On Sat, 2006-11-18 at 00:17 +0100, Andreas Jellinghaus wrote:
> I'm using openct+opensc+libp11+engine_pkcs11+openssl to do this:
> create a certificate signed by the smart card.
>
> with the ubuntu edgy packages this works ok, with all components
> current trunk it doesn't work at all:
> pkcs15-init -ET
> pkcs15-init -CT -p pkcs15+onepin --label "Andreas Jellinghaus" \
>     --pin 123456 --puk 78907890
> pkcs15-init -G rsa/1024 -a 01 --pin 123456
>
>
> openssl req -config openssl.conf -engine pkcs11 -new -key id_45 \
>     -keyform engine -out req.pem -text -x509 \
>     -subj "/CN=Andreas Jellinghaus"
>
> engine "pkcs11" set.
> iso7816.c:99:iso7816_check_sw: Security status not satisfied
> card-flex.c:1073:cryptoflex_compute_signature: Card returned error:
> Security status not satisfied
> sec.c:53:sc_compute_signature: returning with: Security status not satisfied
> pkcs15-sec.c:332:sc_pkcs15_compute_signature: sc_compute_signature()
> failed: Security status not satisfied
> 8869:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged
> in:p11_ops.c:96:
> 8869:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
> lib:a_sign.c:276:

Looks to me like someone broke the code that handles security status. In most cases it should be asking for a PIN to satisfy that security status.

pkcs11-tool has this problem with the PIV card, since it requires a PIN entry right before signatures using the SIG key. Thunderbird and Firefox work fine re: security status problems... they ask for the PIN on this error.

-- 
Thomas Harning Jr.
Authentication Engineer @ Identity Alliance

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
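
The handling the reply describes (on "Security status not satisfied", ask for the PIN and retry the signature), as an added example that is not part of the original message and is not OpenSC code. The card is a constructed simulation; `SimCard`, `sign_with_pin_retry` and `ask_pin` are hypothetical names, and the status words are the ISO 7816-4 values.

```python
# Added example: simulated card, hypothetical names, not OpenSC's implementation.
SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982  # ISO 7816-4 status word from the log
SW_AUTH_BLOCKED = 0x6983                   # PIN retry counter exhausted


class SimCard:
    """Constructed stand-in for a card holding one signing key."""

    def __init__(self, pin, pin_always=False, tries=3):
        self._pin, self._max_tries = pin, tries
        self.pin_always = pin_always       # key wants VERIFY before every signature
        self.tries_left = tries
        self._verified = False

    def verify(self, pin):
        if self.tries_left == 0:
            return SW_AUTH_BLOCKED
        if pin != self._pin:
            self.tries_left -= 1
            self._verified = False
            return 0x63C0 | self.tries_left    # 63Cx: x tries remaining
        self.tries_left, self._verified = self._max_tries, True
        return SW_OK

    def sign(self, digest):
        if not self._verified:
            return SW_SECURITY_STATUS_NOT_SATISFIED, b""
        if self.pin_always:
            self._verified = False         # status is consumed by each signature
        return SW_OK, b"SIG:" + digest     # placeholder, not a real signature


def sign_with_pin_retry(card, digest, ask_pin):
    """Sign; on 6982 ask for the PIN once, VERIFY, then retry exactly once."""
    sw, sig = card.sign(digest)
    if sw != SW_SECURITY_STATUS_NOT_SATISFIED:
        return sw, sig
    pin = ask_pin()
    if pin is None:                        # user cancelled the prompt
        return sw, b""
    vsw = card.verify(pin)
    if vsw != SW_OK:                       # never loop: each wrong PIN burns a try
        return vsw, b""
    return card.sign(digest)


if __name__ == "__main__":
    card = SimCard("123456", pin_always=True)
    for msg in (b"first", b"second"):      # a PIN-always key prompts both times
        print(sign_with_pin_retry(card, msg, lambda: "123456"))
```
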