Openconnect with PKCS11 on Ubuntu 12.10

Lee Matthews lee_matthews at frontiernet.net
Fri Sep 21 13:25:23 EDT 2012


David Woodhouse <dwmw2 <at> infradead.org> writes:

> 
> On Wed, 2012-09-19 at 19:03 +0000, Lee Matthews wrote:
> > 
> > David Woodhouse <dwmw2 <at> infradead.org> writes:
> 
> > Sorry about not posting the URL, 
> > the lines longer than 80 character thing was killing me...
> 
> So ignore it and post long lines :)
> 
> > Here is the URL:
> > Using PKCS#11 certificate pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=cert;pin-source=openconnect%3a0xb8ce0ee8
> > Using PKCS#11 key pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=private;pin-source=openconnect%3a0xb8ce0ee8
> > Error importing PKCS#11 URL pkcs11:model=1.0;manufacturer=Gnome%20Keyring;token=Gnome2%20Key%20Storage;id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=private;pin-source=openconnect%3a0xb8ce0ee8:
> 
> OK, so it looks like you specified only the id= part of the URL;
> OpenConnect itself added the object-type and pin-source parts.
> 
> However, if the private key isn't visible without a login (which I'm
> inferring is true since you were trying p11tool --login), looking it up
> by its ID doesn't work. You have to specify the token too.
> 
> OpenConnect tries to work around this by *guessing* which token it's in.
> By looking for a visible *certificate* with the same ID. I'm guessing
> there is such a certificate in your GNOME Keyring token?
> 
> Try adding an appropriate model= or token= parameter to the URL that you
> give on the command line. And if you can send me the output of a working
> --list-all-certs command, that might be enlightening. I'd like to know
> if OpenConnect is doing something *wrong* when it tries to guess which
> token to find the key in.
> 


I have made some progress. My first issue was that there was no /etc/gnutls/pkcs11.conf.
Once I created that and added load=/usr/lib/opensc-pkcs11.so, things started to progress.
sudo p11tool --list-all --login does not give the segmentation fault now.
I figured out what to pass in the pkcs11 URL and I am getting farther along now.

Thanks again for your help, suggestions, patience and quick responses. I will 
test some more tonight when offsite.

Lee
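As an added illustration of the URL attributes discussed in the quoted reply (example code written for this page, not part of the thread or of OpenConnect): a small parser for pkcs11: URLs that decodes the binary id= bytes, re-encodes them, and shows why an id-only URL cannot be resolved once more than one token holds that id. The token inventory is constructed.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: the certificate URL exactly as printed in the log above.
CERT_URL = ("pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;"
            "object-type=cert;pin-source=openconnect%3a0xb8ce0ee8")
KEY_URL = CERT_URL.replace("object-type=cert", "object-type=private")


def parse_pkcs11_url(url):
    """Split 'pkcs11:k=v;k=v[?query]' into its path attributes.
    Values are returned as bytes: a CKA_ID is arbitrary binary, not text."""
    if not url.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URL")
    path, _, _query = url[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in filter(None, path.split(";")):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute {part!r}")
        attrs[key] = unquote_to_bytes(value)
    return attrs


def percent_encode(value):
    """Percent-escape every byte outside the unreserved set (ALPHA, DIGIT,
    '-._~'), so binary ids like the one above survive a round trip."""
    return "".join(chr(b) if (b < 128 and chr(b).isalnum()) or b in b"-._~"
                   else f"%{b:02x}" for b in value)


def with_token(url, token_label):
    """Rebuild the URL with a token= attribute, as the reply suggests."""
    attrs = parse_pkcs11_url(url)
    attrs["token"] = token_label.encode()
    return "pkcs11:" + ";".join(f"{k}={percent_encode(v)}"
                                for k, v in attrs.items())


# Constructed inventory: two tokens whose private keys share one CKA_ID.
SAME_ID = parse_pkcs11_url(CERT_URL)["id"]
TOKENS = {
    "Gnome2 Key Storage": [(b"cert", SAME_ID), (b"private", SAME_ID)],
    "OpenSC Card": [(b"private", SAME_ID)],
}


def find_private_keys(url, tokens):
    """Labels of tokens holding a private key that matches the URL; without
    token= every token is searched, which is where the ambiguity comes from."""
    attrs = parse_pkcs11_url(url)
    wanted = attrs.get("token")
    return [label for label, objects in tokens.items()
            if (wanted is None or wanted == label.encode())
            and (b"private", attrs["id"]) in objects]
```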
