
I am trying to use a SafeNet eToken 5300 (manufacturerID: Gemalto; model: ID Prime MD) for client certificate authentication in the openconnect VPN client. The connection fails.

When the SmartCard (manufacturerID: SafeNet, Inc.; model: eToken) inserted into an Alcor Micro AU9540 reader is used, the connection is established successfully.

Debugging the issue, I found that the error comes from the PKCS11 module:

[2022-08-10 11:55:47]  Returned:  0 CKR_OK
[2022-08-10 11:55:47]  gnutls[2]: p11: Initializing module: opensc-pkcs11.module.ORIG
[2022-08-10 11:55:47]  P:37956; T:0x139638815061248 11:55:47.201 [opensc-pkcs11] pkcs11-global.c:402:C_GetInfo: C_GetInfo()
[2022-08-10 11:55:47]  gnutls[2]: p11: module opensc-pkcs11.module.ORIG is already loaded.
[2022-08-10 11:55:47]  gnutls[3]: ASSERT: ../../lib/pkcs11.c[auto_load]:951
[2022-08-10 11:55:47]  gnutls[2]: Cannot load PKCS #11 module: opensc-pkcs11.module.ORIG
[2022-08-10 11:55:47]  gnutls[2]: p11: Initializing module: softhsm2
[2022-08-10 11:55:47]  gnutls[3]: ASSERT: ../../lib/pkcs11.c[compat_load]:896
[2022-08-10 11:55:47]  gnutls[2]: p11: No login requested.
[2022-08-10 11:55:47]  Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;object=EFF270AEC07D70DA;type=private
[2022-08-10 11:55:47]  PIN required for Pavel 
[2022-08-10 11:55:48]  Enter PIN:
[2022-08-10 11:55:54]  gnutls[2]: p11: Login result = ok (0)
[2022-08-10 11:55:54]  gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
[2022-08-10 11:55:54]  gnutls[2]: p11: No login requested.
[2022-08-10 11:55:54]  Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;object=EFF270AEC07D70DA;type=private
[2022-08-10 11:55:54]  gnutls[2]: p11: Login result = ok (0)
[2022-08-10 11:55:56]  gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[gnutls_pkcs11_privkey_import_url]:561
[2022-08-10 11:55:56]  Trying PKCS#11 key URL pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;type=private
[2022-08-10 11:55:56]  gnutls[2]: p11: Login result = ok (0)
[2022-08-10 11:55:56]  Using PKCS#11 key pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;type=private
[2022-08-10 11:55:56]  gnutls[3]: ASSERT: ../../lib/pkcs11_privkey.c[_gnutls_pkcs11_privkey_sign]:416
[2022-08-10 11:56:27]  gnutls[3]: ASSERT: ../../lib/privkey.c[privkey_sign_and_hash_data]:1300
[2022-08-10 11:56:27]  Error signing test data with private key: PKCS #11 error.  
[2022-08-10 11:56:27]  Loading certificate failed. Aborting. <-------- Here is the problem
[2022-08-10 11:56:27]  Failed to complete authentication

Both the USB token and the SmartCard have the same certificates/key installed, from the same p12 file. They were initialized first, and then the p12 file was applied.

Using pkcs11-dump, I found that the only difference between the USB token and the SmartCard is the value of the CKA_SIGN_RECOVER attribute of the private key:

CKA_SIGN_RECOVER: TRUE - for SmartCard

CKA_SIGN_RECOVER: FALSE - for USB Token

Since the CKA_MODIFIABLE attribute is TRUE for both tokens, I am looking for a way to change the CKA_SIGN_RECOVER value on the USB token (according to the documents, it is possible); then I will re-attempt the connection with openconnect.

Any ideas?

Thank you in advance for your help.

Regards, Pavel

  • Are both of your devices visible via SAC? How do they look? – Alexander Aug 11 '22 at 12:47
  • Hi @Alexander, Yes, both devices are recognized by SAC and fully managed. Pavel – Pavel Aug 11 '22 at 13:20
  • ![Image: SAC shows both devices](https://imgur.com/a/SULMlNA) – Pavel Aug 11 '22 at 13:52
  • Have a look at my answer to another question: https://stackoverflow.com/a/72786355/3868464 – Alexander Aug 13 '22 at 06:07
  • Hi @Alexander, thank you for the link. Unfortunately, it has not helped - I have the same error. – Pavel Aug 15 '22 at 07:17
  • I found something regarding the USB eToken 5300 - it looks like something is not implemented in the Linux drivers vs Windows. According to the Gemalto site: “The eToken 5300 needs to be touched when it should use its private key”. However, I can, for example, generate the Public Key without touching the Token. Pavel – Pavel Aug 15 '22 at 14:03
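As an added example (not code from the question, nor from OpenSC, GnuTLS or openconnect), here is a Python script built on the PyKCS11 binding that decodes the key URI shown in the log, reproduces the attribute comparison between the two tokens, and attempts the change the question is asking about: setting CKA_SIGN_RECOVER on the private key through C_SetAttributeValue in a read/write session. The module path, PIN and the availability of `Session.setAttributeValue` in PyKCS11 are assumptions; the two attribute dumps are constructed from the values the question reports.

```python
"""
Inspect a PKCS#11 private key's CKA_SIGN_RECOVER / CKA_MODIFIABLE attributes and,
where the token permits it, change CKA_SIGN_RECOVER with C_SetAttributeValue.

Added example for this question, not code from the question or from any project.
Assumptions: the PyKCS11 binding is installed (pip install pykcs11); the module
path and PIN passed to set_sign_recover() are placeholders; the attribute dumps
below are constructed from what the question reports.
"""
from __future__ import annotations

from urllib.parse import unquote_to_bytes

# The key URI openconnect tried, taken from the question's log.
SAMPLE_KEY_URI = (
    "pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=09E850133ABF3E39;"
    "token=Pavel;id=%68%35%73%BD%14%9B%F5%37%02%8B%BF%CE%48%FB%71%38%B8%59%91%3E;"
    "type=private"
)

# Constructed dumps in the shape pkcs11-dump reports (only the relevant attributes).
SMARTCARD_DUMP = {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_MODIFIABLE": True,
                  "CKA_SIGN": True, "CKA_SIGN_RECOVER": True}
USB_TOKEN_DUMP = {"CKA_CLASS": "CKO_PRIVATE_KEY", "CKA_MODIFIABLE": True,
                  "CKA_SIGN": True, "CKA_SIGN_RECOVER": False}


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the path component of an RFC 7512 pkcs11: URI into a dict.

    'id' is percent-decoded to raw bytes (it is the object's CKA_ID); every other
    value is decoded to text. Query attributes (after '?') are ignored.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        key, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        attrs[key] = raw if key == "id" else raw.decode("utf-8")
    return attrs


def diff_attributes(a: dict, b: dict) -> dict:
    """Return {attr: (a_value, b_value)} for every attribute whose value differs."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def set_sign_recover(module_path: str, pin: str, key_id: bytes, value: bool) -> dict:
    """Find the private key with CKA_ID == key_id on the first present token and try
    to set CKA_SIGN_RECOVER. Returns the attributes before and after plus the outcome.

    Needs real hardware, so PyKCS11 is imported here rather than at module level.
    """
    import PyKCS11  # assumption: a PyKCS11 release that provides Session.setAttributeValue

    names = ["CKA_MODIFIABLE", "CKA_SIGN", "CKA_SIGN_RECOVER"]
    attrs = [PyKCS11.CKA_MODIFIABLE, PyKCS11.CKA_SIGN, PyKCS11.CKA_SIGN_RECOVER]

    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slots = lib.getSlotList(tokenPresent=True)
    if not slots:
        raise RuntimeError("no token present")
    # C_SetAttributeValue needs a read/write session, not the default read-only one.
    session = lib.openSession(slots[0], PyKCS11.CKF_SERIAL_SESSION | PyKCS11.CKF_RW_SESSION)
    session.login(pin)
    try:
        keys = session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY),
                                    (PyKCS11.CKA_ID, key_id)])
        if not keys:
            raise LookupError("no private key with that CKA_ID")
        key = keys[0]
        before = dict(zip(names, session.getAttributeValue(key, attrs)))
        outcome = "CKR_OK"
        if not before["CKA_MODIFIABLE"]:
            outcome = "skipped: CKA_MODIFIABLE is FALSE"
        else:
            try:
                session.setAttributeValue(key, [(PyKCS11.CKA_SIGN_RECOVER, value)])
            except PyKCS11.PyKCS11Error as err:
                # A token may still refuse (e.g. CKR_ATTRIBUTE_READ_ONLY) even when
                # the object as a whole is marked modifiable.
                outcome = f"refused: {err}"
        after = dict(zip(names, session.getAttributeValue(key, attrs)))
        return {"before": before, "after": after, "outcome": outcome}
    finally:
        session.logout()
        session.closeSession()


def example_diff() -> dict:
    """Reproduce the question's finding from the constructed dumps."""
    return diff_attributes(SMARTCARD_DUMP, USB_TOKEN_DUMP)


if __name__ == "__main__":
    key = parse_pkcs11_uri(SAMPLE_KEY_URI)
    print("token:", key["token"], "model:", key["model"], "CKA_ID:", key["id"].hex())
    print("differences (SmartCard vs USB token):", example_diff())
    # To try the change on real hardware (placeholder module path and PIN):
    # print(set_sign_recover("/usr/lib/opensc-pkcs11.so", "1234", key["id"], True))
```

The pure helpers run offline; `set_sign_recover()` is the part that touches the token. Read the returned `outcome` and the `after` dump rather than assuming the write took effect: a CKA_MODIFIABLE of TRUE only says the object may be modified, and the token is still free to reject this particular attribute, in which case the `before` and `after` values will be identical and the error string shows why.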
