On Thursday 04 February 2010 10:20:37, Christian Horn wrote:
> On Thu, Feb 04, 2010 at 10:01:43AM +0100, Andreas Jellinghaus wrote:
> > christian: you could post a "pkcs15-tool --dump" to show in detail
> > what the card looks like.
> 
> http://fluxcoil.net/files/openscdebug/pkcs15-tool_dump_ok
> That output is the same for working/nonworking opensc revision.

ok, thanks.

> Also the nonworking opensc-rev hands out my personalized cert when
> asking for id 46 with
>   pkcs15-tool -r 46|openssl x509 -noout -subject

you have two certificates with id 46.
which one is presented to you?
or are two certificates shown with old opensc?

does "opensc-tool -f" show the content of all files, including
the certificates (file id in the pkcs15-tool --dump)?
or can you try downloading those certificate files with
opensc-explorer? ("cd" to the directory (first 4 bytes),
then "get" the file (the next four bytes of the pathname)).
("cd 3f00" gets you to the main folder / top directory...)

> 'pkcs11-tool -L'-outputs are also the same.. but my guess is the wrong
> cert is accessed by strongswan.

first I guess strongswan wants to authenticate to the remote.
why does it try to use a CKA_ID 46 cert which is for encryption?
strange. but maybe that certificate was placed on the remote site
for some reason.

> This is a personalization procedure done for the cards here.

so your software for some reason created two certs with the same
ID and now opensc needs to sort out the mess :)

> Correct sig of the wrong cert I suspect..

well, signatures are created with rsa keys, not certificates.
and there is only one rsa key with ID 45, so it has to be the
right one.

can you somehow find all certificates, find out which is the
right one, and which is the wrong one, and check if strongswan
delivers the right or wrong file to the other side? maybe it
shows the old certificate and then gets a signature with the
RSA key (which is meant for the new certificate)?

oh, and does the remote strongswan site show any errors
that might show what is going on? again, I think it might
be a strongswan issue...

btw: do the old and new ID 46 certificates contain the same
rsa public key or do they differ? this would be interesting
to know, if you can get to those files somehow.

> In the beginning also 'pkcs15-tool' spit out the other cert, we
> started to fix this with internal patches, later it was properly
> fixed in opensc-code.

so worst case you can dig out an old version of opensc, to see
what the old certificates are about?

this whole situation with two certificates with the same ID
confuses me a lot.

maybe it is simple and some flag is used to disable the old ones,
but I'm no expert here (and the asn.1 debugging code doesn't show
values, so even if I knew what to look for, it wouldn't be in the
log).

so maybe peter or pierre can help.
other than that, I think it might be a strongswan issue.
or at least getting the error from strongswan could help.

btw: you could extract the value to be signed and the signed
data from the log file, transform them to binary, and check
with your certificate (the one you can extract, or both),
if that is a valid signature for the public key in the
cert (IIRC openssl command line tools can extract it
and/or use the cert or pubkey for signature validation).

Regards, Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
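The two checks Andreas proposes above, comparing the RSA public key inside the old and new ID 46 certificates and validating a logged signature against each certificate's key, can be scripted with the openssl command line tools. The script below is an added example for this thread and is not code from OpenSC, strongSwan, or any of the posters. It assumes the "value to be signed" taken from the log is the raw message and that the signature is RSA PKCS#1 v1.5 over its SHA-256 digest (what `openssl dgst -sha256 -sign` produces); if the card signed a pre-built DigestInfo instead, the verify step would need `openssl pkeyutl` rather than `openssl dgst`. The keys, certificates, and the message are constructed locally so it runs offline; the hex strings stand in for values copied out of an opensc debug log.

```sh
#!/bin/sh
# Added example, not code from the thread, OpenSC, or strongSwan.
#   1. do two certificate files carry the same RSA public key?
#   2. given a hex "value to be signed" and hex signature from a log,
#      which certificate's public key actually validates that signature?
# Assumption: the logged value is the raw message and the signature is
# RSA PKCS#1 v1.5 over its SHA-256 digest, as "openssl dgst -sign" makes.
# Keys, certs, and the message are constructed here so this runs offline.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# hex2bin HEX -> raw bytes on stdout (xxd when available, else pure sh)
hex2bin() {
    if command -v xxd >/dev/null 2>&1; then
        printf '%s' "$1" | xxd -r -p
        return
    fi
    h=$1
    while [ -n "$h" ]; do
        pair=$(printf '%.2s' "$h")
        h=${h#??}
        printf "\\$(printf '%03o' "0x$pair")"
    done
}

# bin2hex FILE -> lowercase hex on stdout, no separators (the "log" format)
bin2hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# pubkey_fingerprint CERT -> SHA-256 of the DER SubjectPublicKeyInfo in CERT
pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key CERT_A CERT_B -> status 0 iff both certs embed the same public key
same_key() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# verify_with_cert CERT DATA_HEX SIG_HEX -> status 0 iff SIG verifies under CERT's key
verify_with_cert() {
    hex2bin "$2" > "$WORK/tbs.bin"
    hex2bin "$3" > "$WORK/sig.bin"
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
    openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/sig.bin" "$WORK/tbs.bin" >/dev/null 2>&1
}

# matching_cert DATA_HEX SIG_HEX CERT... -> prints the first CERT whose key verifies SIG
matching_cert() {
    d=$1; s=$2; shift 2
    for c in "$@"; do
        if verify_with_cert "$c" "$d" "$s"; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

# --- constructed inputs: an "old" cert with its own key, a "new" cert, and a
#     re-issued cert that reuses the new key (two certs, one key) ---
openssl genrsa -out "$WORK/old.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/new.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/old.key" -subj /CN=old -days 1 -out "$WORK/old.crt" 2>/dev/null
openssl req -new -x509 -key "$WORK/new.key" -subj /CN=new -days 1 -out "$WORK/new.crt" 2>/dev/null
openssl req -new -x509 -key "$WORK/new.key" -subj /CN=new-reissued -days 1 -out "$WORK/new2.crt" 2>/dev/null
CERT_OLD=$WORK/old.crt; CERT_NEW=$WORK/new.crt; CERT_NEW2=$WORK/new2.crt

# the "log": sign a constructed message with the new key, then keep only the
# hex strings, the way the values would be copied out of an opensc debug log
printf 'IKE auth payload (constructed)' > "$WORK/msg.bin"
openssl dgst -sha256 -sign "$WORK/new.key" -out "$WORK/msg.sig" "$WORK/msg.bin"
DATA_HEX=$(bin2hex "$WORK/msg.bin")
SIG_HEX=$(bin2hex "$WORK/msg.sig")

echo "old/new share a key:        $(same_key "$CERT_OLD" "$CERT_NEW" && echo yes || echo no)"
echo "new/reissued share a key:   $(same_key "$CERT_NEW" "$CERT_NEW2" && echo yes || echo no)"
echo "signature validates under:  $(matching_cert "$DATA_HEX" "$SIG_HEX" "$CERT_OLD" "$CERT_NEW")"
```

With real card data, replace the constructed certificate paths with the files pulled off the card via `pkcs15-tool -r` or opensc-explorer, and paste the hex from the log into DATA_HEX and SIG_HEX. If `same_key` reports that old and new certificates share a key, a wrong certificate can still yield a valid signature, which is exactly the situation Andreas describes where the other side cannot tell the two apart from the signature alone.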
