Douglas E. Engert wrote:
> After looking at your
> http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
> and reading these mails again, this does not look like a reader or pcsc
> problem. You were not able to write your Globus key to the card,
> and were not able to generate a key on the card.

I get the exact same problem with both the Feitian SCR301 reader and with the Omnikey reader - this suggests that it's the card itself, not the card reader indeed.

> In http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
> it fails trying to use a key that is not on the card, or is not valid.
> "69 84" is iso7816.c:102:iso7816_check_sw: Referenced data invalidated
>
> So the traces to send to the list are:
> write an existing key to the card
> generate a key on the card.
>
> Is the card capable of using 2048 bit key?

The Gooze tutorial suggests that it is possible. With the latest pcsc driver from Ludovic I was able to verify this. I was unable to run the newest pcsc driver on my CentOS machine though.

> What size was the Globus key?

1024 bits

> Jan Just Keijser wrote:
>> hi all,
>>
>> a new attempt, this time with the Omnikey reader that Jean-Michel so
>> kindly sent me (thanks again!). This time I attached the card reader
>> to a CentOS 5 box which has
>> - openssl 0.9.8e
>> - opensc 0.11.9
>> - pcsc-1.4.102
>> Later on I added opensc 0.11.13 (read below)
>>
>> I started out with the gooze tutorial again
>> http://www.gooze.eu/howto/smartcard-quickstarter-guide
>>
>> ardeche [janjust] > pkcs15-init -E
>> Using reader with a card: OmniKey CardMan 3121 00 00
>>
>> ardeche [janjust] > pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 123456 --puk 111111 --label "janjust"
>> Using reader with a card: OmniKey CardMan 3121 00 00
>>
>> ardeche [janjust] > pkcs15-init --store-certificate ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>>
>> ardeche [janjust] > pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Please enter passphrase to unlock secret key:
>> User PIN required.
>> Please enter User PIN:
>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed.
>> Aborted
>>
>>
>> At this point I downloaded and built opensc-0.11.13 like this:
>>
>> ardeche [janjust] > head -10 config.log
>> This file contains any messages produced by compilers while
>> running configure, to aid debugging if configure makes a mistake.
>>
>> It was created by opensc configure 0.11.13, which was
>> generated by GNU Autoconf 2.64. Invocation command line was
>>
>> $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian
>>
>>
>> After the build and install I continued:
>>
>> ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id 01
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> User PIN required.
>> Please enter User PIN:
>> [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit
>> [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU
>> [pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu: returning with: Transmit failed
>> [pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit failed: Transmit failed
>> [pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed
>> [pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key: EnterSafe generate RSA key pair failed: Transmit failed
>> Failed to generate key: Transmit failed
>>
>> this still fails, but that might be related to the older pcsc-lite version...
>>
>> ardeche [janjust] > ./pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Please enter passphrase to unlock secret key:
>> User PIN required.
>> Please enter User PIN:
>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed.
>> Aborted
>>
>> So I commented out 'assert(0)' in card-entersafe.c:
>>
>> ardeche [janjust] > ./pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Please enter passphrase to unlock secret key:
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>>
>> I had to enter the PIN 4 times, but OK:
>>
>> ardeche [janjust] > ./pkcs15-tool --dump
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> PKCS#15 Card [janjust]:
>> Version : 1
>> Serial number : 3092541116010310
>> Manufacturer ID: EnterSafe
>> Last update : 20100520100048Z
>> Flags : EID compliant
>>
>> PIN [User PIN]
>> Com. Flags: 0x3
>> ID : 01
>> Flags : [0x30], initialized, needs-padding
>> Length : min_len:4, max_len:16, stored_len:16
>> Pad char : 0x00
>> Reference : 1
>> Type : ascii-numeric
>> Path : 3f005015
>>
>> Private RSA Key [Private Key]
>> Com. Flags : 3
>> Usage : [0x4], sign
>> Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
>> ModLength : 1024
>> Key ref : 1
>> Native : yes
>> Path : 3f005015
>> Auth ID : 01
>> ID : 123456
>>
>> Public RSA Key [Public Key]
>> Com. Flags : 2
>> Usage : [0x4], sign
>> Access Flags: [0x0]
>> ModLength : 1024
>> Key ref : 0
>> Native : no
>> Path : 3f0050153056
>> Auth ID :
>> ID : 123456
>>
>> X.509 Certificate [Certificate]
>> Flags : 2
>> Authority: no
>> Path : 3f005015315a
>> ID : 123456
>>
>> Next we try to generate a self-signed certificate:
>>
>> ardeche [janjust] 1> ./openssl version
>> OpenSSL 0.9.8e 23 Feb 2007 (Library: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
>>
>> ardeche [janjust] > ./openssl
>> OpenSSL> engine dynamic -pre SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>> (dynamic) Dynamic engine loading support
>> [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>> Loaded: (pkcs11) pkcs11 engine
>>
>> OpenSSL> req -engine pkcs11 -new -key 123456 -keyform engine -x509 -out cert.pem -text
>> engine "pkcs11" set.
>> PKCS#11 token PIN:
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -----
>> Country Name (2 letter code) [GB]:NL
>> State or Province Name (full name) [Berkshire]:Amsterdam
>> Locality Name (eg, city) [Newbury]:Amsterdam
>> Organization Name (eg, company) [My Company Ltd]:Nikhef
>> Organizational Unit Name (eg, section) []:
>> Common Name (eg, your name or your server's hostname) []:Jan Just
>> Email Address []:
>> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
>> [opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: returning with: Card command failed
>> [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card command failed
>> [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Card command failed
>> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
>> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
>> error in req
>>
>> this is - again - the error -1200. The full opensc-debug.log file is
>> http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
>>
>> I'm getting quite annoyed with this card ...
>>
>> What am I doing wrong?
>>
>>
>>
>> share and enjoy,
>>
>> JJK / Jan Just Keijser
>>
>> _______________________________________________
>> opensc-devel mailing list
>> [email protected]
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
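An added triage helper for the kind of trace Douglas asks for; this is example code written for this page, not part of the thread or of OpenSC. It parses the `[tool] file.c:line:function: message` error lines quoted above, separates the innermost failure (the iso7816_check_sw line) from the "returning with" lines that merely forward it up the stack, and maps the check_sw text back to the ISO 7816-4 status word ("69 84"). The sample lines are the ones from the signing attempt above; the status-word table is an assumed subset.

```python
import re
from collections import namedtuple
from typing import List, Optional
# Constructed sample: the four error lines quoted in the thread, in the
# "[tool] file.c:line:function: message" form that OpenSC's debug output uses.
SAMPLE_LOG = """\
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
[opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: returning with: Card command failed
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card command failed
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Card command failed
"""

LINE_RE = re.compile(r"^\[(?P<tool>[^\]]+)\]\s+(?P<file>[\w.-]+):(?P<line>\d+):(?P<func>\w+):\s*(?P<msg>.*)$")

# Assumed subset of ISO 7816-4 status words, keyed by the text OpenSC prints for them.
SW_BY_TEXT = {
    "Security status not satisfied": "6982",
    "Referenced data invalidated": "6984",
    "File not found": "6A82",
    "Referenced data not found": "6A88",
}

Frame = namedtuple("Frame", "tool file line func msg")

def parse_log(text: str) -> List[Frame]:
    """Keep only lines in the OpenSC error-line shape; prompts and banners are skipped."""
    frames = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            frames.append(Frame(m["tool"], m["file"], int(m["line"]), m["func"], m["msg"]))
    return frames

def is_propagation(f: Frame) -> bool:
    """'returning with: X' and '... failed: X' lines only forward an error upward."""
    return "returning with:" in f.msg or "failed:" in f.msg

def root_cause(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame: the first line that reports an error rather than forwarding one."""
    originals = [f for f in frames if not is_propagation(f)]
    return originals[0] if originals else (frames[0] if frames else None)

def status_word(f: Frame) -> Optional[str]:
    """Map the check_sw text back to its SW1 SW2 pair ('6984' for the line above)."""
    return SW_BY_TEXT.get(f.msg.strip())

def triage(text: str) -> Optional[str]:
    """One-line verdict: which function first failed and with which status word."""
    rc = root_cause(parse_log(text))
    if rc is None:
        return None
    return "%s (%s:%d) -> SW %s" % (rc.func, rc.file, rc.line, status_word(rc) or "unknown")
```

Run on the generate-key trace from the same mail, the same logic stops at pcsc_transmit ("unable to transmit"), which is why that failure points at the pcsc layer rather than at the card.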
