Hello all,

As you may know, I'm trying to implement writing a certificate to an
OpenPGP card via PKCS#11.

I succeeded with the pkcs15-init tool but have difficulty with pkcs11-tool.
When I import via the pkcs15-init tool (command: pkcs15-init
--store-certificate quanngu...@mbm.vn.pem), the tool asks for the Admin PIN
and the work is done. But when I try with pkcs11-tool:
pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2
the tool does not ask for a PIN and the write cannot succeed (on the OpenPGP
card, writing a certificate requires the SO (Admin) PIN).

I tried to provide the Admin PIN in the command, but it was still not
successful:
pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2 -l --so-pin 12345678
pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2 --so-pin 12345678

I also researched and found that in pkcs15-init, a function to ask for
the PIN is implemented and added via sc_pkcs15init_set_callbacks(), but
pkcs11-tool does not do so.

The questions are:
- Is "not asking for the PIN" an intentional design of pkcs11-tool or a
limitation?
- What is the right way to provide the Admin PIN to pkcs11-tool to allow it
to write data?
- When I import a certificate in Firefox, the browser asks for a PIN. I
expect it to ask for the Admin PIN but am not sure which PIN it actually
asks for (the user PIN, to log in to the slot, or the admin PIN, to write
data). Do you know how Firefox determines which PIN to ask for? Does it
always ask for the user PIN of the slot, or is it smart enough to ask for
the right PIN?

-- 
Regards,
Quân

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
