Error when the certificate from a smart card is used
The following error, "Error loading certificate from PKCS#11: The requested data were not available.", appears when openconnect tries to use the certificate from the smart card:
# openconnect --version
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: setting default-priority-string to NORMAL
gnutls[2]: cfg: loaded system priority /etc/gnutls/config mtime 1620812938
OpenConnect version v8.10-2+b1
Using GnuTLS 3.7.1. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
# p11tool --login --provider=/usr/lib/pkcs11/libeTPkcs11.so --list-all pkcs11:model=eToken
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: setting default-priority-string to NORMAL
gnutls[2]: cfg: loaded system priority /etc/gnutls/config mtime 1620812938
Token 'Pxxxx Gxxxxxxxx' with URL 'pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxx49;token=Pxxxx%20Gxxxxxxxx' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxx49;token=Pxxxx%20Gxxxxxxxx;id=%64%81%3A%34%FD%67%EA%46%71%xx%CE%xx%6C%xx%D1%D5%xx%E6%xx%3D;object=No%20Friendly%20Name%20Available;type=private
Type: Private key (RSA-2048)
Label: No Friendly Name Available
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 64:81:3a:34:fd:67:ea:46:71:xx:ce:xx:6c:xx:d1:d5:xx:e6:xx:3d
Object 1:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxx49;token=Pxxxx%20Gxxxxxxxx;id=%64%81%3A%34%FD%67%EA%46%71%xx%CE%xx%6C%xx%D1%D5%xx%E6%xx%3D;type=public
Type: Public key (RSA-2048)
Label:
Flags: CKA_WRAP/UNWRAP;
ID: 64:81:3a:34:fd:67:ea:46:71:xx:ce:xx:6c:xx:d1:d5:xx:e6:xx:3d
Object 2:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxx49;token=Pxxxx%20Gxxxxxxxx;id=%64%81%3A%34%FD%67%EA%46%71%xx%CE%xx%6C%xx%D1%D5%xx%E6%xx%3D;object=No%20Friendly%20Name%20Available;type=cert
Type: X.509 Certificate (RSA-2048)
Expires: Wed Feb 23 12:09:00 2022
Label: No Friendly Name Available
ID: 64:81:3a:34:fd:67:ea:46:71:xx:ce:xx:6c:xx:d1:d5:xx:e6:xx:3d
Object 3:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxx49;token=Pxxxx%20Gxxxxxxxx;id=%3B%xx%BF%xx%CE%xx%ED%xx%43%xx%5C%xx%70%xx%96%xx%32%2C%88%52;type=private
Type: Private key (RSA-2048)
Label:
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
ID: 3b:xx:bf:xx:ce:xx:ed:xx:43:xx:5c:xx:70:xx:96:b1:32:2c:88:52
Object 4:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=02xxxx49;token=Pxxxx%20Gxxxxxxxx;id=%3B%xx%BF%xx%CE%xx%ED%xx%43%xx%5C%xx%70%xx%96%xx%32%2C%88%52;object=6E7C7422C27763E3;type=cert
Type: X.509 Certificate (RSA-2048)
Expires: Thu Jul 1 00:59:59 2021
Label: 6E7C7422C27763E3
ID: 3b:xx:bf:xx:ce:xx:ed:xx:43:xx:5c:xx:70:xx:96:b1:32:2c:88:52
# openconnect --authenticate -c 'pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;id=%64%81%3A%34%FD%67%EA%46%71%46%CE%D8%6C%7E%D1%D5%FE%E6%85%3D' VPN_Server:port --gnutls-debug=99 -v
gnutls[2]: Enabled GnuTLS 3.7.1 logging...
gnutls[2]: getrandom random generator was detected
gnutls[2]: Intel SSSE3 was detected
gnutls[2]: Intel AES accelerator was detected
gnutls[2]: Intel GCM accelerator was detected
gnutls[2]: cfg: setting default-priority-string to NORMAL
gnutls[2]: cfg: loaded system priority /etc/gnutls/config mtime 1620812938
POST https://VPN_Server:port/
Attempting to connect to server VPN_Server:port
Connected to VPN_Server:port
ASSERT: ../../../lib/x509/dn.c[_gnutls_x509_compare_raw_dn]:1025
Using PKCS#11 certificate pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;id=%64%81%3A%34%FD%67%EA%46%71%xx%CE%xx%6C%xx%D1%D5%xx%E6%xx%3D;type=cert
Initializing all PKCS #11 modules
p11: Initializing module: p11-kit-trust
p11: Initializing module: opensc-pkcs11
ASSERT: ../../lib/pkcs11.c[compat_load]:895
ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2221
ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2349
ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3604
ASSERT: ../../lib/pkcs11.c[find_single_obj_cb]:2221
ASSERT: ../../lib/pkcs11.c[gnutls_pkcs11_obj_import_url]:2349
ASSERT: ../../lib/pkcs11.c[_gnutls_x509_crt_import_pkcs11_url]:3604
Error loading certificate from PKCS#11: The requested data were not available.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to VPN_Server
Failed to obtain WebVPN cookie
Edited by Pavel G
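How a PKCS#11 URI such as the one passed to `-c` above selects objects from a listing like the p11tool output, as an added example (not part of the original report, and not OpenConnect or GnuTLS code). It follows RFC 7512: values are percent-decoded, and every attribute present in the selector must match, which is why the `;type=cert` seen in the "Using PKCS#11 certificate" log line narrows the selection. The serial, token label, object names and ids are constructed, and the function names are hypothetical.

```python
from urllib.parse import unquote_to_bytes


def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into {attribute: decoded bytes}; the query part is ignored."""
    scheme, _, rest = uri.partition(":")
    if scheme != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in filter(None, rest.split("?", 1)[0].split(";")):
        name, sep, value = part.partition("=")
        if not sep or name in attrs:
            raise ValueError(f"malformed or duplicate attribute: {part!r}")
        # Decode to bytes: 'id' is binary, and %0a and %0A must compare equal.
        attrs[name] = unquote_to_bytes(value)
    return attrs


def matches(selector, obj):
    """True if every attribute given in the selector has the same value in obj."""
    return all(obj.get(name) == value for name, value in selector.items())


def select(selector_uri, object_uris):
    """Return the object URIs that the selector URI identifies."""
    selector = parse_pkcs11_uri(selector_uri)
    return [u for u in object_uris if matches(selector, parse_pkcs11_uri(u))]


# Constructed listing in the shape of the p11tool output (values are not from the report).
TOKEN = "pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000;token=Example%20Token"
OBJECTS = [
    TOKEN + ";id=%01%02%0A;object=key-a;type=private",
    TOKEN + ";id=%01%02%0A;type=public",
    TOKEN + ";id=%01%02%0A;object=key-a;type=cert",
    TOKEN + ";id=%3B%2C%88;type=private",
    TOKEN + ";id=%3B%2C%88;object=cert-b;type=cert",
]

if __name__ == "__main__":
    base = "pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;id=%01%02%0a"
    for uri in (base, base + ";type=cert"):
        hits = select(uri, OBJECTS)
        print(f"{uri}\n  -> {len(hits)} object(s)")
        for hit in hits:
            print("     " + hit)
```

A selector carrying only `id` matches the private key, public key and certificate that share that id; adding `type=cert` leaves exactly one object.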