read cert from smart card
Mithat Bozkurt
mithatbozkurt at gmail.com
Wed Feb 24 04:39:39 PST 2016
I completely understand what you say now. I will contact TUBITAK
on that why I .
mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32
p11-kit: the 'log-calls' option for module 'akis' is only supported
for managed modules
Token 'Akis' with URL
'pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial=0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff'
requires user PIN
Object 0:
URL: pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial=0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff;id=%fd%90%0c%3b%c4%20%b0%b4%39%f7%1e%fa%02%ef%df%45%50%91%8f%c4;object=62917107586SIGN0;type=cert
Type: X.509 Certificate
Label: 62917107586SIGN0
ID: fd:90:0c:3b:c4:20:b0:b4:39:f7:1e:fa:02:ef:df:45:50:91:8f:c4
Object 1:
URL: pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial=0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff;id=%00%90%20%15%9e%08%d3%ab%e2%4b%d1%a0%74%23%28%c2%8b%0c%11%04;object=62917107586NES0;type=cert
Type: X.509 Certificate
Label: 62917107586NES0
ID: 00:90:20:15:9e:08:d3:ab:e2:4b:d1:a0:74:23:28:c2:8b:0c:11:04
Object 2:
URL: pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial=0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff;id=%00%90%20%15%9e%08%d3%ab%e2%4b%d1%a0%74%23%28%c2%8b%0c%11%04;object=62917107586NES0;type=private
Type: Private key
Label: 62917107586NES0
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID: 00:90:20:15:9e:08:d3:ab:e2:4b:d1:a0:74:23:28:c2:8b:0c:11:04
Object 3:
URL: pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial=0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff;id=%fd%90%0c%3b%c4%20%b0%b4%39%f7%1e%fa%02%ef%df%45%50%91%8f%c4;object=62917107586SIGN0;type=private
Type: Private key
Label: 62917107586SIGN0
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID: fd:90:0c:3b:c4:20:b0:b4:39:f7:1e:fa:02:ef:df:45:50:91:8f:c4
mithat at adige:/etc/pkcs11/modules$ openconnect -c 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=private' xxx.xx.x.xx
POST https://xx.x.x.x./
Attempting to connect to server xx.x.x.x:443
p11-kit: the 'log-calls' option for module 'akis' is only supported
for managed modules
PIN required for Akis
Enter PIN:
Error loading certificate from PKCS#11: ASN1 parser: Error in TAG.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to xx.x.x.x
Failed to obtain WebVPN cookie
2016-02-24 14:24 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> Adding p11-glue list to Cc. There are a couple of issues here, albeit
> bugs in a crappy proprietary PKCS#11 token, that we might want to work
> around in libp11-kit.
>
> On Wed, 2016-02-24 at 14:06 +0200, Mithat Bozkurt wrote:
>> Tubitak hasn't returned back yet, but I think there's no need for this, because
>> after installing opensc from the Ubuntu Software Center and running the following
>> command I can see
>>
>>
>> mithat at adige:~$ pkcs11-tool --module /usr/lib/libakisp11.so -O -l
>> Using slot 0 with a present token (0x1)
>> Logging in to "Akis".
>> Please enter User PIN:
>> Public Key Object; RSA 2048 bits
>> label: 62917107586NES0
>> ID: 009020159e08d3abe24bd1a0742328c28b0c1104
>> Usage: verify
>> Public Key Object; RSA 2048 bits
>> label: 62917107586SIGN0
>> ID: fd900c3bc420b0b439f71efa02efdf4550918fc4
>> Usage: verify
>> Certificate Object, type = X.509 cert
>> label: 62917107586SIGN0
>> ID: fd900c3bc420b0b439f71efa02efdf4550918fc4
>> Certificate Object, type = X.509 cert
>> label: 62917107586NES0
>> ID: 009020159e08d3abe24bd1a0742328c28b0c1104
>> Private Key Object; RSA
>> label: 62917107586NES0
>> ID: 009020159e08d3abe24bd1a0742328c28b0c1104
>> Usage: sign
>> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE)
>> failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>>
>> Private Key Object; RSA
>> label: 62917107586SIGN0
>> ID: fd900c3bc420b0b439f71efa02efdf4550918fc4
>> Usage: sign
>> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE)
>> failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> OK, so you're not actually using the OpenSC PKCS#11 module here; you're
> only using the pkcs11-tool from OpenSC, to operate on the Tubitak
> module. Which works OK in this environment.
>
>> With this config it seems ok
>> mithat at adige:/etc/pkcs11/modules$ more akis.module
>> module: /usr/lib/libakisp11.so
>> #module: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
>> managed: no
>
> ... and when p11-kit uses that *same* Tubitak module in non-managed
> mode, the module *does* work.
>
> (Repeating for the benefit of the p11-kit list: It's only in managed
> mode, where we pass a NULL argument to C_Initialize(), that the Tubitak
> module fails as follows:
>
>>> C_Initialize
>>> IN: pInitArgs = NULL
>>> C_Initialize = CKR_ARGUMENTS_BAD
>>> p11-kit: akis: module failed to initialize, skipping: Invalid arguments
>
> )
>
>> mithat at adige:/etc/pkcs11/modules$ p11tool --list-tokens
>> p11-kit: the 'log-calls' option for module 'akis' is only supported
>> for managed modules
>> ....//trimmed
>> Token 1:
>> URL:
>> pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-
>> UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial
>> =0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%
>> ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff
>> Label: Akis
>> Type: Hardware token, Trust module
>> Manufacturer: TUBITAK-UEKAE
>> Model: AKIS V1.2
>> Serial: 0036218D34081A32
>> .....//trimmed
>>
>> But this time I can't read the cert
>
> Define "can't read cert". Do you just mean that you didn't see any
> certs listed in the output of p11-tool as shown above? That's expected;
> you only asked it to list the *tokens*.
>
> Try:
> p11tool --list-all --login pkcs11:serial=0036218D34081A32
>
> (I spy other bugs in your proprietary PKCS#11 module there too; the
> model, manufacturer and token fields are all stuffed with nonsense when
> they *should* be padded with space characters.)
>
> --
> dwmw2
>
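David's last point, that the model, manufacturer and token fields come back stuffed with NUL and 0xFF bytes instead of the space padding PKCS#11 requires, is exactly why the pkcs11: URLs above look the way they do. The following is an added example (not code from p11-kit, OpenConnect, OpenSC or the Akis module): it checks a fixed-width CK_TOKEN_INFO field against the space-padding rule and percent-encodes it the way p11tool prints it, so a conformant 16-byte model field yields `model=AKIS%20V1.2` while the NUL-padded one reproduces `model=AKIS%20V1.2%00%00%00%00%00%00%00` from the thread. Field sizes are the ones from the PKCS#11 specification; `make_model_field` is a constructed helper for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-width CK_TOKEN_INFO field sizes (bytes) from the PKCS#11 spec. */
#define CK_MODEL_LEN        16
#define CK_MANUFACTURER_LEN 32
#define CK_LABEL_LEN        32
#define CK_SERIAL_LEN       16

/* PKCS#11 requires these fields to be UTF-8 text padded with spaces,
 * not NUL-terminated and not padded with 0x00 or 0xFF bytes.
 * Returns 1 if the field is conformant, 0 otherwise. */
int pkcs11_field_space_padded(const unsigned char *field, size_t len)
{
    size_t end = len;
    while (end > 0 && field[end - 1] == ' ')
        end--;                      /* strip the legal trailing padding */
    for (size_t i = 0; i < end; i++) {
        /* 0x00 and 0xFF never occur in valid UTF-8; C0 controls are not text */
        if (field[i] == 0x00 || field[i] == 0xFF || field[i] < 0x20)
            return 0;
    }
    return 1;
}

/* Length of the field's content once trailing space padding is removed. */
size_t pkcs11_field_content_len(const unsigned char *field, size_t len)
{
    while (len > 0 && field[len - 1] == ' ')
        len--;
    return len;
}

/* Percent-encode a field value for an RFC 7512 "pkcs11:" URI attribute the
 * way p11tool prints it: RFC 3986 unreserved characters pass through, every
 * other byte (space, NUL, 0xFF, ...) becomes %xx. Uses a static buffer for
 * simplicity; the returned string is valid until the next call. */
const char *pkcs11_uri_encode_field(const unsigned char *field, size_t len)
{
    static char out[3 * CK_MANUFACTURER_LEN + 1];
    static const char hex[] = "0123456789abcdef";
    size_t n = pkcs11_field_content_len(field, len);
    size_t o = 0;
    for (size_t i = 0; i < n && o + 3 < sizeof out; i++) {
        unsigned char c = field[i];
        int unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                         (c >= '0' && c <= '9') || c == '-' || c == '.' ||
                         c == '_' || c == '~';
        if (unreserved) {
            out[o++] = (char)c;
        } else {
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0F];
        }
    }
    out[o] = '\0';
    return out;
}

/* Constructed helper: build a CK_MODEL_LEN-byte model field from text,
 * padded with `pad`. pad = ' ' gives a conformant field; pad = 0x00
 * reproduces what the Akis token in this thread returns. */
void make_model_field(unsigned char out[CK_MODEL_LEN], const char *text, unsigned char pad)
{
    size_t n = strlen(text);
    if (n > CK_MODEL_LEN)
        n = CK_MODEL_LEN;
    memset(out, pad, CK_MODEL_LEN);
    memcpy(out, text, n);
}

int main(void)
{
    unsigned char good[CK_MODEL_LEN], bad[CK_MODEL_LEN];
    make_model_field(good, "AKIS V1.2", ' ');
    make_model_field(bad,  "AKIS V1.2", 0x00);   /* as seen on the Akis token */

    printf("conformant field: padded=%d uri=model=%s\n",
           pkcs11_field_space_padded(good, CK_MODEL_LEN),
           pkcs11_uri_encode_field(good, CK_MODEL_LEN));
    printf("token's field:    padded=%d uri=model=%s\n",
           pkcs11_field_space_padded(bad, CK_MODEL_LEN),
           pkcs11_uri_encode_field(bad, CK_MODEL_LEN));
    return 0;
}
```

The same check applied to the 32-byte manufacturer and token-label fields explains the other two garbled URL components: "TUBITAK-UEKAE" followed by 19 NULs, and "Akis" followed by a NUL, an "A" and 26 bytes of 0xFF, both fail the padding rule and both encode to the runs of %00 and %ff shown in the p11tool output.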