read cert from smart card

David Woodhouse dwmw2 at infradead.org
Wed Feb 24 05:00:48 PST 2016


On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
> I completely understand what you say now. I will contact TUBITAK
> on that why i  .
> 
> mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32

...

OK, so you have two certificates in your device, and it's given you the
*full* PKCS#11 URI for each of them. Note that you don't have to use
the full URI to specify it — you only need enough to be unique. Which
is why you could specify the token by only its serial number; you
didn't need to include the messy model/manufacturer/token fields too.

Likewise, it looks like you can specify your certificates/keys by only
their label (the object=xxx part), and don't need to specify the ID.

A simple PKCS#11 URI you can use with OpenConnect is either
 pkcs11:serial=0036218D34081A32;object=62917107586SIGN0
or
 pkcs11:serial=0036218D34081A32;object=62917107586NES0

(Because of the semicolon, make sure you put it in quotes on the
OpenConnect command line).

If you compare with your p11tool output, you'll note that each partial
URI above actually matches more than one object. When OpenConnect
automatically adds ';type=cert' it gets the X.509 certificate, and when
it adds 'type=private' it gets the corresponding private key.

To work out *which* of those two cert+key pairs you need, either just
try each one, or you can inspect the certs by running:

 p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
or
 p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text


If you are running on Fedora, at this point it is considered a bug for
*any* application which accepts certs in filenames, not to accept the
above PKCS#11 URIs instead of a filename. Please file bugs if you find
any such applications, and Cc me.

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation

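As an added illustration of the matching rules described in the message above (this is example code, not part of the thread, OpenConnect or p11tool), the following RFC 7512 matcher runs a partial PKCS#11 URI against a constructed object listing modelled on the quoted p11tool output. The serial and the two object labels are taken from the thread; the model, manufacturer, token label and object IDs are placeholders.

```python
"""Minimal RFC 7512 PKCS#11 URI matcher. Shows why a partial URI such as
pkcs11:serial=...;object=... matches both a certificate and a private key,
and why appending ';type=cert' or ';type=private' narrows it to one object.
Illustrative code only, not OpenConnect's or p11tool's own implementation."""
from urllib.parse import unquote


def parse_pkcs11_uri(uri: str) -> dict:
    """Split 'pkcs11:a=b;c=d?x=y' into its path attributes (query part ignored).
    Values are percent-decoded, so labels containing ';' or spaces still work."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[key] = unquote(value)
    return attrs


def _obj(label: str, obj_type: str, obj_id: str) -> dict:
    # Constructed token object; only serial and labels come from the thread.
    return {"model": "PLACEHOLDER-MODEL", "manufacturer": "PLACEHOLDER-MFR",
            "serial": "0036218D34081A32", "token": "PLACEHOLDER-TOKEN",
            "object": label, "type": obj_type, "id": obj_id}


# Two cert+key pairs, as in the thread (object IDs are placeholders).
OBJECTS = [
    _obj("62917107586SIGN0", "cert", "\x01"),
    _obj("62917107586SIGN0", "private", "\x01"),
    _obj("62917107586NES0", "cert", "\x02"),
    _obj("62917107586NES0", "private", "\x02"),
]


def match_objects(uri: str, objects: list) -> list:
    """Every attribute present in the URI must equal the object's attribute;
    attributes absent from the URI act as wildcards (RFC 7512 semantics)."""
    wanted = parse_pkcs11_uri(uri)
    return [o for o in objects if all(o.get(k) == v for k, v in wanted.items())]


def select_cert_and_key(uri: str, objects: list) -> tuple:
    """Mimic the behaviour the thread describes: append ';type=cert' and
    ';type=private' to the user's URI and require exactly one match for each."""
    pair = []
    for obj_type in ("cert", "private"):
        hits = match_objects(f"{uri};type={obj_type}", objects)
        if len(hits) != 1:
            raise LookupError(f"{uri};type={obj_type} matched {len(hits)} objects")
        pair.append(hits[0])
    return tuple(pair)
```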