On Feb 18, 2011, at 11:54 AM, NdK wrote:
> On 18/02/2011 07:07, Martin Paljak wrote:
>
>>> Yup. That's why keys are generated on card :)
>> Unless the key is exportable ....
> Always asked why one needs to mark a private key exportable: if you need
> it exportable, create it externally and load to card. It's even faster. :)

Exportable (plaintext) vs exportable (wrappable). The result is the same (key leaves the card), the method different.

>> If you want to sign certificates with a smart card (run a CA against a
>> PKCS#11 token) then EJBCA is the most feature complete solution I know. But
>> most probably too much hassle for a few certificates for home use.
> Well, for now it's personal, but I'm evaluating it for office use too.
> We'll need to set up a ZeroShell box to authenticate users, and it
> contains a (quite limited, but sufficient if it supported cards) CA.

XCA worked with OpenSC quite OK IIRC, you might want to try it as well.

>>> *But* if I specify a slot too, it asks me for a PIN. Too bad *none* of
>>> the PINs I created works:
>>> $ openssl req -days 3650 -new -out rootca.csshl.org.csr -config
>>> openssl.conf -engine pkcs11 -keyform engine -key 1:10 -sha1
>>
>> Have you tried some other format? slot_XX:id_XX ? (even though it should be
>> the same). Having OpenSC log with the relevant C_OpenSession() and C_Login
>> lines is useful as well.
> Yup. All formats. Same result: slot 0 = no PIN, every other slot asks
> 'who knows' PIN.

Unfortunately engine_pkcs11 (and OpenSSL in general) is not the best interface for smart cards, especially for user interaction purposes. But a patch against engine_pkcs11 might make the prompt a bit easier to understand [1]

> Says nowhere that a PIN is locked...

It seems the card (or the driver) does not support fetching remaining tries left of a PIN.

[1] https://github.com/martinpaljak/engine_pkcs11/commit/39259efe109dcd81502e920155c10a30f41cbb8f

--
@MartinPaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel