read cert from smart card

Mithat Bozkurt mithatbozkurt at gmail.com
Sun Feb 21 11:30:20 PST 2016


Dear David,

First of all thank you very much for your reply.

As far as I understand from your mail, I can use the workaround if I get
the PKCS#11 URI.

The product site says that it has its own PKCS#11 library (libakisp11.so);
however, it is also supported by the OpenSC libraries. AKİS (Smart Card
Operating System) is a PKCS#11 library that complies with Common
Criteria (CC) EAL4+, Common Criteria (CC) EAL5+ and ISO/IEC 7816,
with DES, 3DES and RSA 1024-2048 bit key lengths. The device is produced by
Advanced Card System, an associate member of the PCSC Lite project. The SIM
card is produced by TUBITAK with its own proprietary PKCS#11 library.

I also examined the deb package of the library, which has the following info:

"This package includes :
PKCS#11 proprietary library akisp11 and its dependent libraries
asn1ber and asn1rt.
Akia : Akis  Smartcard monitoring and management tool with GUI.
Dependencies : libccid, libc6, libpcsclite1, pcscd"

I can access the device through Thunderbird Mail and a Java-based editor
using the product's Java API.

Finally, I followed https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html

Step 1: I created /etc/pkcs11/pkcs11.conf with the content:

# This is an example /etc/pkcs11/pkcs11.conf file. Copy it into
# place before use.

# This setting controls whether to load user configuration from the
# ~/.config/pkcs11 directory. Possible values:
#    none: No user configuration
#    merge: Merge the user config over the system configuration (default)
#    only: Only user configuration, ignore system configuration
user-config: merge

Step 2: I created the module config at /etc/pkcs11/modules/akis.module with the content:

# AKIS is the Turkish acronym for Smart Card Operating System
module: /usr/lib/libakisp11.so
managed: yes
trust-policy: yes
log-calls: yes

Step 3: after that, running the p11-kit list-modules command prints this error:

C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_ARGUMENTS_BAD
p11-kit: akis: module failed to initialize, skipping: Invalid arguments

----------------------------------------------------------
mithat at adige:~$ p11-kit list-modules
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_ARGUMENTS_BAD
p11-kit: akis: module failed to initialize, skipping: Invalid arguments
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-manufacturer: PKCS#11 Kit
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        hardware-version: 0.23
        flags:
               write-protected
               token-initialized
gnome-keyring: gnome-keyring-pkcs11.so
    library-description: GNOME Keyring Daemon Core
    library-manufacturer: GNOME Keyring
    library-version: 1.1
    token: SSH Keys
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SSH:HOME
        flags:
               write-protected
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: Secret Store
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SECRET:MAIN
        flags:
               login-required
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: Gnome2 Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:USER:DEFAULT
        flags:
               login-required
               user-pin-initialized
               protected-authentication-path
               token-initialized
    token: User Key Storage
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:XDG:DEFAULT
        flags:
               protected-authentication-path
               token-initialized


--------------------------------------------------

Best Regards
Mithat Bozkurt

2016-02-21 18:31 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Sat, 2016-02-20 at 21:35 +0200, Mithat Bozkurt wrote:
>> Hello
>>
>> Although I read your HTML pages that mention PKCS#11, I couldn't find a
>> way to use a smart card (ACS 38T) with openconnect.
>>
>> My client certificate is in a PKCS#11-compliant device and I couldn't
>> export it because it is an e-signature cert.
>>
>> I installed network-manager-openconnect-gnome and I see only the
>> following selection.
>> RSA SecureID read from ~/.stokenrc
>> RSA SecureID (manually entered)
>> TOTP (manually entered)
>> HOTP (manually entered)
>>
>>
>> Do I see PKCS#11 also?
>
> No. NetworkManager is completely lacking any GUI to let you select
> certificates from PKCS#11. This is https://bugzilla.gnome.org/679860
>
> Thankfully there's a simple workaround. Just configure the connection
> with a (dummy) file and then edit the resulting configuration file
> manually and enter the PKCS#11 URI for your certificate.
>
> However...
>
>> output of "p11tool --list-tokens". There is no my token manufacturer.
>
> That looks like your PKCS#11 module hasn't been installed correctly.
> What is it? Are you using OpenSC (in which case the Ubuntu package
> seems to be broken), or some third-party device with its own PKCS#11
> library that you have to install (in which case their install
> instructions are broken).
>
> You should have a file somewhere like /usr/share/p11-kit/modules which
> directs p11-kit to load the module in question.
> https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html
>
>> And I can access my certificate for signing a document without any problem.
>
> Using what software, and how does it find your PKCS#11 token? Sounds
> like the software that is working is actually "broken" in some sense of
> the word too, since it seems *not* to be using the system's p11-kit
> configuration as it should.
>
> --
> dwmw2
>
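The workaround David describes depends on getting the certificate's PKCS#11 URI right, and the `p11-kit list-modules` listing above is where the token attributes for that URI come from. The following is an added example (not code from openconnect, p11-kit or either participant): it parses a `p11-kit list-modules` listing (the sample is an abridged copy of the output posted above, including the `akis` initialization failure) into modules and tokens, and builds an RFC 7512 `pkcs11:` URI from a token's attributes with the percent-encoding that RFC requires (`;`, `#`, `/`, spaces and non-ASCII bytes escaped; `:` and `.` left alone). The object label "My Cert" is a placeholder, and the attribute order and the `type=cert` tag follow RFC 7512, not any openconnect-specific convention.

```python
"""Parse `p11-kit list-modules` output and build RFC 7512 PKCS#11 URIs.

Added example, not code from the openconnect project or the thread.
SAMPLE_LISTING is an abridged copy of the listing posted in the thread.
"""
from typing import Dict, List, Tuple

SAMPLE_LISTING = """\
C_Initialize
  IN: pInitArgs = NULL
C_Initialize = CKR_ARGUMENTS_BAD
p11-kit: akis: module failed to initialize, skipping: Invalid arguments
p11-kit-trust: p11-kit-trust.so
    library-description: PKCS#11 Kit Trust Module
    library-version: 0.23
    token: System Trust
        manufacturer: PKCS#11 Kit
        model: p11-kit-trust
        serial-number: 1
        flags:
               write-protected
               token-initialized
gnome-keyring: gnome-keyring-pkcs11.so
    library-description: GNOME Keyring Daemon Core
    token: SSH Keys
        manufacturer: Gnome Keyring
        model: 1.0
        serial-number: 1:SSH:HOME
        flags:
               write-protected
               protected-authentication-path
               token-initialized
"""

# RFC 7512 section 2.3: bytes that may appear unescaped in a path attribute.
_UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
_PATH_RES_AVAIL = set(":[]@!$'()*+,=&")
_SAFE = _UNRESERVED | _PATH_RES_AVAIL
_TYPES = {"public", "private", "cert", "secret-key", "data"}


def pct_encode(value: str) -> str:
    """Percent-encode a UTF-8 attribute value; ';' '#' '/' '%' and spaces are escaped."""
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if byte < 0x80 and ch in _SAFE else "%%%02X" % byte)
    return "".join(out)


def pkcs11_uri(**attrs: str) -> str:
    """Assemble a pkcs11: URI from the RFC 7512 path attributes given (None = omit)."""
    parts = []
    for name in ("token", "manufacturer", "serial", "model", "object", "type"):
        value = attrs.pop(name, None)
        if value is None:
            continue
        if name == "type" and value not in _TYPES:
            raise ValueError(f"bad object type {value!r}, expected one of {sorted(_TYPES)}")
        parts.append(f"{name}={pct_encode(value)}")
    if attrs:
        raise ValueError(f"unsupported attribute(s): {sorted(attrs)}")
    return "pkcs11:" + ";".join(parts)


def parse_list_modules(text: str) -> Tuple[Dict[str, dict], List[str]]:
    """Return ({module-name: {library, attrs, tokens}}, [modules p11-kit failed to load])."""
    modules: Dict[str, dict] = {}
    failed: List[str] = []
    module = token = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            if line.startswith("p11-kit: ") and "failed to initialize" in line:
                failed.append(line.split(": ")[1])   # "p11-kit: <module>: module failed ..."
                continue
            if line.startswith("C_") or ":" not in line:
                continue                             # log-calls trace, not a module entry
            name, library = (s.strip() for s in line.split(":", 1))
            module = modules.setdefault(name, {"library": library, "attrs": {}, "tokens": []})
            token = None
        elif indent < 4 or module is None:
            continue                                 # "IN:"/"OUT:" lines of the call trace
        elif indent == 4:
            key, value = (s.strip() for s in line.split(":", 1))
            if key == "token":
                token = {"label": value, "attrs": {}, "flags": []}
                module["tokens"].append(token)
            else:
                module["attrs"][key] = value
        elif token is None:
            continue
        elif indent == 8:
            key, value = (s.strip() for s in line.split(":", 1))
            if key != "flags":                       # "flags:" header; values follow deeper
                token["attrs"][key] = value
        else:
            token["flags"].append(line)
    return modules, failed


def cert_uri(token: dict, object_label: str) -> str:
    """URI selecting the certificate object `object_label` on a parsed token."""
    a = token["attrs"]
    return pkcs11_uri(token=token["label"], manufacturer=a.get("manufacturer"),
                      serial=a.get("serial-number"), model=a.get("model"),
                      object=object_label, type="cert")


if __name__ == "__main__":
    mods, bad = parse_list_modules(SAMPLE_LISTING)
    print("modules p11-kit refused to load:", bad)
    for name, mod in mods.items():
        for tok in mod["tokens"]:
            print(name, "->", cert_uri(tok, "My Cert"))
```

A failed module, as with `akis` here, contributes no tokens at all, so no URI built from a listing can ever reach it; that is the check to run before editing any connection file. Once the module loads, the generated URI can be tried with GnuTLS's `p11tool --list-all-certs 'pkcs11:...'` before it is handed to openconnect's `--certificate` option or pasted into the NetworkManager connection file as David suggests.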


