Hello Jean-Pierre,

On 05/12/2011 11:27, Jean-Pierre Fortune wrote:
> Could this behaviour be related to the fact that the private key is
> not allowed to sign?
> Where could I patch the code to force the use of this key?

AFAIS, you are using a key in the 'Generic PKI' application.
For all pre-allocated key slots in this application the signature is possible with mechanism RSA-PKCS.
(I don't know the details of pkcs11 engine configuration, but somewhere you have to indicate the mechanism to be used.)

Do:
# iasecc-tool --aid E828BD080FD25047656E65726963 --list-sdos 16
This will list the preallocated Private Key SDOs of your card/application.
ACLs starting with BB indicate the 'Decipher' & 'InternalAuthent' allowed,
ACLs starting with AB indicate the 'InternalAuthent' allowed.

Then do:
# pkcs15-tool --aid E828BD080FD25047656E65726963 -k
This will list the Private Key PKCS#15 objects created in 'Generic PKI' application.
You can see the on-card reference of your key and get to know what is really allowed by SDO.

Finally:
# pkcs11-tool --module `pwd`/build/lib/pkcs11/opensc-pkcs11.so -L
This will list the slots.

... and (assuming that 'Generic PKI' corresponds to slot '0')
# pkcs11-tool --module `pwd`/build/lib/pkcs11/opensc-pkcs11.so --slot-index 0 -O -l --pin "0007"
This will list the objects accessible with PKCS#11 API.

... and sign some data with PKCS#11:
# pkcs11-tool --module `pwd`/build/lib/pkcs11/opensc-pkcs11.so --slot-index 0 -l --pin "0007" -s -i ./data.bin --id 46d34662665b5ebb1f9ff1455331b7a84c133d93 -m RSA-PKCS -o ./data.signed

If still there is no solution, send here (or rather me) the full logs.

Kind regards,
Viktor.

On 05/12/2011 11:27, Jean-Pierre Fortune wrote:
> I have retrieved your last code from the git repository.
>
> According to the log file, the application / card pin slot is now done
> correctly:
>
> [...]
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:678:pkcs15_create_pkcs11_objects: Found 3 data objects
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 0
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:692:__pkcs15_prkey_bind_related: Object is a private key and has id 5369676E6174757265204365727469666963617465
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:717:__pkcs15_prkey_bind_related: Associating object 3 as public key
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 1
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:692:__pkcs15_prkey_bind_related: Object is a private key and has id 41757468656E74696669636174696F6E204365727469666963617465
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:717:__pkcs15_prkey_bind_related: Associating object 4 as public key
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 2
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:692:__pkcs15_prkey_bind_related: Object is a private key and has id 01
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:717:__pkcs15_prkey_bind_related: Associating object 5 as public key
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 3
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 4
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 5
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 6
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:734:__pkcs15_cert_bind_related: Object is a certificate and has id 5369676E6174757265204365727469666963617465
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:763:__pkcs15_cert_bind_related: Associating object 0 as private key
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 7
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:734:__pkcs15_cert_bind_related: Object is a certificate and has id 41757468656E74696669636174696F6E204365727469666963617465
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:763:__pkcs15_cert_bind_related: Associating object 1 as private key
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 8
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 9
> 0xb78a28d0 10:29:40.089 [opensc-pkcs11] framework-pkcs15.c:784:pkcs15_bind_related_objects: Looking for objects related to object 10
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1025:_pkcs15_create_typed_objects: found 11 FW objects
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1260:pkcs15_create_tokens: Found 11 FW objects objects
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1270:pkcs15_create_tokens: Found authentication object 'Card PIN'
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] slot.c:351:slot_allocate: Allocated slot 0x3 for card in reader Teo by Xiring 00 00
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:951:pkcs15_init_slot: Initialized token 'ECC eID (Card PIN)' in slot 0x3
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1137:_add_pin_related_objects: PinID:c1
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1149:_add_pin_related_objects: ObjID(0x8e8e048,Certificat Signature IGC-CA,101):c1
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1156:_add_pin_related_objects: Slot:0x8eac4a0, obj:0x8e8e048 Adding private key 0 to PIN 'Card PIN'
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8e8e048
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8eb2c40
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8eb8cb8
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1149:_add_pin_related_objects: ObjID(0x8ea7bb0,Certificat Authentification IGC-CA,101):c1
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:1156:_add_pin_related_objects: Slot:0x8eac4a0, obj:0x8ea7bb0 Adding private key 1 to PIN 'Card PIN'
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8ea7bb0
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8eb2d50
> 0xb78a28d0 10:29:40.090 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8eba128
> 0xb78a28d0 10:29:40.091 [opensc-pkcs11] framework-pkcs15.c:1149:_add_pin_related_objects: ObjID(0x8ea0cc0,zone_key,101):c1
> 0xb78a28d0 10:29:40.091 [opensc-pkcs11] framework-pkcs15.c:1156:_add_pin_related_objects: Slot:0x8eac4a0, obj:0x8ea0cc0 Adding private key 2 to PIN 'Card PIN'
> 0xb78a28d0 10:29:40.091 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8ea0cc0
> 0xb78a28d0 10:29:40.091 [opensc-pkcs11] framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8eb2e60
> 0xb78a28d0 10:29:40.091 [opensc-pkcs11] framework-pkcs15.c:1190:_add_public_objects: 11 public objects to process
> [...]
> In my case, I am also forcing the signature process to be done with
> the authentication command (the key we use is not allowed to sign for
> the moment).
> (I have temporarily changed "senv.operation = SC_SEC_OPERATION_SIGN;"
> into "senv.operation = SC_SEC_OPERATION_SIGN;" in pkcs15-sec.c).
> The generated signature using pkcs15-crypt is ok but when I try to
> sign from openssl, the key selection failed due to a non-matching
> attribute, as shown by the following log extract:
>
> [...]
> 0xb78a28d0 10:29:44.880 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> Outgoing APDU data [ 9 bytes] =====================================
> 00 20 00 01 04 30 30 30 37 . ...0007
> ======================================================================
> 0xb78a28d0 10:29:44.880 [opensc-pkcs11] reader-pcsc.c:176:pcsc_internal_transmit: called
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> Incoming APDU data [ 2 bytes] =====================================
> 90 00 ..
> ======================================================================
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] card.c:330:sc_unlock: called
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] card-iasecc.c:1630:iasecc_chv_verify: returning with: 0 (Success)
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] card-iasecc.c:123:iasecc_chv_cache_verified: called
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] card-iasecc.c:137:iasecc_chv_cache_verified: iasecc_chv_cache_verified() allocated 0x8ebb328
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] card-iasecc.c:146:iasecc_chv_cache_verified: iasecc_chv_cache_verified() sha1(PIN): 83DE061FB52099B8B9B03B3AE4E888D6B10D9E5E
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] card-iasecc.c:159:iasecc_chv_cache_verified: returning with: 0 (Success)
> 0xb78a28d0 10:29:44.968 [opensc-pkcs11] card-iasecc.c:1758:iasecc_pin_verify: returning with: 0 (Success)
> 0xb78a28d0 10:29:44.969 [opensc-pkcs11] card-iasecc.c:2119:iasecc_pin_cmd: returning with: 0 (Success)
> 0xb78a28d0 10:29:44.969 [opensc-pkcs11] sec.c:204:sc_pin_cmd: returning with: 0 (Success)
> 0xb78a28d0 10:29:44.969 [opensc-pkcs11] pkcs15-pin.c:509:sc_pkcs15_pincache_add: called
> 0xb78a28d0 10:29:44.969 [opensc-pkcs11] pkcs15-pin.c:543:sc_pkcs15_pincache_add: PIN(Card PIN) cached
> 0xb78a28d0 10:29:44.969 [opensc-pkcs11] card.c:330:sc_unlock: called
> 0xb78a28d0 10:29:44.969 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock: called
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: 0 (Success)
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] framework-pkcs15.c:1478:pkcs15_login: PKCS15 verify PIN returned 0
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] framework-pkcs15.c:1487:pkcs15_login: Check if pkcs15 object list can be completed.
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:325:C_FindObjectsInit: C_FindObjectsInit(slot = 1)
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:326:C_FindObjectsInit: C_FindObjectsInit(): CKA_CLASS = CKO_PRIVATE_KEY
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] misc.c:136:session_start_operation: called
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] misc.c:137:session_start_operation: Session 0x8ebb260, type 0
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:347:C_FindObjectsInit: Object with handle 0x8eab560
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:368:C_FindObjectsInit: Object 1/149599584: Attribute 0x0 does NOT match.
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:347:C_FindObjectsInit: Object with handle 0x8eab5c0
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:368:C_FindObjectsInit: Object 1/149599680: Attribute 0x0 does NOT match.
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:398:C_FindObjectsInit: 0 matching objects
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] misc.c:158:session_get_operation: called
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] misc.c:158:session_get_operation: called
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:53:sc_find_release: freeing 0 handles used 0 at (nil)
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:325:C_FindObjectsInit: C_FindObjectsInit(slot = 1)
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:326:C_FindObjectsInit: C_FindObjectsInit(): CKA_CLASS = CKO_PUBLIC_KEY
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] misc.c:136:session_start_operation: called
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] misc.c:137:session_start_operation: Session 0x8ebb260, type 0
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:347:C_FindObjectsInit: Object with handle 0x8eab560
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:368:C_FindObjectsInit: Object 1/149599584: Attribute 0x0 does NOT match.
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:347:C_FindObjectsInit: Object with handle 0x8eab5c0
> 0xb78a28d0 10:29:44.973 [opensc-pkcs11] pkcs11-object.c:368:C_FindObjectsInit: Object 1/149599680: Attribute 0x0 does NOT match.
> 0xb78a28d0 10:29:44.974 [opensc-pkcs11] pkcs11-object.c:398:C_FindObjectsInit: 0 matching objects
> 0xb78a28d0 10:29:44.974 [opensc-pkcs11] misc.c:158:session_get_operation: called
> 0xb78a28d0 10:29:44.974 [opensc-pkcs11] misc.c:158:session_get_operation: called
> 0xb78a28d0 10:29:44.974 [opensc-pkcs11] pkcs11-object.c:53:sc_find_release: freeing 0 handles used 0 at (nil)
> 0xb78a28d0 10:29:49.019 [opensc-pkcs11] pkcs11-global.c:290:C_Finalize: C_Finalize()
> 0xb78a28d0 10:29:49.020 [opensc-pkcs11] ctx.c:714:sc_cancel: called
> 0xb78a28d0 10:29:49.020 [opensc-pkcs11] reader-pcsc.c:591:pcsc_cancel: called
> 0xb78a28d0 10:29:49.020 [opensc-pkcs11] slot.c:178:card_removed: Teo by Xiring 00 00: card removed
> 0xb78a28d0 10:29:49.021 [opensc-pkcs11] slot.c:398:slot_token_removed: slot_token_removed(0x1)
> 0xb78a28d0 10:29:49.021 [opensc-pkcs11] pkcs11-session.c:126:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x1) 1
> 0xb78a28d0 10:29:49.021 [opensc-pkcs11] pkcs11-session.c:98:sc_pkcs11_close_session: real C_CloseSession(0x8ebb260)
> 0xb78a28d0 10:29:49.021 [opensc-pkcs11] pkcs15-pin.c:596:sc_pkcs15_pincache_clear: called
> 0xb78a28d0 10:29:49.022 [opensc-pkcs11] card-iasecc.c:1129:iasecc_logout: called
> 0xb78a28d0 10:29:49.022 [opensc-pkcs11] card-iasecc.c:675:iasecc_select_file: called
> 0xb78a28d0 10:29:49.022 [opensc-pkcs11] card-iasecc.c:679:iasecc_select_file: iasecc_select_file(card:0x8eac790) path.len 11; path.type 1; aid_len 0
> 0xb78a28d0 10:29:49.022 [opensc-pkcs11] card-iasecc.c:680:iasecc_select_file: iasecc_select_file() path:f0496173456363526f6f74::
> 0xb78a28d0 10:29:49.024 [opensc-pkcs11] card.c:1013:sc_print_cache: current_ef(type=0) e828bd080fd25047656e65726963::7006
> 0xb78a28d0 10:29:49.024 [opensc-pkcs11] card.c:1018:sc_print_cache: current_df(type=1, aid_len=0) e828bd080fd25047656e65726963::
> 0xb78a28d0 10:29:49.025 [opensc-pkcs11] card.c:1013:sc_print_cache: current_ef(type=0) e828bd080fd25047656e65726963::7006
> 0xb78a28d0 10:29:49.025 [opensc-pkcs11] card.c:1018:sc_print_cache: current_df(type=1, aid_len=0) e828bd080fd25047656e65726963::
> 0xb78a28d0 10:29:49.025 [opensc-pkcs11] apdu.c:525:sc_transmit_apdu: called
> [...]
>
> Could this behaviour be related to the fact that the private key is
> not allowed to sign?
> Where could I patch the code to force the use of this key?
>
> Thanks in advance.
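
Added example (not part of the original thread, and not OpenSC code): a small Python parser for the opensc-pkcs11 debug entries quoted above. For each C_FindObjectsInit search that returned nothing, it reports the slot searched, the attribute type that failed to match (in PKCS#11, attribute type 0x0 is CKA_CLASS) and whether any candidate handle was one the framework had registered with pkcs15_add_object. The sample lines are constructed from entries in the log above, rejoined onto single lines with the thread id and timestamp dropped; the function names are this example's own.

```python
import re

# Constructed sample: entries taken from the log quoted above, one per line.
SAMPLE_LOG = """\
framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8e8e048
framework-pkcs15.c:851:pkcs15_add_object: Slot:3 Setting object handle of 0x0 to 0x8ea7bb0
pkcs11-object.c:325:C_FindObjectsInit: C_FindObjectsInit(slot = 1)
pkcs11-object.c:326:C_FindObjectsInit: C_FindObjectsInit(): CKA_CLASS = CKO_PRIVATE_KEY
pkcs11-object.c:347:C_FindObjectsInit: Object with handle 0x8eab560
pkcs11-object.c:368:C_FindObjectsInit: Object 1/149599584: Attribute 0x0 does NOT match.
pkcs11-object.c:347:C_FindObjectsInit: Object with handle 0x8eab5c0
pkcs11-object.c:368:C_FindObjectsInit: Object 1/149599680: Attribute 0x0 does NOT match.
pkcs11-object.c:398:C_FindObjectsInit: 0 matching objects
"""

CKA_NAMES = {0x0: "CKA_CLASS", 0x102: "CKA_ID", 0x108: "CKA_SIGN"}  # PKCS#11 attribute types

def analyse(log):
    """Return (handles registered per slot, list of C_FindObjectsInit searches)."""
    registered, searches, cur = {}, [], None
    for line in log.splitlines():
        if m := re.search(r"pkcs15_add_object: Slot:(\w+) .* to (0x[0-9a-f]+)", line):
            # Assumption: the slot number is decimal or 0x-prefixed hex.
            registered.setdefault(int(m[1], 0), set()).add(m[2])
        elif m := re.search(r"C_FindObjectsInit\(slot = (\w+)\)", line):
            cur = {"slot": int(m[1], 0), "class": None, "candidates": [],
                   "mismatched": set(), "matches": None}
            searches.append(cur)
        elif cur is None:
            continue  # entries before the first search are not part of any search
        elif m := re.search(r"CKA_CLASS = (\w+)", line):
            cur["class"] = m[1]
        elif m := re.search(r"Object with handle (0x[0-9a-f]+)", line):
            cur["candidates"].append(m[1])
        elif m := re.search(r"Attribute (0x[0-9a-fA-F]+) does NOT match", line):
            cur["mismatched"].add(CKA_NAMES.get(int(m[1], 16), m[1]))
        elif m := re.search(r"(\d+) matching objects", line):
            cur["matches"] = int(m[1])
    return registered, searches

def failed_searches(log):
    """Empty searches, flagged with whether they examined any registered handle."""
    registered, searches = analyse(log)
    known = set().union(*registered.values())
    return [dict(s, saw_registered=bool(known & set(s["candidates"])))
            for s in searches if s["matches"] == 0]

if __name__ == "__main__":
    for s in failed_searches(SAMPLE_LOG):
        print(s)
```

On the sample, the one failed search ran on slot 1, rejected both candidates on CKA_CLASS, and examined neither of the handles registered on slot 3.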
