Andreas Jellinghaus wrote:
I'm using openct+opensc+libp11+engine_pkcs11+openssl to do this:
create a certificate signed by the smart card.

With the Ubuntu edgy packages this works OK; with all components at
current trunk it doesn't work at all:
pkcs15-init -ET
pkcs15-init -CT -p pkcs15+onepin --label "Andreas Jellinghaus" \
        --pin 123456 --puk 78907890
pkcs15-init -G rsa/1024 -a 01 --pin 123456


openssl req -config openssl.conf -engine pkcs11 -new -key id_45 \
        -keyform engine -out req.pem -text -x509 \
        -subj "/CN=Andreas Jellinghaus"

engine "pkcs11" set.
iso7816.c:99:iso7816_check_sw: Security status not satisfied
card-flex.c:1073:cryptoflex_compute_signature: Card returned error: Security status not satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:332:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
8869:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged in:p11_ops.c:96:
8869:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:

I guess the fault is in opensc, but no idea what broke. Can someone have
a look and try this with your own card? (You don't need the pkcs15-init
commands; those erase the card and create a new PKCS#15 format and a key,
and are only included for demonstration purposes, and for me so I can
easily switch from a 2048 bit to a 1024 bit key.)

hmm, works for me using the trunk of opensc and some older libp11
+ opensc_engine versions ... I will update libp11 and engine_pkcs11
to see if it still works.

Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
