read cert from smart card

David Woodhouse dwmw2 at infradead.org
Wed Feb 24 14:11:23 UTC 2016


Try those URIs with OpenConnect anyway.


--
Apologies for HTML and top-posting; Android mailer is broken.

-------- Original message --------
From: Mithat Bozkurt <mithatbozkurt at gmail.com>
Date: 24/02/2016 13:19 (GMT+00:00)
To: David Woodhouse <dwmw2 at infradead.org>
Cc: p11-glue at lists.freedesktop.org, openconnect-devel at lists.infradead.org
Subject: Re: read cert from smart card
I am running on ubuntu

mithat at adige:/etc/pkcs11/modules$  p11tool --export
'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' |
openssl x509 -noout -text
Error in pkcs11_export:257: The requested data were not available.
unable to load certificate
139988361840272:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

mithat at adige:/etc/pkcs11/modules$ p11tool --export
'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' |
openssl x509 -noout -text
Error in pkcs11_export:257: The requested data were not available.
unable to load certificate
140102225475216:error:0906D06C:PEM routines:PEM_read_bio:no start
line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE



2016-02-24 15:00 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
>> I completely understand what you say now. I will contact TUBITAK
>> on that why i  .
>>
>> mithat at adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32
>
> ...
>
> OK, so you have two certificates in your device, and it's given you the
> *full* PKCS#11 URI for each of them. Note that you don't have to use
> the full URI to specify it — you only need enough to be unique. Which
> is why you could specify the token by only its serial number; you
> didn't need to include the messy model/manufacturer/token fields too.
>
> Likewise, it looks like you can specify your certificates/keys by only
> their label (the object=xxx part), and don't need to specify the ID.
>
> A simple PKCS#11 URI you can use with OpenConnect is either
>  pkcs11:serial=0036218D34081A32;object=62917107586SIGN0
> or
>  pkcs11:serial=0036218D34081A32;object=62917107586NES0
>
> (Because of the semicolon, make sure you put it in quotes on the
> OpenConnect command line).
>
> If you compare with your p11tool output, you'll note that each partial
> URI above actually matches more than one object. When OpenConnect
> automatically adds ';type=cert' it gets the X.509 certificate, and when
> it adds 'type=private' it gets the corresponding private key.
>
> To work out *which* of those two cert+key pairs you need, either just
> try each one, or you can inspect the certs by running:
>
>  p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
> or
>  p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text
>
>
> If you are running on Fedora, at this point it is considered a bug for
> *any* application which accepts certs in filenames, not to accept the
> above PKCS#11 URIs instead of a filename. Please file bugs if you find
> any such applications, and Cc me.
>
> --
> David Woodhouse                            Open Source Technology Centre
> David.Woodhouse at intel.com                              Intel Corporation
>

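The partial-URI matching David describes above, as an added Python example that is not part of this thread, of OpenConnect or of p11-kit: a minimal RFC 7512 path-attribute parser plus the "append ;type=cert, then ;type=private" step, run against a constructed object inventory. The serial and the two object labels are the ones from the thread; the model, manufacturer, token and id values are placeholders.

```python
from urllib.parse import unquote

# Constructed inventory standing in for the elided "p11tool --list-all --login"
# output. Serial and labels come from the thread; model/manufacturer/token/id
# are invented placeholders.
TOKEN = ("pkcs11:model=EXAMPLE-MODEL;manufacturer=EXAMPLE-MFG"
         ";serial=0036218D34081A32;token=EXAMPLE-TOKEN")
OBJECTS = [
    TOKEN + ";id=%01;object=62917107586SIGN0;type=cert",
    TOKEN + ";id=%01;object=62917107586SIGN0;type=private",
    TOKEN + ";id=%02;object=62917107586NES0;type=cert",
    TOKEN + ";id=%02;object=62917107586NES0;type=private",
]


def parse_pkcs11_uri(uri: str) -> dict:
    """Split the path part of an RFC 7512 URI into attributes (query part ignored)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for item in path.split(";"):
        if not item:
            continue
        name, _, value = item.partition("=")
        if name in attrs:
            raise ValueError(f"duplicate attribute {name!r}")
        attrs[name] = unquote(value)  # 'id' values are percent-encoded bytes
    return attrs


def uri_matches(query: str, candidate: str) -> bool:
    """A URI matches an object when every attribute it names agrees with the object's full URI."""
    q, c = parse_pkcs11_uri(query), parse_pkcs11_uri(candidate)
    return all(c.get(k) == v for k, v in q.items())


def find_objects(query: str, inventory=OBJECTS) -> list:
    return [obj for obj in inventory if uri_matches(query, obj)]


def resolve_cert_and_key(user_uri: str, inventory=OBJECTS) -> tuple:
    """Append ';type=cert' then ';type=private' to the user's partial URI, as the
    thread says OpenConnect does; each must identify exactly one object."""
    found = []
    for obj_type in ("cert", "private"):
        hits = find_objects(f"{user_uri};type={obj_type}", inventory)
        if len(hits) != 1:
            raise LookupError(f"{user_uri};type={obj_type} matched {len(hits)} objects")
        found.append(hits[0])
    return tuple(found)
```

With the serial alone, both label pairs still match, so resolve_cert_and_key() refuses the ambiguous URI; adding object= makes the cert and key unique.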
_______________________________________________
openconnect-devel mailing list
openconnect-devel at lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel