On Wed, 2012-09-19 at 19:03 +0000, Lee Matthews wrote:
>
> David Woodhouse <dwmw2 <at> infradead.org> writes:
> Sorry about not posting the URL,
> the lines longer than 80 character thing was killing me...

So ignore it and post long lines :)

> Here is the URL:
> Using PKCS#11 certificate pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=cert;pin-source=openconnect%3a0xb8ce0ee8
> Using PKCS#11 key pkcs11:id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=private;pin-source=openconnect%3a0xb8ce0ee8
> Error importing PKCS#11 URL pkcs11:model=1.0;manufacturer=Gnome%20Keyring;token=Gnome2%20Key%20Storage;id=u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0;object-type=private;pin-source=openconnect%3a0xb8ce0ee8:

OK, so it looks like you specified only the id= part of the URL; OpenConnect itself added the object-type and pin-source parts.

However, if the private key isn't visible without a login (which I'm inferring is true since you were trying p11tool --login), looking it up by its ID doesn't work. You have to specify the token too.

OpenConnect tries to work around this by *guessing* which token it's in. By looking for a visible *certificate* with the same ID. I'm guessing there is such a certificate in your GNOME Keyring token?

Try adding an appropriate model= or token= parameter to the URL that you give on the command line.

And if you can send me the output of a working --list-all-certs command, that might be enlightening. I'd like to know if OpenConnect is doing something *wrong* when it tries to guess which token to find the key in.

--
dwmw2
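
The token guess described in the message above, as a simplified model added here (not OpenConnect's own code): an id-only PKCS#11 URL is pinned to a token by finding a visible certificate with the same id and copying its token attributes. The function names and the certificate listing are assumptions; the id and the GNOME Keyring token attributes are the ones quoted in the thread.

```python
from urllib.parse import quote, unquote_to_bytes

TOKEN_ATTRS = ("model", "manufacturer", "serial", "token")  # attributes that identify a token

def parse_p11(url):
    """Return {attribute: percent-decoded bytes} for a pkcs11: URL."""
    scheme, _, path = url.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a PKCS#11 URL: %r" % url)
    pairs = (p.partition("=") for p in path.split(";") if p)
    return {name: unquote_to_bytes(value) for name, _, value in pairs}

def build_p11(attrs):
    """Serialise attributes, percent-encoding every byte outside the unreserved set."""
    return "pkcs11:" + ";".join(f"{k}={quote(v, safe='')}" for k, v in attrs.items())

def guess_key_url(user_url, visible_cert_urls):
    """Pin an id-only URL to the token holding a visible cert with the same id."""
    want = parse_p11(user_url)
    if not any(a in want for a in TOKEN_ATTRS):
        for cert_url in visible_cert_urls:
            cert = parse_p11(cert_url)
            if "id" in want and cert.get("id") == want["id"]:
                want.update({a: cert[a] for a in TOKEN_ATTRS if a in cert})
                break
        else:
            return None  # no visible cert with this id: the token cannot be guessed
    want["object-type"] = b"private"
    return build_p11(want)

# The id and the GNOME Keyring attributes are quoted in the message;
# the listing itself (including the first entry) is constructed sample data.
KEY_ID = "u%deN%e7Oh%0e%c6S%dbA%b0%bc%017%5c%40B%28%c0"
VISIBLE_CERTS = [
    "pkcs11:model=ExampleModel;token=Example%20Token;id=%01%02%03;object-type=cert",
    "pkcs11:model=1.0;manufacturer=Gnome%20Keyring;token=Gnome2%20Key%20Storage;"
    "id=" + KEY_ID + ";object-type=cert",
]

if __name__ == "__main__":
    print(guess_key_url("pkcs11:id=" + KEY_ID, VISIBLE_CERTS))
    print(guess_key_url("pkcs11:id=%ff%ff", VISIBLE_CERTS))
```

When the guess returns nothing, the remedy is the one given in the message: put model= or token= in the URL passed on the command line.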