On 9/15/2011 9:54 AM, Mike Tancsa wrote:
> On 9/14/2011 10:28 PM, Mike Tancsa wrote:
>>
>> I have just run into the same problem on FreeBSD. An older version
>> works fine with this key below. How do I create the debug logs to help
>> narrow down this problem ?
>
>
> Full logs sent directly to Martin
>
> But things seem to go 'bad' right from the start. Doing a simple -E
> gives errors like below. Perhaps the version of openct ?
>
OK, I narrowed it down a bit more. It seems the files in
/usr/local/share/opensc have changed. If I use the files from the older
version it seems to mostly work. Another thing I am not sure of is that I
used to use the --split-key option and that's no longer there ?

pkcs15-init -G rsa/2048 -a 01 --pin $DUMMYPIN --so-pin $DUMMYPIN -u sign,decrypt --split-key

Not sure if it's related to the fact that I cannot use the openssl
pkcs11_engine ?

OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -subj "/C=CA/ST=ON/L=Hespeler/O=Sentex Communications/OU=support/CN=mdtancsa-cage64/emailAddress=mdtancsa-cag...@sentex.ca"
engine "pkcs11" set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
80187:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>

Nothing really jumps out just yet, but

pkcs15-id-style = mozilla;

from the pkcs15.profile and

diff -u ../opensc.fresh/cardos.profile cardos.profile --- ../opensc.fresh/cardos.profile 2011-09-16 13:41:52.000000000 -0400 +++ cardos.profile 2009-05-27 13:46:44.000000000 -0400 @@ -18,7 +18,7 @@ reference = 1; } PIN user-pin { - attempts = 3; + attempts = 8; } PIN user-puk { attempts = 10; @@ -34,21 +34,16 @@ # Prevent unauthorized updates of basic security # objects via PUT DATA OCI. - # ACL = UPDATE=NEVER; - ACL = UPDATE=$SOPIN; + ACL = UPDATE=NEVER; # Bump the size of the EF(PrKDF) - with split # keys, we may need a little more room. EF PKCS15-PrKDF { - size = 1024; + size = 384; } EF PKCS15-PuKDF { - size = 768; - } - - EF PKCS15-CDF { - size = 1536; + size = 384; } # This template defines files for keys, certificates etc. 
@@ -57,9 +52,11 @@ # combined with the last octet of the object's pkcs15 id # to form a unique file ID. template key-domain { - BSO private-key { + # This is a dummy entry - pkcs15-init insists that + # this is present + EF private-key { + file-id = FFFF; } - EF public-key { file-id = 3003; structure = transparent;

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
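
Review bot: The PIN user-pin retry limit in the @@ -18,7 +18,7 @@ hunk should not be carried over if the older cardos.profile is kept as a workaround: the older file has attempts = 8 where the fresh one has attempts = 3. This is a retry policy setting, not a file layout one, and taking the old file wholesale more than doubles the number of wrong user PIN entries accepted before the card blocks. Keep attempts = 3 and bring across only the differences that turn out to affect key generation.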
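
Review bot: The @@ -34,21 +34,16 @@ hunk bundles three unrelated differences that should be tested one at a time against the fresh profile: the ACL line is UPDATE=$SOPIN in the fresh file and UPDATE=NEVER in the older one, EF PKCS15-PrKDF and EF PKCS15-PuKDF are size = 384 in the older file (1024 and 768 in the fresh one), and the EF PKCS15-CDF block with size = 1536 exists only in the fresh file. The comment above EF PKCS15-PrKDF talks about needing more room with split keys, which is the same option the message reports as no longer there, so note which of these values are in effect when reporting the result. The ACL difference also changes who may update the basic security objects via PUT DATA OCI (the SO PIN holder versus nobody) and deserves a deliberate choice rather than inheriting whichever file happens to work.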
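
Review bot: The private-key entry of template key-domain in the @@ -57,9 +52,11 @@ hunk is the difference to isolate first, because it changes how the object is declared rather than a number: the fresh profile has BSO private-key, the older one has EF private-key with file-id = FFFF under a comment saying it is a dummy entry that pkcs15-init insists on. Change only this block in the fresh profile, rerun the pkcs15-init -G command from the message, and report that result separately from the size and retry-count differences in the earlier hunks.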