Jan Just Keijser wrote:
> Hi all,
>
> positive news this time: I've managed to upload my certificate to the
> Feitian ePass and sign a certificate request with it (i.e. no more
> annoying openssl error:
> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General
> Error:p11_ops.c:131:
> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
> lib:a_sign.c:276:
>
> here's what I did:
>
> - svn checkout of the pcsc code
> - build the pcsc code
> - svn checkout of the opensc code
> - patch the opensc code so that the openssl 1.0 thing does not bite me
>   (it's still broken in svn)
> - build the opensc code (with --enable-pcsc)
> - grab the latest engine_pkcs11 code and build it
>
> then
> - run the new pcscd
> - modify opensc.conf to point to the new libpcsclite libs and a new
>   profile directory (/usr/local/share/opensc)
> - re-initialize the card
> - install the cert + userkey
> - run my script to sign a cert request
> and this finally worked!
>
> I then switched back to the older opensc 0.11.13 code and that also
> worked for signing a certificate request!
> However, if I re-initialize the card using the opensc 0.11.13 codebase
> the cert signing failed using both the old and the new version of opensc:
> this leads me to believe that the card initialisation code has changed
> between 0.11.13 and 0.12 (svn) ...
>
In fact, initialization of the Feitian card has been changed -- it was
discussed in the thread 'C_SignFinal fails when using a pinpad reader':
the User PIN of this card is the local one. This fact was not reflected
in the PIN's attributes written into the card during initialization with
opensc 0.11.13.

> Now I have to test if all of this also works for the Feitian SCR301 card
> reader ...
>
> The preliminary conclusion is that yes it *is* possible to get this card
> working on Linux but it requires *lots* of tinkering, including the svn
> checkout.

I hope the final conclusion will be more optimistic. There was a bug in
opensc-0.11.13; now it's corrected in trunk -- I venture to say it's
'normal'.

> One of the things about the 0.12 codebase is the fact that all
> of a sudden I have to use slot=1 instead of slot=0 but I guess I can
> live with that annoyance ...
>
If you set 'plug_and_play' to 'false' in your opensc.conf, you will have
your token in slot '0'.

> Another interesting observation is that it seems impossible to store a
> certificate/pub key/priv key on the card using ID=666: it always ends
> up as ID=6066. This is not related to the Feitian card, as it also
> happens with my trusty old Aladdin eToken PRO.
>
> And thanks to Douglas Engbert for pointing out the certificate
> compromise ;-)
>
> cheers,
>
Kind wishes,
Viktor.

> JJK / Jan Just Keijser
>
>
>> Jan Just Keijser wrote:
>>
>>> Yang Liu wrote:
>>>
>>>> Dear Customer,
>>>>
>>>> Our R&D team replied to your enquiry in
>>>> http://www.opensc-project.org/pipermail/opensc-devel/2010-May/014259.html
>>>>
>>> I saw the posting on the list, as well as several other useful
>>> suggestions; I will try the suggested commands next Tuesday as I
>>> won't have access to the card reader or card until that time.
>>>
>>>> -----Original Message-----
>>>> From: Jan Just Keijser [mailto:janj...@nikhef.nl]
>>>> Sent: Thursday, May 20, 2010 6:35 PM
>>>> To: opensc-devel@lists.opensc-project.org
>>>> Cc: liuy...@ftsafe.com; jmpo...@gooze.eu
>>>> Subject: [SPAM] Re: Feitian ePass+SCR301 problem
>>>>
>>>> hi all,
>>>>
>>>> a new attempt, this time with the Omnikey reader that Jean-Michel so
>>>> kindly sent me (thanks again!). This time I attached the card reader
>>>> to a CentOS 5 box which has
>>>> - openssl 0.9.8e
>>>> - opensc 0.11.9
>>>> - pcsc-1.4.102
>>>> Later on I added opensc 0.11.13 (read below)
>>>>
>>>> I started out with the gooze tutorial again
>>>> http://www.gooze.eu/howto/smartcard-quickstarter-guide
>>>>
>>>> ardeche [janjust] > pkcs15-init -E
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>>
>>>> ardeche [janjust] > pkcs15-init --create-pkcs15 --profile
>>>> pkcs15+onepin --use-default-transport-key --pin 123456 --puk 111111
>>>> --label "janjust"
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>>
>>>> ardeche [janjust] > pkcs15-init --store-certificate
>>>> ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>> User PIN required.
>>>> Please enter User PIN:
>>>> User PIN required.
>>>> Please enter User PIN:
>>>>
>>>> ardeche [janjust] > pkcs15-init --store-private-key
>>>> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>> Please enter passphrase to unlock secret key:
>>>> User PIN required.
>>>> Please enter User PIN:
>>>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum:
>>>> Assertion `0' failed.
>>>> Aborted
>>>>
>>>>
>>>> At this point I downloaded and built opensc-0.11.13 like this:
>>>>
>>>> ardeche [janjust] > head -10 config.log
>>>> This file contains any messages produced by compilers while
>>>> running configure, to aid debugging if configure makes a mistake.
>>>>
>>>> It was created by opensc configure 0.11.13, which was
>>>> generated by GNU Autoconf 2.64. Invocation command line was
>>>>
>>>>   $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian
>>>>
>>>>
>>>> After the build and install I continued:
>>>>
>>>> ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id 01
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>> User PIN required.
>>>> Please enter User PIN:
>>>> [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit
>>>> [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU
>>>> [pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu:
>>>> returning with: Transmit failed
>>>> [pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit
>>>> failed: Transmit failed
>>>> [pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed
>>>> [pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key:
>>>> EnterSafe generate RSA key pair failed: Transmit failed
>>>> Failed to generate key: Transmit failed
>>>>
>>>> this still fails, but that might be related to the older pcsc-lite
>>>> version...
>>>>
>>>> ardeche [janjust] > ./pkcs15-init --store-private-key
>>>> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>> Please enter passphrase to unlock secret key:
>>>> User PIN required.
>>>> Please enter User PIN:
>>>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum:
>>>> Assertion `0' failed.
>>>> Aborted
>>>>
>>>> So I commented out 'assert(0)' in card-entersafe.c:
>>>>
>>>> ardeche [janjust] > ./pkcs15-init --store-private-key
>>>> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>> Please enter passphrase to unlock secret key:
>>>> User PIN required.
>>>> Please enter User PIN:
>>>> User PIN required.
>>>> Please enter User PIN:
>>>> User PIN required.
>>>> Please enter User PIN:
>>>> User PIN required.
>>>> Please enter User PIN:
>>>>
>>>> I had to enter the PIN 4 times, but OK:
>>>>
>>>> ardeche [janjust] > ./pkcs15-tool --dump
>>>> Using reader with a card: OmniKey CardMan 3121 00 00
>>>> PKCS#15 Card [janjust]:
>>>>         Version        : 1
>>>>         Serial number  : 3092541116010310
>>>>         Manufacturer ID: EnterSafe
>>>>         Last update    : 20100520100048Z
>>>>         Flags          : EID compliant
>>>>
>>>> PIN [User PIN]
>>>>         Com. Flags: 0x3
>>>>         ID        : 01
>>>>         Flags     : [0x30], initialized, needs-padding
>>>>         Length    : min_len:4, max_len:16, stored_len:16
>>>>         Pad char  : 0x00
>>>>         Reference : 1
>>>>         Type      : ascii-numeric
>>>>         Path      : 3f005015
>>>>
>>>> Private RSA Key [Private Key]
>>>>         Com. Flags  : 3
>>>>         Usage       : [0x4], sign
>>>>         Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
>>>>         ModLength   : 1024
>>>>         Key ref     : 1
>>>>         Native      : yes
>>>>         Path        : 3f005015
>>>>         Auth ID     : 01
>>>>         ID          : 123456
>>>>
>>>> Public RSA Key [Public Key]
>>>>         Com. Flags  : 2
>>>>         Usage       : [0x4], sign
>>>>         Access Flags: [0x0]
>>>>         ModLength   : 1024
>>>>         Key ref     : 0
>>>>         Native      : no
>>>>         Path        : 3f0050153056
>>>>         Auth ID     :
>>>>         ID          : 123456
>>>>
>>>> X.509 Certificate [Certificate]
>>>>         Flags    : 2
>>>>         Authority: no
>>>>         Path     : 3f005015315a
>>>>         ID       : 123456
>>>>
>>>> Next we try to generate a self-signed certificate:
>>>>
>>>> ardeche [janjust] 1> ./openssl version
>>>> OpenSSL 0.9.8e 23 Feb 2007 (Library: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
>>>>
>>>> ardeche [janjust] > ./openssl
>>>> OpenSSL> engine dynamic -pre
>>>> SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre
>>>> ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
>>>> MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>>>> (dynamic) Dynamic engine loading support
>>>> [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
>>>> [Success]: ID:pkcs11
>>>> [Success]: LIST_ADD:1
>>>> [Success]: LOAD
>>>> [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>>>> Loaded: (pkcs11) pkcs11 engine
>>>>
>>>> OpenSSL> req -engine pkcs11 -new -key 123456 -keyform engine -x509
>>>> -out cert.pem -text
>>>> engine "pkcs11" set.
>>>> PKCS#11 token PIN:
>>>> You are about to be asked to enter information that will be
>>>> incorporated
>>>> into your certificate request.
>>>> What you are about to enter is what is called a Distinguished Name
>>>> or a DN.
>>>> There are quite a few fields but you can leave some blank
>>>> For some fields there will be a default value,
>>>> If you enter '.', the field will be left blank.
>>>> -----
>>>> Country Name (2 letter code) [GB]:NL
>>>> State or Province Name (full name) [Berkshire]:Amsterdam
>>>> Locality Name (eg, city) [Newbury]:Amsterdam
>>>> Organization Name (eg, company) [My Company Ltd]:Nikhef
>>>> Organizational Unit Name (eg, section) []:
>>>> Common Name (eg, your name or your server's hostname) []:Jan Just
>>>> Email Address []:
>>>> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data
>>>> invalidated
>>>> [opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey:
>>>> returning with: Card command failed
>>>> [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card
>>>> command failed
>>>> [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature:
>>>> sc_compute_signature() failed: Card command failed
>>>> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General
>>>> Error:p11_ops.c:131:
>>>> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
>>>> lib:a_sign.c:276:
>>>> error in req
>>>>
>>>> this is - again - the error -1200. The full opensc-debug.log file is
>>>> http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
>>>>
>>>> I'm getting quite annoyed with this card ...
>>>>
>>>> What am I doing wrong?
>>>>
>>>> share and enjoy,
>>>>
>>>> JJK / Jan Just Keijser
>>>>
>>>
>>
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
Viktor Tarasov <viktor.tara...@opentrust.com>
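Added example, not code from the thread, OpenSC or Feitian: a small Python checker for the pkcs15-tool --dump format quoted above, which reports the two things the thread turns on, whether the User PIN carries the 'local' flag that Viktor says the 0.11.13 initialisation did not write (the quoted dump shows only "initialized, needs-padding"), and whether the private key, public key and certificate share one ID (the ID=666 vs 6066 observation). It assumes the flag names pkcs15-tool prints ('local', 'sensitive', 'neverExtract'); the sample is the thread's own dump, trimmed to the relevant lines.

```python
import re
# Constructed sample: objects from the pkcs15-tool --dump quoted in the thread.
SAMPLE_DUMP = """\
PIN [User PIN]
    ID        : 01
    Flags     : [0x30], initialized, needs-padding

Private RSA Key [Private Key]
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ID          : 123456

Public RSA Key [Public Key]
    ID          : 123456

X.509 Certificate [Certificate]
    ID       : 123456
"""

def parse_dump(text):
    # Returns [(kind, label, {attribute: value}), ...], one entry per object.
    objects = []
    for line in text.splitlines():
        m = re.match(r'^(\S.*?) \[(.*)\]:?$', line)          # "PIN [User PIN]"
        if m:
            objects.append((m.group(1), m.group(2), {}))
        elif objects and (m := re.match(r'^\s+([\w. ]+?)\s*:\s*(.*)$', line)):
            objects[-1][2][m.group(1).strip()] = m.group(2).strip()
    return objects

def flag_names(value):
    # '[0x30], initialized, needs-padding' -> {'initialized', 'needs-padding'}
    return {p.strip() for p in value.split(',')[1:] if p.strip()}

def check_card(text):
    # Returns a list of findings; an empty list means the dump looks sane.
    findings, ids = [], {}
    for kind, label, attrs in parse_dump(text):
        name = f"{kind} [{label}]"
        # thread: this card's User PIN is local, but 0.11.13 init did not record it
        if kind == 'PIN' and 'local' not in flag_names(attrs.get('Flags', '')):
            findings.append(f"{name}: 'local' flag not set")
        if kind == 'Private RSA Key':  # the private key must stay on the token
            missing = {'sensitive', 'neverExtract'} - flag_names(attrs.get('Access Flags', ''))
            if missing:
                findings.append(f"{name}: access flags missing {sorted(missing)}")
        if 'ID' in attrs and kind != 'PIN':  # key pair and cert must share an ID
            ids.setdefault(attrs['ID'], []).append(name)
    if len(ids) > 1:
        findings.append(f"key/cert objects use different IDs: {sorted(ids)}")
    return findings
```

Run check_card() on the output of `pkcs15-tool --dump` after re-initialising a token to confirm the PIN attributes and object IDs came out as intended.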