Adding p11-glue list to Cc. There are a couple of issues here, albeit bugs in a crappy proprietary PKCS#11 token, that we might want to work around in libp11-kit.

On Wed, 2016-02-24 at 14:06 +0200, Mithat Bozkurt wrote:
> Tubitak hasn't returned back yet, but I think there's no need for this, because
> after installing opensc from the Ubuntu Software Center and running the following
> command I can see
>
>
> mithat at adige:~$ pkcs11-tool --module /usr/lib/libakisp11.so -O -l
> Using slot 0 with a present token (0x1)
> Logging in to "Akis".
> Please enter User PIN:
> Public Key Object; RSA 2048 bits
>   label:      62917107586NES0
>   ID:         009020159e08d3abe24bd1a0742328c28b0c1104
>   Usage:      verify
> Public Key Object; RSA 2048 bits
>   label:      62917107586SIGN0
>   ID:         fd900c3bc420b0b439f71efa02efdf4550918fc4
>   Usage:      verify
> Certificate Object, type = X.509 cert
>   label:      62917107586SIGN0
>   ID:         fd900c3bc420b0b439f71efa02efdf4550918fc4
> Certificate Object, type = X.509 cert
>   label:      62917107586NES0
>   ID:         009020159e08d3abe24bd1a0742328c28b0c1104
> Private Key Object; RSA
>   label:      62917107586NES0
>   ID:         009020159e08d3abe24bd1a0742328c28b0c1104
>   Usage:      sign
> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE)
> failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> Private Key Object; RSA
>   label:      62917107586SIGN0
>   ID:         fd900c3bc420b0b439f71efa02efdf4550918fc4
>   Usage:      sign
> warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE)
> failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

OK, so you're not actually using the OpenSC PKCS#11 module here; you're only using the pkcs11-tool from OpenSC, to operate on the Tubitak module. Which works OK in this environment.

> With this config it seems ok
> mithat at adige:/etc/pkcs11/modules$ more akis.module
> module: /usr/lib/libakisp11.so
> #module: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
> managed: no

... and when p11-kit uses that *same* Tubitak module in non-managed mode, the module *does* work.

(Repeating for the benefit of the p11-kit list: It's only in managed mode, where we pass a NULL argument to C_Initialize(), that the Tubitak module fails as follows:

>> C_Initialize
>>    IN: pInitArgs = NULL
>> C_Initialize = CKR_ARGUMENTS_BAD
>> p11-kit: akis: module failed to initialize, skipping: Invalid arguments
)

> mithat at adige:/etc/pkcs11/modules$ p11tool --list-tokens
> p11-kit: the 'log-calls' option for module 'akis' is only supported
> for managed modules
> ....//trimmed
> Token 1:
>         URL: pkcs11:model=AKIS%20V1.2%00%00%00%00%00%00%00;manufacturer=TUBITAK-UEKAE%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00;serial=0036218D34081A32;token=Akis%00A%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff%ff
>         Label: Akis
>         Type: Hardware token, Trust module
>         Manufacturer: TUBITAK-UEKAE
>         Model: AKIS V1.2
>         Serial: 0036218D34081A32
> .....//trimmed
>
> But this time I can't read the cert

Define "can't read cert". Do you just mean that you didn't see any certs listed in the output of p11tool as shown above? That's expected; you only asked it to list the *tokens*. Try:

    p11tool --list-all --login pkcs11:serial=0036218D34081A32

(I spy other bugs in your proprietary PKCS#11 module there too; the model, manufacturer and token fields are all stuffed with nonsense when they *should* be padded with space characters.)

-- 
dwmw2
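The padding point at the end of the reply is worth seeing in bytes. The following C program is an added example, not code from this thread, from p11-kit or from OpenSC: it builds the token's model, manufacturer and label fields as fixed-width CK_TOKEN_INFO buffers, shows how each renders once percent-encoded into a pkcs11: URI (reproducing the %00/%ff runs quoted above), and shows a tolerant reader that recovers "AKIS V1.2", "TUBITAK-UEKAE" and "Akis" from NUL- or 0xff-stuffed fields as well as from a spec-compliant space-padded one. The field sizes (32/32/16) are from the PKCS#11 specification; the sample byte buffers are constructed to match the strings in the thread; the function names are mine, not any library's API.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Fixed-width, space-padded fields of CK_TOKEN_INFO as defined by PKCS#11. */
#define TOKEN_LABEL_LEN   32
#define MANUFACTURER_LEN  32
#define MODEL_LEN         16

/* Fill a fixed-width field with text and pad the rest with one byte:
 * ' ' is what the spec requires; 0x00 and 0xff are what the token in
 * the thread uses instead. */
static void fill_field(unsigned char *field, size_t len, const char *text, unsigned char pad)
{
    size_t tlen = strlen(text);
    if (tlen > len)
        tlen = len;
    memcpy(field, text, tlen);
    memset(field + tlen, pad, len - tlen);
}

/* Tolerant reader: strip trailing space, NUL and 0xff padding, then stop
 * at the first embedded NUL. Writes a NUL-terminated string to out and
 * returns its length. */
size_t normalize_field(const unsigned char *field, size_t len, char *out, size_t outlen)
{
    size_t end = len, n = 0;
    while (end > 0 && (field[end - 1] == ' ' || field[end - 1] == 0x00 || field[end - 1] == 0xff))
        end--;
    for (size_t i = 0; i < end && n + 1 < outlen; i++) {
        if (field[i] == 0x00)
            break;
        out[n++] = (char)field[i];
    }
    out[n] = '\0';
    return n;
}

/* Percent-encode a raw field as a pkcs11: URI attribute value (RFC 7512).
 * Everything outside the RFC 3986 unreserved set is escaped; that
 * over-encodes a few characters RFC 7512 allows literally but is always
 * valid. Lower-case hex, as p11tool prints it. */
size_t uri_escape_field(const unsigned char *field, size_t len, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = field[i];
        if (isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~') {
            if (n + 1 >= outlen) break;
            out[n++] = (char)c;
        } else {
            if (n + 3 >= outlen) break;
            out[n++] = '%';
            out[n++] = hex[c >> 4];
            out[n++] = hex[c & 0x0f];
        }
    }
    out[n] = '\0';
    return n;
}

/* Constructed sample fields mirroring the values quoted in the thread. */
const unsigned char *sample_model(void)
{
    static unsigned char f[MODEL_LEN];
    fill_field(f, sizeof f, "AKIS V1.2", 0x00);      /* NUL-padded, not space-padded */
    return f;
}
const unsigned char *sample_manufacturer(void)
{
    static unsigned char f[MANUFACTURER_LEN];
    fill_field(f, sizeof f, "TUBITAK-UEKAE", 0x00);
    return f;
}
const unsigned char *sample_label(void)
{
    static unsigned char f[TOKEN_LABEL_LEN];
    memset(f, 0xff, sizeof f);                       /* "Akis", NUL, 'A', then 0xff fill */
    memcpy(f, "Akis", 4);
    f[4] = 0x00;
    f[5] = 'A';
    return f;
}
const unsigned char *compliant_label(void)
{
    static unsigned char f[TOKEN_LABEL_LEN];
    fill_field(f, sizeof f, "Akis", ' ');            /* what the spec requires */
    return f;
}

/* Wrappers returning static strings so each result is easy to inspect. */
const char *field_uri(const unsigned char *field, size_t len)
{
    static char buf[3 * TOKEN_LABEL_LEN + 1];
    uri_escape_field(field, len, buf, sizeof buf);
    return buf;
}
const char *field_text(const unsigned char *field, size_t len)
{
    static char buf[TOKEN_LABEL_LEN + 1];
    normalize_field(field, len, buf, sizeof buf);
    return buf;
}

int main(void)
{
    struct { const char *name; const unsigned char *f; size_t len; } fields[] = {
        { "model",        sample_model(),        MODEL_LEN },
        { "manufacturer", sample_manufacturer(), MANUFACTURER_LEN },
        { "label",        sample_label(),        TOKEN_LABEL_LEN },
        { "good label",   compliant_label(),     TOKEN_LABEL_LEN },
    };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        printf("%-12s uri=%s\n%-12s text=\"%s\"\n", fields[i].name, field_uri(fields[i].f, fields[i].len),
               fields[i].name, field_text(fields[i].f, fields[i].len));
    return 0;
}
```

The model field comes out as AKIS%20V1.2 followed by seven %00 and the label as Akis%00A followed by twenty-six %ff, exactly the runs in the p11tool URL above; the same buffers normalise to the clean strings p11tool shows in its Label/Manufacturer/Model lines. Matching such a token by URI therefore needs the serial (which the token does pad correctly) rather than the label, which is what the suggested p11tool command does.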