read cert from smart card
David Woodhouse
dwmw2 at infradead.org
Wed Feb 24 05:00:48 PST 2016
On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
> I completely understand what you say now. I wil contact with TUBITAK
> on that why i .
>
> mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32
...
OK, so you have two certificates in your device, and it's given you the
*full* PKCS#11 URI for each of them. Note that you don't have to use
the full URI to specify it — you only need enough to be unique. Which
is why you could specify the token by only its serial number; you
didn't need to include the messy model/manufacturer/token fields too.
Likewise, it looks like you can specify your certificates/keys by only
their label (the object=xxx part), and don't need to specify the ID.
A simple PKCS#11 URI you can use with OpenConnect is either
pkcs11:serial=0036218D34081A32;object=62917107586SIGN0
or
pkcs11:serial=0036218D34081A32;object=62917107586NES0
(Because of the semicolon, make sure you put it in quotes on the
OpenConnect command line).
If you compare with your p11tool output, you'll note that each partial
URI above actually matches one than one object. When OpenConnect
automatically adds ';type=cert' it gets the X.509 certificate, and when
it adds 'type=private' it gets the corresponding private key.
To work out *which* of those two cert+key pairs you need, either just
try each one, or you can inspect the certs by running:
p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
or
p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text
If you are running on Fedora, at this point it is considered a bug for
*any* application which accepts certs in filenames, not to accept the
above PKCS#11 URIs instead of a filename. Please file bugs if you find
any such applications, and Cc me.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse at intel.com Intel Corporation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5691 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20160224/d0e0b514/attachment-0001.bin>
More information about the openconnect-devel
mailing list