PKCS11 SmartCard Question...

Sean smalder73 at gmail.com
Wed Sep 28 13:40:18 PDT 2016


Hello,

I'm new to the list and have looked back at 6 or so months of archives
for threads looking like they deal with smart cards and not discovered
what I'm looking for.  Please forgive me if this is answered and I
missed it, I'll happily take the link!

I'm working to enable linux clients - who use pam_pkcs11, esc,
coolkey, etc. to log into their workstations with smart cards to be
able to connect to a smart card enabled Cisco VPN.  We're using
SCR3310 readers (mostly) and already have the browsers using libcoolkey to
access smartcard enabled intranet sites like Outlook Web Access on
these clients.  The smart cards are generated completely internally,
so when I use p11tool there is no manufacturer or model, there is only
URL, Label and Type fields populated.  The certificates are all signed
by an internal authority.

Here's a small part of the token list:

$ p11tool --list-tokens
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1

Token 1:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
Label: Default Trust
Type: Trust module
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1

Token 2:
URL: pkcs11:model=;manufacturer=;serial=;token=<my token name>
Label: <my token name>
Type: Hardware token
Manufacturer:
Model:
Serial:

The rest of the tokens are from Gnome Keyring

Here's what I've tried:

$ openconnect -c 'pkcs11:model=;manufacturer=;serial=;token=<my token
name>' vpn.example.com
POST https://vpn.example.com/
Attempting to connect to server 192.168.1.251:443
PIN required for <my token name>
Enter PIN: <XXXXXX>
Error loading certificate from PKCS#11: The requested data were not available
Loading certificate failed. Aborting.

I have also tried the same command with
--cafile=/etc/pki/nssdb/cert8.db set since the client system as a
whole already has the CAs integrated into the nssdb.  Both methods
produce the same result.  It does not appear that the card reader is
being accessed at all after entering the PIN.  I have to be careful
here because too many PIN failures will lock the card itself.
Unfortunately, my organization is large; we have several active root
CAs and about 35 active intermediates, so I will have to have many
certs in this file if NSSdb can't be used.

Questions:
1. Does this look like a CA Trust Failure?
2. What format should the cafile be in?
3. Can we have multiple Roots and Intermediates in the file?

Thank you kindly for listening!
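To check which of the tokens in a p11tool listing a given PKCS#11 URI actually selects, and whether the URI names an object on that token at all, here is a small RFC 7512 URI matcher. It is an added example, not code from this post or from openconnect, and the token table is constructed from the listing above; the matching rule (an attribute absent from the URI is a wildcard, one present with an empty value matches only an empty token field) is my reading of the RFC.

```python
from urllib.parse import unquote

# Constructed from the p11tool listing in the post (placeholder token name kept).
TOKENS = [
    {"token": "System Trust", "manufacturer": "PKCS#11 Kit",
     "model": "p11-kit-trust", "serial": "1"},
    {"token": "Default Trust", "manufacturer": "PKCS#11 Kit",
     "model": "p11-kit-trust", "serial": "1"},
    {"token": "<my token name>", "manufacturer": "", "model": "", "serial": ""},
]

# Path attributes that identify a token (RFC 7512 section 2.3).
TOKEN_ATTRS = ("token", "manufacturer", "model", "serial")


def parse_pkcs11_uri(uri):
    """Split a 'pkcs11:' URI into percent-decoded path and query attribute dicts."""
    if not uri.lower().startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def split(part, sep):
        attrs = {}
        for item in part.split(sep):
            if item:
                key, _, value = item.partition("=")
                attrs[key] = unquote(value)  # PKCS%2311%20Kit -> "PKCS#11 Kit"
        return attrs

    return split(path, ";"), split(query, "&")


def matching_tokens(uri, tokens=TOKENS):
    """Return the tokens whose fields agree with every token attribute the URI sets.

    Assumption: an attribute missing from the URI is a wildcard; an attribute
    given with an empty value (model=;manufacturer=;serial=) matches only a
    token whose field is also empty, as with Token 2 in the listing."""
    path, _ = parse_pkcs11_uri(uri)
    return [t for t in tokens
            if all(path[k] == t.get(k, "") for k in TOKEN_ATTRS if k in path)]


def names_object(uri):
    """True if the URI also pins a particular object (object=, type= or id=)
    rather than only selecting a token."""
    path, _ = parse_pkcs11_uri(uri)
    return any(k in path for k in ("object", "type", "id"))
```

Running matching_tokens on the URI from the openconnect command confirms it selects exactly the hardware token, while names_object shows it carries no object attribute.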
