Opensc No Slot With A Token Was Found

  1. Opensc No Slot With A Token Was Found The First
  2. Opensc No Slot With A Token Was Found Money
  3. Opensc No Slot With A Token Was Found Stolen
  4. Opensc No Slot With A Token Was Found The First
  5. Opensc No Slot With A Token Was Found The Most
  6. Opensc No Slot With A Token Was Found Guilty

[UPDATED 2020.06.29]

I already covered how baffling smart cards hardware and standards can be:

But now that you - and presumably I - are no longer in a state of utterhelplessness when confronted by smart cards mumbo jumbo, let’s see whatclever things we can do with them. Coming to mind:

  • Jul 28, 2019 Manufacturer OpenSC Project Library OpenSC smartcard framework (ver 0.19) No slot with a token was found. After removing the USB key - this shows that pkcs11-tool is at least talking to the key here? $ pkcs11-tool -show-info Cryptoki version 2.20 Manufacturer OpenSC Project Library OpenSC smartcard framework (ver 0.19) No slots.
  • Subject: Opensc-devel Failed to connect to card: Card is invalid or cannot be handled Hello. I have Omnikey 6121 SC with 'Akis' sim card in it. Sim= 'akiskart.com.tr' Akis has a java program 'Akia' and with the program i can read the card.

The following commands illustrate the use of OpenSC pkcs11-tool with YubiHSM for. 0401 -i t3200.dat -o t3200.dat.sig-pss Using slot 0 with a present token (0x0. Cards or tokens present at this moment. So let’s see what happen when we insert a token. See the specific appendix on how to get the driver working, if needed. Let’s insert an Eutron ITSEC CryptoIdentity token, and run our program again.% opensc-tool -l Readers known about: Nr. Driver Name 0 openct Eutron CryptoIdendity. For the module to simulate the opensc-onepin module behavior the following option createslotsforpins = 'user'; Environment OPENSCCONF. Filename for a user defined configuration file. If this environment variable is not found on Windows, the registry key Software OpenSC Project OpenSC ConfigFile is checked. See debug = num.

  • Two-factor authentication: PAM, Kerberos, SSH, VPN, web, etc.

  • E-mail: signature and encryption

Now, each of those buzzwords may be familiar to the Linux layman. But - oh dear! -what intricacies, pitfalls, frustrations and sense of despair they entice whensmart cards come into play!

Here be dragons!

Some background

For the sake of the examples below, we’ll assume the following:

  • a PKI smart card from Aventra (MyEID 4.0.0)

  • used with two PIN codes

  • one for each purpose: login (authentication) and e-mail

  • along a card reader from HID Global (Omnikey 3x21 or 5422)

And for the sake of completeness, we’ll use:

  • a smart card-generated login keypair
    (you loose your card, you’re out, you dumbass!)

  • an externally-generated (and backed-up!) e-mail keypair(better still be able to decrypt those e-mails, though, huh?!)

Opensc No Slot With A Token Was Found The First

Software versions

Although all necessary packages are readily available in Debian/Stretch, ourchosen use case and hardware requires that we use packages from Debian/Buster:

  • for the Aventra MyEID (4.0.0) smart card (using multiple PINs):
    opensc>= 0.18.0

  • for the HID Omnikey 5422 card reader:
    libccid>= 1.4.27

PKCS#15

The first step is to initalize the smart card and create the necessary PKCS#15structure, along the PIN codes - aka. tokens/slots - for our declared purposes.

  • Install the required Debian packages:

  • PKCS#15 initialization:

  • PINs/PUKs (tokens/slots) creation:

Key pairs and (X.509) certificates

Next, we need to generate/import the required PKI material in each token/slot.

  • Login keypair generation:

  • Login certificate import (after having its CSR properly signed; see the OpenSSL section further below):

  • E-mail key/certificate import (externally-generated and exported into aPKCS#12 bundle; see the OpenSSL section further below):

With

Smart card preparation finalization

Now that we’re done with the smart card itself, we can “finalize” its preparation:

The exact meaning of this step depends on the actual smart card vendor.

  • on the Aventra MyEID, this switches the card from Creation State to OperationalState; PINs creation are then no longer possible and all access conditions areenforced

PKCS#11

Using smart cards for our purposes will in all cases be achieved thanks to thePKCS#11 software API/stack.

