Please post to the list.

On Tue, Apr 14, 2009 at 5:24 PM, <michael.roeh...@rohde-schwarz.com> wrote:
>
> Hello Alon,
>
> meanwhile I think CoolKey CSP with OpenSC PKCS#11 is not able to store a
> certificate from the EJBCA admin web page - each time the browser searches for
> keys, another CKA_ID is used and of course no matching keys are found. Now
> I have to patch the CSP - or take the more convenient method (from 4. on):
>
> 1. format a card to PKCS#15
> 2. set a PIN on the card
> 3. generate an RSA key pair on the card, associated with the PIN (private key)
> 4. generate a PKCS#10 certificate request (which contains the public RSA key)
> 5. with the certificate request get the certificate from the EJBCA CA
> 6. store the certificate on the card
>
> 1, 2, 3, 5, 6 are ok, and for 4. the use of openssl with the pkcs11 engine is
> recommended ... but ... seems to be somewhat tricky with Windows. Trying
> opensc-i686-pc-mingw32-004-base.tar.bz2 with
> opensc-i686-pc-mingw32-004-engine_pkcs11.tar.bz2 - so I have
> /lib/engines/pkcs11_engine.dll, /etc/ssl/openssl.cnf, /bin/opensc-pkcs11.dll.
>
> First try (MSYS):
>
> $ openssl req -engine pkcs11 -new -key id_45 -keyform engine -out admin.req
> WARNING: can't open config file: /etc/ssl/openssl.cnf
> Unable to load config info from /etc/ssl/openssl.cnf
>
> $ ll /etc/ssl/openssl.cnf
> -rw-r--r-- 1 roehner Administratoren 10847 Mar 7 20:50 /etc/ssl/openssl.cnf
>
> Second try (MSYS):
>
> $ openssl req -engine pkcs11 -new -key id_45 -keyform engine -out admin.req -config /etc/ssl/openssl.cnf
>
> WARNING: can't open config file: /etc/ssl/openssl.cnf
> invalid engine "pkcs11"
> 1828:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:dso_win32.c:180:filename(\\lib\engines\pkcs11.dll)
> 1828:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
> 1828:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
> 1828:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:416:id=pkcs11
> 1828:error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library:dso_win32.c:180:filename(pkcs11.dll)
> 1828:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
> 1828:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
> no engine specified
> unable to load Private Key
>
> Now the config file is read (for testing I inserted a faulty line).
> Similar result with MinGW from the installer, with a copy of engine-pkcs11.dll
> to pkcs11.dll, without MSYS (Windows cmd). Some googling and own tries
> later it works:
>
> copy engine_pkcs11.dll to MinGW /bin
I don't think the above is needed if you modify the PATH.

> openssl
> engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.dll
> engine pkcs11 -pre PIN:<pin> -pre VERBOSE
> req -engine pkcs11 -new -key id_45 -keyform engine -text -config E:\MinGW\etc\ssl\openssl.cnf

The above is the method I used to test it out.

> Inside openssl -config requires a Windows path, but SO_PATH does not(?).
> Next step is to append the pkcs11 engine parameters to openssl.cnf, and to automate
> the openssl certificate request (EJBCA ignores ALL attributes from the request,
> so defaults are possible).

This is an OpenSSL issue... I think you need to add .dll or / instead of \...
Did not investigate this.

> How do you test/use the openssl engine with Windows? I do not think the
> "solution" above is a smart solution. But, instead of using a Windows COM
> component from a browser window, a certificate request with openssl and
> storing the certificate with OpenSC works with Linux, too.

Using the dynamic load... I don't have a current working Windows environment,
but it worked correctly.

Anyway nobody said not to use a CSP or a specific PKCS#11 application...
Just that you try to use a specific CSP which is not built to use a generic
PKCS#11 implementation...

>> But if you like to use it as a pure PKCS#11 token I guess you have to use the
>> onepin provider.
>
> I don't think so since I am using only one key pair, one certificate, and
> one PIN.

You also have the SO PIN...

>> I had this problem before, I believe that most of the CSP->PKCS#11 converters
>> use the container name as CKA_ID, while OpenSC has some issues with these
>> long names...
>
> Yes, I think it is the CKA_ID handling, since CKA_ID is generated from the
> container name which comes from the browser / COM:
>
> 04/08 14:21:02 [0088] Executable: "C:\Programme\Internet Explorer\iexplore.exe" (C:\WINDOWS\system32\clkcsp-opensc.dll)
> 04/08 14:21:02 [0088] Container: "4d6c53b6-0403-4e50-9f22-81867fe76a05" Flags: CRYPT_NEWKEYSET | (0x8)
> 04/08 14:21:02 [0088] ParseFQCN: container_name: "4d6c53b6-0403-4e50-9f22-81867fe76a05."
> ...
> 04/08 14:21:02 [0088] CKA_ID: 34643663353362362D303430332D346535302D396632322D383138363766653736613035 "4d6c53b6-0403-4e50-9f22-81867fe76a05"
> 04/08 14:21:07 [0088] PIN Verification Successful Session:0x3
> 04/08 14:21:07 [0088] FindObject() CLA_CLASS:0x3 CKA_ID:34643663353362362D303430332D346535302D396632322D383138363766653736613035 "4d6c53b6-0403-4e50-9f22-81867fe76a05"
> 04/08 14:21:07 [0088] FindObject returned: FALSE

Almost always you can specify your own container name... Choose something
smaller, such as "1".

>> Why don't you use the msys installer? Much simpler and working.
>> You need to add the wget package and autoconf, automake (due to the
>> openvpn issue which will be resolved in the next version).
>
> On sourceforge there is an installer for MSYS 1.0.10 only, very out of date
> regardless of it being marked as "current". Version 1.0.11 solves some issues
> with MinGW and MSYS in the same directory. I remember, you have to replace make
> with 1.0.10. The Sourceforge MSYS start page does not recommend the MSYS installer.
> You have to use the MinGW installer, too. And have to download some packages,
> too. In MY opinion download only + extract is simpler, and you know what
> you get and do. The /usr issue can be solved with an own /etc/fstab.

As you wish...

Alon.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
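The "next step" Michael mentions, appending the engine parameters to openssl.cnf so that a plain `openssl req -engine pkcs11 ...` works without the interactive `engine dynamic -pre ...` sequence, looks like the following. This is an added example, not text from the thread and not configuration shipped by OpenSC or engine_pkcs11. The Windows paths under E:/MinGW and the key identifier `id_45` are taken from the messages above as assumptions about the local install; the section names (`openssl_init`, `engine_section`, `pkcs11_section`) are arbitrary OpenSSL config section names and only need to refer to each other consistently.

```ini
# Assumed location: E:\MinGW\etc\ssl\openssl.cnf (the file passed to -config above).
# openssl_conf must be in the default (unnamed) section, i.e. before the first
# [section] header, or OpenSSL will not pick up the engine configuration.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# Must match the name given to -engine.
engine_id = pkcs11
# Path to engine_pkcs11 itself. Forward slashes are used on purpose: the
# OpenSSL config parser treats backslash as an escape character, so a
# Windows path written with '\' would need every backslash doubled.
# (Assumed MinGW layout from the thread.)
dynamic_path = E:/MinGW/lib/engines/engine_pkcs11.dll
# The PKCS#11 module engine_pkcs11 should load (OpenSC, assumed path).
MODULE_PATH = E:/MinGW/bin/opensc-pkcs11.dll
# Deliberately no "PIN = ..." line: a PIN stored here is readable by every
# user and backup that can read the config file. Leave it out and
# engine_pkcs11 prompts for the user PIN when the key is used.
init = 0
```

With this in place the request for step 4 reduces to one command, for example `openssl req -config E:/MinGW/etc/ssl/openssl.cnf -engine pkcs11 -keyform engine -key id_45 -new -out admin.req -subj "/CN=placeholder"`; since EJBCA ignores the request attributes, the subject only has to be syntactically valid. In the engine_pkcs11 release of that time `id_45` selects the private key by its CKA_ID (hex 45), the id the OpenSC `pkcs15-init` examples conventionally assign; current releases express the same thing as a `pkcs11:` URI. Prefer the prompt over `-pre PIN:<pin>` on the command line, which exposes the PIN in the shell history and in the process list of every other user on the machine.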