On 13/02/2011 21:18, Martin Paljak wrote:

>> $ pkcs15-init -S startssl.p12 -f PKCS12 -i 45 -a 2 -l "StartSSL auth"
>> Using reader with a card: Gemalto GemPC Twin 00 00
>> error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
> Is this error normal? Does it happen with OpenSSL command line tools or other 
> software?
I always get it for PKCS12 certs where the private key is protected by a 
password.

>> IIUC -i can only be 45 ("normal") or 46 ("non repudiation")... But to be
>> sure I tried w/ different IDs, too, but got the same result.
> The ID has no real meaning AFAIK, I don't know from where the 45 and 46 come 
> from. What is your source?
I read it somewhere while researching, noted it in my mind and forgot the 
source :(
>>   Private RSA Key [StartSSL auth]
>>          ID             : 45
>>
>> Private RSA Key [ndk****@****]
>>          ID             : 45
> The software should not allow you to create two private keys with the same 
> ID. How exactly did you end up with this card, do you have the commands, 
> starting from initialization?
Yup. I init it from a script:
pkcs15-init -E
pkcs15-init -C --pin 1111 --puk 1111 --so-pin $SOPIN --so-puk $SOPUK
pkcs15-init -P -a 1 --pin $PIN1 --puk $PUK1 --so-pin $SOPIN -l "Card Auth"
pkcs15-init -P -a 2 --pin $PIN2 --puk $PUK2 --so-pin $SOPIN -l "User Auth"
pkcs15-init -F
pkcs15-init -S startssl.p12 -f PKCS12 -i 45 -a 2 -l "StartSSL auth"
pkcs15-init -S ndk2.p12 -f PKCS12 -i 45 -a 2 -l "ndk 2"

Probably it's not checked.

Seems I'm approaching a "solution" for the original capacity troubles, 
but more troubles emerge.

I modified /usr/share/opensc/myeid.profile so that it now contains these 
lines:
# Comments based on http://www.usenix.org/events/smartcard99/full_papers/nystrom/nystrom.pdf
unusedspace-size = 512;
odf-size        = 256;  # Object Directory File: pointers to other files
aodf-size       = 384;  # Authentication Object Directory File: points to PINs file
cdf-size        = 4096; # Certificate Directory File
prkdf-size      = 4950; # Private Keys Directory file
pukdf-size      = 4000; # Public keys Directory file
dodf-size       = 256;  # Data Object Directory file

With these values I could iterate 58(!!!) times "pkcs15-init -G rsa/1024 
..." before EF 4404 (??? why? I'm not storing certs yet!) fills up.

But now "pkcs15 -D" shows me only private and public keys up to the 32nd 
(limit in the tool?). If I delete a public key, then I can see the 33rd 
and so on (one more key for every one I delete). *Can't* delete private 
keys (always says it can't find that key ID):
-8<--
$ pkcs15-tool -k
Using reader with a card: Gemalto GemPC Twin 00 00
[...]
Private RSA Key [Id_32]
         Object Flags   : [0x3], private, modifiable
         Usage          : [0x4], sign
         Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
         ModLength      : 1024
         Key ref        : 32
         Native         : yes
         Path           : 3f0050154b20
         ID             : 6b1414bf460fe3a6711fee7e61c286331f490d1a

$ pkcs15-init -D privkey --id 6b1414bf460fe3a6711fee7e61c286331f490d1a
Using reader with a card: Gemalto GemPC Twin 00 00
NOTE: couldn't find privkey 6b1414bf460fe3a6711fee7e61c286331f490d1a to delete
Deleted 0 objects
-8<--

Maybe this is a bug?

BYtE!
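The "PKCS12_parse:mac verify failure" quoted at the top of this message is the PKCS#12 integrity check rejecting the supplied password before any private key is decrypted, which is why a wrong or empty password and a corrupted file look identical. The following is an added example, not code from this thread, from OpenSC or from OpenSSL: the MAC key derivation and verification from RFC 7292 with SHA-1 as the MAC digest, run over constructed authSafe bytes, salt and password rather than a parsed .p12 file.

```python
# PKCS#12 MAC verification (RFC 7292 section 5 and appendix B), SHA-1 variant.
# Added example, not code from the thread, from OpenSC or from OpenSSL; all
# sample values below are constructed.
import hashlib
import hmac
import math

MAC_ID = 3  # KDF purpose byte for the MAC key (1 = cipher key, 2 = IV)

def pkcs12_kdf(password: str, salt: bytes, iterations: int, id_byte: int, n: int) -> bytes:
    """RFC 7292 appendix B.2 with SHA-1 (20-byte digest, 64-byte block v)."""
    v = 64
    d = bytes([id_byte]) * v                           # diversifier D
    # The password is a BMPString: UTF-16BE followed by a two-byte NUL terminator.
    pw = password.encode("utf-16-be") + b"\x00\x00"
    s = (salt * v)[: v * math.ceil(len(salt) / v)]     # salt repeated to a multiple of v
    p = (pw * v)[: v * math.ceil(len(pw) / v)]         # password repeated likewise
    i = bytearray(s + p)                               # I = S || P
    out = b""
    while len(out) < n:                                # ceil(n / 20) blocks
        a = hashlib.sha1(d + bytes(i)).digest()
        for _ in range(iterations - 1):
            a = hashlib.sha1(a).digest()
        out += a
        # Next block: I_j = I_j + B + 1 for every v-byte block, B = A repeated to v bytes.
        b = int.from_bytes((a * v)[:v], "big") + 1
        for j in range(0, len(i), v):
            blk = (int.from_bytes(i[j:j + v], "big") + b) % (1 << (8 * v))
            i[j:j + v] = blk.to_bytes(v, "big")
    return out[:n]

def mac_data(content: bytes, password: str, salt: bytes, iterations: int) -> bytes:
    """HMAC-SHA1 over the authSafe content, keyed with the password-derived MAC key."""
    key = pkcs12_kdf(password, salt, iterations, MAC_ID, 20)
    return hmac.new(key, content, hashlib.sha1).digest()

def verify_mac(content: bytes, password: str, salt: bytes, iterations: int, mac: bytes) -> bool:
    """True when the password reproduces the stored MAC. A wrong or empty password,
    or a modified authSafe, fails here before any private key is even decrypted:
    this is the check behind OpenSSL's 'PKCS12_parse:mac verify failure'."""
    return hmac.compare_digest(mac_data(content, password, salt, iterations), mac)

# Constructed stand-in for a PFX's authSafe bytes and MacData fields.
AUTH_SAFE = b"constructed authSafe content, not a real PKCS#12 SafeContents"
SALT = bytes(range(8))
ITERATIONS = 2048
STORED_MAC = mac_data(AUTH_SAFE, "correct horse", SALT, ITERATIONS)
```

Calling `verify_mac(AUTH_SAFE, "", SALT, ITERATIONS, STORED_MAC)` returns False exactly as it does for a tampered authSafe, so when a tool reports a MAC failure the first thing to rule out is the password it was (or was not) given.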
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
