On 13/02/2011 11:07, Tomas Gustavsson wrote:
> Did you try to specify the -i parameter when importing certificates?
> pkcs15-init --store-certificate cert.pem -v -i 45
> where i is the key_id?
>
> I didn't try with multiple certs actually, but that's how I imported
> certificates assigning them to a key. See
> http://blog.ejbca.org/2010/03/using-pure-opensc-formatted-smart-cards.html
No way. When importing the second it still says "file too small":
-8<--
$ pkcs15-init -S startssl.p12 -f PKCS12 -i 45 -a 2 -l "StartSSL auth"
Using reader with a card: Gemalto GemPC Twin 00 00
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 3 certificates:
0: /description=319470-SNVg5Hb3589q8dqm/O=Persona Not
Validated/CN=StartCom Free Certificate
Member/emailAddress=*********@*********
1: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
2: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Client CA
User PIN [Card Auth] required.
Please enter User PIN [Card Auth]:
$ pkcs15-init -S ndk2.p12 -f PKCS12 -i 45 -a 2 -l "ndk 2"
Using reader with a card: Gemalto GemPC Twin 00 00
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 3 certificates:
0: /description=122698-9FVmbs813O0ow3bM/O=Persona Not
Validated/CN=StartCom Free Certificate Member/emailAddress=ndk****@****
1: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority
2: /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Client CA
User PIN [Card Auth] required.
Please enter User PIN [Card Auth]:
Failed to store private key: File too small
-8<--
IIUC, -i can only be 45 ("normal") or 46 ("non-repudiation")... But to be
sure I tried with different IDs, too, and got the same result.
And as you can see, I get asked for CHV1 even though I chose -a 2 ...
The really strange thing is that both private keys seem to get stored on
the card and protected by the correct PIN:
-8<--
$ pkcs15-tool --dump
Using reader with a card: Gemalto GemPC Twin 00 00
PKCS#15 Card [MyEID]:
Version : 0
Serial number : 7340050446913028
Manufacturer ID: Aventra Ltd.
Last update : 20110213120742Z
Flags : EID compliant
PIN [Security Officer PIN]
Object Flags : [0x3], private, modifiable
ID : ff
Flags : [0xB0], initialized, needs-padding, soPin
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 3
Type : ascii-numeric
Path :
PIN [Card Auth]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 1
Type : ascii-numeric
Path :
PIN [User Auth]
Object Flags : [0x3], private, modifiable
ID : 02
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 2
Type : ascii-numeric
Path :
Private RSA Key [StartSSL auth]
Object Flags : [0x3], private, modifiable
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x0]
ModLength : 2048
Key ref : 1
Native : yes
Path : 3f0050154b01
Auth ID : 02
ID : 45
Private RSA Key [ndk****@****]
Object Flags : [0x3], private, modifiable
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x0]
ModLength : 2048
Key ref : 2
Native : yes
Path : 3f0050154b02
Auth ID : 02
ID : 45
X.509 Certificate [/description=319470-SNVg5Hb3589q8dqm/O=Persona Not
Validated/CN=StartCom Free Certificate
Member/emailAddress=*******************]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f0050154301
ID : 45
Encoded serial : 02 03 01F7C8
X.509 Certificate [/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Certification Authority]
Object Flags : [0x2], modifiable
Authority : yes
Path : 3f0050154302
ID : 509b7413aa02db7808cf0c378e61a7ecc4f29745
Encoded serial : 02 01 01
X.509 Certificate [/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate
Signing/CN=StartCom Class 1 Primary Intermediate Client CA]
Object Flags : [0x2], modifiable
Authority : yes
Path : 3f0050154303
ID : 6b4d6361e8c647c2ad9a055c051139ccdfdb1885
Encoded serial : 02 01 1E
-8<--
What's missing is the second cert and its chain, not the private key as
the error message suggests...
BYtE!
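The dump above is the evidence for the mismatch: two private keys with ID 45 but only one end-entity certificate with that ID. As an added example (not part of this thread and not OpenSC code), here is a small Python parser for that `pkcs15-tool --dump` layout that flags private keys sharing an ID and keys left without a certificate of their own. The sample dump is a constructed, shortened copy of the one in the mail, including a wrapped certificate label; the attribute names ("ID", "Authority", "Path") are the ones the dump itself uses.

```python
import re
from collections import Counter

# Constructed sample modelled on the pkcs15-tool --dump output in the mail:
# labels kept, attributes trimmed, one certificate label wrapped across lines.
SAMPLE_DUMP = """\
PKCS#15 Card [MyEID]:
Version : 0
Manufacturer ID: Aventra Ltd.
PIN [User Auth]
Object Flags : [0x3], private, modifiable
ID : 02
Reference : 2
Private RSA Key [StartSSL auth]
Object Flags : [0x3], private, modifiable
Key ref : 1
Path : 3f0050154b01
Auth ID : 02
ID : 45
Private RSA Key [ndk****@****]
Object Flags : [0x3], private, modifiable
Key ref : 2
Path : 3f0050154b02
Auth ID : 02
ID : 45
X.509 Certificate [/O=Persona Not
Validated/CN=StartCom Free Certificate Member]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f0050154301
ID : 45
X.509 Certificate [/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority]
Object Flags : [0x2], modifiable
Authority : yes
Path : 3f0050154302
ID : 509b7413aa02db7808cf0c378e61a7ecc4f29745
"""

# An object header is "<type> [<label>"; the closing ']' may sit on a later line.
OBJECT_HEADER = re.compile(r"^(PIN|Private RSA Key|X\.509 Certificate)\s+\[(.*)$")


def parse_dump(text):
    """Turn dump text into a list of dicts: {"type", "label", <attribute>: <value>...}.
    Lines before the first object (card header) are ignored; wrapped labels are
    joined until the ']' that closes them is seen."""
    objects = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        m = OBJECT_HEADER.match(line)
        if m:
            label = m.group(2)
            while not label.endswith("]") and i + 1 < len(lines):
                i += 1
                label += " " + lines[i].strip()
            objects.append({"type": m.group(1), "label": label.rstrip("]")})
        elif objects and ":" in line:
            key, _, value = line.partition(":")
            objects[-1][key.strip()] = value.strip()
        i += 1
    return objects


def check_key_cert_pairing(objects):
    """Report private keys that share an ID and keys without their own end-entity
    certificate. CA certificates (Authority : yes) are not candidates for pairing."""
    keys = [o for o in objects if o["type"] == "Private RSA Key"]
    user_certs = [o for o in objects
                  if o["type"] == "X.509 Certificate" and o.get("Authority") != "yes"]
    id_counts = Counter(k.get("ID") for k in keys)
    duplicate_ids = sorted(i for i, n in id_counts.items() if n > 1)
    # Pair keys with certificates one-to-one by ID, in card order, so a single
    # certificate cannot silently satisfy two keys that share an ID.
    unused = list(user_certs)
    unpaired = []
    for k in keys:
        match = next((c for c in unused if c.get("ID") == k.get("ID")), None)
        if match is None:
            unpaired.append(k["label"])
        else:
            unused.remove(match)
    return {
        "private_keys": len(keys),
        "user_certs": len(user_certs),
        "duplicate_key_ids": duplicate_ids,
        "keys_without_own_cert": unpaired,
    }


if __name__ == "__main__":
    for name, value in check_key_cert_pairing(parse_dump(SAMPLE_DUMP)).items():
        print(f"{name}: {value}")
```

On the sample this reports two private keys, one user certificate, duplicate key ID 45 and the "ndk" key as the one without a certificate, which is exactly the state the dump in the mail shows. To run it against a real card, feed `parse_dump` the stdout of `pkcs15-tool --dump` (for example via `subprocess.run`) instead of the constructed sample.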
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel