Hello, I found some more differences between the SmartCard and USB Token output in the pkcs11-tool test:

# pkcs11-tool --module /usr/lib/pkcs11/libeTPkcs11.so -L
Available slots:
Slot 0 (0x0): Alcor Micro AU9540 00 00
  token label        : GSTEST
  token manufacturer : SafeNet, Inc.
  token model        : eToken
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 02345aac
  pin min/max        : 8/20
Slot 1 (0x1): SafeNet eToken 5300 [eToken 5300] (FFFFFFFFFFFF) 01 00
  token label        : Pavel Gavronsky
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 09E850133ABF3E39
  pin min/max        : 4/16
Slot 2 (0x2): (empty)
Slot 3 (0x3): (empty)
Slot 4 (0x4): (empty)
Slot 5 (0x5): (empty)
Slot 6 (0x6): (empty)
Slot 7 (0x7): (empty)

pkcs11-tool test for SmartCard - no errors:

# pkcs11-tool --module /usr/lib/pkcs11/libeTPkcs11.so -t --slot 0 --login
Logging in to "GSTEST".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 0 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 1 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 2 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 3 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 4 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 5 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 6 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 7 -- can't be used for signature, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 8 -- can't be used for signature, skipping
couldn't find the corresponding pubkey
  testing key 9 () -- can't be used for signature, skipping: can't obtain modulus
Signatures: no private key found in this slot
Verify (currently only for RSA)
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 0 -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 1 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 2 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 3 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 4 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 5 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 6 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 7 with 1 mechanism -- can't be used to sign/verify, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(SIGN) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 8 with 1 mechanism -- can't be used to sign/verify, skipping
  testing key 9 () with 1 mechanism -- can't find corresponding public key, skipping
Decryption (currently only for RSA)
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 0 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 1 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 2 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 3 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 4 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 5 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 6 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 7 -- can't be used to decrypt, skipping
warning: PKCS11 function C_GetAttributeValue(LABEL) failed: rv = CKR_GENERAL_ERROR (0x5)
warning: PKCS11 function C_GetAttributeValue(DECRYPT) failed: rv = CKR_GENERAL_ERROR (0x5)
  testing key 8 -- can't be used to decrypt, skipping
  testing key 9 () -- can't find corresponding public key, skipping
No errors

pkcs11-tool test for USB Token - operation aborted:

# pkcs11-tool --module /usr/lib/pkcs11/libeTPkcs11.so -t --slot 1 --login
Logging in to "Pavel Gavronsky".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seems to be OK
Digests:
  all 4 digest functions seem to work
  SHA-1: OK
Signatures (currently only for RSA)
  testing key 0 ()
ERR: C_SignUpdate failed: CKR_KEY_FUNCTION_NOT_PERMITTED (0x68)
error: PKCS11 function C_Sign failed: rv = CKR_FUNCTION_FAILED (0x6)   <--------------------- problem
Aborting.

I am not sure, but maybe --module /usr/lib/pkcs11/libeTPkcs11.so is not correct for USB Tokens?

Any help?

Regards,
Pavel

From: Pavel Gavronsky <kamm...@hotmail.com>
Sent: Thursday, August 4, 2022 2:43 PM
To: Dimitri Papadopoulos Orfanos <dimitri.papadopou...@cea.fr>
Cc: openconnect-devel@lists.infradead.org <openconnect-devel@lists.infradead.org>
Subject: Re: Openconnect supporting SafeNet eToken 5300

Hello, Dimitri,

I would like to renew the thread if possible. I made several changes/upgrades/etc. and now the picture is a little different. Can you suggest how I can debug this?

Good Example (openconnect using SmartCard, several initial lines):

# /usr/local/sbin/openconnect --protocol=pulse xxx.xxx.xxx.xxx:443/xxx --servercert "pin-sha256:25xxwM=" -c 'pkcs11:model=eToken;serial=02345aac;object=15833D4D0138E8F9' -vvv
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
Using PKCS#11 certificate pkcs11:model=eToken;serial=02345aac;object=15833D4D0138E8F9;type=cert
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Initializing module: opensc-pkcs11
gnutls[2]: p11: Initializing module: softhsm2
gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=eToken;serial=02345aac;object=15833D4D0138E8F9;type=private
PIN required for GSTEST
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02345aac;token=GSTEST;object=15833D4D0138E8F9;type=private
gnutls[2]: p11: Login result = ok (0)
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
Trying PKCS#11 key URL pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02345aac;token=GSTEST;id=%3Bdfgsdfv96%B1%32%2C%88%52;type=private
gnutls[2]: p11: Login result = ok (0)

Bad Example (openconnect using USB SafeNet eToken 5300, several initial lines):

/usr/local/sbin/openconnect --protocol=pulse xxx.xxx.xxx.xxx:443/xxx --servercert "pin-sha256:25xxwM" -c 'pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available' -vvvv
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: unable to access: /etc/gnutls/config: 2
Attempting to connect to server xxx.xxx.xxx.xxx:443
Connected to xxx.xxx.xxx.xxx:443
Using PKCS#11 certificate pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available;type=cert
gnutls[2]: Initializing all PKCS #11 modules
gnutls[2]: p11: Initializing module: p11-kit-trust
gnutls[2]: p11: Initializing module: opensc
gnutls[2]: p11: Initializing module: opensc-pkcs11
gnutls[2]: p11: Initializing module: softhsm2
gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
gnutls[2]: p11: No login requested.
Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available;type=private
PIN required for Pavel Gavronsky
Enter PIN:
gnutls[2]: p11: Login result = ok (0)
Using PKCS#11 key pkcs11:model=ID%20Prime%20MD;serial=09E850133ABF3E39;object=No%20Friendly%20Name%20Available;type=private
gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign]:416
gnutls[3]: ASSERT: ../../lib/privkey.c[privkey_sign_and_hash_data]:1300
Error signing test data with private key: PKCS #11 error.   <------------------------------------------------- How can I debug this error?
Loading certificate failed.
Aborting.
Failed to complete authentication

Thank you in advance,
Pavel

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
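One way to narrow down the failures reported in this thread (the C_GetAttributeValue warnings on the smartcard and the C_SignUpdate / C_Sign refusal on the eToken 5300) is to read each private key's usage attributes directly and attempt the single-part C_Sign that GnuTLS issues. This is an added diagnostic, not code from the thread or from openconnect; it assumes the PyKCS11 Python package, and the module path, slot number and PIN are supplied by the caller.

```python
# Added diagnostic (not from the thread): read each private key's usage attributes and
# try the single-part C_Sign that GnuTLS issues. Assumes the PyKCS11 package is installed.

def explain_key(attrs):
    """attrs: CKA_SIGN, CKA_DECRYPT, CKA_ALWAYS_AUTHENTICATE (bools) and 'sign_error'
    (CKR name or None), or only 'attr_error' when C_GetAttributeValue itself failed."""
    if "attr_error" in attrs:
        return [f"C_GetAttributeValue failed ({attrs['attr_error']}); this is the "
                "call behind pkcs11-tool's LABEL/SIGN warnings"]
    findings = []
    if not attrs["CKA_SIGN"]:
        findings.append("CKA_SIGN is false: the token forbids signing with this key, "
                        "which is what CKR_KEY_FUNCTION_NOT_PERMITTED means")
        if attrs["CKA_DECRYPT"]:
            findings.append("key is decrypt-only; pick another object= in the pkcs11: URL")
    if attrs["CKA_ALWAYS_AUTHENTICATE"]:
        findings.append("CKA_ALWAYS_AUTHENTICATE set: every C_SignInit needs a "
                        "CKU_CONTEXT_SPECIFIC login before C_Sign")
    if attrs.get("sign_error"):
        findings.append(f"single-part C_Sign failed: {attrs['sign_error']}")
    elif attrs["CKA_SIGN"]:
        findings.append("single-part C_Sign works; a remaining pkcs11-tool -t failure is multi-part only")
    return findings

def probe_slot(module_path, slot, pin):
    """Run the probe against a real token (vendor module path, slot number, user PIN)."""
    import PyKCS11  # lazy import so explain_key() is usable without a token
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)  # e.g. /usr/lib/pkcs11/libeTPkcs11.so from the thread
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    session.login(pin)
    report = {}
    for i, key in enumerate(session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)])):
        try:
            label, sign, decrypt, always = session.getAttributeValue(
                key, [PyKCS11.CKA_LABEL, PyKCS11.CKA_SIGN,
                      PyKCS11.CKA_DECRYPT, PyKCS11.CKA_ALWAYS_AUTHENTICATE])
        except PyKCS11.PyKCS11Error as e:
            report[f"key {i}"] = explain_key({"attr_error": PyKCS11.CKR.get(e.value, hex(e.value))})
            continue
        attrs = {"CKA_SIGN": bool(sign), "CKA_DECRYPT": bool(decrypt),
                 "CKA_ALWAYS_AUTHENTICATE": bool(always), "sign_error": None}
        try:  # CKM_SHA256_RSA_PKCS hashes on the token, so any input is fine
            session.sign(key, b"test data", PyKCS11.Mechanism(PyKCS11.CKM_SHA256_RSA_PKCS))
        except PyKCS11.PyKCS11Error as e:
            attrs["sign_error"] = PyKCS11.CKR.get(e.value, hex(e.value))
        report[f"key {i} ({label})"] = explain_key(attrs)
    session.logout()
    session.closeSession()
    return report
```

Call probe_slot("/usr/lib/pkcs11/libeTPkcs11.so", 1, pin) for the eToken 5300 slot from the listing above and compare the per-key findings with those from slot 0.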