CAC modules

David Woodhouse dwmw2 at infradead.org
Thu Jul 12 11:50:58 EDT 2012 

On Thu, 2012-07-12 at 10:54 -0400, Mcclelland, Michael B wrote:
> Trying to get over the last hill but I'm coming up short.  I've tried
> multiple combinations of syntax but what I'm inputting doesn't seem to
> work.  I'll retry the Ubuntu build based on your suggestions as soon
> as possible I'm just tunnel vision on Fedora since I'm so close.  
> 
> openconnect -c 'pkcs11:id=%00%01;object=CAC%20ID%20Certificate;'
> https://testtesttest.test

I think I *might* have fixed this in the 4.05 release. There's a Fedora
17 build at http://koji.fedoraproject.org/koji/taskinfo?taskID=4236846
or you can build from source.

I now have a hardware token that I can test with, and it doesn't even
let you *list* the private key if you're not logged in. The certificate
(;object-type=cert) can be seen, but the corresponding private key
(;object-type=private) isn't visible unless you've logged in to the
token with the PIN. You can't even tell it's *there*.

If your key shows up with 'p11tool --list-privkeys --login' but not with
just 'p11tool --list-privkeys', that may well explain it.

So when you *only* specify the object ID/name, and don't specify which
*token* as well, the system doesn't actually know which token to find it
in. And it won't go logging in to *every* token on the system, just to
find out if it magically shows up in the list after doing so.

So you might try providing the *full* PKCS#11 URL that p11tool showed
you (without the ;object-type= part). It needs to include at least the
token= part. *AND* you need to update to OpenConnect 4.05 because before
that, OpenConnect would helpfully *strip* the part of the URL which
specified which token to look in, before trying to load it :)

So update to 4.05, then try:
openconnect -c pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%01;object=CAC%20ID%20Certificate' $YOURSERVER

(You can try connecting to random HTTPS web sites while you're testing,
if it was actually your *VPN* account which ended up being locked out,
not the hardware token itself.)

-- 
dwmw2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6171 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20120712/e62e83aa/attachment.bin>

More information about the openconnect-devel mailing list