I'm using openct+opensc+libp11+engine_pkcs11+openssl to do this:
create a certificate signed by the smart card.
With the Ubuntu Edgy packages this works ok; with all components at
current trunk it doesn't work at all:
pkcs15-init -ET
pkcs15-init -CT -p pkcs15+onepin --label "Andreas Jellinghaus" \
--pin 123456 --puk 78907890
pkcs15-init -G rsa/1024 -a 01 --pin 123456
openssl req -config openssl.conf -engine pkcs11 -new -key id_45 \
-keyform engine -out req.pem -text -x509 \
-subj "/CN=Andreas Jellinghaus"
engine "pkcs11" set.
iso7816.c:99:iso7816_check_sw: Security status not satisfied
card-flex.c:1073:cryptoflex_compute_signature: Card returned error: Security status not satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:332:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
8869:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged in:p11_ops.c:96:
8869:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
I guess the fault is in opensc, but no idea what broke. Can someone have
a look and try this with your own card? (You don't need the pkcs15-init
commands; those erase the card and create a new PKCS#15 format and a key,
and are only included for demonstration purposes - and for me so I can
easily switch from a 2048 bit to a 1024 bit key.)
The openssl config file is:
cat > openssl.conf << EOF
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
PIN = 123456
init = 0
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
EOF
Regards, Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
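An added example, not code from the post above or from OpenSC/libp11: a Python script that parses the quoted output (OpenSC debug lines and OpenSSL error-queue lines), unpacks the packed OpenSSL error codes using the pre-3.0 ERR_PACK layout (8-bit library, 12-bit function, 12-bit reason), and lists the failure chain from the card's security-status check up to ASN1_item_sign, which shows that the two OpenSSL errors are only the card-level refusal propagating upward. The regular expressions and the sample lines (the post's output with e-mail line wraps rejoined) are my own construction.

```python
import re

# Constructed sample input: the output quoted in the post, with the
# e-mail line wraps rejoined so that every message sits on one line.
CAPTURED = """\
engine "pkcs11" set.
iso7816.c:99:iso7816_check_sw: Security status not satisfied
card-flex.c:1073:cryptoflex_compute_signature: Card returned error: Security status not satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:332:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
8869:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged in:p11_ops.c:96:
8869:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
"""

# OpenSC debug line: "<file>.c:<line>:<function>: <message>"
OPENSC_RE = re.compile(r"^(?P<file>[\w.-]+\.c):(?P<line>\d+):(?P<func>\w+): (?P<msg>.*)$")
# OpenSSL error-queue line as printed by ERR_print_errors():
# "<pid>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:"
OPENSSL_RE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")

# Library numbers from OpenSSL's err.h (pre-3.0); engines such as libp11 report under ERR_LIB_USER.
LIB_NAMES = {13: "ERR_LIB_ASN1", 128: "ERR_LIB_USER"}

def decode_err_code(code_hex):
    """Unpack a pre-3.0 OpenSSL error code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "lib_name": LIB_NAMES.get(code >> 24, "?"),
            "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def parse_output(text):
    """Return one entry per diagnostic line, in the order the layers reported them."""
    chain = []
    for raw in text.splitlines():
        m = OPENSC_RE.match(raw)
        if m:
            chain.append({"layer": "opensc", "where": f"{m['file']}:{m['line']}",
                          "func": m["func"], "msg": m["msg"]})
            continue
        m = OPENSSL_RE.match(raw)
        if m:
            chain.append({"layer": "openssl", "where": f"{m['file']}:{m['line']}",
                          "func": m["func"], "msg": m["reason"], **decode_err_code(m["code"])})
    return chain

def root_cause(chain):
    """First entry is the lowest layer that failed (the card's check); the rest is propagation."""
    return chain[0] if chain else None
```

Run on the captured text, the root cause is the card's "Security status not satisfied" at iso7816.c:99; the libp11 line ("User not logged in", ERR_LIB_USER) and the ASN1 line (reason 6, the EVP-library error) are the same refusal reported one layer up each time.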