Openconnect supporting SafeNet eToken 5300

Pavel Gavronsky kamm555 at hotmail.com
Tue Jun 21 07:38:21 PDT 2022


Hello,

I am using OpenConnect with a PULSE appliance where the authentication is done by smart card (ACS ACR39U ICC Reader). The connection is established without any issue.
When trying to use a SafeNet USB eToken 5300, there is an error: "Loading certificate failed. Aborting. Failed to obtain WebVPN cookie".

$ uname -a
Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux

Debugging info (GNUTLS_DEBUG_LEVEL=9):

/usr/sbin/openconnect -V
OpenConnect version v8.10-2+b1
Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse

openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
Attempting to connect to server x.x.x.x:443
Connected to x.x.x.x:443
Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Initializing module: opensc-pkcs11
gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
PIN required for xxx
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
Loading certificate failed. Aborting.
Failed to obtain WebVPN cookie
pkcs11-tool --module /usr/lib/libeToken.so  --list-token-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
  token label        : xxxx
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xxxx39
  pin min/max        : 4/16
Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
  token label        : GSTEST01
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : xx
  pin min/max        : 8/20


pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 0
Using slot with ID 0x0
Logging in to "xxxx".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
  testing key 0 ()
  ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
Aborting.


pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 1
Using slot with ID 0x1
Logging in to "xxxx".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
  testing key 0 (No Friendly Name Available)
  ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
  testing signature mechanisms:
    RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (No Friendly Name Available)
    RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (No Friendly Name Available)
 -- mechanism can't be used to decrypt, skipping
 -- mechanism can't be used to decrypt, skipping
 -- mechanism can't be used to decrypt, skipping
 -- mechanism can't be used to decrypt, skipping
 -- mechanism can't be used to decrypt, skipping
 -- mechanism can't be used to decrypt, skipping
    RSA-PKCS: OK
    RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
OK
1 errors


Any ideas?

Thank you in advance,
Pavel
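Editor's note (added example, not part of the original message and not OpenConnect's or the poster's code). The GnuTLS trace above fails while importing the `type=private` URL ("The requested data were not available"), i.e. GnuTLS found no private-key object that pairs with the certificate. The pairing is done on CKA_ID: the `id=` attribute in the pkcs11: URL is the percent-encoded raw CKA_ID bytes, and `pkcs11-tool --list-objects` prints the same bytes as lowercase hex under "ID:". The script below does that check offline: it decodes the URL's id, parses a `pkcs11-tool -l --list-objects` listing, and reports whether a private key with that CKA_ID exists and advertises the sign usage. The listing and the URL id are constructed for the example; the label `PGCert` is borrowed from the post, everything else is hypothetical. Two practical caveats: private keys are usually only listed after login, so run pkcs11-tool with `-l`, and GnuTLS/p11-kit only loads modules that have a `.module` file under /etc/pkcs11/modules or /usr/share/p11-kit/modules (the trace shows only p11-kit-trust and the opensc modules being initialised, not the libeToken.so module used for the pkcs11-tool runs).

```python
"""Check that the PKCS#11 private key paired with a certificate URL is present and sign-capable.

Added example for the openconnect-devel thread; not OpenConnect or vendor code.
Real usage:  pkcs11-tool --module <lib> -l --list-objects | python3 check_p11_key.py '<pkcs11: URL>'
"""
import re
import sys
from urllib.parse import unquote_to_bytes

# Constructed sample listing in the format pkcs11-tool --list-objects prints.
# The IDs and the second key are hypothetical; "PGCert" is the label from the post.
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      PGCert
  ID:         a1b2c304
  Usage:      decrypt, unwrap
  Access:     sensitive, always sensitive, never extractable
Certificate Object; type = X.509 cert
  label:      PGCert
  subject:    DN: CN=example
  ID:         a1b2c304
Public Key Object; RSA 2048 bits
  label:      PGCert
  ID:         a1b2c304
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      Auth
  ID:         0a0b
  Usage:      decrypt, sign
"""

# Hypothetical certificate URL with the same CKA_ID as the first PGCert objects above.
CERT_URL = "pkcs11:manufacturer=Gemalto;object=PGCert;id=%A1%B2%C3%04;type=cert"


def url_attrs(url: str) -> dict:
    """Split the path part of an RFC 7512 pkcs11: URL into attribute -> raw (still encoded) value."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL")
    path = url[len("pkcs11:"):].split("?", 1)[0]  # query attributes (pin-value etc.) are ignored
    attrs = {}
    for part in path.split(";"):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = value
    return attrs


def url_id_hex(url: str) -> str:
    """CKA_ID from the URL as lowercase hex, the form pkcs11-tool prints on its 'ID:' line."""
    return unquote_to_bytes(url_attrs(url).get("id", "")).hex()


def parse_objects(listing: str) -> list:
    """Parse pkcs11-tool --list-objects output into dicts with kind, label, id (hex) and usage set."""
    objs, cur = [], None
    for line in listing.splitlines():
        head = re.match(r"^(Private Key|Public Key|Certificate|Data|Secret Key) Object;", line)
        if head:
            cur = {"kind": head.group(1), "label": "", "id": "", "usage": set()}
            objs.append(cur)
            continue
        field = re.match(r"^\s+(\w+):\s*(.*)$", line)
        if cur is None or not field:
            continue
        key, val = field.group(1), field.group(2).strip()
        if key == "label":
            cur["label"] = val
        elif key == "ID":
            cur["id"] = val.lower()
        elif key == "Usage":
            cur["usage"] = {u.strip() for u in val.split(",") if u.strip()}
    return objs


def check_signing_key(url: str, listing: str) -> str:
    """Return 'ok', 'no-private-key' or 'no-sign-usage' for the key that pairs with the cert URL."""
    want = url_id_hex(url)
    keys = [o for o in parse_objects(listing) if o["kind"] == "Private Key" and o["id"] == want]
    if not keys:
        return "no-private-key"
    if not any("sign" in k["usage"] for k in keys):
        return "no-sign-usage"
    return "ok"


if __name__ == "__main__":
    # Read a real listing from stdin; fall back to the constructed sample for a dry run.
    url = sys.argv[1] if len(sys.argv) > 1 else CERT_URL
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    verdict = check_signing_key(url, listing)
    print(f"CKA_ID {url_id_hex(url)}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

With the constructed listing the verdict for CERT_URL is "no-sign-usage": the key is present under the right CKA_ID but only advertises decrypt/unwrap. A "no-private-key" verdict against a real token most often means the private key is on a slot or behind a module that the program asking for it never loaded, or that the listing was taken without logging in.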