  • Install the required Debian packages:

  • Harden the default OpenSC configuration, in /etc/opensc/opensc.conf:

  • And test its functioning:

WARNINGS:

  • Aventra MyEID smart cards are known to raise (PKCS#11) issues with multiple PINs, unless OpenSC >= 0.18 is used(REF)

PKCS#11 URI

Some libraries and utilities may require you to provide so-called PKCS#11 URIas private key or certificate parameters. Those URIs are standardized by theRFC 7512 and look like:

LibNSS (Thunderbird/Firefox/Chromium)

PKCS#11 support is implemented in Mozilla Thunderbird, Firefox and GoogleChromium thanks to the libnss3 Network Security Services (NSS) library:

  • Add OpenSC driver to NSSDB:

NOTE: For Thunderbird and Firefox, you may need to specify the path to your profile instead of the home directory ~/.pki/nssdb location. Look fora pkcs11.txt file, where modutil will actually have added its magic.

WARNING: For Thunderbird, make sure the emailAddress attribute is includedin the certificate DN (as opposed to theRFC 3850, §.3recommendation) or it will complain about not being able to find the certificateat the moment the message is sent (albeit being correctly configured in theAccount Settings >Security section).

OpenSSL

OpenSSL shall be required to generate the Certificate Signing Request (CSR)corresponding to our login key, as well as issuing the CA-signed X.509certificates for both login and email purposes. Generally speaking, thisimplies:

  • Install the required Debian packages:

  • Create the PKCS#11-friendly openssl.conf:

  • Check the engine is properly configured

  • Create a CSR from a smart card private key:

  • Create a self-signed certificate from a smart card private key:

  • CA-signing a certificate, with the CA private key stored on a smart card:

OpenSSL being the horrifying piece of software that it is (at least to my simpleself), I invite you to discover OpenSSL-Easy, my humble and certainly poorattempt at making one’s OpenSSL life easier:

cURL

cURL relies on OpenSSL engine to perform its PKCS#11 magic. Once the engineinstalled (see above), it is just a matter of using the proper PKCS#11 URIsas private key and certificate arguments:

Secure Shell (SSH)

Using the smart card along SSH for RSA-based authentication is straight-forward,except for one BIG gotcha (see the WARNINGS further below).

  • Export the public key to your SSH authorized keys:

  • Login using your smart card:

  • Optionally temporarily storing your key in the SSH agent:

  • And correctly removing it from the SSH agent once done with it:

WARNINGS:

  • When using multiple PINs and until the changes proposed by RedHat/Fedora areintegrated in OpenSSH:Fedora 28: Better smart card support in OpenSSH
    One MUST use OpenSC’s onepin-opensc-pkcs11.so library to prevent the SSHagent from attempting to unlock all tokens/slots with the same PIN andeventually locking those tokens/slots that do not match.This is also the reason why one MUST create the login token/slot as thefirst one on the smart card.

MIT Kerberos V

Using public key material instead of passwords for Kerberos authenticationis known as PKINIT:

Setting it up is rather straight-forward, albeit not devoid of gotchas (seethe WARNINGS further below).

  • Install the required Debian packages (on both servers and clients):

  • Generating the required servers certificates implies delving into OpenSSL;once again, one’s life may be easier thanks to OpenSSL-Easy:
    OpenSSL-Easy (Authentication section)

  • Debug the Kerberos-specific ASN.1 Subject Alternative Name (SAN) with:

  • Configure the Kerberos Key Distribution Center (KDC) servers;in /etc/krb5kdc/kdc.conf:

  • Configure the Kerberos clients; in /etc/krb5.conf:

WARNINGS:

Opensc
  • MIT Kerberos V does not allow to enforce PKINIT; if it fails, it willautomatically revert to password-based authentication

  • If one is willing to enforce smart card-based authentication, one shouldlook into using the PAM PKCS#11 module instead of PKINIT (see section below)

Pluggable Authentication Module (PAM)

Using the smart card for authenticating on a Linux box implies adding the PKCS#11module - pam_pkcs11 - to the PAM stack. Again, nothing particularly complicated,except a few gotchas (see the WARNINGS further below).

