On 05/10/2011 14:30, Benjamin ALLEMAND wrote:
> I enrolled an IAS/ECC card with certsrv and explored it with OpenSC tools.
Were the keys imported or generated? What middleware have you used?

do:
# pkcs15-tool --bind-to-aid E828BD080FD25047656E65726963 -k -c -C

to see if there are some data objects related to CSP/minidriver.
> I realized that the Gemalto M/W does store the certificate under the Generic application,
> and not under ECC eID at all!

Gemalto M/W does not implement 'write' access to the protected applications.
All writes/updates with this M/W concern the 'generic' application.


>
> So, here is the certificates and keys dump :
>
>     pkcs15-tool --bind-to-aid E828BD080FD25047656E65726963 -k -c -v
>     Using reader with a card: SpringCard CSB6 Family Contact 0
>     Connecting to card in reader SpringCard CSB6 Family Contact 0...
>     Using card driver IAS-ECC.
>     Trying to find a PKCS#15 compatible card...
>     Found ECC eID!
>     Card has 1 certificate(s).
>     X.509 Certificate [Nicolas DUHAMEL's  ID]
>             Flags    : 2
>             Authority: no
>             Path     : E828BD080FD25047656E65726963::b001
>             ID       : 24804BC5CE68B229A3D812C1FE871DECEC134468
>             Access Rules:    read:<always>; update:C1; delete:C1;
>             Encoded serial: 02 0A 18B6545600010000004E
>     Card has 2 private key(s).
>     Private RSA Key [Nicolas DUHAMEL's  ID]
>             Com. Flags  : 3
>             Usage       : [0x26], decrypt, sign, unwrap
>             Access Flags: [0x15], sensitive, alwaysSensitive, local
>             Access Rules:    update:C1; execute,pso_decrypt,int_auth:C1;
>             Supported algorithms: 6, 5
>             ModLength   : 1024
>             Key ref     : 137
>             Native      : yes
>             Path        : E828BD080FD25047656E65726963::
>             Auth ID     : C1
>             ID          : 625299F4A603903CBD76D53190C49A22C13FE02F
>             Subject     : 
> 306B31133011060A0992268993F22C6401191603636F6D31173015060A
>     099226...
>     Private RSA Key [Nicolas DUHAMEL's  ID]
>             Com. Flags  : 3
>             Usage       : [0x26], decrypt, sign, unwrap
>             Access Flags: [0x15], sensitive, alwaysSensitive, local
>             Access Rules:    update:C1; execute,pso_decrypt,int_auth:C1;
>             Supported algorithms: 6, 5
>             ModLength   : 1024
>             Key ref     : 138
>             Native      : yes
>             Path        : E828BD080FD25047656E65726963::
>             Auth ID     : C1
>             ID          : 24804BC5CE68B229A3D812C1FE871DECEC134468
>             Subject     : 
> 306B31133011060A0992268993F22C6401191603636F6D31173015060A
>     099226...
>
>
> My last question is: what is the best way to get the same results through
> OpenSC?
>
> I'm trying to answer now, please give me feedback about it:
>
> pkcs15-init -X cert.cer -f DER --bind-to-aid E828BD080FD25047656E65726963 -v
>
> pkcs15-init -G rsa1024 --bind-to-aid E828BD080FD25047656E65726963 --auth-id
> C1 --key-usage digitalSignature,keyEncipherment -v, used twice?


I do not quite follow; what do you mean by 'used twice'?

If you really need to do 'manual' decentralized enrollment with the OpenSC
tools, you need to:
- generate key (pkcs15-init -G);
- sign generated public key and create certificate request (pkcs15-tool --sign);
- ask some CA to sign a new certificate;
- import new certificate into the card (pkcs15-init -X).


> Regards,
> Benjamin ALLEMAND


Kind regards,
Viktor.
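The four-step flow above, together with the dump Benjamin quoted, describes what a card should look like once enrollment is done: each private key has a certificate with the same PKCS#15 ID, and every private-key operation is gated by the PIN (C1 on this card). The script below is an added example, not from this thread or the OpenSC project: it parses a `pkcs15-tool -k -c` dump (here a constructed sample abridged from Benjamin's output) and reports keys that have no matching certificate, which is what a repeated `-G` run leaves behind, and keys whose access rules contain `<always>`.

```python
import re
# Constructed sample, abridged from the pkcs15-tool -k -c dump quoted in this thread.
SAMPLE_DUMP = """\
Card has 1 certificate(s).
X.509 Certificate [Nicolas DUHAMEL's  ID]
        Path     : E828BD080FD25047656E65726963::b001
        ID       : 24804BC5CE68B229A3D812C1FE871DECEC134468
        Access Rules:    read:<always>; update:C1; delete:C1;
Card has 2 private key(s).
Private RSA Key [Nicolas DUHAMEL's  ID]
        Usage       : [0x26], decrypt, sign, unwrap
        Access Rules:    update:C1; execute,pso_decrypt,int_auth:C1;
        Key ref     : 137
        ID          : 625299F4A603903CBD76D53190C49A22C13FE02F
Private RSA Key [Nicolas DUHAMEL's  ID]
        Usage       : [0x26], decrypt, sign, unwrap
        Access Rules:    update:C1; execute,pso_decrypt,int_auth:C1;
        Key ref     : 138
        ID          : 24804BC5CE68B229A3D812C1FE871DECEC134468
"""

HEADER = re.compile(r"^(X\.509 Certificate|Private RSA Key) \[(.*)\]$")

def parse_objects(dump):
    """Turn the dump into dicts: 'kind', 'label', plus each 'Attr : value' line."""
    objects = []
    for line in dump.splitlines():
        m = HEADER.match(line.strip())
        if m:
            objects.append({"kind": m.group(1), "label": m.group(2)})
        elif objects and ":" in line:
            key, _, value = line.strip().partition(":")
            objects[-1][key.strip()] = value.strip()
    return objects

def audit(dump):
    """Return (IDs of keys with no matching certificate,
    key refs whose access rules let some operation run without the PIN)."""
    objs = parse_objects(dump)
    cert_ids = {o["ID"] for o in objs if o["kind"] == "X.509 Certificate"}
    keys = [o for o in objs if o["kind"] == "Private RSA Key"]
    # PKCS#15 pairs a certificate with its key by ID; a key left over from a
    # repeated -G run shows up here as an orphan.
    orphans = [k["ID"] for k in keys if k["ID"] not in cert_ids]
    # Every rule on a private key should be gated by the PIN (C1 here); an
    # '<always>' entry, or no rules at all, means use or overwrite without PIN.
    unprotected = [k["Key ref"] for k in keys
                   if "<always>" in k.get("Access Rules", "<always>")]
    return orphans, unprotected
```

Run `audit(SAMPLE_DUMP)` on the sample: the key with ref 137 is reported as an orphan, and no key is reported as unprotected.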


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
