Openconnect supporting SafeNet eToken 5300

Dimitri Papadopoulos dimitri.papadopoulos at cea.fr
Tue Jun 21 09:41:27 PDT 2022


Hi,

Is this issue identical to that one filed a year ago?

	https://gitlab.com/openconnect/openconnect/-/issues/242

Have you tried a newer version of OpenConnect as suggested in this issue?

Best Regards,
Dimitri

On 21/06/2022 at 16:38, Pavel Gavronsky wrote:
> Hello,
> 
> I am using Openconnect with PULSE appliance where the authentication is done by SmartCard (ACS ACR39U ICC Reader). The connection is established without any issue.
> When trying to use SafeNet USB eToken 5300 - there is an error "Loading certificate failed. Aborting. Failed to obtain WebVPN cookie".
> 
> $ uname -a
> Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
> 
> Debugging info (GNUTLS_DEBUG_LEVEL=9):
> 
> /usr/sbin/openconnect -V
> OpenConnect version v8.10-2+b1
> Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
> 
> openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
> gnutls[2]: Enabled GnuTLS 3.7.1 logging...
> gnutls[2]: getrandom random generator was detected
> gnutls[2]: Intel SSSE3 was detected
> gnutls[2]: Intel AES accelerator was detected
> gnutls[2]: Intel GCM accelerator was detected
> gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
> Attempting to connect to server x.x.x.x:443
> Connected to x.x.x.x:443
> Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
> gnutls[2]: Initializing all PKCS #11 modules
> gnutls[2]: p11: Initializing module: p11-kit-trust
> gnutls[2]: p11: Initializing module: opensc
> gnutls[2]: p11: Initializing module: opensc-pkcs11
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> PIN required for xxx
> Enter PIN:
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
> Loading certificate failed. Aborting.
> Failed to obtain WebVPN cookie
> 
> pkcs11-tool --module /usr/lib/libeToken.so  --list-token-slots
> Available slots:
> Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
>    token label        : xxxx
>    token manufacturer : Gemalto
>    token model        : ID Prime MD
>    token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>    hardware version   : 0.0
>    firmware version   : 0.0
>    serial num         : xxxx39
>    pin min/max        : 4/16
> Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
>    token label        : GSTEST01
>    token manufacturer : SafeNet, Inc.
>    token model        : eToken
>    token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
>    hardware version   : 0.0
>    firmware version   : 0.0
>    serial num         : xx
>    pin min/max        : 8/20
> 
> pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 0
> Using slot with ID 0x0
> Logging in to "xxxx".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
>    seems to be OK
> Digests:
>    all 4 digest functions seem to work
>    SHA-1: OK
> Signatures (currently only for RSA)
>    testing key 0 ()
>    ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
> Aborting.
> 
> pkcs11-tool --module /usr/lib/libeTokenHID.so  -v -l -t --slot 1
> Using slot with ID 0x1
> Logging in to "xxxx".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
>    seems to be OK
> Digests:
>    all 4 digest functions seem to work
>    SHA-1: OK
> Signatures (currently only for RSA)
>    testing key 0 (No Friendly Name Available)
>    ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
>    testing signature mechanisms:
>      RSA-PKCS: OK
>      SHA256-RSA-PKCS: OK
> Verify (currently only for RSA)
>    testing key 0 (No Friendly Name Available)
>      RSA-PKCS: OK
> Decryption (currently only for RSA)
>    testing key 0 (No Friendly Name Available)
>   -- mechanism can't be used to decrypt, skipping
>   -- mechanism can't be used to decrypt, skipping
>   -- mechanism can't be used to decrypt, skipping
>   -- mechanism can't be used to decrypt, skipping
>   -- mechanism can't be used to decrypt, skipping
>   -- mechanism can't be used to decrypt, skipping
>      RSA-PKCS: OK
>      RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
> OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
> OK
> 1 errors
> 
> Any ideas?
> 
> Thank you in advance,
> Pavel
> _______________________________________________
> openconnect-devel mailing list
> openconnect-devel at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
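The quoted log shows two distinct symptoms: OpenConnect loads the certificate, rewrites the URI from `type=cert` to `type=private`, and GnuTLS then cannot find a private-key object with the same `id` ("The requested data were not available"); separately, pkcs11-tool reports `CKR_KEY_FUNCTION_NOT_PERMITTED` from C_Sign, i.e. the key object that does exist is not flagged for signing. The script below is an added diagnostic example and is not part of this thread, of OpenConnect or of OpenSC. It parses an RFC 7512 PKCS#11 URI, derives the private-key URI the way OpenConnect does, decodes the percent-encoded `id` to the hex form that `pkcs11-tool --list-objects` prints, and checks a listing for a matching private key with sign usage. The URI, the CKA_ID bytes and the three listings are constructed samples (the listing text only imitates pkcs11-tool's layout); run it against the real output of `pkcs11-tool --module <module> --list-objects` to see which of the two cases applies.

```python
"""Check a PKCS#11 certificate URI against a token object listing.

Added diagnostic example; the URI, CKA_ID bytes and listings below are
constructed samples, not taken from the mailing-list thread.
"""
from urllib.parse import quote, unquote_to_bytes

# Constructed URI in the shape OpenConnect is given with -c (id bytes made up).
CERT_URI = ("pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ab39;"
            "token=mytoken;id=%B6%A1%19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert")

# Constructed samples in the layout of `pkcs11-tool --module ... --list-objects`.
# Case 1: the certificate has no private key with the same CKA_ID, which is
# what GnuTLS reports as "The requested data were not available".
LISTING_NO_KEY = """\
Certificate Object; type = X.509 cert
  label:      PGCert
  subject:    DN: CN=constructed
  ID:         b6a11965d65c0cfd7e
"""
# Case 2: the key exists but its usage flags do not allow signing, matching
# CKR_KEY_FUNCTION_NOT_PERMITTED from C_Sign.
LISTING_NO_SIGN = LISTING_NO_KEY + """\
Private Key Object; RSA
  label:      PGCert
  ID:         b6a11965d65c0cfd7e
  Usage:      decrypt, unwrap
  Access:     sensitive, always sensitive, never extractable, local
"""
# Case 3: a usable key pair.
LISTING_OK = LISTING_NO_SIGN.replace("Usage:      decrypt, unwrap",
                                     "Usage:      decrypt, sign, unwrap")


def parse_pkcs11_uri(uri):
    """Return the path attributes of an RFC 7512 URI as {name: raw bytes}."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            attrs[name] = unquote_to_bytes(value)  # id is binary, so keep bytes
    return attrs


def private_key_uri(cert_uri):
    """Rebuild the URI with type=private, as OpenConnect does when it moves
    from loading the certificate to loading the matching key."""
    attrs = parse_pkcs11_uri(cert_uri)
    attrs["type"] = b"private"
    return "pkcs11:" + ";".join(
        "%s=%s" % (name, quote(value, safe="")) for name, value in attrs.items())


def parse_listing(text):
    """Parse a pkcs11-tool object listing into a list of {field: value} dicts."""
    objects = []
    for line in text.splitlines():
        if not line.startswith(" "):            # header line starts an object
            objects.append({"kind": line.split(";")[0].strip()})
        elif objects:
            key, _, value = line.strip().partition(":")
            objects[-1][key.strip().lower()] = value.strip()
    return objects


def check_private_key(cert_uri, listing):
    """Explain why loading type=private for cert_uri would fail, or return 'ok'."""
    attrs = parse_pkcs11_uri(cert_uri)
    want_id = attrs["id"].hex()                 # same hex form pkcs11-tool prints
    keys = [o for o in parse_listing(listing)
            if o["kind"] == "Private Key Object"
            and o.get("id", "").lower() == want_id]
    if not keys:
        return "no private key with CKA_ID %s on the token" % want_id
    usage = {u.strip() for u in keys[0].get("usage", "").split(",") if u.strip()}
    if "sign" not in usage:
        return "private key found but sign usage not set (usage: %s)" % ", ".join(sorted(usage))
    return "ok"


if __name__ == "__main__":
    print("private-key URI:", private_key_uri(CERT_URI))
    for name, listing in (("no key", LISTING_NO_KEY),
                          ("no sign", LISTING_NO_SIGN),
                          ("good", LISTING_OK)):
        print("%-8s -> %s" % (name, check_private_key(CERT_URI, listing)))
```

The first check is the one GnuTLS performs implicitly: the certificate and the private key must share the same CKA_ID for the `type=private` URI to match anything, so a token that stores them with different ids (or stores no private-key object at all behind the vendor module) fails exactly as in the log above. The second check mirrors what `pkcs11-tool -t` exercises and is a property of the key object on the token, not of OpenConnect.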