  • Install the required Debian packages:

  • Configure the PAM PKCS#11 module; in /etc/pam_pkcs11/pam_pkcs11.conf:

  • Configure the PAM authentication stack, in /etc/pam.d/common-auth:

WARNINGS:

  • If MIT Kerberos V is configured for PKINIT (in /etc/krb5.conf), pam_krb5will attempt PKINIT authentication, when password-based fails, even iftry_pkinit is not specified

  • At the time of writing, PAM PKCS#11 module will segfault if any form ofCRL check is attempted

  • The smart card PIN code will be stored by pam_pkcs11 and used as “password”by subsequent modules (e.g. pam_gnome_keyring); this can lead to akward - ifnot unsecure - results; thus our mandating password (Kerberos/LDAP)authentication once PKCS#11’s succeeded
    (see this as “two+”-factor authentication)

Apache (client) authentication

Using the smart card for (client) authentication on the Apache web server in aLDAP-centric environment is far - very far! - from trivial.

I invite you to read the article dedicated on the subject:

OpenVPN

Naively, one would think that using the smart card with OpenVPN would be assimple as:

  • Recovering the PKCS#11 ID(s) for use by OpenVPN:

  • And adding the relevant PKCS#11 stanza to OpenVPN (client) configuration:

Poor you! Nope! Not that easy! Well… Yes… That easy, provided you takeinto account the following well-(and-longime)-known bugs:

Shortly put, you will just need to:

  • retrieve OpenVPN and PKCS#11 helper source packages

  • apply the patches mentioned in the two above bug reports

  • make sure to disable PKCS#11 helper (multi-)threading

  • build the corresponding new Debian packages

  • and install them

  • … what!?!…

GNU Privacy Guard (GnuPG)

GnuPG is expected to be natively used along ad-hoc OpenPGP cards, totallydifferent beasts from the PKCS#15 and X.509-oriented smart cards we’re nowgrowing accustomed to.

Howevever, GnuPG can be made to work with those, again via the PKCS#11 interfaceand some additional trickery:

  • Install the required Debian package:

  • Configure the GnuPG Agent, in ~/.gnupg/gpg-agent.conf:

  • Configure the GnuPG PKCS#11 Smart Card Daemon (SCD), in ~/.gnupg/gnupg-pkcs11-scd.conf:

  • Where the <login-hash> and <email-hash> are recovered with:

  • Reload the GnuPG Agent and verify everything is ready:

We can therefrom coerce GnuPG into being more X.509 (and S/MIME) friendly:

  • Import our CA root (and intermediate) certificate(s):

  • Import our smart cards certificates:

  • And associate the corresponding (smart card) private keys:

(TODO: unravel the misteries of using the smart card with gpg itself)

WARNINGS:

  • At the time of writing, all of this will only work with RSA keys!

Python requests library

Python requests is nowadays the most ubiquitouslibrary for doing HTTP(S).

However, PKCS#11 isn’t natively supported and requires leveraging theM2Crypto library to hook the necessarygear work in, by replacing the https://adapter (handler) by theM2HttpsAdapter found in:

Which is as simple as it gets:

Encrypt/Decrypt data

Should you need to encrypt/decrypt data using your SmartCard:

Debugging

If you run into troubles, you can easily debug PKCS#11 interactions thanks toOpenSC’s OPENSC_DEBUG or PKCS11SPY environment variables:

Shortcoming: Probabilistic Signature Scheme (PSS) not supported

Probabilistic Signature Scheme (PSS),now creeps in TLS connections relying on OpenSSL 1.1.1 or above. This mayprevent you to use your credentials on websites that moved on to TLS 1.3 or withOpenVPN (which stubbornly refuses to stick to TLS 1.2 and not use PSS),unless you use:

OpenSC 0.20.0 or above

LibP11 0.4.8 or above (<-> OpenSSL engine)

PKCS#11 Helper patch (forecoming 1.26.0 release <-> OpenVPN)

Smart card?!? Easy!!!

OpenConnect supports the use of X.509 certificates and keys fromsmart cards (as well as software storage such as GNOME Keyring andSoftHSM) by means of the PKCS#11 standard. Objects from PKCS#11 tokensare specified by a PKCS#11 URI according toRFC 7512.

In order to use a certificate or key with OpenConnect, you mustprovide a PKCS#11 URI which identifies it sufficiently. That can be as simpleas the following example:

  • openconnect -c pkcs11:id=%01 vpn.example.com
However, if you're now looking blankly at a USB crypto device andwondering what PKCS#11 URI to use, the following documentation shouldhopefully assist you in working it out.

Identifying the token

In order to use a PKCS#11 token with OpenConnect, first it must be installedappropriately in the system'sp11-kit configuration.You shouldn't need to worry about this; it should automatically be the case forproperly packaged software on any modern operating system.

Typically, the smart card support is likely to beprovided by OpenSC and adistribution's packaging of OpenSC should automatically have registeredthe OpenSC module with p11-kit by creating a file such as/usr/share/p11-kit/modules/opensc.module.

