
OpenVPN does not show all certs from yubikey via pkcs11-providers opensc-pkcs11.dll #656

Open
bauerstefan opened this issue Dec 16, 2024 · 2 comments

Comments

@bauerstefan

Describe the bug

The user gets prompted to select the certificate for cert-based authentication. This menu does not show/offer all available certs on a yubikey 5 NFC.

Missing cert is in slot 82.


See output:

Yubikey's own tool reports:

C:\Windows\System32>ykman piv info
PIV version:              5.4.3
PIN tries remaining:      3/3
PUK tries remaining:      0/3
Management key algorithm: TDES
PUK is blocked
Management key is stored on the YubiKey, protected by PIN.
CHUID: ....
CCC:   No data available
Slot 82 (RETIRED1):
  Private key type: ECCP384
  Public key type:  ECCP384
  Subject DN:       CN=.....
  Issuer DN:        CN=.....
  Serial:           00:28:00:00:.....
  Fingerprint:      79d3fffc8a3b18a6c.....
  Not before:       2024-09-09T06:34:26+00:00
  Not after:        2025-03-08T06:34:26+00:00

Slot 9A (AUTHENTICATION):
  Private key type: ECCP384
  Public key type:  ECCP384
  Subject DN:       CN=.....
  Issuer DN:        CN=.....
  Serial:           00:28:00:00:00.....
  Fingerprint:      2ebf9ab673ba14.....
  Not before:       2024-01-26T17:11:24+00:00
  Not after:        2024-07-24T17:11:24+00:00

Slot 9D (KEY_MANAGEMENT):
  Private key type: ECCP384
  Public key type:  ECCP384
  Subject DN:       CN=.....
  Issuer DN:        CN=.....
  Serial:           00:28:00:00:.....
  Fingerprint:      bfb1ab325e4......
  Not before:       2024-06-28T14:31:13+00:00

OpenSC debugging:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -I
Cryptoki version 3.0
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.26)
Using slot 0 with a present token (0x0)

Option -T

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -T
Available slots:
Slot 0 (0x4): Yubico YubiKey FIDO+CCID 0
  token label        : John Doe
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 6aed8be786e35738
  pin min/max        : 4/8
  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6aed8be786e35738;token=John%20Doe

Option -L

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -L
Available slots:
Slot 0 (0x0): Microsoft UICC ISO Reader 5ef02fb8 0
  (token not recognized)
Slot 1 (0x4): Yubico YubiKey FIDO+CCID 0
  token label        : John Doe
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 6aed8be786e35738
  pin min/max        : 4/8
  uri                : pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=6aed8be786e35738;token=John%20Doe

To Reproduce
Use the OpenVPN client with pkcs11-providers pointed to opensc-pkcs11.dll. Have a certificate on the yubikey in slot 82.

Expected behavior
OpenVPN menu should show all available certs on yubikey.

Version information (please complete the following information):
Windows 11, latest openvpn 64 bit.

Additional context

Looks like it shows only certs in the common slots 9a, 9b, 9c, 9d, not the additional slots 82...95.

@cron2
Contributor

cron2 commented Dec 20, 2024

It says Slot 82 (RETIRED1). So maybe the RETIRED means something like expired, do not use?

@selvanair
Contributor

If pkcs11-tool does not enumerate it, OpenVPN also would not. Looks like a compatibility issue of yubikey with pkcs11. May be related to the need for key history object in PIV to enumerate retired key slots which yubikey does not populate by default. See OpenSC/OpenSC#847 and yubikey docs on how to fix.

As you are on Windows you may be able to use those certificates as is using the cryptoapicert option instead of pkcs11.
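The Key History dependency selvanair points to, as an added example that is not OpenVPN, OpenSC or Yubico code: it parses the `ykman piv info` format shown in the report, separates the retired slots (82..95) from the standard ones, and encodes/decodes the body of the SP 800-73-4 Key History object (0x5FC10C) that a PIV-aware PKCS#11 provider consults before enumerating retired slots. The sample input is constructed from the issue; the contiguous-slot count rule in `key_history_for` and leaving the PUT DATA 0x53 envelope to the writing tool are assumptions.

```python
import re
# Retired key management slots 82..95 (SP 800-73-4) vs. the commonly used ones.
RETIRED_SLOTS = {f"{s:02X}" for s in range(0x82, 0x96)}
STANDARD_SLOTS = {"9A", "9C", "9D", "9E"}

# Constructed sample, abbreviated from the `ykman piv info` output in the issue.
SAMPLE_PIV_INFO = """\
Slot 82 (RETIRED1):
  Private key type: ECCP384
Slot 9A (AUTHENTICATION):
  Private key type: ECCP384
Slot 9D (KEY_MANAGEMENT):
  Private key type: ECCP384
"""
SLOT_RE = re.compile(r"^Slot ([0-9A-F]{2}) \(([A-Z0-9_]+)\):", re.MULTILINE)

def parse_piv_info(text):
    """Map slot id -> slot name for every 'Slot XX (NAME):' block."""
    return {m.group(1): m.group(2) for m in SLOT_RE.finditer(text)}

def split_slots(slots):
    """(standard, retired) slot ids; only the retired ones need Key History."""
    standard = sorted(s for s in slots if s in STANDARD_SLOTS)
    retired = sorted(s for s in slots if s in RETIRED_SLOTS)
    return standard, retired

def encode_key_history(on_card):
    """Body of the Key History object (0x5FC10C), SP 800-73-4 Table 19:
    C1 = keys with on-card certs, C2 = keys with off-card certs (0 here,
    so no F3 URL is needed), FE = empty error detection code.  The PUT DATA
    0x53 envelope is left to whatever tool writes the object (assumption)."""
    if not 0 <= on_card <= 20:
        raise ValueError("PIV defines 20 retired slots; count must be 0..20")
    return bytes([0xC1, 1, on_card, 0xC2, 1, 0, 0xFE, 0])

def decode_key_history(body):
    """Walk single-byte-length TLVs and return (on_card, off_card) counts."""
    i, tlv = 0, {}
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        tlv[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return tlv.get(0xC1, b"\x00")[0], tlv.get(0xC2, b"\x00")[0]

def key_history_for(text):
    # The spec expects on-card retired certs to fill 82.. contiguously, so the
    # count is the index of the highest populated retired slot (assumption).
    _, retired = split_slots(parse_piv_info(text))
    return encode_key_history(max((int(s, 16) - 0x81 for s in retired), default=0))
```

With the issue's token the result is a count of 1, i.e. the single retired slot 82; the standard slots 9A and 9D never depend on this object.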
