
p_session=0x7f6d47a609e0
Wed Jul  9 08:52:48 2014 us=697602 PKCS#11: Creating a new session
Wed Jul  9 08:52:48 2014 us=697663 PKCS#11: pkcs11h_token_duplicateTokenId 
entry to=0x7f6d47a60f38 form=0x7f6d47a61950
Wed Jul  9 08:52:48 2014 us=697722 PKCS#11: pkcs11h_token_duplicateTokenId 
return rv=0-'CKR_OK', *to=0x7f6d47a61dc0
Wed Jul  9 08:52:48 2014 us=697768 PKCS#11: 
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', 
*p_session=0x7f6d47a60f20
Wed Jul  9 08:52:48 2014 us=697813 PKCS#11: pkcs11h_certificate_create return 
rv=0-'CKR_OK' *p_certificate=0x7f6d47a609d0
[...]

The connection to the server is established; these are the last lines in the 
log before the program hangs.
There is no PIN prompt, neither on the card reader nor on the terminal.

Wed Jul  9 08:52:54 2014 us=676101 SSL state (connect): SSLv3 read server 
certificate request A
Wed Jul  9 08:52:54 2014 us=676151 SSL state (connect): SSLv3 read server done A
Wed Jul  9 08:52:54 2014 us=676216 SSL state (connect): SSLv3 write client 
certificate A
Wed Jul  9 08:52:54 2014 us=684460 SSL state (connect): SSLv3 write client key 
exchange A
Wed Jul  9 08:52:54 2014 us=684536 PKCS#11: __pkcs11h_openssl_enc entered - 
flen=36, from=0x7fff7a97e900, to=0x7f6d47a941b6, rsa=0x7f6d47a77370, padding=1
Wed Jul  9 08:52:54 2014 us=684591 PKCS#11: Performing signature
Wed Jul  9 08:52:54 2014 us=684643 PKCS#11: pkcs11h_certificate_signAny entry 
certificate=0x7f6d47a609d0, mech_type=1, source=0x7fff7a97e900, 
source_size=0000000000000024, target=0x7f6d47a941b6, 
*p_target_size=0000000000000080
Wed Jul  9 08:52:54 2014 us=684693 PKCS#11: Getting key attributes
Wed Jul  9 08:52:54 2014 us=684755 PKCS#11: 
__pkcs11h_certificate_getKeyAttributes entry certificate=0x7f6d47a609d0
Wed Jul  9 08:52:54 2014 us=684800 PKCS#11: 
_pkcs11h_session_freeObjectAttributes entry attrs=0x7fff7a97e670, count=4
Wed Jul  9 08:52:54 2014 us=684845 PKCS#11: 
_pkcs11h_session_freeObjectAttributes return
Wed Jul  9 08:52:54 2014 us=684891 PKCS#11: Get private key attributes failed: 
130:'CKR_OBJECT_HANDLE_INVALID'
Wed Jul  9 08:52:54 2014 us=684946 PKCS#11: _pkcs11h_certificate_resetSession 
entry certificate=0x7f6d47a609d0, public_only=0, session_mutex_locked=1
Wed Jul  9 08:52:54 2014 us=685010 PKCS#11: _pkcs11h_session_getObjectById 
entry session=0x7f6d47a60f20, class=3, id=0x7f6d47a604f0, 
id_size=0000000000000008, p_handle=0x7f6d47a609e8
Wed Jul  9 08:52:54 2014 us=685055 PKCS#11: _pkcs11h_session_validate entry 
session=0x7f6d47a60f20
Wed Jul  9 08:52:54 2014 us=685110 PKCS#11: _pkcs11h_session_validate 
session->pin_expire_time=0, time=1404888774
Wed Jul  9 08:52:54 2014 us=685155 PKCS#11: _pkcs11h_session_validate return 
rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=685201 PKCS#11: _pkcs11h_session_findObjects entry 
session=0x7f6d47a60f20, filter=0x7fff7a97e5b0, filter_attrs=2, 
p_objects=0x7fff7a97e5e0, p_objects_found=0x7fff7a97e5e8
Wed Jul  9 08:52:54 2014 us=685824 PKCS#11: _pkcs11h_session_findObjects return 
rv=0-'CKR_OK', *p_objects_found=1
Wed Jul  9 08:52:54 2014 us=685872 PKCS#11: _pkcs11h_session_getObjectById 
return rv=0-'CKR_OK', *p_handle=00000002
Wed Jul  9 08:52:54 2014 us=685918 PKCS#11: _pkcs11h_certificate_resetSession 
return rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=685975 PKCS#11: 
_pkcs11h_session_getObjectAttributes entry session=0x7f6d47a60f20, object=2, 
attrs=0x7fff7a97e670, count=4
Wed Jul  9 08:52:54 2014 us=686323 PKCS#11: 
_pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=686371 PKCS#11: Key attributes loaded (00000001)
Wed Jul  9 08:52:54 2014 us=686416 PKCS#11: 
_pkcs11h_session_freeObjectAttributes entry attrs=0x7fff7a97e670, count=4
Wed Jul  9 08:52:54 2014 us=686465 PKCS#11: 
_pkcs11h_session_freeObjectAttributes return
Wed Jul  9 08:52:54 2014 us=686511 PKCS#11: 
__pkcs11h_certificate_getKeyAttributes return rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=686558 PKCS#11: pkcs11h_certificate_sign entry 
certificate=0x7f6d47a609d0, mech_type=1, source=0x7fff7a97e900, 
source_size=0000000000000024, target=0x7f6d47a941b6, 
*p_target_size=0000000000000080
Wed Jul  9 08:52:54 2014 us=686615 PKCS#11: 
__pkcs11h_certificate_doPrivateOperation entry certificate=0x7f6d47a609d0, 
op=0, mech_type=1, source=0x7fff7a97e900, source_size=0000000000000024, 
target=0x7f6d47a941b6, *p_target_size=0000000000000080
Wed Jul  9 08:52:54 2014 us=686662 PKCS#11: 
_pkcs11h_certificate_validateSession entry certificate=0x7f6d47a609d0
Wed Jul  9 08:52:54 2014 us=686708 PKCS#11: _pkcs11h_session_validate entry 
session=0x7f6d47a60f20
Wed Jul  9 08:52:54 2014 us=686763 PKCS#11: _pkcs11h_session_validate 
session->pin_expire_time=0, time=1404888774
Wed Jul  9 08:52:54 2014 us=686809 PKCS#11: _pkcs11h_session_validate return 
rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=686854 PKCS#11: 
_pkcs11h_certificate_validateSession return rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=687392 PKCS#11: 
__pkcs11h_certificate_doPrivateOperation init rv=0

Original issue reported on code.google.com by AndreasF...@gmail.com on 9 Jul 2014 at 7:30
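The trace above stops at `__pkcs11h_certificate_doPrivateOperation init rv=0` with no matching return line, and the `pkcs11h_addProvider entry` line earlier records `allow_protected_auth=0`. The script below is an added example by the editor, not part of the original report and not code from eid-mw or OpenVPN: it pairs the `entry`/`entered` and `return` lines that pkcs11-helper (the library behind OpenVPN's `--pkcs11-*` options) writes at `--verb 255`, so that whatever is still open at the end of the log is the call chain the client is blocked in, and it also collects every non-`CKR_OK` result and the two settings visible in this log. The sample trace is constructed from the excerpt above with the 80-column wrapping undone; the findings text in `diagnose()` and the OpenVPN option names it mentions (`pkcs11-protected-authentication`, `remote-cert-tls`) are the editor's reading of the trace, not output of either project.

```python
"""Locate where an OpenVPN '--verb 255' PKCS#11 trace stops.

Added example (editor's code, not eid-mw's or OpenVPN's).  pkcs11-helper logs
'entry'/'entered' when it enters a function and 'return' when it leaves, so
the functions entered but never returned identify the blocking call.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_CALL = re.compile(
    r"PKCS#11: (?P<fn>[A-Za-z_]\w*)(?: -)? (?P<ev>entry|entered|return)\b")
_CKR = re.compile(r"\b\d+[-:]'(?P<ckr>CKR_[A-Z0-9_]+)'")      # 130:'CKR_X' or rv=0-'CKR_OK'
_PROT = re.compile(r"allow_protected_auth=(?P<v>\d)")        # on the pkcs11h_addProvider line
_MITM = "No server certificate verification method has been enabled"


@dataclass
class TraceReport:
    open_calls: List[str] = field(default_factory=list)          # entered, never returned; outermost first
    errors: List[Tuple[str, str]] = field(default_factory=list)  # (context, CKR_*), non-OK only
    protected_auth: Optional[bool] = None                        # reader PIN pad allowed for this provider
    server_cert_unverified: bool = False                         # OpenVPN's MITM warning was logged

    @property
    def hang_point(self) -> Optional[str]:
        return self.open_calls[-1] if self.open_calls else None


def analyze(lines) -> TraceReport:
    rep = TraceReport()
    stack: List[str] = []
    for line in lines:
        m = _PROT.search(line)
        if m:
            rep.protected_auth = m.group("v") == "1"
        if _MITM in line:
            rep.server_cert_unverified = True
        m = _CKR.search(line)
        if m and m.group("ckr") != "CKR_OK":
            context = line.split("PKCS#11: ", 1)[-1].split(" failed", 1)[0]
            rep.errors.append((context, m.group("ckr")))
        m = _CALL.search(line)
        if not m:
            continue
        fn, ev = m.group("fn"), m.group("ev")
        if ev != "return":
            stack.append(fn)
        elif fn in stack:
            # unwind to the matching entry; tolerates nested calls whose return was not logged
            while stack.pop() != fn:
                pass
    rep.open_calls = stack
    return rep


def diagnose(rep: TraceReport) -> List[str]:
    """Findings a reader of the trace would want, in the order they matter."""
    out = [f"{ctx} returned {ckr}" for ctx, ckr in rep.errors]
    if rep.hang_point:
        out.append("blocked inside: " + " > ".join(rep.open_calls))
    if rep.hang_point == "__pkcs11h_certificate_doPrivateOperation":
        out.append("signing was initialised (init rv=0) but never completed: the PKCS#11 "
                   "module is blocking in the sign call (on a smartcard, usually waiting for the PIN)")
    if rep.protected_auth is False:
        out.append("provider added with allow_protected_auth=0: the reader's own PIN pad is not "
                   "used (OpenVPN option: pkcs11-protected-authentication 1)")
    if rep.server_cert_unverified:
        out.append("no server certificate verification: add 'remote-cert-tls server' to the client config")
    return out


# Constructed sample: lines from the trace above, with the line wrapping undone.
SAMPLE_TRACE = """\
Wed Jul  9 08:52:48 2014 us=679833 PKCS#11: pkcs11_initialize - entered
Wed Jul  9 08:52:48 2014 us=679903 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=680045 PKCS#11: pkcs11h_addProvider entry version='1.09', pid=8290, reference='/usr/lib/libbeidpkcs11.so.0', provider_location='/usr/lib/libbeidpkcs11.so.0', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
Wed Jul  9 08:52:48 2014 us=696357 PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
Wed Jul  9 08:52:48 2014 us=696571 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Jul  9 08:52:54 2014 us=684536 PKCS#11: __pkcs11h_openssl_enc entered - flen=36, from=0x7fff7a97e900, to=0x7f6d47a941b6, rsa=0x7f6d47a77370, padding=1
Wed Jul  9 08:52:54 2014 us=684591 PKCS#11: Performing signature
Wed Jul  9 08:52:54 2014 us=684643 PKCS#11: pkcs11h_certificate_signAny entry certificate=0x7f6d47a609d0, mech_type=1, source_size=0000000000000024
Wed Jul  9 08:52:54 2014 us=684755 PKCS#11: __pkcs11h_certificate_getKeyAttributes entry certificate=0x7f6d47a609d0
Wed Jul  9 08:52:54 2014 us=684891 PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
Wed Jul  9 08:52:54 2014 us=684946 PKCS#11: _pkcs11h_certificate_resetSession entry certificate=0x7f6d47a609d0, public_only=0, session_mutex_locked=1
Wed Jul  9 08:52:54 2014 us=685918 PKCS#11: _pkcs11h_certificate_resetSession return rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=686511 PKCS#11: __pkcs11h_certificate_getKeyAttributes return rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=686558 PKCS#11: pkcs11h_certificate_sign entry certificate=0x7f6d47a609d0, mech_type=1
Wed Jul  9 08:52:54 2014 us=686615 PKCS#11: __pkcs11h_certificate_doPrivateOperation entry certificate=0x7f6d47a609d0, op=0, mech_type=1
Wed Jul  9 08:52:54 2014 us=686662 PKCS#11: _pkcs11h_certificate_validateSession entry certificate=0x7f6d47a609d0
Wed Jul  9 08:52:54 2014 us=686854 PKCS#11: _pkcs11h_certificate_validateSession return rv=0-'CKR_OK'
Wed Jul  9 08:52:54 2014 us=687392 PKCS#11: __pkcs11h_certificate_doPrivateOperation init rv=0
"""

if __name__ == "__main__":
    for finding in diagnose(analyze(SAMPLE_TRACE.splitlines())):
        print("-", finding)
```

Run it over the full `/tmp/o.log` instead of `SAMPLE_TRACE` to get the real call chain. On this excerpt it reports that the client, not the server, is where things stop: the `CKR_OBJECT_HANDLE_INVALID` is recovered from by the session reset, the signing operation is then initialised and never returns, and the process never reaches the point where a server verdict on the certificate could be logged. For a reader with its own PIN pad, such as the cyberJack mentioned later in the thread, the `allow_protected_auth=0` finding is the first thing to try: pkcs11-helper only hands PIN entry to the reader's pad when the provider was registered with protected authentication allowed, which OpenVPN exposes per provider as `pkcs11-protected-authentication 1`. The `remote-cert-tls server` line is independent of the PIN problem but should be in any client config that, like this one, carries only `ca`; without it the warning in the log is telling you a server with any certificate from that CA is accepted.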

GoogleCodeExporter commented 9 years ago
Hi Andreas,

Creative use of your eID here ;-)

The PIN prompts are all done through the binaries in /usr/lib/eid-mw/ (e.g., 
"beid-askpin" is run when the library wants to ask you for a PIN code and you 
don't have a pinpad on the smartcard reader). Since these are written in GTK+, 
you need a running X server for this to be possible. Is that the case?

Original comment by wouter.v...@fedict.be on 9 Jul 2014 at 9:14

GoogleCodeExporter commented 9 years ago
Hello!

Hmmm.... GTK+ is installed, and calling /usr/lib/eid-mw/beid-askpin 'by hand' works.

The card reader is a ReinerSCT cyberJack e-com - with internal pin pad. When 
using the Java application the PIN must be entered on the reader itself. This 
works fine.

I run
$ strace -f openvpn --script-security 2 --config client.conf >l.log 2>&1

and I'm curious about the results of the following greps: nothing is found.
$ grep askpin l.log
$ grep eid-mw l.log

Kind regards

Andre

Original comment by AndreasF...@gmail.com on 10 Jul 2014 at 5:17

GoogleCodeExporter commented 9 years ago
Hi!

Additional note: I also tested with 

04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader

with the same result.

Kind regards

Andre

Original comment by AndreasF...@gmail.com on 10 Jul 2014 at 5:59

GoogleCodeExporter commented 9 years ago
Hi Andreas,

I must admit I'd forgotten about this a bit.

I do believe, however, that in order to be able to use a PKCS#11 module with 
OpenVPN, all the certificates need to be within the CA that's used by OpenVPN. 
To be able to use your eID for OpenVPN, this would mean you would need to have 
a server with a certificate within one of the Belgian CAs, which isn't possible 
except under certain specific circumstances.

So I don't think this is a problem, but a case of OpenVPN working as designed 
(and rejecting the eID certificates). As such, I'm closing this report.

If you have reason to believe that my above explanation is wrong, feel free to 
open a new issue -- but note that due to the announced closure of Google Code, 
we're now moving towards github: https://github.com/Fedict/eid-mw

Regards,

Original comment by wouter.v...@fedict.be on 20 Mar 2015 at 12:09