In order to query the available PKCS#11 modules, and the certificatesstored therein, the best tool to use is thep11tooldistributed with GnuTLS. In Fedora it's in the gnutls-utils package.

First identify the PKCS#11 modules which are available by using the --list-tokens option:

  • p11tool --list-tokens
This should produce output including something like the following:

This example shows the relatively common PIVSmartCard, in this case in a Yubikey NEO device.

Locating the certificate

Having established that the token is present and registered correctly with p11-kit, the nextstep is to identify the URI of the certificate you wish to use. You will note thatthe above output of p11tool --list-tokens gave a PKCS#11 URI for each token.With that, we can now query the objects available within a specific token, using the --list-all-certsoption. We can cut and paste the PKCS#11 URI for the token, but be careful to put it withinquotes because it contains semicolons:

  • p11tool --list-all-certs 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29'

Note that the PKCS#11 URI specifies a list of attributes which mustmatch. Some of these match criteria may be redundant — in this case we've asked it to list the certificates in a tokenwhich has a model of 'PKCS#15 emulated'and amanufacturer of 'piv_II'and serial number108421384210c3f5and token label 'PIV_II (PIV CardHolder pin)'. Since any one of those criteria would probablybe sufficient to uniquely identify this token from the other configured tokensin our system, a simpler command line would also work. For example:

  • p11tool --list-all-certs pkcs11:manufacturer=piv_II

Opensc No Slot With A Token Was Found Money

The output of either such command should look something like this:

This device has four certificates installed; the URL for each oneis given in the output. (Choosing between the certificates ona given device, if there is more than one, is left as an exercise forthe user. You may need to try each one.)

Some devices may not even permit you to list the certificateswithout logging in. In that case add --login to thep11tool command line above, and provide the PIN whenrequested

For OpenConnect 7.01 we should be able to use the URI seen here inits entirety, and the software will be cunning enough tofind the corresponding key:

  • openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert' vpn.example.com
Older versions, however, may require a little help...

Helping OpenConnect find the key

If no explicit -k argument is given to specify the key,OpenConnect will use the contents of the -c argument as thebasis for finding both certificate and key.

It will sensibly add object-type=cert or object-type=privatefor itself, according to which object it is trying to locate each time. But inversion 7.00 and earlier, it would not do that if the URI you providealready contained any object-type= element. So the first thing you need to do witholder versions of OpenConnect is trim that part of the URI. So the above example might now be:

  • openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication' vpn.example.com

Additionally, it can sometimes be the case that although the ID(id=) for a certificate should match the ID of its matchingkey, the label (object=) might not match. Newer versionsof OpenConnect (7.01+), on failing to find a key, will strip the labelfrom the search URI and add the ID of the certificate that was found (even ifno ID was part of the original search terms provided with the -c option). But older versions don't.

So it can be useful also to remove the object= part of the URI and leave only the id= attribute to specify the individual object, so that you're giving search criteria which are true for both the certificate and the key:

  • openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01' vpn.example.com

And while we're at it, that's still a massively redundant way of specifying which tokento look in, so we can cut that down as we did before just to make it less unwieldy:

  • openconnect -c 'pkcs11:manufacturer=piv_II;id=%01' vpn.example.com

Searching for the key manually

If the heuristics for finding the key don't work, you can alwaysprovide an explicit PKCS#11 URI for the key with the -koption. You can look for them by using the --list-privkeys option to p11tool. You will almost certainly want to use the --login option too:

  • p11tool --list-privkeys --login pkcs11:manufacturer=piv_II

Here's the full longhand specification of both certificate and key:

  • openconnect -c 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=Certificate%20for%20PIV%20Authentication;object-type=cert' -k 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%01;object=PIV%20AUTH%20key;object-type=private' vpn.example.com
OpenConnect doesn't care; you can use certificate and key from entirely

Opensc No Slot With A Token Was Found Stolen

different

Opensc No Slot With A Token Was Found The First

hardware tokens if you want to. Or one from a file. Or a keyfrom a TPM and a certificate from a PKCS#11 hardware token. Or all kinds of bizarre combinations. But if it's a Opensc

Opensc No Slot With A Token Was Found The Most

sensible

Opensc No Slot With A Token Was Found Guilty

combination on a sanely configured PKCS#11 token, and OpenConnect can't infer the key location from the certificate, then please send us an email and we'll try to fix it.