Hello Martin,

On Tue, 2010-10-05 at 18:04 +0300, Martin Paljak wrote:
> Hello
> On Thu, Sep 30, 2010 at 18:07, Douglas E. Engert <deeng...@anl.gov> wrote:
> 
> > With OpenSSL-1.0.0a pkcs11-tool -M shows:
> >
> >  Supported mechanisms:
> >   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
> 
> >
> > Without OpenSSL, pkcs11-tool -M
> >   RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
> >
> > Note that verify is not listed without OpenSSL, as the
> > pkcs11/openssl.c adds the OpenSSL hash and verify functions.
> 
> Interesting. RSA-PKCS-KEY-PAIR-GEN should have nothing to do with
> OpenSSL.

Look at [1], there you can find the reason. To fix this, one could mess
around with:
        SC_ALGORITHM_ONBOARD_KEY_GEN
        SC_CARD_FLAG_ONBOARD_KEY_GEN
        SC_CARDCTL_XXX_GENERATE_KEY

Some examples:
        muscle:  card->flags |= SC_CARD_FLAG_ONBOARD_KEY_GEN;
        setcos:  card->caps |= SC_CARD_FLAG_ONBOARD_KEY_GEN;
        lots:    flags |= SC_ALGORITHM_ONBOARD_KEY_GEN;
                 _sc_card_add_rsa_alg(card, 512, flags, 0);
                 _sc_card_add_rsa_alg(card, 1024, flags, 0);

Additionally, it seems that there is no way to generate keys in hardware
from within pkcs11. Only pkcs15init/pkcs15-*.c can do so.

Regards
Andre

[1] http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/framework-pkcs15.c#L3142

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
