Issue with recent Belgium Identity Card, openconnect 7.06 and

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Thu Apr 9 01:20:16 PDT 2015


On Thu, Apr 9, 2015 at 10:05 AM, Sebastien Canart
<sebastien.canart at onprvp.fgov.be> wrote:
> Hello,
> The command that I'm currently using (I need to go through our internal
> proxy):
> # openconnect --timestamp --proxy=localhost:3128 -v --dump-http-traffic
> -c 'pkcs11:model=PKCS%2315;mycert[...];object-type=cert' vpnserver
[...]
> From the error I'm getting (Error signing test data with private key:
> PKCS #11
> unsupported feature), I'm guessing that the error is coming directly
> from gnutls.

The error is from the PKCS #11 library (I guess it is opensc) and
probably the card itself.
Do you see any difference in "p11tool --list-mechanisms" with the new
and old card? It may
be that the new key is not allowed to sign using RSA-PKCS.

You can verify whether signing works with pkcs11-tool (from opensc)
using something like:
pkcs11-tool --module /path/to/opensc-pkcs11.so -s -M
pkcs11-tool --module /path/to/opensc-pkcs11.so -s -m RSA-PKCS --id 02

regards,
Nikos



More information about the openconnect-devel mailing list