[gnutls-help] GnuTLS always 'scans' all usb tokens

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Mar 11 12:14:16 CET 2017


[resending on list]

On Sat, 2017-03-11 at 04:57 +0530, Mandar Joshi wrote:
> > 
> > Most likely the URI that you provide is generic enough to cover all
> > the tokens, and thus they are all scanned for the object. You will
> > have to specify a URI which can be used to identify a unique token.
> > For example a uri 'pkcs11:id=01' is not unique, any token in the
> > system may match. You'll have at least to specify the token serial and
> > name (my guess is that your tokens have all the same name, but
> > different serial?). Use p11tool --list-tokens to figure out their
> > unique parts.
> 
> Thanks for the quick response Nikos. All the tokens I have are of the
> same make but they do have different serial numbers.
> 
> This is the output of "p11tool --list-tokens"

Could you send me the output of the following?

```
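# PKCS11SPY names the real PKCS#11 module that pkcs11-spy.so wraps
export PKCS11SPY=/usr/lib/.../opensc-pkcs11.so
# load the spy module as the provider so the PKCS#11 calls are logged
p11tool --provider /usr/lib/.../pkcs11-spy.so --export "a_cert_url"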
```

The output of the export (the certificate) is not needed, only the
PKCS#11 commands that lead to that.

I'm afraid that these tokens are seen as different readers, and as the
scanning goes, any of these could potentially contain any URI. The
readers do not seem to have any information reflected in the URI.
I can see some optimizations, but I do not believe they will have any
impact in your case.

regards,
Nikos
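
The point in the quoted advice (a URI such as 'pkcs11:id=01' matches every token, while adding the serial narrows it to one) can be checked with a small model of RFC 7512 token-attribute matching. This is an added example, not part of the original message and not GnuTLS code; the token labels, manufacturer and serials in `TOKENS` are constructed sample values.

```python
from urllib.parse import unquote

# RFC 7512 path attributes that describe the token rather than the object.
TOKEN_ATTRS = ("token", "serial", "manufacturer", "model")


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict (query part ignored)."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path = rest.split("?", 1)[0]          # drop ?pin-source=... style query attributes
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or name in attrs:        # each attribute may appear only once
            raise ValueError(f"malformed or repeated attribute: {part!r}")
        attrs[name] = unquote(value)       # values are percent-encoded
    return attrs


def candidate_tokens(uri, tokens):
    """Tokens the URI does not rule out, i.e. the ones that have to be searched."""
    wanted = {k: v for k, v in parse_pkcs11_uri(uri).items() if k in TOKEN_ATTRS}
    return [t for t in tokens if all(t.get(k) == v for k, v in wanted.items())]


def is_token_specific(uri, tokens):
    """True when the URI narrows the search to exactly one token."""
    return len(candidate_tokens(uri, tokens)) == 1


# Constructed sample: three tokens of the same make, differing only in serial.
TOKENS = [
    {"token": "ExampleToken", "manufacturer": "Example Corp",
     "model": "X1", "serial": "0000000000000001"},
    {"token": "ExampleToken", "manufacturer": "Example Corp",
     "model": "X1", "serial": "0000000000000002"},
    {"token": "ExampleToken", "manufacturer": "Example Corp",
     "model": "X1", "serial": "0000000000000003"},
]

if __name__ == "__main__":
    for uri in ("pkcs11:id=01",
                "pkcs11:token=ExampleToken;id=01",
                "pkcs11:token=ExampleToken;serial=0000000000000002;id=01"):
        print(uri, "->", len(candidate_tokens(uri, TOKENS)), "token(s) to search")
```
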



