read cert from smart card
Mithat Bozkurt
mithatbozkurt at gmail.com
Thu Feb 25 03:39:55 PST 2016
Hello Nikos,
However, I tried the --login parameter; no PIN input appears. The result is the same.
mithat at adige:~$ p11tool -d 4 --export
'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert'--login
Setting log level to 4
|<2>| p11: Initializing module: p11-kit-trust
|<2>| p11: Initializing module: akis
|<2>| p11: Initializing module: gnome-keyring
|<3>| ASSERT: pkcs11.c:503
|<2>| Initializing PKCS #11 modules
|<3>| ASSERT: pkcs11.c:1685
|<3>| ASSERT: pkcs11.c:1824
Error in pkcs11_export:257: The requested data were not available.
BTW, I am getting an e-mail with the subject "Your message to p11-glue
awaits moderator approval" from p11-glue.
Should I remove p11-glue from the recipients, or leave it the same?
2016-02-25 13:25 GMT+02:00 Mithat Bozkurt <mithatbozkurt at gmail.com>:
> mithat at adige:~$ opensc-tool -l
> # Detected readers (pcsc)
> Nr. Card Features Name
> 0 Yes ACS ACR38U-CCID 00 00
>
> mithat at adige:~$ opensc-tool --atr
> Using reader with a card: ACS ACR38U-CCID 00 00
> 3b:9f:96:81:31:fe:45:80:67:55:45:4b:41:45:12:92:31:80:73:b3:a1:80:6a
>
> mithat at adige:~$ opensc-tool --name
> Using reader with a card: ACS ACR38U-CCID 00 00
> Unsupported card
>
> 2016-02-25 10:45 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
>> On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
>>>
>>> I don't understand why I export cert to file. I think device should
>>> block this action because this is my e-signature cert.
>>
>> No, the non-exportable part is the private key. The certificate is
>> public, and declares that anyone who can prove that they have that
>> private key, is whoever is identified as the subject of the
>> certificate.
>>
>> If you go to secure web sites, you can inspect their *certificates* to
>> check who they are. That's kind of the point. What you can't get is
>> their matching private key.
>>
>> And later...
>>
>> On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
>>> Do I need to specify 'type=private' to say 'use my private cert for user
>>> cert'?
>>
>> No, OpenConnect needs to use *both* the certificate and the
>> corresponding private key. It will append ';type=cert' or
>> ';type=private' to the URI you give it, as appropriate. Note that it
>> still isn't *exporting* the private key; it's using it in-place.
>>
>> TBH if OpenSC is supposed to drive this card, I really think you're
>> better off pursuing that approach rather than persisting with the
>> broken proprietary PKCS#11 token.
>>
>> Can you try
>> opensc-tool -l
>> opensc-tool --atr
>> opensc-tool --name
>>
>> as described in the 'Debugging OpenSC' link I gave you?
>>
>> --
>> dwmw2
>>
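
The URI handling David describes (one token URI, with ';type=cert' or ';type=private' appended as appropriate) is sketched below as an added example; it is not OpenConnect's code and not part of the thread. The function names are hypothetical, and the sample URI is the one from the p11tool command in this message.

```python
from urllib.parse import quote, unquote

# Sample input: the URI typed in the p11tool command in this message.
SAMPLE_URI = "pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert"


def split_pkcs11_uri(uri):
    """Return (path attributes, raw query string) of an RFC 7512 URI."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name in attrs:
            raise ValueError(f"malformed or repeated attribute: {part!r}")
        attrs[name] = unquote(value)  # values may be percent-encoded
    return attrs, query


def build_pkcs11_uri(attrs, query=""):
    """Re-serialise attributes, percent-encoding every value."""
    path = ";".join(f"{k}={quote(v, safe='')}" for k, v in attrs.items())
    return "pkcs11:" + path + ("?" + query if query else "")


def cert_and_key_uris(uri):
    """Derive the certificate URI and the private-key URI for one identity.

    Any 'type' the caller supplied is dropped first, so a URI that already
    says type=cert still yields a usable private-key URI. The key URI only
    names the object on the token; the key itself is used in place.
    """
    attrs, query = split_pkcs11_uri(uri)
    attrs.pop("type", None)
    cert = build_pkcs11_uri({**attrs, "type": "cert"}, query)
    key = build_pkcs11_uri({**attrs, "type": "private"}, query)
    return cert, key


if __name__ == "__main__":
    for derived in cert_and_key_uris(SAMPLE_URI):
        print(derived)
```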
More information about the openconnect-devel
mailing list