read cert from smart card

David Woodhouse dwmw2 at infradead.org
Wed Feb 24 15:49:12 UTC 2016


On Wed, 2016-02-24 at 15:19 +0200, Mithat Bozkurt wrote:
> I am running on ubuntu
> 
> mithat at adige:/etc/pkcs11/modules$  p11tool --export
> 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' |
> openssl x509 -noout -text
> Error in pkcs11_export:257: The requested data were not available.
> unable to load certificate

That's odd. After p11tool --list-all showed that object:

Object 0:
URL: pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial=0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff;id=%fd%90%0c%3b%c4%20%b0%b4%39%f7%1e%fa%02%ef%df%45%50%91%8f%c4;object=62917107586SIGN0;type=cert
Type: X.509 Certificate
Label: 62917107586SIGN0
ID: fd:90:0c:3b:c4:20:b0:b4:39:f7:1e:fa:02:ef:df:45:50:91:8f:c4

... I did kind of expect that 'p11tool --export' would also find it.
Can you try with the *full* URI as cited above, with none of the fields
elided?

Also, just *try* it with OpenConnect (either the simplified or the full
versions, albeit without the ;type= part). It might work there even if
p11tool is being recalcitrant.

-- 
dwmw2
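
An added example (not part of the original message, and not p11tool or OpenConnect code): Python that splits the full URI from the --list-all output above into its RFC 7512 attributes, lists the token-info fields whose decoded bytes are not printable ASCII, and rebuilds the two shortened URIs the thread discusses. The function names are hypothetical.

```python
from urllib.parse import quote, unquote_to_bytes

# Full URI as printed by `p11tool --list-all` in the message above.
FULL_URI = (
    "pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;"
    "manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;"
    "serial=0036218D34081A32;"
    "token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff;"
    "id=%fd%90%0c%3b%c4%20%b0%b4%39%f7%1e%fa%02%ef%df%45%50%91%8f%c4;"
    "object=62917107586SIGN0;type=cert"
)

def parse_pkcs11_uri(uri):
    """Return {attribute: decoded bytes} for the path part of an RFC 7512 URI."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    # Drop any query part (after '?'), then split the path on ';'.
    for comp in filter(None, rest.split("?", 1)[0].split(";")):
        name, sep, value = comp.partition("=")
        if not sep:
            raise ValueError(f"attribute without value: {comp!r}")
        attrs[name] = unquote_to_bytes(value)
    return attrs

def nonprintable_token_fields(attrs):
    """Token-info fields holding bytes outside printable ASCII.

    PKCS#11 defines these fixed-width fields as blank-padded text, so NUL or
    0xff bytes in them stand out when the URI is decoded.
    """
    fields = ("model", "manufacturer", "serial", "token")
    return [f for f in fields
            if any(b < 0x20 or b > 0x7E for b in attrs.get(f, b""))]

def build_uri(attrs, keep):
    """Rebuild a URI from the selected attributes, percent-encoding each value."""
    return "pkcs11:" + ";".join(
        f"{k}={quote(attrs[k], safe='')}" for k in keep if k in attrs)

if __name__ == "__main__":
    attrs = parse_pkcs11_uri(FULL_URI)
    for name, value in attrs.items():
        print(f"{name:12} {len(value):2} bytes  {value!r}")
    print("non-printable:", nonprintable_token_fields(attrs))
    print("p11tool form:    ", build_uri(attrs, ("serial", "object", "type")))
    print("OpenConnect form:", build_uri(attrs, ("serial", "object")))
```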
