From: Sergio <ser...@ho...> - 2011-07-22 09:02:43
I've resolved some problems, I explain above. But I still get an error
when I try to use *any* smartcard. The same certificate in .p12 format
on disk works, but not when I store it in the smartcard. The cert validation
succeeds at client and server, but immediately after client cert
validation, the server fails with a "tls_read_plaintext error". Any help
would be appreciated:
Thu Jul 22 10:40:41 2010 192.168.0.192:1680 VERIFY OK: depth=1,
/C=ES/O=FNMT/OU=FNMT_Clase_2_CA
Thu Jul 22 10:40:41 2010 192.168.0.192:1680 VERIFY OK: depth=0,
/C=es/O=fnmt/OU=fnmt_clase_2_ca/OU=500690066/CN=NOMBRE_YEBENES_MORENO_SERGIO_-_NIF_********
Thu Jul 22 10:40:41 2010 192.168.0.192:1680 UDPv4 WRITE [22] to
192.168.0.192:1680: P_ACK_V1 kid=0 [ 17 ]
Thu Jul 22 10:40:41 2010 192.168.0.192:1680 UDPv4 READ [114] from
192.168.0.192:1680: P_CONTROL_V1 kid=0 [ ] pid=18 DATA len=100
Thu Jul 22 10:40:41 2010 192.168.0.192:1680 UDPv4 WRITE [22] to
192.168.0.192:1680: P_ACK_V1 kid=0 [ 18 ]
Thu Jul 22 10:40:41 2010 192.168.0.192:1680 UDPv4 READ [114] from
192.168.0.192:1680: P_CONTROL_V1 kid=0 [ ] pid=19 DATA len=100
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680 UDPv4 WRITE [22] to
192.168.0.192:1680: P_ACK_V1 kid=0 [ 19 ]
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680 UDPv4 READ [114]
from 192.168.0.192:1680: P_CONTROL_V1 kid=0 [ ] pid=20 DATA len=100
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680 UDPv4 WRITE [22] to
192.168.0.192:1680: P_ACK_V1 kid=0 [ 20 ]
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680 UDPv4 READ [110]
from 192.168.0.192:1680: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=96
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680 TLS_ERROR: BIO read
tls_read_plaintext error: error:0407006A:rsa
routines:RSA_padding_check_PKCS1_type_1:block type is not 01:
error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:
error:1408807A:SSL routines:SSL3_GET_CERT_VERIFY:bad rsa signature:
error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680 TLS Error: TLS
object -> incoming plaintext read error
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680 TLS Error: TLS
handshake failed
Thu Jul 22 10:40:41 2010 us=31000 192.168.0.192:1680
SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Jul 22 10:40:47 2010 us=218000 192.168.0.192:1677 UDPv4 WRITE [73]
to 192.168.0.192:1677: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=59
Thu Jul 22 10:40:47 2010 us=218000 read UDPv4: Connection reset by peer
(WSAECONNRESET) (code=10054)
*****************
At the client side I get the following log:
Thu Jul 22 10:40:34 2010 PKCS#11: Performing signature
Thu Jul 22 10:40:34 2010 PKCS#11: Getting key attributes
Thu Jul 22 10:40:34 2010 PKCS#11: Get private key attributes failed:
130:'CKR_OBJECT_HANDLE_INVALID'
Thu Jul 22 10:40:36 2010 us=421000 PKCS#11: Calling pin_prompt hook for
'FNMT'
Enter FNMT token Password:
Thu Jul 22 10:40:40 2010 us=140000 PKCS#11: pin_prompt hook return rv=0
Thu Jul 22 10:40:40 2010 us=937000 PKCS#11: Key attributes loaded (0000000d)
Thu Jul 22 10:40:40 2010 us=937000 UDPv4 WRITE [126] to
192.168.0.192:1194: P_CONTROL_V1 kid=0 [ 22 ] pid=4 DATA len=100
Thu Jul 22 10:40:40 2010 us=937000 UDPv4 WRITE [114] to
192.168.0.192:1194: P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=100
Thu Jul 22 10:40:40 2010 us=937000 UDPv4 WRITE [114] to
192.168.0.192:1194: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=100
Thu Jul 22 10:40:40 2010 us=937000 UDPv4 WRITE [114] to
192.168.0.192:1194: P_CONTROL_V1 kid=0 [ ] pid=7 DATA len=100
Thu Jul 22 10:40:40 2010 us=937000 ACK output sequence broken: [8] 4 5 6 7
Thu Jul 22 10:40:40 2010 us=937000 UDPv4 READ [73] from
192.168.0.192:1194: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=59
Thu Jul 22 10:40:40 2010 us=937000 ACK output sequence broken: [8] 4 5 6 7
Thu Jul 22 10:40:40 2010 us=937000 UDPv4 WRITE [22] to
192.168.0.192:1194: P_ACK_V1 kid=0 [ 22 ]
Thu Jul 22 10:40:40 2010 us=937000 ACK output sequence broken: [8] 4 5 6 7
Thu Jul 22 10:40:40 2010 us=937000 UDPv4 READ [73] from
192.168.0.192:1194: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=59
*************
I think I have the correct client configuration, the provider is loaded,
and the serialized ID was obtained with the --show-pkcs11-ids option:
Certificate
DN: /C=es/O=fnmt/OU=fnmt clase 2
ca/OU=500690066/CN=NOMBRE YEBENES MORENO SERGIO
- NIF *******
Serial: 3CA26125
Serialized id:
FNMT\x2DRCM/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x03/\x22L\x5D\x0A\x28\x19/FNMT/91E00C8BACAB1B0A4B2983C7BCBED2C1FA33E243
***************
and the client pkcs11-id configuration:
pkcs11-id
'FNMT\x2DRCM/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x03/\x22L\x5D\x0A\x28\x19/FNMT/91E00C8BACAB1B0A4B2983C7BCBED2C1FA33E243'
> Hi, I'm new in this forum. I'm trying to set up openvpn with a
> smartcard like the Spanish eID (DNIe or DNI electronico). I have some
> experience with this kind of token and now I'm experiencing two problems:
>
> 1) to get access to certificates and keys you must enter the PIN. So,
> when I put:
>
> openvpn --show-pkcs11-ids UsrPkcs11.dll
>
> I get access only to an intermediate CA certificate, so I cannot get
> the "pkcs11-id" value to put it in the client configuration, although I could use
> the "--pin" option
I have no solution to this, except using the information provided by
pkcs11-tool to extract part of the ID.
>
> 2) with the above command I get the intermediate CA id, but it contains
> chars with backslashes, so the client fails when reading the configuration
> file. Although this id is not a client certificate's, I tried it to see
> the configuration file behaviour. The command output:
>
> opensc\bin>openvpn --show-pkcs11-ids UsrPkcs11.dll
>
> The following objects are available for use.
> Each object shown below may be used as parameter to
> --pkcs11-id option please remember to use single quote mark.
>
> Certificate
> DN: /C=ES/O=DIRECCION GENERAL DE LA POLICIA/OU=DNIE/CN=AC DNIE 001
> Serial: 642066C9997BAEE14402DA6EA422D649
> Serialized id:
> DGP\x2DFNMT//\x86\xE5\x21\x21pQ\x19/DNI\x20electrónico/5338364535323132313730353131393230303831323139313230373538
>
> As you can see, the Serialized id contains backslashes and rare chars. I
> use Windows XP and the last build in
>
> http://www.opensc-project.org/downloads/users/alonbl/build/
This is not a problem; it is solved by quoting with single quotes.
>
> Could I construct the pkcs11-id value using the information provided by
> pkcs11-tool? For example, with pkcs11-tool I get an id like
> 5338364535323132313730353131393230303831323139313230373538 for that
> intermediate CA cert. I could extract also the path and then put it as
> serialized-id in openvpn...
>
> regards
>
--
Sergio
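The server-side error stack in the log above (`RSA_padding_check_PKCS1_type_1:block type is not 01`, then `bad rsa signature`) is what OpenSSL reports when the client's CertificateVerify signature, raised to the public exponent of the key in the presented certificate, does not begin with the PKCS#1 v1.5 block header `0x00 0x01`. The following added example is my own code, not code from this thread, OpenVPN, OpenSSL or the PKCS#11 provider; it reimplements that padding check in Python with constructed toy RSA keys so the failure mode is visible. A signature made with one key is checked first against its own public key and then against an unrelated public key, which is the situation a server sees whenever the private key the PKCS#11 module actually signed with does not correspond to the certificate the client sent. The key generation, the message and the seed are all constructed inline for the demonstration and are not suitable for real keys.

```python
# Added example (not from the original post, OpenVPN or OpenSSL):
# PKCS#1 v1.5 signature encoding and the server-side padding check that
# produces "block type is not 01" when key and certificate do not match.
import hashlib
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

# Fixed seed so the constructed toy keys are identical on every run.
_rng = random.Random(20110722)
_SMALL_PRIMES = [p for p in range(3, 1000) if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a toy key, not for production key generation."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand):
            return cand


def generate_toy_rsa_key(bits: int = 1024, e: int = 65537):
    """Return (n, e, d) for a constructed toy key; the modulus has bits or bits-1 bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this guarantees gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def pkcs1_v15_type1_encode(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 || 0x01 || 0xFF... || 0x00 || DigestInfo, k bytes long."""
    t = SHA256_DIGESTINFO_PREFIX + digest
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sign(message: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    em = pkcs1_v15_type1_encode(hashlib.sha256(message).digest(), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_verify(message: bytes, sig: bytes, n: int, e: int) -> str:
    """Same steps as RSA_public_decrypt + RSA_padding_check_PKCS1_type_1.
    Returns "ok" or a short reason naming the first check that failed."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return "wrong signature length"
    s = int.from_bytes(sig, "big")
    if s >= n:
        return "data too large for modulus"
    em = pow(s, e, n).to_bytes(k, "big")
    if em[0] != 0x00 or em[1] != 0x01:
        return "block type is not 01"  # the error seen in the server log
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i == k or em[i] != 0x00 or i - 2 < 8:
        return "bad padding string"
    if em[i + 1:] != SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest():
        return "digest mismatch"
    return "ok"


def demo():
    """Constructed scenario: key A is the key the token signs with, key B is the
    public key in the certificate the server received. Returns both verdicts."""
    n_a, e_a, d_a = generate_toy_rsa_key()
    n_b, e_b, _ = generate_toy_rsa_key()
    msg = b"constructed CertificateVerify transcript"
    sig = rsa_sign(msg, n_a, d_a)
    return rsa_verify(msg, sig, n_a, e_a), rsa_verify(msg, sig, n_b, e_b)


if __name__ == "__main__":
    print(demo())  # ('ok', 'block type is not 01')
```

The second verdict is the one that matters for diagnosis: a signature that was computed correctly, just with the wrong private key, decrypts to a pseudo-random block rather than `00 01 FF ... 00 DigestInfo`, so the server cannot tell a key/certificate mismatch from a corrupted signature and reports the padding failure first. A practical check before retrying the VPN is therefore to confirm that the public key of the certificate referenced by `pkcs11-id` is the one that belongs to the private key object the token actually uses.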