hi all,

a new attempt, this time with the Omnikey reader that Jean-Michel so kindly sent me (thanks again!).

This time I attached the card reader to a CentOS 5 box which has
- openssl 0.9.8e
- opensc 0.11.9
- pcsc-1.4.102
Later on I added opensc 0.11.13 (read below).

I started out with the gooze tutorial again:
http://www.gooze.eu/howto/smartcard-quickstarter-guide

ardeche [janjust] > pkcs15-init -E
Using reader with a card: OmniKey CardMan 3121 00 00

ardeche [janjust] > pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 123456 --puk 111111 --label "janjust"
Using reader with a card: OmniKey CardMan 3121 00 00

ardeche [janjust] > pkcs15-init --store-certificate ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem
Using reader with a card: OmniKey CardMan 3121 00 00
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:

ardeche [janjust] > pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
Using reader with a card: OmniKey CardMan 3121 00 00
Please enter passphrase to unlock secret key:
User PIN required.
Please enter User PIN:
pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed.
Aborted

At this point I downloaded and built opensc-0.11.13 like this:

ardeche [janjust] > head -10 config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by opensc configure 0.11.13, which was
generated by GNU Autoconf 2.64.  Invocation command line was

  $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian

After the build and install I continued:

ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id 01
Using reader with a card: OmniKey CardMan 3121 00 00
User PIN required.
Please enter User PIN:
[pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit
[pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU
[pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu: returning with: Transmit failed
[pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit failed: Transmit failed
[pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed
[pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key: EnterSafe generate RSA key pair failed: Transmit failed
Failed to generate key: Transmit failed

This still fails, but that might be related to the older pcsc-lite version...

ardeche [janjust] > ./pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
Using reader with a card: OmniKey CardMan 3121 00 00
Please enter passphrase to unlock secret key:
User PIN required.
Please enter User PIN:
pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed.
Aborted

So I commented out 'assert(0)' in card-entersafe.c:

ardeche [janjust] > ./pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
Using reader with a card: OmniKey CardMan 3121 00 00
Please enter passphrase to unlock secret key:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:

I had to enter the PIN 4 times, but OK:

ardeche [janjust] > ./pkcs15-tool --dump
Using reader with a card: OmniKey CardMan 3121 00 00
PKCS#15 Card [janjust]:
	Version        : 1
	Serial number  : 3092541116010310
	Manufacturer ID: EnterSafe
	Last update    : 20100520100048Z
	Flags          : EID compliant

PIN [User PIN]
	Com. Flags: 0x3
	ID        : 01
	Flags     : [0x30], initialized, needs-padding
	Length    : min_len:4, max_len:16, stored_len:16
	Pad char  : 0x00
	Reference : 1
	Type      : ascii-numeric
	Path      : 3f005015

Private RSA Key [Private Key]
	Com. Flags  : 3
	Usage       : [0x4], sign
	Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength   : 1024
	Key ref     : 1
	Native      : yes
	Path        : 3f005015
	Auth ID     : 01
	ID          : 123456

Public RSA Key [Public Key]
	Com. Flags  : 2
	Usage       : [0x4], sign
	Access Flags: [0x0]
	ModLength   : 1024
	Key ref     : 0
	Native      : no
	Path        : 3f0050153056
	Auth ID     :
	ID          : 123456

X.509 Certificate [Certificate]
	Flags    : 2
	Authority: no
	Path     : 3f005015315a
	ID       : 123456

Next we try to generate a self-signed certificate:

ardeche [janjust] 1> ./openssl version
OpenSSL 0.9.8e 23 Feb 2007 (Library: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)

ardeche [janjust] > ./openssl
OpenSSL> engine dynamic -pre SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key 123456 -keyform engine -x509 -out cert.pem -text
engine "pkcs11" set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:NL
State or Province Name (full name) [Berkshire]:Amsterdam
Locality Name (eg, city) [Newbury]:Amsterdam
Organization Name (eg, company) [My Company Ltd]:Nikhef
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Jan Just
Email Address []:
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
[opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: returning with: Card command failed
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card command failed
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Card command failed
15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
error in req

This is, again, the error -1200. The full opensc-debug.log file is
http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520

I'm getting quite annoyed with this card ... What am I doing wrong?

share and enjoy,

JJK / Jan Just Keijser

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
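The `pkcs15-tool --dump` listing in the post is the one place where the state of the card can be checked before trying to sign with it. The following is an added example, not code from the post or from the OpenSC project: a small parser for that dump format plus a few consistency checks a card administrator would want to run (does every private key reference an existing PIN object, is it marked sensitive/neverExtract, is there a private key behind each certificate, and is the modulus at least a chosen minimum). The sample input is the post's own dump re-typed as constructed text; the function names and the 2048-bit threshold are assumptions of this example.

```python
"""Parse `pkcs15-tool --dump` output and run sanity checks on the objects.

Hypothetical helper written for this post, not part of OpenSC.
"""
import re
from collections import defaultdict

# Constructed input: the dump from the post, re-typed with the
# one-object-per-block layout pkcs15-tool prints.
SAMPLE_DUMP = """\
PKCS#15 Card [janjust]:
    Version        : 1
    Serial number  : 3092541116010310
    Manufacturer ID: EnterSafe
    Last update    : 20100520100048Z
    Flags          : EID compliant

PIN [User PIN]
    Com. Flags: 0x3
    ID        : 01
    Flags     : [0x30], initialized, needs-padding
    Length    : min_len:4, max_len:16, stored_len:16
    Pad char  : 0x00
    Reference : 1
    Type      : ascii-numeric
    Path      : 3f005015

Private RSA Key [Private Key]
    Com. Flags  : 3
    Usage       : [0x4], sign
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength   : 1024
    Key ref     : 1
    Native      : yes
    Path        : 3f005015
    Auth ID     : 01
    ID          : 123456

Public RSA Key [Public Key]
    Com. Flags  : 2
    Usage       : [0x4], sign
    Access Flags: [0x0]
    ModLength   : 1024
    Key ref     : 0
    Native      : no
    Path        : 3f0050153056
    Auth ID     :
    ID          : 123456

X.509 Certificate [Certificate]
    Flags    : 2
    Authority: no
    Path     : 3f005015315a
    ID       : 123456
"""

# An object header is an unindented line such as "PIN [User PIN]" or
# "PKCS#15 Card [janjust]:"; everything indented below it is "key : value".
HEADER_RE = re.compile(r"^(?P<kind>[^\[]+?)\s*\[(?P<label>[^\]]*)\]:?\s*$")


def parse_dump(text):
    """Return a list of {'kind', 'label', 'attrs'} dicts, one per object."""
    objects = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER_RE.match(raw)
        if m and not raw[0].isspace():
            current = {"kind": m.group("kind").strip(),
                       "label": m.group("label"), "attrs": {}}
            objects.append(current)
            continue
        if current is None or ":" not in raw:
            continue
        # Split on the first colon only: "Length : min_len:4, max_len:16"
        key, _, value = raw.strip().partition(":")
        current["attrs"][key.strip()] = value.strip()
    return objects


def flag_names(value):
    """'[0x1D], sensitive, local' -> {'sensitive', 'local'} (hex word dropped)."""
    parts = [p.strip() for p in value.split(",")]
    return {p for p in parts[1:] if p}


def check_card(objects, min_modlen=2048):
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    pin_ids = {o["attrs"].get("ID") for o in objects if o["kind"] == "PIN"}
    by_id = defaultdict(dict)
    for o in objects:
        if o["attrs"].get("ID"):
            by_id[o["attrs"]["ID"]][o["kind"]] = o
    for o in objects:
        a, name = o["attrs"], f'{o["kind"]} [{o["label"]}]'
        if o["kind"] == "Private RSA Key":
            if a.get("Auth ID") not in pin_ids:
                findings.append(f"{name}: Auth ID {a.get('Auth ID')!r} matches no PIN object")
            missing = {"sensitive", "neverExtract"} - flag_names(a.get("Access Flags", ""))
            for flag in sorted(missing):
                findings.append(f"{name}: private key lacks access flag {flag}")
            if int(a.get("ModLength", "0")) < min_modlen:
                findings.append(f"{name}: modulus {a.get('ModLength')} bits is below {min_modlen}")
        elif o["kind"] == "X.509 Certificate":
            if "Private RSA Key" not in by_id.get(a.get("ID"), {}):
                findings.append(f"{name}: no private key with ID {a.get('ID')}")
    return findings


if __name__ == "__main__":
    for line in check_card(parse_dump(SAMPLE_DUMP)) or ["all checks passed"]:
        print(line)
```

On the post's dump the only finding is the 1024-bit modulus (the key came from an existing `userkey.pem`); the PIN link, the access flags and the certificate/key pairing all check out, which is consistent with the signing failure being a card-driver problem rather than a mis-provisioned object.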