Openconnect supporting SafeNet eToken 5300
Dimitri Papadopoulos
dimitri.papadopoulos at cea.fr
Tue Jun 21 09:41:27 PDT 2022
Hi,
Is this issue identical to that one filed a year ago?
https://gitlab.com/openconnect/openconnect/-/issues/242
Have you tried a newer version of OpenConnect as suggested in this issue?
Best Regards,
Dimitri
On 21/06/2022 at 16:38, Pavel Gavronsky wrote:
> Hello,
>
> I am using Openconnect with PULSE appliance where the authentication is done by SmartCard (ACS ACR39U ICC Reader). The connection is established without any issue.
> When trying to use SafeNet USB eToken 5300 - there is an error "Loading certificate failed. Aborting. Failed to obtain WebVPN cookie".
>
> $ uname -a
> Linux xxx-xx-A 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
>
> Debugging info (GNUTLS_DEBUG_LEVEL=9):
>
> /usr/sbin/openconnect -V
> OpenConnect version v8.10-2+b1
> Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
> Supported protocols: anyconnect (default), nc, gp, pulse
>
> openconnect --protocol=pulse pdc.xxx.xxx:443/xxxx --servercert "pin-sha256:xxxxcXCTMPxxx" -c 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert' -vvv
> gnutls[2]: Enabled GnuTLS 3.7.1 logging...
> gnutls[2]: getrandom random generator was detected
> gnutls[2]: Intel SSSE3 was detected
> gnutls[2]: Intel AES accelerator was detected
> gnutls[2]: Intel GCM accelerator was detected
> gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
> Attempting to connect to server x.x.x.x:443
> Connected to x.x.x.x:443
> Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=cert
> gnutls[2]: Initializing all PKCS #11 modules
> gnutls[2]: p11: Initializing module: p11-kit-trust
> gnutls[2]: p11: Initializing module: opensc
> gnutls[2]: p11: Initializing module: opensc-pkcs11
> gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> PIN required for xxx
> Enter PIN:
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> gnutls[2]: p11: No login requested.
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private
> gnutls[2]: p11: Login result = ok (0)
> gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
> Error importing PKCS#11 URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=xxxx39;token=xxxxx;id=%B6%Axxxxx19%65%D6%5C%0C%FD%7E;object=PGCert;type=private: The requested data were not available.
> Loading certificate failed. Aborting.
> Failed to obtain WebVPN cookie
>
> pkcs11-tool --module /usr/lib/libeToken.so --list-token-slots
> Available slots:
> Slot 0 (0x0): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 00 00
> token label : xxxx
> token manufacturer : Gemalto
> token model : ID Prime MD
> token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
> hardware version : 0.0
> firmware version : 0.0
> serial num : xxxx39
> pin min/max : 4/16
> Slot 1 (0x1): ACS ACR39U ICC Reader 01 00
> token label : GSTEST01
> token manufacturer : SafeNet, Inc.
> token model : eToken
> token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
> hardware version : 0.0
> firmware version : 0.0
> serial num : xx
> pin min/max : 8/20
>
>
> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 0
> Using slot with ID 0x0
> Logging in to "xxxx".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
> seems to be OK
> Digests:
> all 4 digest functions seem to work
> SHA-1: OK
> Signatures (currently only for RSA)
> testing key 0 ()
> ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
> error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)
> Aborting.
>
>
> pkcs11-tool --module /usr/lib/libeTokenHID.so -v -l -t --slot 1
> Using slot with ID 0x1
> Logging in to "xxxx".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
> seems to be OK
> Digests:
> all 4 digest functions seem to work
> SHA-1: OK
> Signatures (currently only for RSA)
> testing key 0 (No Friendly Name Available)
> ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
> testing signature mechanisms:
> RSA-PKCS: OK
> SHA256-RSA-PKCS: OK
> Verify (currently only for RSA)
> testing key 0 (No Friendly Name Available)
> RSA-PKCS: OK
> Decryption (currently only for RSA)
> testing key 0 (No Friendly Name Available)
> -- mechanism can't be used to decrypt, skipping
> -- mechanism can't be used to decrypt, skipping
> -- mechanism can't be used to decrypt, skipping
> -- mechanism can't be used to decrypt, skipping
> -- mechanism can't be used to decrypt, skipping
> -- mechanism can't be used to decrypt, skipping
> RSA-PKCS: OK
> RSA-PKCS-OAEP: mgf not set, defaulting to MGF1-SHA256
> OAEP parameters: hashAlg=SHA256, mgf=MGF1-SHA256, source_type=0, source_ptr=(nil), source_len=0
> OK
> 1 errors
>
>
> Any ideas?
>
> Thank you in advance,
> Pavel
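Added example, not code from the thread or from OpenConnect: a small Python check of the step visible in the log above, where the certificate URI (type=cert) is rewritten to a private-key URI (type=private) and the token must expose a private key with the same CKA_ID, or GnuTLS reports "The requested data were not available". The URI and token object lists below are constructed, with a made-up id.

```python
"""Parse RFC 7512 PKCS#11 URIs and check that a certificate URI has a
matching private-key object, mirroring the cert -> private rewrite that
OpenConnect performs when loading a PKCS#11 certificate."""
from typing import Optional
from urllib.parse import unquote_to_bytes

UNRESERVED = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 b"0123456789-._~")


def parse_pkcs11_uri(uri: str) -> dict:
    """Return the path attributes of a pkcs11: URI, percent-decoded to bytes.
    CKA_ID is binary, so it must not be decoded as text. Query attributes
    (e.g. pin-value) are ignored here."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        attrs[key] = unquote_to_bytes(value)
    return attrs


def _pct_encode(value: bytes) -> str:
    return "".join(chr(b) if b in UNRESERVED else "%%%02X" % b for b in value)


def build_pkcs11_uri(attrs: dict) -> str:
    return "pkcs11:" + ";".join(f"{k}={_pct_encode(v)}" for k, v in attrs.items())


def private_key_uri_for(cert_uri: str) -> str:
    """Derive the private-key URI that is tried after the certificate loads."""
    attrs = parse_pkcs11_uri(cert_uri)
    attrs["type"] = b"private"
    return build_pkcs11_uri(attrs)


def find_private_key(cert_uri: str, objects: list) -> Optional[dict]:
    """objects: token objects as dicts with class, id (CKA_ID bytes) and label,
    as enumerated after login. Returns the private key whose CKA_ID equals the
    certificate URI's id, or None when no such key is visible."""
    want = parse_pkcs11_uri(cert_uri).get("id")
    for obj in objects:
        if obj["class"] == "private" and obj["id"] == want:
            return obj
    return None


# Constructed sample: the URI shape from the report, with a made-up id.
CERT_URI = ("pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=0000;"
            "token=mytoken;id=%B6%A1%19%65%D6;object=PGCert;type=cert")
# Constructed token contents: one token whose key CKA_ID matches, one whose does not.
GOOD_TOKEN = [{"class": "cert", "id": b"\xb6\xa1\x19e\xd6", "label": "PGCert"},
              {"class": "private", "id": b"\xb6\xa1\x19e\xd6", "label": "PGCert"}]
BAD_TOKEN = [{"class": "cert", "id": b"\xb6\xa1\x19e\xd6", "label": "PGCert"},
             {"class": "private", "id": b"\x01", "label": "PGCert"}]
```

A None result from find_private_key on the objects a module actually enumerates after login is the condition worth checking first; the report's pkcs11-tool output also shows that only the vendor module (libeToken.so) was tested, while OpenConnect's log shows GnuTLS loading opensc-pkcs11, so the same check should be run through whichever module GnuTLS will use.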