OpenVPN and the Aladdin eToken on Windows
Foreword

This short note explains how to set up OpenVPN with Aladdin's eToken. These tokens add two-factor authentication to the OpenVPN setup. This document follows the same structure as the OpenVPN and Smartcards HOWTO. I still need to try this setup on GNU/Linux. I will update this document accordingly as soon as I get around to doing it.

Introduction

Proper smart card support has been implemented in OpenVPN in the 2.1 branch by adding PKCS#11 support (I don't consider the cryptoapicert option, since it is Windows only), so on the client you need at least OpenVPN 2.1 (you can still keep your OpenVPN 2.0 on the server). Besides OpenVPN 2.1, you'll also need OpenSC. OpenSC implements the PKCS#11 standard from RSA Laboratories, which specifies how to store cryptographic information on devices. On Linux you may want to use the packages your distribution of choice offers (that would be "apt-get install opensc pcscd" on Debian-derived distros), whereas on Windows you'll need the installer from the OpenSC project. In this HOWTO I also presume you already have a PKI-based OpenVPN setup. The only additional requirement is that the client has an OpenVPN from the 2.1 branch installed.

Card Initialization

As a first step, we'll put our private keys on the Aladdin eToken. To check that both the card and the reader are recognized, we'll use cardos-info.exe and opensc-tool.exe:
C:\Program Files\Smart card bundle>cardos-info.exe
Info : CardOS/M4.01 (C) Siemens AG 1994-2001
Chip type: 96
Serial number: 23 11 b4 17 24 0f
Full prom dump:
33 66 00 45 FF FF FF FF 60 FF 23 11 B4 17 24 0F 3f.E....`.#...$.
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.3 (that's CardOS M4.01)
Current life cycle: 32 (administration)
Security Status of current DF:
Free memory : 1024
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 2, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 17146
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:
opensc-tool -l
Nr.  Driver  Name
0    pcsc    AKS ifdh 0
1    pcsc    AKS ifdh 1
2    pcsc    Texas Instruments SmartCardSlot 0

C:\Program Files\Smart card bundle>opensc-tool -r0 -a
3b:f2:98:00:ff:c1:10:31:fe:55:c8:03:15

C:\Program Files\Smart card bundle>opensc-tool.exe -n
CardOS M4

With pkcs15-init.exe we can erase the card and format it according to the PKCS#15 specification:
C:\Program Files\Smart card bundle>pkcs15-init -E

C:\Program Files\Smart card bundle>pkcs15-init --create-pkcs15
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:

Then we can add an auth id and the corresponding user PIN to the token:
C:\Program Files\Smart card bundle>pkcs15-init --store-pin --auth-id 01 --label "Michele Baldessari"
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
Security officer PIN required.
Please enter Security officer PIN:

In order to check that the PIN has been added correctly we can use pkcs15-tool --list-pins:
C:\Program Files\Smart card bundle>pkcs15-tool --list-pins
PIN [Security Officer PIN]
    Com. Flags: 0x3
    ID        : ff
    Flags     : [0xB2], local, initialized, needs-padding, soPin
    Length    : min_len:6, max_len:8, stored_len:8
    Pad char  : 0x00
    Reference : 1
    Type      : ascii-numeric
    Path      : 3f005015
PIN [Michele Baldessari]
    Com. Flags: 0x3
    ID        : 01
    Flags     : [0x32], local, initialized, needs-padding
    Length    : min_len:4, max_len:8, stored_len:8
    Pad char  : 0x00
    Reference : 3
    Type      : ascii-numeric
    Path      : 3f005015

At this point we can put our keys on the token by importing the PKCS#12 file we've been assigned by our PKI administrator. One thing to be careful about is the key size supported by the token. Mine reaches 1024 bit, and apparently you need a specific token and a corresponding software update in order to reach 2048 bits. See this link for further information.

When the size is not supported, the following error appears on the screen while trying to import the PKCS#12 file:
C:\Program Files\Smart card bundle>pkcs15-init -S mycert.p12 -f PKCS12 -a 01
Importing 2 certificates:
  0: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=michele@pupazzo.org/emailAddress=michele@pupazzo.org
  1: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=Foo VPN/emailAddress=michele@pupazzo.org
Card does not support this key.
Failed to store private key: Key length/algorithm not supported by card

When trying to import a different certificate which has a 1024 bit private key, the procedure gets further, but we still get an error: the token wants the key split according to its usage, once for signing and once for decryption.
C:\Program Files\Smart card bundle>pkcs15-init -S aladdin.p12 -f PKCS12 -a 01
Importing 2 certificates:
  0: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org
  1: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=Foo VPN/emailAddress=michele@pupazzo.org
Error - this token requires a more restrictive key usage.
Keys stored on this token can be used either for signing or decipherment,
but not both. You can either specify a more restrictive usage through
the --key-usage command line argument, or allow me to transparently
create two key objects with separate usage by specifying --split-key

Adding the --split-key option to the command line gets things further, but in my case it still failed, because the size became an issue:
C:\Program Files\Smart card bundle>pkcs15-init --split-key -S aladdin.p12 -f PKCS12 -a 01
Importing 2 certificates:
  0: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org
  1: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=Foo VPN/emailAddress=michele@pupazzo.org
Security officer PIN required.
Please enter Security officer PIN:
User PIN required.
Please enter User PIN:
Security officer PIN required.
Please enter Security officer PIN:
File 3f0050153149 too small (require 1837, have 1383) - please increase size in profile
Failed to store private key: Object not valid

So I remade the PKCS#12 and explicitly excluded the CA from the file:
C:\Program Files\Smart card bundle>pkcs15-init --split-key -S aladdin2.p12 -f PKCS12 -a 01
Importing 1 certificates:
  0: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org
Security officer PIN required.
Please enter Security officer PIN:
User PIN required.
Please enter User PIN:
Security officer PIN required.
Please enter Security officer PIN:

This time it worked without issues :)
OpenVPN Configuration
Now that our keys are correctly stored on the token, all that is left is the configuration of OpenVPN. Let's check that OpenVPN correctly recognizes the PKCS#11 slots (i.e. the card readers) with the --show-pkcs11-slots option:
openvpn.exe --show-pkcs11-slots "C:\Program Files\Smart Card Bundle\opensc-pkcs11.dll"

Provider Information:
  cryptokiVersion: 2.11
  manufacturerID:  OpenSC Project (www.opensc-proje
  flags:           0

The following slots are available for use with this provider.
Each slot shown below may be used as a parameter to a --pkcs11-slot-type and --pkcs11-slot options.

Slots: (id - name)
  0 - AKS ifdh 0
  1 - AKS ifdh 0
  2 - AKS ifdh 0
  3 - AKS ifdh 0
  4 - AKS ifdh 1
  5 - AKS ifdh 1
  6 - AKS ifdh 1
  7 - AKS ifdh 1

Checking the PKCS#11 objects recognized by OpenVPN is just as simple with --show-pkcs11-objects:
openvpn.exe --show-pkcs11-objects "C:\Program Files\Smart Card Bundle\opensc-pkcs11.dll" 0
PIN:
Token Information:
  label:          OpenSC Card (Michele Baldessari)
  manufacturerID: OpenSC Project
  model:          PKCS #15 SCard
  serialNumber:   2311B417240F
  flags:          0000040c

You can access this token using --pkcs11-slot-type "label" --pkcs11-slot "OpenSC Card (Michele Baldessari)" options.

The following objects are available for use with this token.
Each object shown below may be used as a parameter to --pkcs11-id-type and --pkcs11-id options.

Object Type: Private Key
  CKA_ID:           45
  CKA_LABEL:        Private Key
  CKA_SIGN:         TRUE
  CKA_SIGN_RECOVER: TRUE

Object Type: Private Key
  CKA_ID:           46
  CKA_LABEL:        Private Key
  CKA_SIGN:         TRUE
  CKA_SIGN_RECOVER: TRUE

Object Type: Certificate
  CKA_ID:       46
  CKA_LABEL:    /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org
  subject:      /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org
  serialNumber: 05
  notBefore:    070427092127Z

Object Type: Public Key
  CKA_ID:    46
  CKA_LABEL: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org

Object Type: Private Key
  CKA_ID:           47
  CKA_LABEL:        Private Key
  CKA_SIGN:         TRUE
  CKA_SIGN_RECOVER: TRUE

Object Type: Certificate
  CKA_ID:       47
  CKA_LABEL:    /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org
  subject:      /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org
  serialNumber: 05
  notBefore:    070427092127Z

Object Type: Public Key
  CKA_ID:    47
  CKA_LABEL: /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org

Let's configure OpenVPN now:
# Client configuration; the server keeps its existing PKI-based setup.
pull
nobind
dev tap
remote vpn.example.org
tls-client
port 1194
comp-lzo
key-method 2
verb 2
keepalive 10 120
persist-key
persist-tun
# Only accept a server certificate flagged as a server (deprecated from
# OpenVPN 2.4 on in favour of "remote-cert-tls server").
ns-cert-type server
ca "C:\\Program Files\\Smart card bundle\\smartcard\\foo-cacert.pem"
# The private key never leaves the token: OpenVPN reaches it through
# OpenSC's PKCS#11 module.
pkcs11-providers "C:\\Program Files\\Smart card bundle\\opensc-pkcs11.dll"
# Slot and object selectors as printed by --show-pkcs11-slots and
# --show-pkcs11-objects (later 2.1 releases replaced these with a single
# pkcs11-id value taken from --show-pkcs11-ids).
pkcs11-slot-type label
pkcs11-slot "OpenSC Card (Michele Baldessari)"
pkcs11-id-type subject
pkcs11-id "/C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=aladdin/emailAddress=michele@pupazzo.org"
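The object listing printed earlier deserves a second look before the selectors above are trusted: CKA_ID 45 is a private key with no certificate (most likely left behind by one of the failed imports, and still occupying the token's scarce EEPROM), and the two --split-key halves (46 and 47) carry the same subject, so a subject-based pkcs11-id does not pin down one object. The following script is an added example, not part of the original HOWTO; it parses a constructed, abridged copy of that listing and flags both conditions.

```python
"""Audit the inventory printed by `openvpn --show-pkcs11-objects` (added example)."""
from collections import defaultdict

# Constructed, abridged copy of the listing above: id 45 is a private key
# with no certificate, ids 46 and 47 are --split-key halves sharing a subject.
SAMPLE = """\
Object Type: Private Key
  CKA_ID: 45
  CKA_SIGN: TRUE
Object Type: Private Key
  CKA_ID: 46
Object Type: Certificate
  CKA_ID: 46
  subject: /C=IT/O=Foo/CN=aladdin
Object Type: Private Key
  CKA_ID: 47
Object Type: Certificate
  CKA_ID: 47
  subject: /C=IT/O=Foo/CN=aladdin
"""

def parse_objects(text):
    """One dict per 'Object Type:' block; attribute lines become its keys."""
    objects = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # blank line or prose without a colon
        if key == "Object Type":
            objects.append({"type": value.strip()})
        elif objects:  # attribute lines before the first object are ignored
            objects[-1][key.strip()] = value.strip()
    return objects

def audit(text):
    """Group objects by CKA_ID; report orphaned keys and duplicate subjects."""
    types_by_id, ids_by_subject = defaultdict(set), defaultdict(set)
    for obj in parse_objects(text):
        cka_id = obj.get("CKA_ID", "?")
        types_by_id[cka_id].add(obj["type"])
        if obj["type"] == "Certificate":
            ids_by_subject[obj.get("subject", "")].add(cka_id)
    # A private key without a certificate is unusable by OpenVPN but still
    # consumes space on the token.
    orphan_keys = sorted(i for i, t in types_by_id.items()
                         if "Private Key" in t and "Certificate" not in t)
    # The same subject on several CKA_IDs makes 'pkcs11-id-type subject' ambiguous.
    ambiguous = {s: sorted(ids) for s, ids in ids_by_subject.items() if len(ids) > 1}
    return {"orphan_keys": orphan_keys, "ambiguous_subjects": ambiguous}
```

Feed it the real listing by pasting the output of --show-pkcs11-objects in place of the constructed sample; lines outside the object blocks are ignored.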
Run
At this point we can test our configuration and try the connection with our remote server:
C:\temp\OpenVPN\bin>openvpn --config ..\config\aladdin.ovpn
Fri Apr 27 14:12:16 2007 OpenVPN 2.1_rc2 Win32-MinGW [SSL] [LZO2] built on Feb 28 2007
Fri Apr 27 14:12:16 2007 PKCS#11: Adding PKCS#11 provider 'C:\Program Files\Smart card bundle\opensc-pkcs11.dll'
Fri Apr 27 14:12:22 2007 LZO compression initialized
Fri Apr 27 14:12:22 2007 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Apr 27 14:12:22 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Fri Apr 27 14:12:22 2007 Local Options hash (VER=V4): 'd79ca330'
Fri Apr 27 14:12:22 2007 Expected Remote Options hash (VER=V4): 'f7df56b8'
Fri Apr 27 14:12:22 2007 UDPv4 link local: [undef]
Fri Apr 27 14:12:22 2007 UDPv4 link remote: 1.2.3.4:1194
Fri Apr 27 14:12:22 2007 VERIFY OK: depth=1, /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=Foo_VPN/emailAddress=it@pupazzo.org
Fri Apr 27 14:12:22 2007 VERIFY OK: nsCertType=SERVER
Fri Apr 27 14:12:22 2007 VERIFY OK: depth=0, /C=IT/ST=Bozen/L=Sterzing/O=Foo/CN=vpn.example.org/emailAddress=it@pupazzo.org
Enter OpenSC Card (Michele Baldessari) token Password:
Fri Apr 27 14:12:26 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 27 14:12:26 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 27 14:12:26 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Fri Apr 27 14:12:26 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Apr 27 14:12:26 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Fri Apr 27 14:12:26 2007 [vpn.example.org] Peer Connection Initiated with 1.2.3.4:1194
Fri Apr 27 14:12:28 2007 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{97B41B3C-9334-42C4-8BF3-C21C8C905018}.tap
Fri Apr 27 14:12:28 2007 TAP-Win32 MTU=1500
Fri Apr 27 14:12:28 2007 Notified TAP-Win32 driver to set a DHCP IP/netmask of 172.16.254.6/255.255.255.0 on interface {97B41B3C-9334-42C4-8BF3-C21C8C905018} [DHCP-serv: 172.16.254.0, lease-time: 31536000]
Fri Apr 27 14:12:28 2007 Successful ARP Flush on interface [7] {97B41B3C-9334-42C4-8BF3-C21C8C905018}

And we're done ;)
14 May 2007