I've almost got things working on Ubuntu but I'm having the same issue I did under Fedora with the tokens being visible via p11tool but the OpenConnect client not being able to pull them. LIBGNUTLS28-DEV is installed.

view at view-virtual-machine:~$ sudo p11tool --list-certs --login
[sudo] password for view:
Token 'MCCLELLAND.MICHAEL.BLAIR.1250312' with URL 'pkcs11:model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312' requires user PIN
Enter PIN:
Object 0:
        URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%01;object=CAC%20ID%20Certificate;object-type=cert
        Type: X.509 Certificate
        Label: CAC ID Certificate
        ID: 00:01

Object 1:
        URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%02;object=CAC%20Email%20Signature%20Certificate;object-type=cert
        Type: X.509 Certificate
        Label: CAC Email Signature Certificate
        ID: 00:02

Object 2:
        URL: pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20%00%00%00;library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;serial=%20;token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate;object-type=cert
        Type: X.509 Certificate
        Label: CAC Email Encryption Certificate
        ID: 00:03

view at view-virtual-machine:~$ openconnect -c 'pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate' https://server.domain
Attempting to connect to 198.253.24.115:443
Failed to open certificate file pkcs11:token=MCCLELLAND.MICHAEL.BLAIR.1250312;id=%00%03;object=CAC%20Email%20Encryption%20Certificate: No such file or directory
Loading certificate failed. Aborting.
Failed to open HTTPS connection to server.domain
Failed to obtain WebVPN cookie

-----Original Message-----
From: mike.t.miller at gmail.com [mailto:mike.t.miller at gmail.com] On Behalf Of Mike Miller
Sent: Friday, July 13, 2012 8:35 AM
To: David Woodhouse
Cc: Mcclelland, Michael B Mr CTR USN USA; openconnect-devel at lists.infradead.org
Subject: Re: CAC modules

On Fri, Jul 13, 2012 at 2:47 AM, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Thu, 2012-07-12 at 22:17 -0400, Mike Miller wrote:
>> Yeah, Michael if you have the time to try with Ubuntu again, please
>> try installing the OpenConnect packages from ppa:mtmiller/openconnect
>> and let us know if that build works for you.
>
> He'll need OpenConnect v4.05. Before that, it would strip out the part
> of the URL which specifies which token to find the key in. And his
> token doesn't even let you *list* the key until you're logged in, so a
> wildcard search just by object ID doesn't work. You have to know the
> token, so you can log into it and *then* you can see that it does
> indeed contain the key.

Yep, I missed that point. 4.05 is cooking right now in
ppa:mtmiller/openconnect.

-- 
mike
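
Added example, not part of the original messages and not OpenConnect or GnuTLS code: a small Python helper that reduces a full object URL of the kind p11tool prints above to the token/id/object form passed to openconnect -c in this thread, and refuses a URI that names no token, since the thread explains that this card cannot be searched by object ID alone. The sample URL is constructed (the token label is a placeholder), and the function names are hypothetical.

```python
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Constructed sample in the shape of the p11tool output above;
# EXAMPLE.TOKEN.LABEL is a placeholder, not a real token label.
SAMPLE_URL = (
    "pkcs11:library-description=CoolKey%20PKCS%20%2311%20Module;"
    "library-manufacturer=Mozilla%20Foundation;model=%20;manufacturer=%20;"
    "serial=%20;token=EXAMPLE.TOKEN.LABEL;id=%00%03;"
    "object=CAC%20Email%20Encryption%20Certificate;object-type=cert"
)


def parse_pkcs11_uri(uri):
    """Return {attribute: decoded bytes} for the path part of a pkcs11: URI."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]  # ignore any query attributes after '?'
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq:
            raise ValueError(f"attribute without a value: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        # Values are percent-encoded bytes; 'id' is binary (here 0x00 0x03).
        attrs[name] = unquote_to_bytes(value)
    return attrs


def short_uri(uri, keep=("token", "id", "object")):
    """Rebuild a minimal URI that still says which token holds the object."""
    attrs = parse_pkcs11_uri(uri)
    if "token" not in attrs:
        # Without the token the client cannot know where to log in first.
        raise ValueError("URI does not name a token")
    parts = [
        f"{name}={quote_from_bytes(attrs[name], safe='')}"
        for name in keep
        if name in attrs
    ]
    return "pkcs11:" + ";".join(parts)


if __name__ == "__main__":
    print(short_uri(SAMPLE_URL))
```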