Dear David First of all thank you very much for your reply. As far as I understand from your mail I can use workaround If I get the URI of PKCS#11. Product site says that it has its own PKCS#11 library(libakisp11.so) however It is also supported by OpenSC libraries. AK?S (Smart Card Operating System) is PKCS#11 library that complies with Common Criteria (CC) EAL4+ , Common Criteria (CC) EAL5+ and ISO/IEC 7816 with DES , 3DES RSA 1024-2048 bit key length. Device produced by Advanced Card System is associate member of PCSC Lite project. SIM card is produced by TUBITAK with its own PKCS#11 proprietary library. I also examined deb package of library which has following info "This package includes : PKCS#11 proprietary library akisp11 and its dependent libraries asn1ber and asn1rt. Akia : Akis Smartcard monitoring and management tool with GUI. Dependencies : libccid, libc6, libpcsclite1, pcscd" I can access device through Thunderbird Mail and a Java based Editor using product's java API. Finally I apply at https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html Step 1: I created /etc/pkcs11/pkcs11.conf with content # This is an example /etc/pkcs11/pkcs11.conf file. Copy it into # place before use. # This setting controls whether to load user configuration from the # ~/.config/pkcs11 directory. Possible values: # none: No user configuration # merge: Merge the user config over the system configuration (default) # only: Only user configuration, ignore system configuration user-config: merge Step 2: I created module config at /etc/pkcs11/modules/akis.module with content #AKIS is acronym of Smart Card Operating System in Turkish module: /usr/lib/libakisp11.so managed: yes trust-policy: yes log-calls: yes Step 3: after then run p11-kit list-modules commands print err C_Initialize IN: pInitArgs = NULL C_Initialize = CKR_ARGUMENTS_BAD p11-kit: akis: module failed to initialize, skipping: Invalid arguments ---------------------------------------------------------- mithat at adige:~$ p11-kit list-modules C_Initialize IN: pInitArgs = NULL C_Initialize = CKR_ARGUMENTS_BAD p11-kit: akis: module failed to initialize, skipping: Invalid arguments p11-kit-trust: p11-kit-trust.so library-description: PKCS#11 Kit Trust Module library-manufacturer: PKCS#11 Kit library-version: 0.23 token: System Trust manufacturer: PKCS#11 Kit model: p11-kit-trust serial-number: 1 hardware-version: 0.23 flags: write-protected token-initialized gnome-keyring: gnome-keyring-pkcs11.so library-description: GNOME Keyring Daemon Core library-manufacturer: GNOME Keyring library-version: 1.1 token: SSH Keys manufacturer: Gnome Keyring model: 1.0 serial-number: 1:SSH:HOME flags: write-protected user-pin-initialized protected-authentication-path token-initialized token: Secret Store manufacturer: Gnome Keyring model: 1.0 serial-number: 1:SECRET:MAIN flags: login-required user-pin-initialized protected-authentication-path token-initialized token: Gnome2 Key Storage manufacturer: Gnome Keyring model: 1.0 serial-number: 1:USER:DEFAULT flags: login-required user-pin-initialized protected-authentication-path token-initialized token: User Key Storage manufacturer: Gnome Keyring model: 1.0 serial-number: 1:XDG:DEFAULT flags: protected-authentication-path token-initialized -------------------------------------------------- Best Regards Mithat Bozkurt 2016-02-21 18:31 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>: > On Sat, 2016-02-20 at 21:35 +0200, Mithat Bozkurt wrote: >> Hello >> >> However I read your html pages mentioned PKCS#11 I couldn't find a way >> to use smart >> card(ACS 38T) with openconnect. >> >> My client certificate is in PKCS#11 compliance device and I couldn't >> export it due >> to it is e-signature cert. >> >> I installed network-manager-openconnect-gnome and I see only the >> following selection. >> RSA SecureID read from ~/.stokenrc >> RSA SecureID (manually entered) >> TOTP (manually entered) >> HOTP (manually entered) >> >> >> Do I see PKCS#11 also? > > No. NetworkManager is completely lacking any GUI to let you select > certificates from PKCS#11. This is https://bugzilla.gnome.org/679860 > > Thankfully there's a simple workaround. Just configure the connection > with a (dummy) file and then edit the resulting configuration file > manually and enter the PKCS#11 URI for your certificate. > > However... > >> output of "p11tool --list-tokens". There is no my token manufacturer. > > That looks like your PKCs#11 module hasn't been installed correctly. > What is it? Are you using OpenSC (in which case the Ubuntu package > seems to be broken), or some third-party device with its own PKCS#11 > library that you have to install (in which case their install > instructions are broken). > > You should have a file somewhere like /usr/share/p11-kit/modules which > directs p11-kit to load the module in question. > https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html > >> And I can access my certificate for signing a document without any problem. > > Using what software, and how does it find your PKCS#11 token. Sounds > like the software that is working is actually "broken" in some sense of > the word too, since it seems *not* to be using the system's p11-kit > configuration as it should. > > -- > dwmw2 >
