<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>Try those URIs with OpenConnect anyway.</div><div id="composer_signature">-- <div>Apologies for HTML and top-posting; Android mailer is broken.</div></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: Mithat Bozkurt &lt;mithatbozkurt@gmail.com&gt; </div><div>Date: 24/02/2016 13:19 (GMT+00:00) </div><div>To: David Woodhouse &lt;dwmw2@infradead.org&gt; </div><div>Cc: p11-glue@lists.freedesktop.org, openconnect-devel@lists.infradead.org </div><div>Subject: Re: read cert from smart card </div><div><br></div></div>I am running on Ubuntu<br><br>mithat@adige:/etc/pkcs11/modules$ p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text<br>Error in pkcs11_export:257: The requested data were not available.<br>unable to load certificate<br>139988361840272:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE<br><br>mithat@adige:/etc/pkcs11/modules$ p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text<br>Error in pkcs11_export:257: The requested data were not available.<br>unable to load certificate<br>140102225475216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE<br><br>2016-02-24 15:00 GMT+02:00 David Woodhouse &lt;dwmw2@infradead.org&gt;:<br>> On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:<br>>> I completely understand what you say now. 
I will contact TUBITAK<br>>> on that why I .<br>>><br>>> mithat@adige:/etc/pkcs11/modules$ p11tool --list-all --login pkcs11:serial=0036218D34081A32<br>><br>> ...<br>><br>> OK, so you have two certificates in your device, and it's given you the<br>> *full* PKCS#11 URI for each of them. Note that you don't have to use<br>> the full URI to specify it — you only need enough to be unique. Which<br>> is why you could specify the token by only its serial number; you<br>> didn't need to include the messy model/manufacturer/token fields too.<br>><br>> Likewise, it looks like you can specify your certificates/keys by only<br>> their label (the object=xxx part), and don't need to specify the ID.<br>><br>> A simple PKCS#11 URI you can use with OpenConnect is either<br>> pkcs11:serial=0036218D34081A32;object=62917107586SIGN0<br>> or<br>> pkcs11:serial=0036218D34081A32;object=62917107586NES0<br>><br>> (Because of the semicolon, make sure you put it in quotes on the<br>> OpenConnect command line).<br>><br>> If you compare with your p11tool output, you'll note that each partial<br>> URI above actually matches more than one object. When OpenConnect<br>> automatically adds ';type=cert' it gets the X.509 certificate, and when<br>> it adds 'type=private' it gets the corresponding private key.<br>><br>> To work out *which* of those two cert+key pairs you need, either just<br>> try each one, or you can inspect the certs by running:<br>><br>> p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text<br>> or<br>> p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text<br>><br>><br>> If you are running on Fedora, at this point it is considered a bug for<br>> *any* application which accepts certs in filenames, not to accept the<br>> above PKCS#11 URIs instead of a filename. 
Please file bugs if you find<br>> any such applications, and Cc me.<br>><br>> --<br>> David Woodhouse Open Source Technology Centre<br>> David.Woodhouse@intel.com Intel Corporation<br>><br><br>_______________________________________________<br>openconnect-devel mailing list<br>openconnect-devel@lists.infradead.org<br>http://lists.infradead.org/mailman/listinfo/openconnect-devel<br></body></html>
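A worked check of the partial-URI matching David describes in the quoted reply (an added example, not code from the thread or from OpenConnect or p11tool): it parses pkcs11: URIs, treats omitted attributes as wildcards, appends ;type=cert / ;type=private the way OpenConnect does, and refuses to proceed while a URI still matches more than one object. The inventory is constructed: the serial and object labels are the ones from the thread, while the model, manufacturer, token and id values are placeholders.

```python
from urllib.parse import unquote

def parse_pkcs11_uri(uri):
    """Path attributes of a pkcs11: URI (RFC 7512). The query part after
    '?' (pin-value, module-path, ...) only configures access; drop it."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI: %r" % uri)
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for comp in path.split(";"):
        if not comp:
            continue
        key, sep, val = comp.partition("=")
        if not sep or key in attrs:
            raise ValueError("bad or repeated attribute: %r" % comp)
        attrs[key] = unquote(val)  # values may be percent-encoded
    return attrs

def uri_matches(partial, full):
    """True if every attribute present in 'partial' agrees with 'full'.
    Omitted attributes are wildcards, which is why the serial alone was
    enough to select the token in the thread."""
    want, have = parse_pkcs11_uri(partial), parse_pkcs11_uri(full)
    return all(have.get(k) == v for k, v in want.items())

def with_type(partial, obj_type):
    """Append ;type=cert or ;type=private, as OpenConnect does."""
    if "type" in parse_pkcs11_uri(partial):
        raise ValueError("URI already carries a type attribute")
    return partial + ";type=" + obj_type

def resolve_unique(partial, inventory):
    """Return the one inventory URI matching 'partial', or raise:
    an ambiguous URI could silently select the wrong object."""
    hits = [u for u in inventory if uri_matches(partial, u)]
    if len(hits) != 1:
        raise LookupError("%d objects match %s" % (len(hits), partial))
    return hits[0]

# Constructed token inventory modelled on the thread: serial and object
# labels come from the p11tool output; model, manufacturer, token and id
# are placeholders, since the real values are not quoted on the page.
TOKEN = ("pkcs11:model=PLACEHOLDER-MODEL;manufacturer=PLACEHOLDER-MFR;"
         "serial=0036218D34081A32;token=PLACEHOLDER-TOKEN")
INVENTORY = [
    TOKEN + ";id=%01;object=62917107586SIGN0;type=cert",
    TOKEN + ";id=%01;object=62917107586SIGN0;type=private",
    TOKEN + ";id=%02;object=62917107586NES0;type=cert",
    TOKEN + ";id=%02;object=62917107586NES0;type=private",
]
```

Run `resolve_unique(with_type("pkcs11:serial=0036218D34081A32;object=62917107586SIGN0", "cert"), INVENTORY)` to see the cert/key pair collapse to a single object once the type is added.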