Xiaoshuo Wu wrote:
> Hello,
> I am stuck in updating certificate using "pkcs15-init -U" command,
> here is what I did:
> I'd like to store one certificate and update it with a new one, so I
> derived two certificates with one private key with a few openssl commands.
> Then I erase & initialize the card, store one certificate & update it
> with the new one.
> This whole thing failed in updating certificate, saying "Security
> status not satisfied".
> I put in attachment the script and complete debug trace.
>
> I am using Feitian PKI card PK01C with OpenSC r4256. The debugging
> with gdb shows me the reason:
> The ACL entry defined in entersafe.profile shows that to update the
> certificate file one needs to be authenticated.
> While sc_select_file() called in sc_pkcs15init_update_certificate()
> couldn't get the ACLs (entersafe driver can't get one file's ACLs by
> simply selecting it).
> So the later sc_pkcs15init_authenticate() will not verify the pin.
>
> So here is the situation: I probably couldn't get one file's ACLs via
> selecting, but only via creating (entersafe.profile), and updating a
> certificate will not create a new file.
> Any advice about this?

Actually there is no way to update certificates for the cards that do not return ACLs at file selection.
The 'sc_pkcs15init_update_certificate' should be modified; it has to instantiate certificate file from the profile, using the attributes of the really existing cert file (path, id, ??), and pass it to 'sc_pkcs15init_authenticate(UPDATE)'.

>
> Regards, Xiaoshuo

Kind wishes,
Viktor.

> ------------------------------------------------------------------------
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
Viktor Tarasov <viktor.tara...@opentrust.com>
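
An added illustration, not part of the thread and not OpenSC code: a self-contained C model of the two flows discussed above, showing why authenticating against a selected file with no ACL information skips PIN verification, and how taking the ACL from a profile template avoids that. Every name (`model_select`, `update_via_profile`, and so on) and the path value are hypothetical; the template requiring CHV for UPDATE is an assumption based on the description of entersafe.profile in the first message.

```c
/* Toy model (not OpenSC code) of the host/card ACL mismatch in the thread. */
#include <stdio.h>
#include <string.h>

enum { ACL_UNKNOWN, ACL_CHV };               /* host's view of the UPDATE rule */
enum { OK = 0, ERR_SECURITY_STATUS = -1 };   /* "Security status not satisfied" */
struct file { char path[16]; int update_acl; };
struct card { int pin_verified; };           /* the card always enforces CHV */

/* Driver select: finds the file but cannot report its ACLs. */
static struct file model_select(const char *path) {
    struct file f = { "", ACL_UNKNOWN };
    strncpy(f.path, path, sizeof f.path - 1);
    return f;
}

/* Host authenticate: verifies the PIN only when the file's ACL asks for it. */
static void model_authenticate(struct card *c, const struct file *f) {
    if (f->update_acl == ACL_CHV)
        c->pin_verified = 1;                 /* stands in for a PIN verify */
}

/* Card-side update: enforced on the card whatever the host believes. */
static int model_update(const struct card *c) {
    return c->pin_verified ? OK : ERR_SECURITY_STATUS;
}

/* Flow from the report: authenticate against the selected file. */
int update_via_select(const char *path) {
    struct card c = { 0 };
    struct file f = model_select(path);
    model_authenticate(&c, &f);              /* ACL unknown, PIN never verified */
    return model_update(&c);
}

/* Flow from the reply: profile template plus the existing file's path. */
int update_via_profile(const char *path) {
    struct card c = { 0 };
    struct file tmpl = { "", ACL_CHV };      /* assumed profile entry for UPDATE */
    struct file f = model_select(path);
    memcpy(tmpl.path, f.path, sizeof tmpl.path);
    model_authenticate(&c, &tmpl);
    return model_update(&c);
}

int main(void) {
    const char *p = "3F005015";              /* constructed sample path */
    printf("select: %d, profile: %d\n", update_via_select(p), update_via_profile(p));
    return 0;
}
```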