SparkLabs Forum.

Community Help.


Yubikey + OpenSC failing on authentication

Hi,

I am trying to understand why my setup fails, and have been trying to figure out this in complete vain. I have Viscosity on Win10. Username password connection establishment works correctly and the VPN is being set-up.

We also have Yubikey based VPN connection, which works correctly on OS X, with the same yubikey, but refuses to connect on W10. I can see in the opensc debug logs, that the certificate is being looked up correctly, if I add the opensc-pkcs11.dll driver and use the detect certificate functionality.

But when I am starting the setup of the connection, although it asks for the PIN it seems to have no effect on the actual yubikey itself and also ... nothing turns up in the opensc logs.

It's probably a long shot, but perhaps someone has some ideas or thoughts where I should look into.

I'm running:
OpenSC 0.18.0 (both 32 and 64 bit are installed)
Viscosity 1.7.11 (1567)
.NET 4.7.03056.461808

After adding verb 7 to provide additional debug logging, what I'm seeing in connection details window is:

Code: Select all

Aug 16 00:03:20: PKCS#11: Adding PKCS#11 provider 'C:\Windows\SysWOW64\opensc-pkcs11.dll'
Aug 16 00:03:20: PKCS#11: Adding provider 'C:\Windows\SysWOW64\opensc-pkcs11.dll'-'C:\Windows\SysWOW64\opensc-pkcs11.dll'
Aug 16 00:03:22: PKCS#11: Provider 'C:\Windows\SysWOW64\opensc-pkcs11.dll' added rv=0-'CKR_OK'
...
Aug 16 00:03:23: PKCS#11: Creating a new session
...
Aug 16 00:03:25: PKCS#11: Performing signature
Aug 16 00:03:25: PKCS#11: Getting key attributes
Aug 16 00:03:25: PKCS#11: Get private key attributes failed: 130:'CKR_OBJECT_HANDLE_INVALID'
Aug 16 00:03:25: PKCS#11: Calling pin_prompt hook for 'redacted'
...
Aug 16 00:03:39: PKCS#11: pin_prompt hook return rv=0
Aug 16 00:03:39: PKCS#11: Key attributes loaded (0000000f)
Aug 16 00:03:39: PKCS#11: Private key operation failed rv=257-'CKR_USER_NOT_LOGGED_IN'
Aug 16 00:03:40: PKCS#11: Calling pin_prompt hook for 'redacted'
...
Aug 16 00:03:47: PKCS#11: pin_prompt hook return rv=0
Aug 16 00:03:47: PKCS#11: Cannot perform signature 257:'CKR_USER_NOT_LOGGED_IN'
Hi laazik,

Is the Yubikey software able to access and use this key and it's saved P12 on Windows? We have seem some finicky behaviour from Yubikeys like this before and it came down to reinitialising the device using Yubikey's software sadly.

It's also possible this is a bug in OpenSC. OpenSC won't log anything using it's library, only using it's command line tool. You will need to ensure you are using the 32bit version but it looks like you already are, I assume you are using the latest version? It may be worth trying an older version, there has been a bit of a crack down on the PKCS11 spec in recent years.

I'm afraid we don't have the time to run up a test instance specifically for this scenario at the moment, if you are still having problems next week though let us know.

Regards,
Eric
Thank you for quick reply. Indeed, after downgrading OpenSC to version 0.16.0 it started to work correctly. So at least for now for some setups the 0.18.0 on Windows 10 does not correctly do authentication and the solution is to downgrade to the 0.16.0 (confirmed to work).
3 posts Page 1 of 1

Copyright © 2016 SparkLabs Pty Ltd. All Rights Reserved. Privacy Policy