After looking at your
http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
and reading these mails again, this does not look like a reader or pcsc
problem.  You were not able to write your Globus key to the card,
and were not able to generate a key on the card.

In http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
it fails trying to use a key that is not on the card, or is not valid.
  "69 84" is iso7816.c:102:iso7816_check_sw: Referenced data invalidated

So the traces to send to the list are:
    write an existing key to the card
    generate a key on the card.

Is the card capable of using 2048 bit key?
What size was the Globus key?

Jan Just Keijser wrote:
> hi all,
> 
> a new attempt, this time with the Omnikey reader that Jean-Michel so 
> kindly sent me (thanks again!). This time I attached the card reader to 
> a CentOS 5 box which has
> - openssl 0.9.8e
> - opensc 0.11.9
> - pcsc-1.4.102
> Later on I added opensc 0.11.13 (read below)
> 
> I started out with the gooze tutorial again
>   http://www.gooze.eu/howto/smartcard-quickstarter-guide
> 
> ardeche [janjust] > pkcs15-init -E
> Using reader with a card: OmniKey CardMan 3121 00 00
> 
> ardeche [janjust] > pkcs15-init --create-pkcs15 --profile pkcs15+onepin 
> --use-default-transport-key --pin 123456 --puk 111111 --label "janjust"
> Using reader with a card: OmniKey CardMan 3121 00 00
> 
> ardeche [janjust] >  pkcs15-init --store-certificate 
> ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem
> Using reader with a card: OmniKey CardMan 3121 00 00
> User PIN required.
> Please enter User PIN:
> User PIN required.
> Please enter User PIN:
> 
> ardeche [janjust] > pkcs15-init --store-private-key 
> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
> Using reader with a card: OmniKey CardMan 3121 00 00
> Please enter passphrase to unlock secret key:
> User PIN required.
> Please enter User PIN:
> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion 
> `0' failed.
> Aborted
> 
> 
> At this point I downloaded and built opensc-0.11.13 like this:
> 
> ardeche [janjust] > head -10 config.log
> This file contains any messages produced by compilers while
> running configure, to aid debugging if configure makes a mistake.
> 
> It was created by opensc configure 0.11.13, which was
> generated by GNU Autoconf 2.64.  Invocation command line was
> 
>   $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian
> 
> 
> After the build and install I continued:
> 
> ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id 
> 01
> Using reader with a card: OmniKey CardMan 3121 00 00
> User PIN required.
> Please enter User PIN:
> [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit
> [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU
> [pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu: returning 
> with: Transmit failed
> [pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit 
> failed: Transmit failed
> [pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed
> [pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key: EnterSafe 
> generate RSA key pair failed: Transmit failed
> Failed to generate key: Transmit failed
> 
> this still fails, but that might be related to the older pcsc-lite 
> version...
> 
> ardeche [janjust] > ./pkcs15-init --store-private-key 
> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
> Using reader with a card: OmniKey CardMan 3121 00 00
> Please enter passphrase to unlock secret key:
> User PIN required.
> Please enter User PIN:
> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion 
> `0' failed.
> Aborted
> 
> So I commented out 'assert(0)' in card-entersafe.c:
> 
> ardeche [janjust] > ./pkcs15-init --store-private-key 
> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
> Using reader with a card: OmniKey CardMan 3121 00 00
> Please enter passphrase to unlock secret key:
> User PIN required.
> Please enter User PIN:
> User PIN required.
> Please enter User PIN:
> User PIN required.
> Please enter User PIN:
> User PIN required.
> Please enter User PIN:
> 
> I had to enter the PIN 4 times, but OK:
> 
> ardeche [janjust] > ./pkcs15-tool --dump
> Using reader with a card: OmniKey CardMan 3121 00 00
> PKCS#15 Card [janjust]:
>         Version        : 1
>         Serial number  : 3092541116010310
>         Manufacturer ID: EnterSafe
>         Last update    : 20100520100048Z
>         Flags          : EID compliant
> 
> PIN [User PIN]
>         Com. Flags: 0x3
>         ID        : 01
>         Flags     : [0x30], initialized, needs-padding
>         Length    : min_len:4, max_len:16, stored_len:16
>         Pad char  : 0x00
>         Reference : 1
>         Type      : ascii-numeric
>         Path      : 3f005015
> 
> Private RSA Key [Private Key]
>         Com. Flags  : 3
>         Usage       : [0x4], sign
>         Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, 
> local
>         ModLength   : 1024
>         Key ref     : 1
>         Native      : yes
>         Path        : 3f005015
>         Auth ID     : 01
>         ID          : 123456
> 
> Public RSA Key [Public Key]
>         Com. Flags  : 2
>         Usage       : [0x4], sign
>         Access Flags: [0x0]
>         ModLength   : 1024
>         Key ref     : 0
>         Native      : no
>         Path        : 3f0050153056
>         Auth ID     :
>         ID          : 123456
> 
> X.509 Certificate [Certificate]
>         Flags    : 2
>         Authority: no
>         Path     : 3f005015315a
>         ID       : 123456
> 
> Next we try to generate a self-signed certificate:
> 
> ardeche [janjust] 1> ./openssl version
> OpenSSL 0.9.8e 23 Feb 2007 (Library: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
> 
> ardeche [janjust] > ./openssl
> OpenSSL> engine dynamic -pre 
> SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 
> -pre LIST_ADD:1 -pre LOAD -pre 
> MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
> Loaded: (pkcs11) pkcs11 engine
> 
> OpenSSL> req -engine pkcs11 -new -key 123456 -keyform engine -x509 -out 
> cert.pem -text
> engine "pkcs11" set.
> PKCS#11 token PIN:
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [GB]:NL
> State or Province Name (full name) [Berkshire]:Amsterdam
> Locality Name (eg, city) [Newbury]:Amsterdam
> Organization Name (eg, company) [My Company Ltd]:Nikhef
> Organizational Unit Name (eg, section) []:
> Common Name (eg, your name or your server's hostname) []:Jan Just
> Email Address []:
> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
> [opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: 
> returning with: Card command failed
> [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card 
> command failed
> [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: 
> sc_compute_signature() failed: Card command failed
> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General 
> Error:p11_ops.c:131:
> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP 
> lib:a_sign.c:276:
> error in req
> 
> this is - again - the error -1200 . The full opensc-debug.log file is
>   http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
> 
> I'm getting quite annoyed with this card ...
> 
> What am I doing wrong?
> 
> 
> 
> share and enjoy,
> 
> JJK / Jan Just Keijser
> 
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
> 
> 

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
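Added example, not taken from either message in this thread and not OpenSC's own code: a small Python decoder for ISO 7816-4 status words such as the "69 84" named in the reply, plus a triage pass over diagnostic lines of the kind quoted above that attributes each failure to the card (it answered with an error status word), the transport (reader / pcsc-lite, the APDU never got an answer) or the host tool (an assertion in the card driver). The sample lines are constructed after the ones quoted in the thread, the status-word table holds the standard ISO 7816-4 meanings, and all function names are this example's own.

```python
"""Decode ISO 7816-4 status words and attribute OpenSC diagnostics to a layer."""
import re
from typing import List, Tuple

# ISO 7816-4 status words (SW1 SW2). OpenSC prints 69 84 as
# "Referenced data invalidated", which is the message quoted in the thread.
SW_MEANINGS = {
    0x9000: "Success",
    0x6982: "Security status not satisfied (e.g. PIN not verified)",
    0x6983: "Authentication method blocked (e.g. PIN blocked)",
    0x6984: "Referenced data invalidated",
    0x6985: "Conditions of use not satisfied",
    0x6A80: "Incorrect parameters in the data field",
    0x6A82: "File not found",
    0x6A86: "Incorrect parameters P1-P2",
    0x6A88: "Referenced data not found",
    0x6D00: "Instruction code not supported",
    0x6E00: "Class not supported",
}


def decode_sw(sw1: int, sw2: int) -> str:
    """Return the ISO 7816-4 meaning of a status word, including the
    families where SW2 carries a value (retry counter, Le, pending bytes)."""
    sw = (sw1 << 8) | sw2
    if sw in SW_MEANINGS:
        return SW_MEANINGS[sw]
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return "Verification failed, %d retries remaining" % (sw2 & 0x0F)
    if sw1 == 0x61:
        return "Response bytes still available: %d" % sw2
    if sw1 == 0x6C:
        return "Wrong Le, expected length is %d" % sw2
    if sw1 == 0x67:
        return "Wrong length"
    return "Unknown status word %04X" % sw


def parse_sw(text: str) -> Tuple[int, int]:
    """Parse '69 84', '6984' or '0x6984' into (SW1, SW2)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text.replace("0x", ""))
    if len(digits) != 4:
        raise ValueError("status word must be two bytes: %r" % text)
    return int(digits[:2], 16), int(digits[2:], 16)


# Layer attribution rules for OpenSC tool / debug output. First match wins.
LAYER_RULES = [
    (re.compile(r"Assertion .* failed|Aborted"), "host"),            # driver assertion
    (re.compile(r"unable to transmit|Transmit failed"), "transport"),  # reader / pcsc
    (re.compile(r"iso7816_check_sw: (.*)$"), "card"),                # card returned an error SW
]


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Attribute each diagnostic line to the layer that produced the failure.

    A line reported by iso7816_check_sw means the card received the APDU and
    answered with an error status word, so reader and pcsc-lite are not the
    problem; 'unable to transmit' means the APDU never got an answer at all."""
    findings = []
    for line in lines:
        for pattern, layer in LAYER_RULES:
            m = pattern.search(line)
            if m:
                detail = m.group(1) if m.lastindex else m.group(0)
                findings.append((layer, detail.strip()))
                break
    return findings


# Constructed sample lines, modelled on the diagnostics quoted in the thread.
SAMPLE_LINES = [
    "[pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit",
    "[pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit failed: Transmit failed",
    "[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated",
    "pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed.",
    "User PIN required.",
]


if __name__ == "__main__":
    sw1, sw2 = parse_sw("69 84")
    print("69 84 ->", decode_sw(sw1, sw2))
    for layer, detail in triage(SAMPLE_LINES):
        print("%-9s %s" % (layer, detail))
```

Run against a real opensc-debug.log, the triage separates the two failures the reply distinguishes: the signing attempt that ends in a card-side "69 84" (something wrong with the key object on the card) from the key-generation attempt that never got past the reader ("unable to transmit").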