Openconnect supporting SafeNet eToken 5300
Pavel Gavronsky
kamm555 at hotmail.com
Thu Aug 4 07:50:56 PDT 2022
Hello,
I found some more differences between the SmartCard and USB Token output in the pkcs11-tool test:
# pkcs11-tool --module /usr/lib/pkcs11/libeTPkcs11.so -L
Available slots:
Slot 0 (0x0): Alcor Micro AU9540 00 00
token label : GSTEST
token manufacturer : SafeNet, Inc.
token model : eToken
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 02345aac
pin min/max : 8/20
Slot 1 (0x1): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 01 00
token label : Pavel Gavronsky
token manufacturer : Gemalto
token model : ID Prime MD
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 09E850133ABF3E39
pin min/max : 4/16
Slot 2 (0x2):
(empty)
Slot 3 (0x3):
(empty)
Slot 4 (0x4):
(empty)
Slot 5 (0x5):
(empty)
Slot 6 (0x6):
(empty)
Slot 7 (0x7):
(empty)
pkcs11-tool test for SmartCard - no errors:
# pkcs11-tool --module /usr/lib/pkcs11/libeTPkcs11.so -t --slot 0 --login
Logging in to "GSTEST".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
SHA-1: OK
Signatures (currently only for RSA)
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 0 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 1 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 2 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 3 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 4 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 5 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 6 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 7 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 8 -- can't be used for signature, skipping
couldn't find the corresponding pubkey
testing key 9 () -- can't be used for signature, skipping: can't obtain modulus
Signatures: no private key found in this slot
Verify (currently only for RSA)
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 0 -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 1 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 2 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 3 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 4 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 5 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 6 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 7 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 8 with 1 mechanism -- can't be used to sign/verify, skipping
testing key 9 () with 1 mechanism -- can't find corresponding public key, skipping
Decryption (currently only for RSA)
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 0 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 1 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 2 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 3 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 4 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 5 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 6 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 7 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
testing key 8 -- can't be used to decrypt, skipping
testing key 9 () -- can't find corresponding public key, skipping
No errors
pkcs11-tool test for USB Token - operation aborted:
# pkcs11-tool --module /usr/lib/pkcs11/libeTPkcs11.so -t --slot 1 --login
Logging in to "Pavel Gavronsky".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seems to be OK
Digests:
all 4 digest functions seem to work
SHA-1: OK
Signatures (currently only for RSA)
testing key 0 ()
ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6) <--------------------- problem
Aborting.
I am not sure, but maybe --module /usr/lib/pkcs11/libeTPkcs11.so is not correct for USB Tokens?
Any help?
Regards,
Pavel
From: Pavel Gavronsky <kamm555 at hotmail.com>
Sent: Thursday, August 4, 2022 2:43 PM
To: Dimitri Papadopoulos Orfanos <dimitri.papadopoulos at cea.fr>
Cc: openconnect-devel at lists.infradead.org <openconnect-devel at lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300
Hello, Dimitri,
I would like to renew the thread if possible.
I made several changes/upgrades/etc. and now the picture is a little different. Can you suggest how I can debug this:
Good Example (openconnect using SmartCard, several initial lines):
# /usr/local/sbin/openconnect --protocol=pulse xxx.xxx.xxx.xxx:443/xxx --servercert "pin-sha256:25xxwM=" -c 'pkcs11:model=eToken;serial=02345aac;object=15833D4D0138E8F9' -vvv
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
Using PKCS#11 certificate pkcs11:model=eToken;serial=02345aac;object=15833D4D0138E8F9;type=cert
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Initializing module: opensc-pkcs11
gnutls[2]: p11: Initializing module: softhsm2
gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=eToken;serial=02345aac;object=15833D4D0138E8F9;type=private
PIN required for GSTEST
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02345aac;token=GSTEST;object=15833D4D0138E8F9;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Trying PKCS#11 key URL pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02345aac;token=GSTEST;id=%3Bdfgsdfv96%B1%32%2C%88%52;type=private
gnutls[2]: p11: Login result = ok (0)
Bad Example (openconnect using USB SafeNet eToken 5300, several initial lines):
/usr/local/sbin/openconnect --protocol=pulse xxx.xxx.xxx.xxx:443/xxx --servercert "pin-sha256:25xxwM" -c 'pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available' -vvvv
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available;type=cert
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Initializing module: opensc-pkcs11
gnutls[2]: p11: Initializing module: softhsm2
gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available;type=private
PIN required for Pavel Gavronsky
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
Using PKCS#11 key pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available;type=private
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign]:416
gnutls[3]: ASSERT: ../../lib/privkey.c[privkey_sign_and_hash_data]:1300
Error signing test data with private key: PKCS #11 error. <------------------------------------------------- How can I debug this error?
Loading certificate failed. Aborting.
Failed to complete authentication
Thank you in advance,
Pavel
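A follow-up diagnostic for the CKR_KEY_FUNCTION_NOT_PERMITTED / "PKCS #11 error" signing failures shown in the two runs above, added here as an example and not taken from Pavel's mail or from the OpenConnect or OpenSC projects. It assumes OpenSC's pkcs11-tool, the vendor module path from the mail, the slot number as its only argument and the user PIN in the PIN environment variable; summarize_privkeys, try_sign and diagnose are names chosen for this example.

```shell
# Added diagnostic (not from the mail or OpenConnect/OpenSC): narrows down a
# signing failure such as CKR_KEY_FUNCTION_NOT_PERMITTED by checking what the
# token's private keys declare as usage, and whether a raw single-part RSA-PKCS
# C_Sign works while the hash-and-sign mechanism does not. Assumes OpenSC's
# pkcs11-tool and the vendor module path used in the mail.
MODULE="${MODULE:-/usr/lib/pkcs11/libeTPkcs11.so}"

# Parse `pkcs11-tool -O --type privkey` output (stdin) into one line per key:
# "<id> <sign|nosign> <label>". Pure text processing, usable without a token.
summarize_privkeys() {
    awk '
      function emit() {
        printf "%s %s %s\n", id, ((", " usage ", ") ~ /, sign, / ? "sign" : "nosign"), label
      }
      /^Private Key Object/ { if (id != "") emit(); id = ""; label = ""; usage = "" }
      /^ *label:/ { sub(/^ *label: */, ""); label = $0 }
      /^ *ID:/    { sub(/^ *ID: */, "");    id = $0 }
      /^ *Usage:/ { sub(/^ *Usage: */, ""); usage = $0 }
      END { if (id != "") emit() }'
}

# Sign a constructed 32-byte message with key <id> in <slot>, first as raw
# RSA-PKCS (single-part C_Sign), then with in-token SHA-256 hashing. Which one
# fails shows whether the key forbids signing entirely or only that mechanism.
try_sign() {
    local slot="$1" id="$2" tmp mech rc
    tmp="$(mktemp -d)"
    printf 'constructed 32-byte test message' > "$tmp/msg"
    for mech in RSA-PKCS SHA256-RSA-PKCS; do
        if pkcs11-tool --module "$MODULE" --slot "$slot" --login --pin "${PIN:?export PIN first}" \
               --id "$id" --sign -m "$mech" -i "$tmp/msg" -o "$tmp/sig" >/dev/null 2>&1
        then rc=ok; else rc=FAILED; fi
        printf '  %-18s %s\n' "$mech" "$rc"
    done
    rm -rf "$tmp"
}

# Report for one slot: advertised signing mechanisms, then per-key usage and sign results.
diagnose() {
    local slot="$1" id allow label
    echo "signing mechanisms advertised by slot $slot:"
    pkcs11-tool --module "$MODULE" --slot "$slot" -M | grep -i sign || echo "  (none)"
    pkcs11-tool --module "$MODULE" --slot "$slot" --login --pin "${PIN:?export PIN first}" \
        -O --type privkey | summarize_privkeys |
    while read -r id allow label; do
        echo "key id=$id label='$label' declared usage: $allow"
        try_sign "$slot" "$id"
    done
}
if [ $# -ge 1 ]; then diagnose "$1"; fi
```

Run it as `PIN=... sh diag.sh 1` for the eToken 5300 slot and `... 0` for the smartcard; a key reported as `nosign`, or one where only SHA256-RSA-PKCS fails, points at the token's key attributes or mechanism support rather than at OpenConnect or GnuTLS.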