Coolkey use problems on Fedora 14 (no token available), please help.


 



Hi,


I haven't had much response to my previous posting "Coolkey use problems on opensuse 11.3 with latest coolkey & opensc packages", so here's another try.
I use ActivIdentity's Activkey Sim usb stick.

I switched to Fedora 14 to try my luck there but I still can't make pkcs11_inspect nor pkcs11_listcerts work. All I get is "no token available".

On an older system with Opensuse 11.0 (coolkey-1.1.0-79.1, pam_pkcs11-0.6.0-93.1) I am prompted for the device's password and get this:

[root@gz pam_pkcs11]# pkcs11_inspect debug
DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:94: Error parsing file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:298: argument pkcs11_listcerts is not supported by this module
DEBUG:pkcs11_lib.c:118: Initializing NSS ...
DEBUG:pkcs11_lib.c:128: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:146: ... NSS Complete
DEBUG:pkcs11_listcerts.c:64: loading pkcs #11 module...
DEBUG:pkcs11_listcerts.c:72: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:47: PIN = [xxxxxxxx]
DEBUG:pkcs11_lib.c:528: cert 0: found (Guy Zelck:CAC ID Certificate), "E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company"
DEBUG:pkcs11_listcerts.c:112: Found '1' certificate(s)
DEBUG:pkcs11_listcerts.c:117: Certificate #1:
DEBUG:pkcs11_listcerts.c:119: - Subject:   E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company
DEBUG:pkcs11_listcerts.c:121: - Issuer:    CN=Hewlett-Packard Primary Class 2 Certification Authority,O=Hewlett-Packard Company,C=US,OU=IT Infrastructure,O=hp.com
DEBUG:pkcs11_listcerts.c:123: - Algorithm: PKCS #1 RSA Encryption
DEBUG:cert_vfy.c:32: Verifying Cert: Guy Zelck:CAC ID Certificate (E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company)
DEBUG:pkcs11_listcerts.c:147: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:150: Process completed

On Fedora 14 I never get the prompt:
[root@gz pam_pkcs11]# pkcs11_inspect debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x8f556f0 next = 0x8f63fa8
DEBUG:pkcs11_lib.c:226: dllName= <null>
DEBUG:pkcs11_lib.c:225: modList = 0x8f63fa8 next = 0x0
DEBUG:pkcs11_lib.c:226: dllName= /usr/lib/libcoolkeypk11.so
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_inspect.c:95: no token available



The coolkey log:

[root@gz pam_pkcs11]# cat /tmp/coolkey.txt
Initialize called, hello 5
C_GetInfo called
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 0 ms
time connnect: Begin transaction 0 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 68 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 60700 ms
CAC Cert 0: Cert has been read: 60700 ms
CAC Cert 0: Cert has been uncompressed: 60700 ms
CAC Cert 1: select CAC applet: 72 ms
Connection Error = 0x0
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 0 ms
time connnect: Begin transaction 0 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 68 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 639 ms
CAC Cert 0: Cert has been read: 639 ms
CAC Cert 0: Cert has been uncompressed: 639 ms
CAC Cert 1: select CAC applet: 70 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 67 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 639 ms
CAC Cert 0: Cert has been read: 639 ms
CAC Cert 0: Cert has been uncompressed: 639 ms
CAC Cert 1: select CAC applet: 71 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 1 ms
time connect: Read Slot 1 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 68 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 639 ms
CAC Cert 0: Cert has been read: 639 ms
CAC Cert 0: Cert has been uncompressed: 639 ms
CAC Cert 1: select CAC applet: 72 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 67 ms
CAC Cert 0: fetch CAC Cert: 145 ms
CAC Cert 0: Fetch rest : 635 ms
CAC Cert 0: Cert has been read: 635 ms
CAC Cert 0: Cert has been uncompressed: 636 ms
CAC Cert 1: select CAC applet: 71 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_CloseAllSessions(0x1) called
Finalizing...

My pam_pkcs11.conf:

pkcs11_module coolkey {
    module = /usr/lib/libcoolkeypk11.so;
    description = "Cool Key"
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_description = "Activkey Sim 00 00";
    #slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    #ca_dir = /etc/pam_pkcs11/cacerts;
    ca_dir = /etc/pki/CA/cacerts;
    nss_dir = /etc/pki/nssdb;

    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    #crl_dir = /etc/pam_pkcs11/crls;
    crl_dir = /etc/pki/CA/crls;

    # Sets the Certificate verification policy.
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL from the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first
    #               tries to download the CRL from a possibly given CRL
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "ocsp_on"     Turn on OCSP.
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of ca,crl, and signature flags, or just
    # use "none".
    #cert_policy=ca, signature;
    cert_policy=none;
}

Can anybody help?

Cheers,
Guy.



_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
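
A triage helper for the coolkey log format shown in the post, added here as an example (it is not the poster's code and not part of coolkey). It splits the log at each `calling IsConnected`, records the last CAC step reached, flags steps at or above an assumed 5000 ms threshold, and names the `Connection Error` value using the standard PC/SC status codes; the function name, the threshold and the sample log are constructed for illustration.

```python
import re

# Subset of the standard PC/SC (winscard / pcsc-lite) status codes.
PCSC_STATUS = {
    0x00000000: "SCARD_S_SUCCESS",
    0x80100003: "SCARD_E_INVALID_HANDLE",
    0x8010000A: "SCARD_E_TIMEOUT",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
}

# Constructed sample: two attempts in the format of the coolkey log above.
SAMPLE_LOG = """\
calling IsConnected
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 68 ms
CAC Cert 0: Fetch rest : 60700 ms
CAC Cert 1: select CAC applet: 72 ms
Connection Error = 0x0
refreshTokenState: Failed to load objects.
calling IsConnected
CoolKey Select failed 0x6
CAC Cert 0: Fetch rest : 639 ms
CAC Cert 1: select CAC applet: 70 ms
Connection Error = 0x80100003
refreshTokenState: Failed to load objects.
"""

STEP = re.compile(r"^CAC Cert (\d+): (.+?)\s*:\s*(\d+) ms$")
ERROR = re.compile(r"^Connection Error = (0x[0-9a-fA-F]+)$")

def parse_attempts(text, slow_ms=5000):
    """Summarise each connect attempt; slow_ms is an assumed threshold."""
    attempts = []
    for raw in text.splitlines():
        # Mail archives often leave NBSP / mojibake where spaces were.
        line = re.sub("[\u00c2\u00a0]", " ", raw).strip()
        if line == "calling IsConnected":
            attempts.append({"last_step": None, "slow": [], "error": None, "loaded": True})
        elif not attempts:
            continue  # lines before the first connect attempt
        elif m := STEP.match(line):
            attempts[-1]["last_step"] = (int(m[1]), m[2])
            if int(m[3]) >= slow_ms:
                attempts[-1]["slow"].append((m[2], int(m[3])))
        elif m := ERROR.match(line):
            code = int(m[1], 16)
            attempts[-1]["error"] = PCSC_STATUS.get(code, hex(code))
        elif line.startswith("refreshTokenState: Failed"):
            attempts[-1]["loaded"] = False
    return attempts
```

Run against the full `/tmp/coolkey.txt`, each returned entry shows where an attempt stopped and which PC/SC status was logged, which makes repeated failures at the same step easy to spot.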
