CAC modules

Mcclelland, Michael B Mr CTR USN USA michael.b.mcclelland at us.army.mil
Mon Jul 16 13:17:49 EDT 2012


I've almost got things working on Ubuntu but I'm having the same issue I did under Fedora with the tokens being visible via p11tool but the OpenConnect client not being able to pull them.  LIBGNUTLS28-DEV is installed.

view at view-virtual-machine:~$ sudo p11tool --list-certs --login
[sudo] password for view: 
Token 'MCCLELLAND.MICHAEL.BLAIR.1250312' with URL 'pkcs11:model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312' requires user PIN
Enter PIN: 
Object 0:
    URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%01;object=CAC%20ID%20Certificate;object-type=cert
    Type: X.509 Certificate
    Label: CAC ID Certificate
    ID: 00:01

Object 1:
    URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
    Type: X.509 Certificate
    Label: CAC Email Signature Certificate
    ID: 00:02

Object 2:
    URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert
    Type: X.509 Certificate
    Label: CAC Email Encryption Certificate
    ID: 00:03

view at view-virtual-machine:~$ openconnect -c 'pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate' https://server.domain
Attempting to connect to 198.253.24.115:443
Failed to open certificate file pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate: No such file or directory
Loading certificate failed. Aborting.
Failed to open HTTPS connection to server.domain
Failed to obtain WebVPN cookie

-----Original Message-----
From: mike.t.miller at gmail.com [mailto:mike.t.miller at gmail.com] On Behalf Of Mike Miller
Sent: Friday, July 13, 2012 8:35 AM
To: David Woodhouse
Cc: Mcclelland, Michael B Mr CTR USN USA; openconnect-devel at lists.infradead.org
Subject: Re: CAC modules

On Fri, Jul 13, 2012 at 2:47 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Thu, 2012-07-12 at 22:17 -0400, Mike Miller wrote:
>> Yeah, Michael if you have the time to try with Ubuntu again, please 
>> try installing the OpenConnect packages from ppa:mtmiller/openconnect 
>> and let us know if that build works for you.
>
> He'll need OpenConnect v4.05. Before that, it would strip out the part 
> of the URL which specifies which token to find the key in. And his 
> token doesn't even let you *list* the key until you're logged in, so a 
> wildcard search just by object ID doesn't work. You have to know the 
> token, so you can log into it and *then* you can see that it does 
> indeed contain the key.

Yep, I missed that point.  4.05 is cooking right now in ppa:mtmiller/openconnect.

--
mike
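The PKCS#11 URI handling David Woodhouse describes above, as an added example that is not code from the thread, OpenConnect or GnuTLS: a small RFC 7512 URI parser run over the p11tool output quoted in the message, with a check for whether a URI still carries a token selector the client can log into before it searches for the key. The function and constant names are my own.

```python
"""Constructed example: parse the RFC 7512 PKCS#11 URIs that p11tool prints
and check whether a URI still names the token a client must log into before
that token will list its objects.  Not OpenConnect or GnuTLS code."""
from urllib.parse import unquote_to_bytes

# Object 2 as p11tool printed it in the message above (copied as test input).
CERT_URI = ("pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;"
            "library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;"
            "token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;"
            "object=CAC%20Email%20Encryption%20Certificate;object-type=cert")

# RFC 7512 path attributes that select a token; id/object/object-type only
# select an object inside whichever token gets searched.
TOKEN_ATTRS = ("token", "serial", "manufacturer", "model")


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) with values percent-decoded to bytes.
    Bytes, not str: 'id' is binary (%00%03 is CKA_ID 00:03) and CoolKey pads
    library-description with NUL bytes.  Non-'pkcs11:' input is rejected; the
    client in the thread instead treated the URI as a file name and failed
    with "No such file or directory"."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        attrs = {}
        for item in filter(None, part.split(sep)):
            key, _, value = item.partition("=")
            attrs[key] = unquote_to_bytes(value)
        return attrs

    return split(path, ";"), split(query, "&")


def format_id(raw):
    """Render a binary CKA_ID the way p11tool does: b'\\x00\\x03' -> '00:03'."""
    return ":".join("%02x" % b for b in raw)


def login_target(uri):
    """Token label (or serial) to log into first, or None if the URI has no
    usable token selector.  Without one a client can only search every slot
    by object id, and a token that hides its objects until after login, as
    this CAC does, never matches."""
    path, _ = parse_pkcs11_uri(uri)
    selectors = {k: path[k].decode("utf-8", "replace").strip()
                 for k in TOKEN_ATTRS if k in path}
    selectors = {k: v for k, v in selectors.items() if v}
    return selectors.get("token") or selectors.get("serial")
```

Run against the shortened URI passed to `openconnect -c` in the message it still returns the token label; drop the `token=` part and it returns None, which is the case that needs OpenConnect 4.05.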
