OpenVPN does not show all certs from yubikey via pkcs11-providers opensc-pkcs11.dll
Describe the bug
The user gets prompted to select the certificate for cert-based authentication. This menu does not show/offer all available certs on a YubiKey 5 NFC.
Missing cert is in slot 82.
See output:
Yubikeys own tool reports:
C:\Windows\System32>ykman piv info
PIV version: 5.4.3
PIN tries remaining: 3/3
PUK tries remaining: 0/3
Management key algorithm: TDES
PUK is blocked
Management key is stored on the YubiKey, protected by PIN.
CHUID: ....
CCC: No data available
Slot 82 (RETIRED1):
Private key type: ECCP384
Public key type: ECCP384
Subject DN: CN=.....
Issuer DN: CN=.....
Serial: 00:28:00:00:.....
Fingerprint: 79d3fffc8a3b18a6c.....
Not before: 2024-09-09T06:34:26+00:00
Not after: 2025-03-08T06:34:26+00:00
Slot 9A (AUTHENTICATION):
Private key type: ECCP384
Public key type: ECCP384
Subject DN: CN=.....
Issuer DN: CN=.....
Serial: 00:28:00:00:00.....
Fingerprint: 2ebf9ab673ba14.....
Not before: 2024-01-26T17:11:24+00:00
Not after: 2024-07-24T17:11:24+00:00
Slot 9D (KEY_MANAGEMENT):
Private key type: ECCP384
Public key type: ECCP384
Subject DN: CN=.....
Issuer DN: CN=.....
Serial: 00:28:00:00:.....
Fingerprint: bfb1ab325e4......
Not before: 2024-06-28T14:31:13+00:00
OpenSC debugging:
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -I
Cryptoki version 3.0
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.26)
Using slot 0 with a present token (0x0)
Option -T
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -T
Available slots:
Slot 0 (0x4): Yubico YubiKey FIDO+CCID 0
token label : John Doe
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 6aed8be786e35738
pin min/max : 4/8
uri : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6aed8be786e35738;token=John%20Doe
Option -L
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -L
Available slots:
Slot 0 (0x0): Microsoft UICC ISO Reader 5ef02fb8 0
(token not recognized)
Slot 1 (0x4): Yubico YubiKey FIDO+CCID 0
token label : John Doe
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : login required, rng, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 6aed8be786e35738
pin min/max : 4/8
uri : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6aed8be786e35738;token=John%20Doe
To Reproduce
Use the OpenVPN client with pkcs11-providers and point it to opensc-pkcs11.dll. Have a certificate on the YubiKey in slot 82.
Expected behavior
The OpenVPN menu should show all available certs on the YubiKey.
Version information (please complete the following information):
Windows 11, latest OpenVPN 64-bit.
Additional context
Looks like it shows only certs in the common slots 9a, 9b, 9c, 9d, not the additional slots 82...95.
It says Slot 82 (RETIRED1). So maybe RETIRED means something like expired, do not use?
If pkcs11-tool does not enumerate it, OpenVPN will not either. Looks like a compatibility issue of the YubiKey with PKCS#11. It may be related to the need for the Key History object in PIV to enumerate retired key slots, which the YubiKey does not populate by default. See https://github.com/OpenSC/OpenSC/issues/847 and the YubiKey docs on how to fix it.
As you are on Windows you may be able to use those certificates as-is using the cryptoapicert option instead of pkcs11.
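The reply above points at the PIV Key History object as the reason retired slots 82...95 stay invisible to OpenSC. As an added illustration (not code from this issue, from OpenVPN or from OpenSC), the block below builds and decodes that object as NIST SP 800-73-4 Part 1 (Table 19) defines it: tag 0xC1 = number of retired keys with on-card certificates, 0xC2 = number with off-card certificates, optional 0xF3 = URL for off-card certificates, and an empty 0xFE error-detection code. The container ID 0x5FC10C is the standard's ID for Key History. How the resulting bytes get onto the token is an assumption here, not verified on this reporter's key: the YubiKey docs describe writing arbitrary PIV objects with `ykman piv objects import`, which needs the management key.

```python
"""Build and decode a PIV Key History object (NIST SP 800-73-4 Part 1, Table 19).

Added example; not part of the original issue or of OpenSC/OpenVPN.
Assumption: the bytes returned by build_key_history() are written to the token
with something like  `ykman piv objects import 0x5fc10c keyhistory.bin`
(management key required). OpenSC reads the two counts to decide how many of
the retired slots (82..95 on a YubiKey, objects 0x5FC10D..) to enumerate.
"""

KEY_HISTORY_OBJECT_ID = 0x5FC10C   # standard container ID of the Key History object
MAX_RETIRED_KEYS = 20              # SP 800-73-4 defines 20 retired key slots


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER-TLV element with a single-byte tag."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


def build_key_history(on_card_certs: int, off_card_certs: int = 0,
                      off_card_url: bytes = b"") -> bytes:
    """Return the Key History object body for PUT DATA.

    on_card_certs  -> tag 0xC1: retired keys whose certs live on the card
    off_card_certs -> tag 0xC2: retired keys whose certs live at off_card_url
    The 0xF3 URL is conditional: required when off_card_certs > 0.
    """
    if not 0 <= on_card_certs <= MAX_RETIRED_KEYS:
        raise ValueError("on_card_certs out of range 0..20")
    if not 0 <= off_card_certs <= MAX_RETIRED_KEYS:
        raise ValueError("off_card_certs out of range 0..20")
    if on_card_certs + off_card_certs > MAX_RETIRED_KEYS:
        raise ValueError("only 20 retired key slots exist")
    if off_card_certs and not off_card_url:
        raise ValueError("off-card certificates require an off-card URL (0xF3)")

    body = _tlv(0xC1, bytes([on_card_certs])) + _tlv(0xC2, bytes([off_card_certs]))
    if off_card_url:
        body += _tlv(0xF3, off_card_url)
    body += _tlv(0xFE, b"")        # Error Detection Code, always present, empty
    return body


def parse_key_history(data: bytes) -> dict:
    """Decode a Key History object body; rejects malformed or truncated TLVs."""
    out = {"on_card_certs": None, "off_card_certs": None, "off_card_url": None}
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if i >= len(data):
            raise ValueError("truncated TLV length")
        n = data[i]
        i += 1
        if n == 0x81:
            n = data[i]; i += 1
        elif n == 0x82:
            n = (data[i] << 8) | data[i + 1]; i += 2
        elif n >= 0x80:
            raise ValueError("unsupported length encoding")
        value = data[i:i + n]
        if len(value) != n:
            raise ValueError("truncated TLV value")
        i += n
        if tag == 0xC1:
            out["on_card_certs"] = value[0]
        elif tag == 0xC2:
            out["off_card_certs"] = value[0]
        elif tag == 0xF3:
            out["off_card_url"] = value.decode("ascii")
        elif tag != 0xFE:
            raise ValueError(f"unexpected tag 0x{tag:02X} in Key History")
    if out["on_card_certs"] is None or out["off_card_certs"] is None:
        raise ValueError("Key History must carry both 0xC1 and 0xC2")
    return out


if __name__ == "__main__":
    # One retired key (slot 82 / RETIRED1) with its certificate on the card.
    blob = build_key_history(on_card_certs=1)
    with open("keyhistory.bin", "wb") as fh:
        fh.write(blob)
    print(blob.hex(), parse_key_history(blob))
```

The counts, not the slot numbers, are what the object carries: the first `on_card_certs` retired slots are assumed to hold on-card certificates, so a cert in slot 82 alone corresponds to `build_key_history(1)`. Writing the object does not touch the keys or certificates already in the slots; check afterwards with `pkcs11-tool -O --login` that the additional object appears.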