Hello,

On Jul 7, 2010, at 6:57 PM, David Woodhouse wrote:
> I've been working on getting applications to use the 'NSS Shared DB':
> https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX

Nice effort. Don't know if it will be possible to promote NSS to be the library of choice on the Linux platform. I know that Fedora is trying to do that, but there will be others who dislike NSS for something else (be that OpenSSL or GnuTLS or bouncycastle instead).

> I received a bug report from a user using smart cards, and wanted to
> test it -- so I bought a 'Crypto Stick v1.2' from German Privacy
> Foundation, after seeing that the CCID driver supported it.

The two v2.0 OpenPGP spec compatible pre-release sticks I received for testing unfortunately did not work at all. I did not get further than seeing the ATR if I was lucky, some electrical issues. The older 1.0 card I have got locked up a looooong time ago. There have been no reports of success (or failure) with OpenPGP cards on the mailing list for quite a long time, so it could be considered as not working/obsolete, until somebody proves otherwise.

> Unfortunately, I didn't realise that this only seems to mean that the
> _reader_ is supported; the OpenPGP v2 card that's soldered into it is
> not.

Correct. I noticed that the OpenPGP card [1] did not show up in the SupportedHardware [2] wiki page; that is fixed now. I marked it as unsupported.

> The patch below makes it look like it's kind of working, but not for
> anything useful. It may be obvious that I have no clue what I'm doing;
> any pointers would be gratefully appreciated. Including "don't bother
> with that; just buy one of <these>.". I'm in the UK.
>
> $ pkcs15-init -C
> Using reader with a card: German Privacy Foundation Crypto Stick v1.2 00 00
> resp len 17: 62 15 84 10 d2 76 00 01 24 01 02 00 00 05 00 00 05 4b 00 00 8a
> 01 05
> [pkcs15-init] pkcs15-lib.c:322:sc_pkcs15init_bind: Unsupported card driver
> openpgp
> Couldn't bind to the card: Not supported

The OpenPGP 1.0/1.1 support that does exist in OpenSC consists of a card driver for basic functionality and a PKCS#15 emulation layer, as the card does not follow PKCS#15. There is no personalization support via pkcs15-init. You need to write it or use the OpenPGP specific tools for that. The PKCS#15 emulation layer hardcodes many things that might not be on the card at all. For example, it hard-codes 1024b keys, which are old now; the spec supports keys up to 3072 bits. So unless pkcs11-tool --login --test works for one of the slots, the output of pkcs15-tool can be pure printf. Can you read out certificates, for example? Does the information in the certificate match the output of pkcs15-tool -D?

[1] http://www.opensc-project.org/opensc/wiki/OpenPGP
[2] http://www.opensc-project.org/opensc/wiki/SupportedHardware

--
Martin Paljak
@martinpaljak.net
+3725156495
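
The `resp` bytes in the quoted `pkcs15-init -C` output can be decoded by hand to check which card generation is answering. The following is an added example, not part of the original message and not OpenSC code: it parses those bytes as an ISO 7816-4 file control parameters template (tag 62) and splits the DF name using the AID field layout from the OpenPGP card specification. The function names are hypothetical.

```python
# Added example: decode the response bytes quoted in the message above.
# AID layout per the OpenPGP card specification:
#   RID (5) | application (1) | version (2) | manufacturer (2) | serial (4) | RFU (2)

RESP_HEX = ("62 15 84 10 d2 76 00 01 24 01 02 00 00 05 00 00 05 4b 00 00 "
            "8a 01 05")  # copied from the quoted pkcs15-init output

OPENPGP_RID_APP = bytes.fromhex("d27600012401")  # RID + application byte 01


def parse_tlv(data):
    """Parse a run of single-byte-tag TLV objects into {tag: value}."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length >= 0x80:
            # Long-form lengths do not occur in a response this short.
            raise ValueError("unsupported length encoding")
        if i + length > len(data):
            raise ValueError("TLV value runs past end of buffer")
        out[tag] = data[i:i + length]
        i += length
    return out


def decode_openpgp_fcp(resp):
    """Return version, manufacturer, serial and life cycle status."""
    outer = parse_tlv(resp)
    if 0x62 not in outer:
        raise ValueError("no file control parameters template (tag 62)")
    inner = parse_tlv(outer[0x62])
    aid = inner.get(0x84, b"")  # tag 84: DF name, here the application AID
    if len(aid) != 16 or not aid.startswith(OPENPGP_RID_APP):
        raise ValueError("DF name is not an OpenPGP application AID")
    lcs = inner.get(0x8A)  # tag 8A: life cycle status, 05 = activated
    return {
        "spec_version": "%x.%x" % (aid[6], aid[7]),  # BCD-style major.minor
        "manufacturer_id": aid[8:10].hex(),
        "serial": aid[10:14].hex(),
        "life_cycle_status": lcs[0] if lcs else None,
    }


if __name__ == "__main__":
    print(decode_openpgp_fcp(bytes.fromhex(RESP_HEX)))
```

For the quoted bytes the version field decodes to 2.0, which matches the "OpenPGP v2 card" in the message and is outside the 1.0/1.1 support described in the reply.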