Issue with recent Belgium Identity Card, openconnect 7.06 and

Sebastien Canart sebastien.canart at onprvp.fgov.be
Thu Apr 9 01:05:02 PDT 2015


Hello,

I'm trying to use openconnect to connect to our corporate vpn.

The command that I'm currently using (I need to go through our internal
proxy):
# openconnect --timestamp --proxy=localhost:3128 -v --dump-http-traffic
-c 'pkcs11:model=PKCS%2315;mycert[...];object-type=cert' vpnserver

I get the following output:
[2015-04-09 09:24:44] POST vpnserver
[2015-04-09 09:24:44] Attempting to connect to server [::1]:3128
[2015-04-09 09:24:44] Attempting to connect to server 127.0.0.1:3128
[2015-04-09 09:24:44] Requesting HTTP proxy connection to vpnserver:443
[2015-04-09 09:24:44] > CONNECT vpnserver:443 HTTP/1.1
[2015-04-09 09:24:44] > Host: vpnserver
[2015-04-09 09:24:44] > User-Agent: Open AnyConnect VPN Agent v7.06
[2015-04-09 09:24:44] > Proxy-Connection: keep-alive
[2015-04-09 09:24:44] > Connection: keep-alive
[2015-04-09 09:24:44] > Accept-Encoding: identity
[2015-04-09 09:24:44] >
[2015-04-09 09:24:44] Got HTTP response: HTTP/1.1 200 Connection established
[2015-04-09 09:24:44] Connection: close
[2015-04-09 09:24:44] Using PKCS#11 certificate
pkcs11:model=PKCS%2315;mycert[...];type=cert
PIN required for BELPIC (Basic PIN)
Enter PIN:
[2015-04-09 09:24:52] Using PKCS#11 key
pkcs11:model=PKCS%2315;mycert[...];type=private
[2015-04-09 09:24:52] Error signing test data with private key: PKCS #11
unsupported feature
[2015-04-09 09:24:52] Loading certificate failed. Aborting.
[2015-04-09 09:24:52] Failed to open HTTPS connection to vpnserver

When I'm using an older identity card, I get the following output:
# openconnect --timestamp --proxy=localhost:3128 -v --dump-http-traffic
-c 'pkcs11:model=PKCS%2315;othercert;type=cert' vpnserver
[2015-04-09 09:30:49] POST vpnserver
[2015-04-09 09:30:49] Attempting to connect to server [::1]:3128
[2015-04-09 09:30:49] Attempting to connect to server 127.0.0.1:3128
[2015-04-09 09:30:49] Requesting HTTP proxy connection to
damona.onprvp.fgov.be:443
[2015-04-09 09:30:49] > CONNECT vpnserver:443 HTTP/1.1
[2015-04-09 09:30:49] > Host: vpnserver
[2015-04-09 09:30:49] > User-Agent: Open AnyConnect VPN Agent v7.06
[2015-04-09 09:30:49] > Proxy-Connection: keep-alive
[2015-04-09 09:30:49] > Connection: keep-alive
[2015-04-09 09:30:49] > Accept-Encoding: identity
[2015-04-09 09:30:49] >
[2015-04-09 09:30:49] Got HTTP response: HTTP/1.1 200 Connection established
[2015-04-09 09:30:49] Connection: close
[2015-04-09 09:30:49] Using PKCS#11 certificate
pkcs11:model=PKCS%2315;othercert;type=cert
PIN required for BELPIC (Basic PIN)
Enter PIN:
[2015-04-09 09:30:58] Using PKCS#11 key
pkcs11:model=PKCS%2315;othercert;type=private
[2015-04-09 09:30:59] Using client certificate 'Firstname Lastname
(Authentication)'
[2015-04-09 09:31:02] Got next CA 'Citizen CA' from PKCS11
[2015-04-09 09:31:02] Got next CA 'Belgium Root CA2' from PKCS11
[2015-04-09 09:31:02] Adding supporting CA 'Citizen CA'
[2015-04-09 09:31:03] SSL negotiation with vnpserver

To retrieve the PKCS#11 url, I'm using the following commands:
# p11tool --list-certs
warning: no token URL was provided for this operation; the available
tokens are:
Token 0:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Token 1: pkcs11:model=PKCS%2315;mycert

With the token 1:

# p11tool --list-all --login 'pkcs11:model=PKCS%2315;mycert'
Object 0:
        URL:
pkcs11:model=PKCS%2315;mycert;object=Authentication;type=private
        Type: Private key
        Label: Authentication
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID: 02

Object 1:
        URL: pkcs11:model=PKCS%2315;mycert;object=Authentication;type=cert
        Type: X.509 Certificate
        Label: Authentication
        Flags: CKA_PRIVATE;
        ID: 02

Object 2:
        URL: pkcs11:model=PKCS%2315;mycert;object=Authentication;type=public
        Type: Public key
        Label: Authentication
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID: 02

Object 3:
        URL: pkcs11:model=PKCS%2315;mycert;object=Signature;type=private
        Type: Private key
        Label: Signature
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID: 03

Object 4:
        URL: pkcs11:model=PKCS%2315;mycert;object=Signature;type=cert
        Type: X.509 Certificate
        Label: Signature
        Flags: CKA_PRIVATE;
        ID: 03

Object 5:
        URL: pkcs11:model=PKCS%2315;mycert;object=Signature;type=public
        Type: Public key
        Label: Signature
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID: 03

Object 6:
        URL: pkcs11:model=PKCS%2315;mycert;object=CA;type=cert
        Type: X.509 Certificate
        Label: CA
        Flags: CKA_PRIVATE; CKA_TRUSTED;
        ID: 04

Object 7:
        URL: pkcs11:model=PKCS%2315;mycert;object=CA;type=public
        Type: Public key
        Label: CA
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID: 04

Object 8:
        URL: pkcs11:model=PKCS%2315;mycert;object=Root;type=cert
        Type: X.509 Certificate
        Label: Root
        Flags: CKA_PRIVATE; CKA_TRUSTED;
        ID: 06

Object 9:
        URL: pkcs11:model=PKCS%2315;mycert;object=Root;type=public
        Type: Public key
        Label: Root
        Flags: CKA_PRIVATE; CKA_SENSITIVE;
        ID: 06

And then I'm taking Object 1, which is an X.509
Certificate/Authentication (it's the same object for both the old and the new
identity card).

There are currently two batches of identity cards in Belgium:
- the ones with a validity of 5 years (which seem to be working),
- the recent ones with a validity of 10 years (which don't seem to be
working).


I'm currently using:
- # uname -a
Linux lp-20140069-linux 3.18.7-gentoo #14 SMP Thu Apr 2 09:46:15 CEST
2015 x86_64 Intel(R) Core(TM) i7-4600U CPU @ 2.10GHz GenuineIntel GNU/Linux
- openconnect --version
OpenConnect version v7.06
Using GnuTLS. Features present: PKCS#11, HOTP software token, TOTP
software token, Yubikey OATH, DTLS
- gnutls 3.3.12
- # pcscd --version
pcsc-lite version 1.8.13.

From the error I'm getting (Error signing test data with private key:
PKCS #11 unsupported feature), I'm guessing that the error is coming directly
from gnutls.
I've tried upgrading to gnutls-3.3.14 with no luck.
gnutls-3.4.0 was released yesterday (2015-04-08), but I don't have
any package in my package manager to install it.

Does anybody have any ideas how I can investigate some more on it?

Thanks,

-- 
Sebastien Canart <sebastien.canart at onprvp.fgov.be>
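One way to narrow down an "unsupported feature" signing error is to compare the private key's type with the mechanisms the token actually advertises. The script below is an added example, not from the mail above or from openconnect/GnuTLS; the mechanism sets are assumptions about what a TLS client needs, and the live part assumes the PyKCS11 library and a PKCS#11 module path you supply.

```python
# Added example: check whether a PKCS#11 token advertises a signing mechanism
# that fits the private key a TLS client will sign with. Not from the original
# mail or from openconnect/GnuTLS; mechanism sets below are assumptions.

# Assumption: raw (pre-hashed) signature mechanism a TLS client asks for.
SIGN_MECHS = {
    "CKK_RSA": ("CKM_RSA_PKCS",),
    "CKK_EC": ("CKM_ECDSA",),
}
# Assumption: combined hash-and-sign mechanisms a token may offer instead.
HASH_SIGN_MECHS = {
    "CKK_RSA": ("CKM_SHA1_RSA_PKCS", "CKM_SHA256_RSA_PKCS"),
    "CKK_EC": ("CKM_ECDSA_SHA1", "CKM_ECDSA_SHA256"),
}
KEY_TYPE_ALIASES = {"CKK_ECDSA": "CKK_EC"}  # PKCS#11 names CKK_EC both ways


def diagnose(key_type, token_mechs):
    """Return (ok, message) for a private key of `key_type` (a CKK_* name)
    on a token advertising the CKM_* names in `token_mechs`."""
    key_type = KEY_TYPE_ALIASES.get(key_type, key_type)
    mechs = set(token_mechs)
    if key_type not in SIGN_MECHS:
        return False, "no signing rule for key type %s" % key_type
    raw = [m for m in SIGN_MECHS[key_type] if m in mechs]
    if raw:
        return True, "token advertises %s for %s" % (raw[0], key_type)
    hashed = [m for m in HASH_SIGN_MECHS[key_type] if m in mechs]
    if hashed:
        # C_SignInit with a mechanism the token lacks fails with
        # CKR_MECHANISM_INVALID, which a client reports as unsupported.
        return False, ("token offers only hash-and-sign %s; a client that "
                       "pre-hashes and requests %s will be refused"
                       % (", ".join(hashed), SIGN_MECHS[key_type][0]))
    return False, "token advertises no signing mechanism for %s" % key_type


def probe_token(module_path, label="Authentication", pin=None):
    """Live check against a real token (assumes PyKCS11 is installed)."""
    import PyKCS11  # imported here so diagnose() stays usable without it
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    results = []
    for slot in lib.getSlotList(tokenPresent=True):
        mechs = lib.getMechanismList(slot)
        sess = lib.openSession(slot)
        if pin:
            sess.login(pin)
        for key in sess.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY),
                                     (PyKCS11.CKA_LABEL, label)]):
            kt = sess.getAttributeValue(key, [PyKCS11.CKA_KEY_TYPE])[0]
            results.append(diagnose(PyKCS11.CKK[kt], mechs))
        sess.closeSession()
    return results
```

Run `probe_token("/path/to/your-pkcs11-module.so", pin="...")` against the card; a key whose type has no matching raw mechanism in the token's list is a strong hint that the failure is in the token or middleware rather than in the TLS library.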