Try those URIs with OpenConnect anyway.
--
Apologies for HTML and top-posting; Android mailer is broken.

-------- Original message --------
From: Mithat Bozkurt <mithatbozk...@gmail.com>
Date: 24/02/2016 13:19 (GMT+00:00)
To: David Woodhouse <dw...@infradead.org>
Cc: p11-glue@lists.freedesktop.org, openconnect-de...@lists.infradead.org
Subject: Re: read cert from smart card

I am running on Ubuntu

mithat@adige:/etc/pkcs11/modules$ p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text
Error in pkcs11_export:257: The requested data were not available.
unable to load certificate
139988361840272:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

mithat@adige:/etc/pkcs11/modules$ p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
Error in pkcs11_export:257: The requested data were not available.
unable to load certificate
140102225475216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

2016-02-24 15:00 GMT+02:00 David Woodhouse <dw...@infradead.org>:
> On Wed, 2016-02-24 at 14:39 +0200, Mithat Bozkurt wrote:
>> I completely understand what you say now. I will contact TUBITAK
>> on that why i .
>>
>> mithat@adige:/etc/pkcs11/modules$ p11tool --list-all --login
>> pkcs11:serial=0036218D34081A32
>
> ...
>
> OK, so you have two certificates in your device, and it's given you the
> *full* PKCS#11 URI for each of them. Note that you don't have to use
> the full URI to specify it — you only need enough to be unique. Which
> is why you could specify the token by only its serial number; you
> didn't need to include the messy model/manufacturer/token fields too.
>
> Likewise, it looks like you can specify your certificates/keys by only
> their label (the object=xxx part), and don't need to specify the ID.
>
> A simple PKCS#11 URI you can use with OpenConnect is either
> pkcs11:serial=0036218D34081A32;object=62917107586SIGN0
> or
> pkcs11:serial=0036218D34081A32;object=62917107586NES0
>
> (Because of the semicolon, make sure you put it in quotes on the
> OpenConnect command line).
>
> If you compare with your p11tool output, you'll note that each partial
> URI above actually matches more than one object. When OpenConnect
> automatically adds ';type=cert' it gets the X.509 certificate, and when
> it adds 'type=private' it gets the corresponding private key.
>
> To work out *which* of those two cert+key pairs you need, either just
> try each one, or you can inspect the certs by running:
>
> p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586NES0;type=cert' | openssl x509 -noout -text
> or
> p11tool --export 'pkcs11:serial=0036218D34081A32;object=62917107586SIGN0;type=cert' | openssl x509 -noout -text
>
>
> If you are running on Fedora, at this point it is considered a bug for
> *any* application which accepts certs in filenames, not to accept the
> above PKCS#11 URIs instead of a filename. Please file bugs if you find
> any such applications, and Cc me.
>
> --
> David Woodhouse                            Open Source Technology Centre
> david.woodho...@intel.com                              Intel Corporation
>
> _______________________________________________
> openconnect-devel mailing list
> openconnect-de...@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/openconnect-devel
_______________________________________________
p11-glue mailing list
p11-glue@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/p11-glue
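The matching rule David describes in the quoted message (a partial PKCS#11 URI only needs enough attributes to be unique, and OpenConnect qualifies it with ';type=cert' and ';type=private'), as an added example that is not from the thread, from OpenConnect or from p11-kit: a small RFC 7512-style matcher in Python over constructed token contents that reuse the serial and the two labels from the thread as sample data; the function names are my own.

```python
# Added example, not from the thread: a minimal RFC 7512 PKCS#11 URI matcher
# that shows why a partial URI such as 'pkcs11:serial=...;object=...' matches
# both the certificate and the private key, and how appending ';type=cert' or
# ';type=private' (as OpenConnect does) narrows it to exactly one object.
from urllib.parse import unquote

def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the path attributes of a pkcs11: URI into a name -> value dict
    (path part only, which is all the thread's URIs use; values are %-decoded)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in uri[len("pkcs11:"):].split("?", 1)[0].split(";"):
        if part:
            name, _, value = part.partition("=")
            attrs[name] = unquote(value)
    return attrs

def matches(uri_attrs: dict, obj: dict) -> bool:
    """An object matches when every attribute the URI names equals the
    object's value; attributes the URI omits are unconstrained."""
    return all(obj.get(k) == v for k, v in uri_attrs.items())

def select(uri: str, objects: list) -> list:
    """Return every object on the token that the (possibly partial) URI matches."""
    return [o for o in objects if matches(parse_pkcs11_uri(uri), o)]

# Constructed token contents modelled on the thread: one token (by serial)
# holding two cert+key pairs, each pair sharing a label (the 'object' attribute).
SERIAL = "0036218D34081A32"
TOKEN_OBJECTS = [
    {"serial": SERIAL, "object": "62917107586SIGN0", "type": "cert"},
    {"serial": SERIAL, "object": "62917107586SIGN0", "type": "private"},
    {"serial": SERIAL, "object": "62917107586NES0", "type": "cert"},
    {"serial": SERIAL, "object": "62917107586NES0", "type": "private"},
]

def openconnect_pair(uri: str, objects: list = TOKEN_OBJECTS) -> tuple:
    """Mimic the behaviour described in the thread: qualify the user's URI
    with ';type=cert' for the certificate and ';type=private' for the key.
    Returns (cert, key); raises LookupError if either lookup is not unique."""
    pair = []
    for t in ("cert", "private"):
        hits = select(f"{uri};type={t}", objects)
        if len(hits) != 1:
            raise LookupError(f"{len(hits)} objects match type={t}: URI not unique")
        pair.append(hits[0])
    return tuple(pair)
```

Feeding it only the serial shows the failure mode the thread warns about: both labels match, so neither the cert nor the key lookup is unique and the pair cannot be selected.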