Viktor, I would like to thank you very much.
The link to secure-messaging Git repos and your further explanations solved all my problems. I had to learn this pkcs11/iasecc in a short time but now I am able to sign files with openssl / smime / engine_pkcs11 / opensc / iasecc card! The produced signatures are recognized by third parties.

Thanks again.

--
Jean-Pierre

2011/12/6 Viktor Tarasov <[email protected]>

> On 05/12/2011 14:37, Viktor Tarasov wrote:
>
>> Hello Jean-Pierre,
>>
>> On 05/12/2011 11:27, Jean-Pierre Fortune wrote:
>>
>>> Could this behaviour be related to the fact that the private key is
>>> not allowed to sign?
>>> Where could I patch the code to force the use of this key?
>>
>> afais, you are using a key in the 'Generic PKI' application.
>> For all pre-allocated key slots in this application the signature is
>> possible with mechanism RSA-PKCS.
>> (I don't know the details of pkcs11 engine configuration, but somewhere
>> you have to indicate the mechanism to be used.)
>
> After some investigation and tests:
> (Using Gemalto IAS/ECC eID card, authentication key stored in protected
> application.)
>
> - CKM_RSA_PKCS mechanism is encoded into the libp11 and is the only
>   mechanism that is used for signature;
>
> - the smime signature 'works for me' with the inkey indicated by the
>   public part or by its PKCS#15 ID:
>
> OpenSSL> engine -t dynamic -pre SO_PATH:<path>/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:<path>/opensc-pkcs11.so
> OpenSSL> smime -sign -signer <path>/cert.pem -inkey f79a522740e5b9e7fd9123e2e130f14b1c7358d7 -in data.txt -keyform engine -engine pkcs11
> OpenSSL> smime -sign -signer <path>/cert.pem -inkey <path>/pubkey.pem -in data.txt -keyform engine -engine pkcs11
>
> Kind regards,
> Viktor.
