Thank you for testing Feitian products, AFAIK SCR301 is compliant with CCID V1.1, so no proprietary driver needed.
More information for the Feitian folks: I also tried the driver bundle from the ftsafe website but it only supports the SCR200 card reader, not the 301; what was/am I doing wrong there?
On Thu, 20 May 2010 18:35:13 +0800, Jan Just Keijser <janj...@nikhef.nl> wrote:
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
[opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: returning with: Card command failed
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card command failed
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Card command failed
15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
error in req
this is - again - the error -1200. The full opensc-debug.log file is http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
I got similar result on my debian 5 (engine-pkcs11, pcsclite, pcscd, OpenSSL, all distribution version) with OpenSC r4365, here are the commands I use:
pkcs15-init -E
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 123456 --puk 111111 --label "janjust"
openssl genrsa 2048 > id_rsa.pem
openssl rsa -pubout < id_rsa.pem > id_rsa.pub
pkcs15-init --store-private-key id_rsa.pem --id 45 --auth-id 01 --pin 123456
openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -x509 -out cert.pem -text
Thanks to http://www.gooze.eu/howto/smartcard-quickstarter-guide/generating-transferring-and-extracting-x-509-certificates, I found "-key 45" should be "-key slot_X-id_45", where X is the slot number you got through "pkcs11-tool --list-slots".
Here are the commands that work for me:
OpenSSL> req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -x509 -out cert.pem -text
OpenSSL> quit
openssl verify -CAfile cert.pem cert.pem
pkcs15-init --store-certificate cert.pem --auth-id 01 --id 123456 --format pem
I also attached the log in detail.
On Thu, 20 May 2010 19:50:46 +0800, Jan Just Keijser <janj...@nikhef.nl> wrote:
I saw "slot_1-id_6606", please run "pkcs11-tool --list-slots" and "pkcs15-tool --dump", to see if you have a private key with ID 6606 in the card that was inserted in slot 1?
$ ./openssl
OpenSSL> engine dynamic -pre SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key slot_1-id_6606 -keyform engine -x509 -out cert.pem -text
engine "pkcs11" set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
28400:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
28400:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
error in req
OpenSSL> quit
in other words: same error. See http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520 for the full log
Regards, Xiaoshuo
log.tar.bz2
Description: application/bzip2
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel