read cert from smart card

David Woodhouse dwmw2 at infradead.org
Wed Feb 24 04:24:01 PST 2016


Adding p11-glue list to Cc. There are a couple of issues here, albeit
bugs in a crappy proprietary PKCS#11 token, that we might want to work
around in libp11-kit.

On Wed, 2016-02-24 at 14:06 +0200, Mithat Bozkurt wrote:
> Tubitak haven't got back to me yet, but I think there's no need for
> this, because after installing OpenSC from the Ubuntu Software Center
> and running the following command I can see
> 
> 
> mithat at adige:~$ pkcs11-tool --module /usr/lib/libakisp11.so -O -l
> Using slot 0 with a present token (0x1)
> Logging in to "Akis".
> Please enter User PIN:
> Public Key Object; RSA 2048 bits
>   label:      62917107586NES0
>   ID:         009020159e08d3abe24bd1a0742328c28b0c1104
>   Usage:      verify
> Public Key Object; RSA 2048 bits
>   label:      62917107586SIGN0
>   ID:         fd900c3bc420b0b439f71efa02efdf4550918fc4
>   Usage:      verify
> Certificate Object, type = X.509 cert
>   label:      62917107586SIGN0
>   ID:         fd900c3bc420b0b439f71efa02efdf4550918fc4
> Certificate Object, type = X.509 cert
>   label:      62917107586NES0
>   ID:         009020159e08d3abe24bd1a0742328c28b0c1104
> Private Key Object; RSA
>   label:      62917107586NES0
>   ID:         009020159e08d3abe24bd1a0742328c28b0c1104
>   Usage:      sign
> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE)
> failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
> 
> Private Key Object; RSA
>   label:      62917107586SIGN0
>   ID:         fd900c3bc420b0b439f71efa02efdf4550918fc4
>   Usage:      sign
> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE)
> failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

OK, so you're not actually using the OpenSC PKCS#11 module here; you're
only using the pkcs11-tool from OpenSC, to operate on the Tubitak
module. Which works OK in this environment.

> With this config it seems OK
> mithat at adige:/etc/pkcs11/modules$ more akis.module
> module: /usr/lib/libakisp11.so
> #module: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
> managed: no

... and when p11-kit uses that *same* Tubitak module in non-managed
mode, the module *does* work.

(Repeating for the benefit of the p11-kit list: It's only in managed
mode, where we pass a NULL argument to C_Initialize(), that the Tubitak
module fails as follows:

>> C_Initialize
>>   IN: pInitArgs = NULL
>> C_Initialize = CKR_ARGUMENTS_BAD
>> p11-kit: akis: module failed to initialize, skipping: Invalid arguments

)

> mithat at adige:/etc/pkcs11/modules$ p11tool --list-tokens
> p11-kit: the 'log-calls' option for module 'akis' is only supported
> for managed modules
> ....//trimmed
> Token 1:
> URL:
> pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-
> UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial
> =0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%
> ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff
> Label: Akis
> Type: Hardware token, Trust module
> Manufacturer: TUBITAK-UEKAE
> Model: AKIS V1.2
> Serial: 0036218D34081A32
> .....//trimmed
> 
> But this time I can't read the cert

Define "can't read cert". Do you just mean that you didn't see any
certs listed in the output of p11tool as shown above? That's expected;
you only asked it to list the *tokens*.

Try:
 p11tool --list-all --login pkcs11:serial=0036218D34081A32

(I spy other bugs in your proprietary PKCS#11 module there too; the
model, manufacturer and token fields are all stuffed with nonsense when
they *should* be padded with space characters.)

-- 
dwmw2
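Two checks that follow from the points in this message, as an added example that is not code from this thread, from p11-kit, OpenSC or the TUBITAK module. It assumes a constructed in-process stand-in for libakisp11.so's C_Initialize (rejecting NULL, as the log above shows, but accepting an explicit CK_C_INITIALIZE_ARGS; whether the real module accepts that is not established here) and a hand-built copy of the token's string fields decoded from the percent-encoded p11tool URL. The types are a hand-typed subset of pkcs11.h so the file builds on its own; the function names are my own. What it shows: the loader-side fallback the message suggests p11-kit might adopt (try NULL, retry with CKF_OS_LOCKING_OK on CKR_ARGUMENTS_BAD), and a check that CK_TOKEN_INFO's fixed-width fields are space-padded rather than stuffed with 0x00/0xff.

```c
/* Added example: PKCS#11 loader fallback for a module that rejects
 * C_Initialize(NULL), plus a CK_TOKEN_INFO padding check. Not code from
 * p11-kit, OpenSC or the AKIS module; the "akis_" functions below are a
 * constructed stand-in. Minimal subset of pkcs11.h typed by hand. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_FLAGS;
typedef unsigned char CK_UTF8CHAR;
#define CKR_OK                            0x00UL
#define CKR_ARGUMENTS_BAD                 0x07UL
#define CKR_CRYPTOKI_ALREADY_INITIALIZED  0x191UL
#define CKF_OS_LOCKING_OK                 0x02UL

typedef struct {
    void *CreateMutex, *DestroyMutex, *LockMutex, *UnlockMutex;
    CK_FLAGS flags;
    void *pReserved;
} CK_C_INITIALIZE_ARGS;

/* Only the three fixed-width string fields of CK_TOKEN_INFO matter here. */
typedef struct {
    CK_UTF8CHAR label[32];
    CK_UTF8CHAR manufacturerID[32];
    CK_UTF8CHAR model[16];
} token_strings;

typedef CK_RV (*C_Initialize_t)(void *pInitArgs);

/* Constructed stand-in (assumption): rejects NULL like the log shows,
 * accepts an explicit args struct. */
static int akis_initialized;
static CK_RV akis_C_Initialize(void *pInitArgs)
{
    if (pInitArgs == NULL)
        return CKR_ARGUMENTS_BAD;
    if (akis_initialized)
        return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    akis_initialized = 1;
    return CKR_OK;
}

/* A spec-conforming module accepts NULL (single-threaded use). */
static CK_RV conforming_C_Initialize(void *pInitArgs)
{
    (void)pInitArgs;
    return CKR_OK;
}

/* Loader fallback: call with NULL first (what managed mode does); if the
 * module answers CKR_ARGUMENTS_BAD, retry with CKF_OS_LOCKING_OK and no
 * mutex callbacks. *used_args is 1 when the fallback path was taken. */
CK_RV tolerant_initialize(C_Initialize_t init, int *used_args)
{
    CK_C_INITIALIZE_ARGS args;
    CK_RV rv = init(NULL);

    *used_args = 0;
    if (rv != CKR_ARGUMENTS_BAD)
        return rv;
    memset(&args, 0, sizeof args);
    args.flags = CKF_OS_LOCKING_OK;
    *used_args = 1;
    return init(&args);
}

/* 1 if the field contains no 0x00/0xff bytes (spec: pad with spaces),
 * 0 if the module stuffed it with junk. */
int field_space_padded(const CK_UTF8CHAR *field, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (field[i] == 0x00 || field[i] == 0xff)
            return 0;
    return 1;
}

/* Number of the three fields that are mis-padded; 0 is a clean token. */
int count_bad_fields(const token_strings *t)
{
    return !field_space_padded(t->label, sizeof t->label)
         + !field_space_padded(t->manufacturerID, sizeof t->manufacturerID)
         + !field_space_padded(t->model, sizeof t->model);
}

/* Constructed fixture with the bytes percent-encoded in the p11tool URL:
 * model and manufacturer NUL-padded, label "Akis\0A" then 0xff bytes. */
void akis_token_strings(token_strings *t)
{
    memset(t, 0, sizeof *t);
    memcpy(t->model, "AKIS V1.2", 9);                /* + 7 x 0x00  */
    memcpy(t->manufacturerID, "TUBITAK-UEKAE", 13);  /* + 19 x 0x00 */
    memcpy(t->label, "Akis\0A", 6);
    memset(t->label + 6, 0xff, sizeof t->label - 6); /* 26 x 0xff   */
}

/* The same token as the spec wants it: text, then spaces to the end. */
void conforming_token_strings(token_strings *t)
{
    memset(t, ' ', sizeof *t);
    memcpy(t->model, "AKIS V1.2", 9);
    memcpy(t->manufacturerID, "TUBITAK-UEKAE", 13);
    memcpy(t->label, "Akis", 4);
}

int main(void)
{
    token_strings t;
    int used_args;
    CK_RV rv = tolerant_initialize(akis_C_Initialize, &used_args);
    printf("C_Initialize rv=0x%lx, needed explicit args: %d\n", rv, used_args);
    akis_token_strings(&t);
    printf("AKIS token: %d mis-padded fields\n", count_bad_fields(&t));
    conforming_token_strings(&t);
    printf("conforming token: %d mis-padded fields\n", count_bad_fields(&t));
    return 0;
}
```

Against a real module you would obtain the C_Initialize pointer via dlopen() and C_GetFunctionList(), and the fields via C_GetTokenInfo(); here both are stand-ins. Retrying with CKF_OS_LOCKING_OK tells the module it may use native OS locking, which is the usual choice for a desktop loader, but a module that already rejects a legal NULL argument is out of spec, so treat its other answers (such as the CKR_ATTRIBUTE_TYPE_INVALID on ALWAYS_AUTHENTICATE above) with the same suspicion rather than assuming the retry fixes everything.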
