On Thursday, 04 February 2010 10:20:37, Christian Horn wrote:
> On Thu, Feb 04, 2010 at 10:01:43AM +0100, Andreas Jellinghaus wrote:
> > Christian: you could post a "pkcs15-tool --dump" to show in detail
> > what the card looks like.
> http://fluxcoil.net/files/openscdebug/pkcs15-tool_dump_ok
> That output is the same for working/nonworking opensc revision.

ok, thanks.

> Also the nonworking opensc-rev hands out my personalized cert when
> asking for id 46 with
> pkcs15-tool -r 46|openssl x509 -noout -subject

you have two certificates with id 46. which one is presented to you? or are two certificates shown with old opensc?

does "opensc-tool -f" show the content of all files, including the certificates (file id in the pkcs15-tool --dump)? or can you try downloading those certificate files with opensc-explorer? ("cd" to the directory (first 4 bytes), then "get" the file (the next four bytes of the pathname)). ("cd 3f00" gets you to the main folder / top directory...)

> 'pkcs11-tool -L'-outputs are also the same.. but my guess is the wrong
> cert is accessed by strongswan.

first I guess strongswan wants to authenticate to the remote. why does it try to use a CKA_ID 46 cert which is for encryption? strange. but maybe that certificate was placed on the remote site for some reason.

> This is a personalization-procedure done for the cards here.

so your software for some reason created two certs with the same ID and now opensc needs to sort out the mess :)

> Correct sig of the wrong cert i suspect..

well, signatures are created with rsa keys, not certificates. and there is only one rsa key with ID 45, so it has to be the right one.

can you somehow find all certificates, find out which is the right one and which is the wrong one, and check if strongswan delivers the right or wrong file to the other side? maybe it shows the old certificate and then gets a signature with the RSA key (which is meant for the new certificate)?

oh, and does the remote strongswan site show any errors that might show what is going on? again, I think it might be a strongswan issue...

btw: do the old and new ID 46 certificates contain the same rsa public key, or do they differ? this would be interesting to know, if you can get to those files somehow.

> In the beginning also 'pkcs15-tool' spit out the other cert, we
> started to fix this with internal patches, later it was properly
> fixed in opensc-code.

so worst case you can dig out an old version of opensc, to see what the old certificates are about?

this whole situation with two certificates with the same ID confuses me a lot. maybe it is simple and some flag is used to disable the old ones, but I'm no expert here (and the asn.1 debugging code doesn't show values, so even if I knew what to look for, it wouldn't be in the log). so maybe peter or pierre can help.

other than that, I think it might be a strongswan issue. or at least getting the error from strongswan could help.

btw: you could extract the value to be signed and the signed data from the log file, transform them to binary, and check with your certificate (the one you can extract, or both) if that is a valid signature for the public key in the cert (IIRC openssl command line tools can extract it and/or use the cert or pubkey for signature validation).

Regards, Andreas

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
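As an added example (not code from this thread, from OpenSC or from strongSwan), the following script carries out with the openssl command line the two checks Andreas proposes above: whether the two ID 46 certificates carry the same RSA public key, and whether a "value to be signed" / "signed data" pair copied out of the debug log is a valid PKCS#1 v1.5 signature under the public key of a given certificate. It assumes the hex dumps have already been copied out of the log into one hex string per value (case, spaces and colons are tolerated). The keys, certificates and the "logged" values are all generated inside the script as constructed stand-ins for the card's ID 45 key and the two ID 46 certificates, so it runs without a card or a real log.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSC. Reproduces with
# the openssl command line the two checks suggested in the mail:
#   1. do two certificates carry the same RSA public key?
#   2. is a (value, signature) pair taken from a debug log valid under the
#      public key of a given certificate?
# Every key, certificate and "logged" value below is constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins: keyA plays the card's signing key (ID 45) and sits
# behind both an "old" and a "new" certificate (the two ID 46 certs);
# keyB/cert_other is an unrelated certificate for comparison.
openssl genrsa -out "$WORK/keyA.pem" 2048 >/dev/null 2>&1
openssl genrsa -out "$WORK/keyB.pem" 2048 >/dev/null 2>&1
make_selfsigned() { # key, cert, subject
    openssl req -x509 -new -key "$1" -out "$2" -days 1 -subj "$3" >/dev/null 2>&1
}
make_selfsigned "$WORK/keyA.pem" "$WORK/cert_old.pem"   "/CN=constructed old id46"
make_selfsigned "$WORK/keyA.pem" "$WORK/cert_new.pem"   "/CN=constructed new id46"
make_selfsigned "$WORK/keyB.pem" "$WORK/cert_other.pem" "/CN=constructed unrelated"

# SHA-256 over the DER SubjectPublicKeyInfo; equal digests mean equal keys.
pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{ print $NF }'
}
same_pubkey() { [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]; }

# Hex text as copied from a log hexdump (any case, spaces/colons allowed)
# to raw bytes, using only POSIX awk and printf octal escapes.
hex_to_bin() {
    fmt=$(printf '%s' "$1" | awk '
        BEGIN { for (i = 0; i < 256; i++) h[sprintf("%02x", i)] = i }
        { s = tolower($0); gsub(/[^0-9a-f]/, "", s)
          for (i = 1; i <= length(s); i += 2) printf "\\%03o", h[substr(s, i, 2)] }')
    printf "$fmt"
}
bin_to_hex() { od -An -v -tx1 "$@" | tr -d ' \n'; }

# Verify that SIG_HEX is the PKCS#1 v1.5 signature of TBS_HEX under the public
# key in CERT. pkeyutl compares the unpadded bytes with TBS as given, so TBS
# may be a bare hash or a full DigestInfo, whatever the log showed.
verify_logged_sig() { # cert, tbs_hex, sig_hex
    hex_to_bin "$2" > "$WORK/v_tbs.bin"
    hex_to_bin "$3" > "$WORK/v_sig.bin"
    openssl x509 -in "$1" -pubkey -noout > "$WORK/v_pub.pem"
    openssl pkeyutl -verify -pubin -inkey "$WORK/v_pub.pem" \
        -in "$WORK/v_tbs.bin" -sigfile "$WORK/v_sig.bin" >/dev/null 2>&1
}

# Fabricate what the log would contain: the "card" (keyA) signs a SHA-1 hash
# with raw PKCS#1 v1.5 (CKM_RSA_PKCS style) and both values are dumped as hex.
printf 'constructed IKE auth octets' | openssl dgst -sha1 -binary > "$WORK/tbs.bin"
openssl pkeyutl -sign -inkey "$WORK/keyA.pem" -in "$WORK/tbs.bin" -out "$WORK/sig.bin"
TBS_HEX=$(bin_to_hex "$WORK/tbs.bin")
SIG_HEX=$(bin_to_hex "$WORK/sig.bin")

same_pubkey "$WORK/cert_old.pem" "$WORK/cert_new.pem" \
    && echo "old/new id46 certs: same RSA public key" \
    || echo "old/new id46 certs: different keys"
for c in old new other; do
    if verify_logged_sig "$WORK/cert_$c.pem" "$TBS_HEX" "$SIG_HEX"; then
        echo "cert_$c: logged signature verifies under this cert's key"
    else
        echo "cert_$c: signature does NOT verify under this cert's key"
    fi
done
```

With real material, replace the generated files with the certificates pulled off the card (for instance via opensc-explorer's "get") and pass the hex copied from the log to verify_logged_sig; a signature that verifies under one ID 46 certificate but not the other tells you which certificate actually belongs to the ID 45 key, independent of which one any tool chooses to display.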