On 05/12/2011 14:37, Viktor Tarasov wrote:
> Hello Jean-Pierre,
>
> On 05/12/2011 11:27, Jean-Pierre Fortune wrote:
>> Could this behaviour be related to the fact that the private key is
>> not allowed to sign?
>> Where could I patch the code to force the use of this key?
>
> afais, you are using a key in the 'Generic PKI' application.
> For all pre-allocated key slots in this application the signature is possible
> with mechanism RSA-PKCS.
> (I don't know the details of pkcs11 engine configuration, but somewhere you
> have to indicate the mechanism to be used.)

After some investigation and tests:
(Using Gemalto IAS/ECC eID card, authentication key stored in protected application.)

- the CKM_RSA_PKCS mechanism is encoded into libp11 and is the only mechanism that is used for signature;
- the smime signature 'works for me' with the inkey indicated by public part or by its PKCS#15 ID:

OpenSSL> engine -t dynamic -pre SO_PATH:<path>/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:<path>/opensc-pkcs11.so
OpenSSL> smime -sign -signer <path>/cert.pem -inkey f79a522740e5b9e7fd9123e2e130f14b1c7358d7 -in data.txt -keyform engine -engine pkcs11
OpenSSL> smime -sign -signer <path>/cert.pem -inkey <path>/pubkey.pem -in data.txt -keyform engine -engine pkcs11

Kind regards,
Viktor.
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
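
Added example, not part of the original message and not libp11 or OpenSC code: under CKM_RSA_PKCS the token does no hashing. It applies PKCS#1 v1.5 type-1 padding to the bytes it receives, which for a signature is a DER DigestInfo computed on the host. The Python below builds that input and the padded block, then checks a block strictly. The function names, the 2048-bit key size and the sample message are assumptions made for illustration.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2 (notes on EMSA-PKCS1-v1_5).
PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def digest_info(data: bytes, algo: str = "sha1") -> bytes:
    """What the host hands to C_Sign under CKM_RSA_PKCS: prefix || hash."""
    return PREFIX[algo] + hashlib.new(algo, data).digest()

def pad_type1(t: bytes, k: int) -> bytes:
    """Block the token builds before the private-key operation (k = modulus bytes)."""
    if len(t) > k - 11:
        raise ValueError("input too long for modulus")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def check_block(em: bytes, data: bytes) -> str:
    """Strict verifier side: rebuild the expected block for each known hash
    and compare whole blocks, so stray bytes or short padding are rejected."""
    for algo in PREFIX:
        if em == pad_type1(digest_info(data, algo), len(em)):
            return algo
    raise ValueError("not a valid PKCS#1 v1.5 signature block for this data")

if __name__ == "__main__":
    # Constructed sample standing in for data.txt; 2048-bit key assumed.
    msg = b"constructed sample, stands in for data.txt\n"
    em = pad_type1(digest_info(msg, "sha1"), 256)
    print(em.hex())
    print(check_block(em, msg))
```

Because the token pads whatever DigestInfo the host supplies, what a CKM_RSA_PKCS key may sign is bounded only by the key's usage flags and PIN policy on the card.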
