Hi Christian

> > >The problem is this: the usual case seems to be someone tells the
> > >application to use private-key with ID 1, and the application also
> > >uses the cert with ID 1 for that communication. Due to a different
> > >use of certs in this card here that doesn't work out: I have to use
> > >private-key with ID 1 and in the same operation the cert with ID 2.
> > 
> > doesn't the cert with the id 1 belong to the private key with the
> > id 1 (or what exactly is the problem)?
> Yes, that was the problem here.
> 
> 
> > >I've had a look at the debugging-output that gets generated from
> > >'pkcs15-tool -r' reading certs, but didn't find the hook to overwrite
> > >the path to the cert-file that is read out.
> > 
> > the binding between the certs and keys is defined in pkcs15-tcos.c
> > ( in src/libopensc/ ) as this is most likely not a pkcs15 compliant
> > card.
>
> Thanks a lot! That worked, pkcs15-tool now gives me the cert I need,
> not the one that is requested; libopensc appears to behave the same way
> now.
> Unfortunately the other side of the OpenSwan connection still doesn't
> accept my authentication, but OpenSwan debugging now shows the cert
> with the right subject is used.
> 
> On the OpenSC side everything looks good now, guess I will have to look
> at the firewall debug logs now.

That's a quick (and dirty) hack. Could you please supply more details
on what exactly you are trying to do? A NetKey card has 3 keys, 3 read-only
certificates and 6 empty certificate files where you can store your
own certificates. It's quite normal that a card has more than one
certificate per key so you normally don't have a one-to-one mapping
between key-ids and cert-ids.

What happens very often is that your card does not contain public
keys. In this case the public key corresponding to private key X
will be extracted from certificate X. This means that for each
private key there must exist either a public key or a certificate
with the same ID.

Your software should be able to use a certificate even if the private
key that corresponds to your certificate has a different id. If
you want to use the private key that corresponds to a certificate
with a certain id do NOT assume that this private key has the
same id.

Peter

-- 
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
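The binding rule Peter describes above (the public key for private key X comes from a public-key object or a certificate with the same ID, but a certificate may belong to a key with any ID), shown as an added example that is not OpenSC code and not part of this thread. The card layout, object IDs, subjects and the "MOD-A"-style stand-ins for RSA moduli are all constructed; on a real card the modulus would be read from the PKCS#15 public-key object or the certificate's subjectPublicKeyInfo.

```python
"""Constructed model of PKCS#15 key/certificate binding on a smart card.

Added illustration, not OpenSC code. Object IDs, labels and moduli are
constructed placeholder values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrivKey:
    id: str      # PKCS#15 object ID as hex, e.g. "01"
    label: str   # no key material: private keys are not readable from a card


@dataclass(frozen=True)
class PubKey:
    id: str
    modulus: str  # constructed stand-in for the RSA modulus


@dataclass(frozen=True)
class Cert:
    id: str
    subject: str
    modulus: str  # modulus of the certified key, taken from the cert itself


@dataclass
class Card:
    private_keys: List[PrivKey]
    public_keys: List[PubKey]
    certificates: List[Cert]


def public_modulus_for(card: Card, prkey: PrivKey) -> Optional[str]:
    """Public-key material for a private key: a public-key object with the
    same ID if present, otherwise the certificate with the same ID.
    This is the only place where equal IDs are relied upon."""
    for pub in card.public_keys:
        if pub.id == prkey.id:
            return pub.modulus
    for cert in card.certificates:
        if cert.id == prkey.id:
            return cert.modulus
    return None


def private_key_for_cert(card: Card, cert: Cert) -> Optional[PrivKey]:
    """Find the private key behind a certificate by comparing public-key
    material, so a certificate with any ID (including user-stored ones)
    resolves to the right key."""
    for prkey in card.private_keys:
        if public_modulus_for(card, prkey) == cert.modulus:
            return prkey
    return None


def private_key_by_same_id(card: Card, cert: Cert) -> Optional[PrivKey]:
    """The assumption warned against above: key ID == cert ID."""
    for prkey in card.private_keys:
        if prkey.id == cert.id:
            return prkey
    return None


def find_cert_by_subject(card: Card, subject: str) -> Optional[Cert]:
    for cert in card.certificates:
        if cert.subject == subject:
            return cert
    return None


# Constructed NetKey-like layout: three keys, three read-only certificates
# whose IDs match the keys, and one user-stored certificate (ID "45")
# issued for key "01" under a different subject. No public-key objects.
SAMPLE_CARD = Card(
    private_keys=[PrivKey("01", "sig"), PrivKey("02", "auth"), PrivKey("03", "enc")],
    public_keys=[],
    certificates=[
        Cert("01", "CN=Alice,O=Example", "MOD-A"),
        Cert("02", "CN=Alice Auth,O=Example", "MOD-B"),
        Cert("03", "CN=Alice Enc,O=Example", "MOD-C"),
        Cert("45", "CN=vpn.example.test", "MOD-A"),  # user-stored, key "01"
    ],
)


def resolve(card: Card, subject: str):
    """(cert ID, key it really belongs to, key a same-ID lookup would pick)
    for the certificate selected by subject, or None if there is none."""
    cert = find_cert_by_subject(card, subject)
    if cert is None:
        return None
    real = private_key_for_cert(card, cert)
    naive = private_key_by_same_id(card, cert)
    return (cert.id, real.id if real else None, naive.id if naive else None)


if __name__ == "__main__":
    print(resolve(SAMPLE_CARD, "CN=vpn.example.test"))        # ('45', '01', None)
    print(resolve(SAMPLE_CARD, "CN=Alice Auth,O=Example"))    # ('02', '02', '02')
```

The user-stored certificate "45" has no private key with ID "45", so a same-ID lookup finds nothing, while matching on the public-key material correctly yields key "01"; for the read-only certificates both lookups agree, which is why the shortcut often goes unnoticed.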
