Hello Martin,

On Tue, 2010-10-05 at 18:04 +0300, Martin Paljak wrote:
> Hello
> On Thu, Sep 30, 2010 at 18:07, Douglas E. Engert <deeng...@anl.gov> wrote:
> >
> > With OpenSSL-1.0.0a pkcs11-tool -M shows:
> >
> > Supported mechanisms:
> >   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
> >
> > Without OpenSSL, pkcs11-tool -M
> >   RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
> >
> > Note that verify is not listed without OpenSSL, as the
> > pkcs11/openssl.c adds the OpenSSL hash and verify functions.
>
> Interesting. RSA-PKCS-KEY-PAIR-GEN should have nothing to do with
> OpenSSL.

Look at [1], there you can find the reason.

To fix this, one could mess around with:
  SC_ALGORITHM_ONBOARD_KEY_GEN
  SC_CARD_FLAG_ONBOARD_KEY_GEN
  SC_CARDCTL_XXX_GENERATE_KEY

Some examples:
muscle:
  card->flags |= SC_CARD_FLAG_ONBOARD_KEY_GEN;
setcos:
  card->caps |= SC_CARD_FLAG_ONBOARD_KEY_GEN;
lots:
  flags |= SC_ALGORITHM_ONBOARD_KEY_GEN;
  _sc_card_add_rsa_alg(card, 512, flags, 0);
  _sc_card_add_rsa_alg(card, 1024, flags, 0);

Additionally, it seems that there is no way to generate keys in hardware
from within pkcs11. Only pkcs15init/pkcs15-*.c can do so.

Regards
Andre

[1] http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/framework-pkcs15.c#L3142