On 4/26/2011 8:10 AM, Jean-Michel Pouré - GOOZE wrote:
> On Tuesday 26 April 2011 at 08:23 +0300, Martin Paljak wrote:
>> pkcs15-tool is a (G)UI as well. And to my knowledge it does what it
>> advertises.
>
> After a short discussion with Martin, I post the steps to reproduce:
>
> Initialize the Feitian PKI:
>
> * pkcs15-init -E
> * pkcs15-init --create-pkcs15 --profile pkcs15+onepin
>   --use-default-transport-key --pin 0000 --puk 111111 --label "François
>   Pérou"
>
> Now find a certificate including: one RSA private key, one X.509
> certificate and CA certs. Online CAs provide such a format.
>
> Import the key:
> * pkcs15-init --store-private-key key-file.p12 --format pkcs12 --auth-id
>   01 --pin 0000
>
> Dump, we have no public object, which is normal:
>
> pkcs15-tool --dump
> Using reader with a card: Feitian SCR301 00 00
> PKCS#15 Card [François Pérou]:
>         Version        : 0
>         Serial number  : 2963094713181210
>         Manufacturer ID: EnterSafe
>         Last update    : 20110220103102Z
>         Flags          : EID compliant
>
> PIN [User PIN]
>         Object Flags   : [0x3], private, modifiable
>         ID             : 01
>         Flags          : [0x32], local, initialized, needs-padding
>         Length         : min_len:4, max_len:16, stored_len:16
>         Pad char       : 0x00
>         Reference      : 1
>         Type           : ascii-numeric
>         Path           : 3f005015
>
> Private RSA Key [Private Key]
>         Object Flags   : [0x3], private, modifiable
>         Usage          : [0x10E], decrypt, sign, signRecover, derive
>         Access Flags   : [0x0]
>         ModLength      : 2048
>         Key ref        : 1
>         Native         : yes
>         Path           : 3f005015
>         Auth ID        : 01
>         ID             : 2649a19d5d6a216913c5a0c8bb9f97229dec99ab
>
> X.509 Certificate [/CN=***********/emailAddress=@***********]
>         Object Flags   : [0x2], modifiable
>         Authority      : no
>         Path           : 3f0050153100
>         ID             : 2649a19d5d6a216913c5a0c8bb9f97229dec99ab
>         Encoded serial : 02 03 00C520
>
> X.509 Certificate [/O=CAcert Inc./OU=http://www.CAcert.org/CN=CAcert
> Class 3 Root]
>         Object Flags   : [0x2], modifiable
>         Authority      : yes
>         Path           : 3f0050153101
>         ID             : ef47e5fca7e04e356d41b0192d725eb0e54fc3af
>         Encoded serial : 02 01 01
>
> X.509 Certificate [/O=Root CA/OU=http://www.cacert.org/CN=CA Cert
> Signing Authority/emailAddress=supp...@cacert.org]
>         Object Flags   : [0x2], modifiable
>         Authority      : yes
>         Path           : 3f0050153102
>         ID             : c81e42ceda0bc1d65c9051b0eb8679e29dd6c067
>         Encoded serial : 02 01 00
>
> Now, we come to the point:
> * pkcs15-tool --list-public-keys
>   returns nothing
>
> * pkcs15-tool --read-public-key c81e42ceda0bc1d65c9051b0eb8679e29dd6c067
>   returns the public key

It should have said it did not find a pubkey, but found a certificate with a
pubkey.

> From a user point of view, this is an inconsistency.
>
> In my previous emails, I was suggesting that pkcs15-tool
> --list-public-keys may return all usable keys, even when public objects
> don't exist on card.
>
> Kind regards,

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
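The PKCS#12 bundle that the reproduction above feeds to `pkcs15-init --store-private-key --format pkcs12` (one RSA private key, one end-entity certificate, CA certificates), built and checked offline with the openssl CLI. This is an added example, not code from the thread or from OpenSC; it assumes an `openssl` binary on PATH, and every subject name, file name and export password in it is constructed for the example. It generates a throwaway CA and an end-entity key pair, exports key + certificate + CA chain into `key-file.p12` in the shape an online CA hands out, and then does the check a practitioner wants before writing anything to a token: the public key recovered from the certificate (the object `--read-public-key` fell back to in the exchange above) must carry the same modulus as the private key, and the bundle must actually contain the CA certificate that `pkcs15-tool --dump` later shows as a separate object.

```shell
#!/bin/sh
# Added example (not from the opensc-devel thread or the OpenSC code base).
# Builds the key-file.p12 that `pkcs15-init --store-private-key key-file.p12
# --format pkcs12` consumes and verifies it offline before it touches a card.
# Assumptions: `openssl` on PATH; all names and the export password below are
# constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA + end-entity pair; 2048-bit RSA to match the ModLength in the
# dump quoted above. The CA cert is added with -certfile so the bundle holds
# key, user cert and CA cert, the three things pkcs15-init stores separately.
make_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example CA/CN=Example Root" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" \
        -subj "/CN=Francois Perou/emailAddress=user@example.invalid" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/user.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/user.key" -in "$WORK/user.crt" \
        -certfile "$WORK/ca.crt" -name "Francois Perou" \
        -passout pass:export -out "$WORK/key-file.p12"
}

# Offline equivalent of what --read-public-key did in the thread when no
# public-key object existed: pull SubjectPublicKeyInfo out of the certificate.
pubkey_from_cert() {
    openssl x509 -in "$WORK/user.crt" -noout -pubkey
}

# Exit status 0 when the certificate's modulus equals the private key's, i.e.
# the bundle is internally consistent and safe to import as one key + cert.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$WORK/user.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORK/user.key" -noout -modulus 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ]
}

# Number of certificates carried by the bundle (user cert + CA chain).
cert_count() {
    openssl pkcs12 -in "$WORK/key-file.p12" -nokeys -passin pass:export 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_bundle
if key_matches_cert; then
    echo "certificate public key matches private key"
else
    echo "MISMATCH: do not import this bundle" >&2
fi
echo "certificates in key-file.p12: $(cert_count)"
pubkey_from_cert
```

The modulus comparison is the step worth keeping in any token-provisioning script: a PKCS#12 assembled by hand (or re-exported from a browser) can pair the wrong certificate with a key, and once written to the card the mismatch shows up only as signatures that fail to verify.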