Hi all,

positive news this time: I've managed to upload my certificate to the Feitian ePass and sign a certificate request with it (i.e. no more annoying openssl error:

  15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
  15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:

Here's what I did:
- svn checkout of the pcsc code
- build the pcsc code
- svn checkout of the opensc code
- patch the opensc code so that the openssl 1.0 thing does not bite me (it's still broken in svn)
- build the opensc code (with --enable-pcsc)
- grab the latest engine_pkcs11 code and build it
then
- run the new pcscd
- modify opensc.conf to point to the new libpcsclite libs and a new profile directory (/usr/local/share/opensc)
- re-initialize the card
- install the cert + userkey
- run my script to sign a cert request

and this finally worked!

I then switched back to the older opensc 0.11.13 code and that also worked for signing a certificate request! However, if I re-initialize the card using the opensc 0.11.13 codebase the cert signing failed using both the old and the new version of opensc: this leads me to believe that the card initialisation code has changed between 0.11.13 and 0.12 (svn) ...

Now I have to test if all of this also works for the Feitian SCR301 card reader ...

The preliminary conclusion is that yes it *is* possible to get this card working on Linux but it requires *lots* of tinkering, including the svn checkout. One of the things about the 0.12 codebase is the fact that all of a sudden I have to use slot=1 instead of slot=0 but I guess I can live with that annoyance ...

Another interesting observation is that it seems impossible to store a certificate/pub key/priv key on the card using ID=666: it always ends up as ID=6066. This is not related to the Feitian card, as it also happens with my trusty old Aladdin eToken PRO.

And thanks to Douglas Engert for pointing out the certificate compromise ;-)

cheers,

JJK / Jan Just Keijser

>
> Jan Just Keijser wrote:
>> Yang Liu wrote:
>>> Dear Customer,
>>>
>>> Our R&D team replied to your enquiry in
>>> http://www.opensc-project.org/pipermail/opensc-devel/2010-May/014259.html
>>>
>> I saw the posting on the list, as well as several other useful
>> suggestions; I will try the suggested commands next Tuesday as I
>> won't have access to the card reader or card until that time.
>>
>>> -----Original Message-----
>>> From: Jan Just Keijser [mailto:janj...@nikhef.nl]
>>> Sent: Thursday, May 20, 2010 6:35 PM
>>> To: opensc-devel@lists.opensc-project.org
>>> Cc: liuy...@ftsafe.com; jmpo...@gooze.eu
>>> Subject: [SPAM] Re: Feitian ePass+SCR301 problem
>>>
>>> hi all,
>>>
>>> a new attempt, this time with the Omnikey reader that Jean-Michel so
>>> kindly sent me (thanks again!). This time I attached the card reader
>>> to a CentOS 5 box which has
>>> - openssl 0.9.8e
>>> - opensc 0.11.9
>>> - pcsc-1.4.102
>>> Later on I added opensc 0.11.13 (read below)
>>>
>>> I started out with the gooze tutorial again
>>> http://www.gooze.eu/howto/smartcard-quickstarter-guide
>>>
>>> ardeche [janjust] > pkcs15-init -E
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>
>>> ardeche [janjust] > pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 123456 --puk 111111 --label "janjust"
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>
>>> ardeche [janjust] > pkcs15-init --store-certificate ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>> User PIN required.
>>> Please enter User PIN:
>>> User PIN required.
>>> Please enter User PIN:
>>>
>>> ardeche [janjust] > pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>> Please enter passphrase to unlock secret key:
>>> User PIN required.
>>> Please enter User PIN:
>>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed.
>>> Aborted
>>>
>>> At this point I downloaded and built opensc-0.11.13 like this:
>>>
>>> ardeche [janjust] > head -10 config.log
>>> This file contains any messages produced by compilers while
>>> running configure, to aid debugging if configure makes a mistake.
>>>
>>> It was created by opensc configure 0.11.13, which was
>>> generated by GNU Autoconf 2.64.  Invocation command line was
>>>
>>>   $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian
>>>
>>> After the build and install I continued:
>>>
>>> ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id 01
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>> User PIN required.
>>> Please enter User PIN:
>>> [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit
>>> [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU
>>> [pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu: returning with: Transmit failed
>>> [pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit failed: Transmit failed
>>> [pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed
>>> [pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key: EnterSafe generate RSA key pair failed: Transmit failed
>>> Failed to generate key: Transmit failed
>>>
>>> this still fails, but that might be related to the older pcsc-lite version...
>>>
>>> ardeche [janjust] > ./pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>> Please enter passphrase to unlock secret key:
>>> User PIN required.
>>> Please enter User PIN:
>>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed.
>>> Aborted
>>>
>>> So I commented out 'assert(0)' in card-entersafe.c:
>>>
>>> ardeche [janjust] > ./pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>> Please enter passphrase to unlock secret key:
>>> User PIN required.
>>> Please enter User PIN:
>>> User PIN required.
>>> Please enter User PIN:
>>> User PIN required.
>>> Please enter User PIN:
>>> User PIN required.
>>> Please enter User PIN:
>>>
>>> I had to enter the PIN 4 times, but OK:
>>>
>>> ardeche [janjust] > ./pkcs15-tool --dump
>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>> PKCS#15 Card [janjust]:
>>>         Version        : 1
>>>         Serial number  : 3092541116010310
>>>         Manufacturer ID: EnterSafe
>>>         Last update    : 20100520100048Z
>>>         Flags          : EID compliant
>>>
>>> PIN [User PIN]
>>>         Com. Flags: 0x3
>>>         ID        : 01
>>>         Flags     : [0x30], initialized, needs-padding
>>>         Length    : min_len:4, max_len:16, stored_len:16
>>>         Pad char  : 0x00
>>>         Reference : 1
>>>         Type      : ascii-numeric
>>>         Path      : 3f005015
>>>
>>> Private RSA Key [Private Key]
>>>         Com. Flags  : 3
>>>         Usage       : [0x4], sign
>>>         Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
>>>         ModLength   : 1024
>>>         Key ref     : 1
>>>         Native      : yes
>>>         Path        : 3f005015
>>>         Auth ID     : 01
>>>         ID          : 123456
>>>
>>> Public RSA Key [Public Key]
>>>         Com. Flags  : 2
>>>         Usage       : [0x4], sign
>>>         Access Flags: [0x0]
>>>         ModLength   : 1024
>>>         Key ref     : 0
>>>         Native      : no
>>>         Path        : 3f0050153056
>>>         Auth ID     :
>>>         ID          : 123456
>>>
>>> X.509 Certificate [Certificate]
>>>         Flags    : 2
>>>         Authority: no
>>>         Path     : 3f005015315a
>>>         ID       : 123456
>>>
>>> Next we try to generate a self-signed certificate:
>>>
>>> ardeche [janjust] 1> ./openssl version
>>> OpenSSL 0.9.8e 23 Feb 2007 (Library: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
>>>
>>> ardeche [janjust] > ./openssl
>>> OpenSSL> engine dynamic -pre SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>>> Loaded: (pkcs11) pkcs11 engine
>>>
>>> OpenSSL> req -engine pkcs11 -new -key 123456 -keyform engine -x509 -out cert.pem -text
>>> engine "pkcs11" set.
>>> PKCS#11 token PIN:
>>> You are about to be asked to enter information that will be incorporated
>>> into your certificate request.
>>> What you are about to enter is what is called a Distinguished Name or a DN.
>>> There are quite a few fields but you can leave some blank
>>> For some fields there will be a default value,
>>> If you enter '.', the field will be left blank.
>>> -----
>>> Country Name (2 letter code) [GB]:NL
>>> State or Province Name (full name) [Berkshire]:Amsterdam
>>> Locality Name (eg, city) [Newbury]:Amsterdam
>>> Organization Name (eg, company) [My Company Ltd]:Nikhef
>>> Organizational Unit Name (eg, section) []:
>>> Common Name (eg, your name or your server's hostname) []:Jan Just
>>> Email Address []:
>>> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
>>> [opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: returning with: Card command failed
>>> [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card command failed
>>> [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Card command failed
>>> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
>>> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
>>> error in req
>>>
>>> this is - again - the error -1200. The full opensc-debug.log file is
>>> http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
>>>
>>> I'm getting quite annoyed with this card ...
>>>
>>> What am I doing wrong?
>>>
>>> share and enjoy,
>>>
>>> JJK / Jan Just Keijser
>>>
>>
>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
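Two things worth verifying after provisioning a token like this are that every object really carries the ID that was requested (the ID=666 turning into ID=6066 surprise above) and that the private key is flagged sensitive/neverExtract, as it is in the quoted pkcs15-tool --dump. Added example, not code from the thread or from OpenSC: a small Python checker over a constructed sample of that listing, assuming pkcs15-tool's "Header [label]" / indented "field : value" layout shown above.

```python
# Constructed sample, cut down from the pkcs15-tool --dump listing quoted in the thread.
SAMPLE_DUMP = """\
PKCS#15 Card [janjust]:
        Manufacturer ID: EnterSafe

Private RSA Key [Private Key]
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ID          : 123456

Public RSA Key [Public Key]
        Usage       : [0x4], sign
        Access Flags: [0x0]
        ID          : 123456

X.509 Certificate [Certificate]
        Authority: no
        ID       : 123456
"""

KEY_OBJECTS = ("Private RSA Key", "Public RSA Key", "X.509 Certificate")
def parse_dump(text):
    """Split a --dump listing into one {field: value} dict per object ('_type' = header)."""
    objects, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line starts a new object
            current = {"_type": line.split("[")[0].strip()}
            objects.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return objects

def check_provisioning(text, expected_id):
    """Return a list of findings; an empty list means the token matches expectations."""
    findings = []
    for o in [o for o in parse_dump(text) if o["_type"] in KEY_OBJECTS]:
        # Catches the ID=666 -> 6066 surprise: the stored ID differs from the requested one.
        if o.get("ID", "").lower() != expected_id.lower():
            findings.append("%s: stored ID %s, requested %s" % (o["_type"], o.get("ID"), expected_id))
        if o["_type"] == "Private RSA Key":
            flags = o.get("Access Flags", "")
            if "sensitive" not in flags or "neverExtract" not in flags:
                findings.append("private key %s is extractable: %s" % (o.get("ID"), flags))
            if "sign" not in o.get("Usage", ""):
                findings.append("private key %s lacks sign usage" % o.get("ID"))
    return findings
```

Feed it the real output (`pkcs15-tool --dump`) and the ID you passed to `pkcs15-init --id`; any finding means the token is not in the state you asked for.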