Andreas --

On Sun, Nov 11, 2012 at 6:31 AM, Andreas Schwier <andreas.schw...@cardcontact.de> wrote:
> The suggested way in the meantime is to generate the key pair, extract
> the public key and generate a CSR externally, signing it with the
> private key on the device.

I haven't tried that precise sequence yet -- I tried it with openssl and it complained, I still need to try it with certtool as described by Nikos.

I did try creating the keypair and certificate in software, then installing the resulting bits onto the token. I managed to install the certificate (which also provides the public key):

    $ echo $tool
    /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --pin 648219
    $ LD_LIBRARY_PATH=/usr/local/lib $tool -O
    Using slot 1 with a present token (0x1)
    Certificate Object, type = X.509 cert
      label:      Foo
      ID:         10
    Public Key Object; RSA 2048 bits
      label:      Foo
      ID:         10
      Usage:      encrypt, verify

Although the public key does not have the "wrap" usage flag set; compare with a keypair generated on the token:

    $ LD_LIBRARY_PATH=/usr/local/lib $tool \
        --keypairgen --key-type rsa:2048 --id 11 \
        --read-object --id 11 --type pubkey --output-file foobar.pub
    Using slot 1 with a present token (0x1)
    Key pair generated:
    Private Key Object; RSA
      label:      Private Key
      ID:         11
      Usage:      decrypt, sign, unwrap
    Public Key Object; RSA 2048 bits
      label:      Private Key
      ID:         11
      Usage:      encrypt, verify, wrap

However, the bigger problem came when I tried to install the private key:

    $ LD_LIBRARY_PATH=/usr/local/lib $tool --write-object foo2a.key.der --id 11 --type privkey --label Foo
    Using slot 1 with a present token (0x1)
    error: PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)
    Aborting.

Turning on debugging (after making trivial repairs to the debug output code), it seems that these are the attributes that are getting stuffed:

    CKA_CLASS = CKO_PRIVATE_KEY
    CKA_TOKEN = TRUE
    CKA_PRIVATE = TRUE
    CKA_SENSITIVE = TRUE
    CKA_LABEL = Foo
    CKA_ID = 10
    CKA_KEY_TYPE = 0x7fff6d1c1175
    CKA_MODULUS = C770D5...
    CKA_PUBLIC_EXPONENT = 010001
    CKA_PRIVATE_EXPONENT = 97F798...
    CKA_PRIME_1 = EFE5AD...
    CKA_PRIME_2 = D4D3F6...
    CKA_EXPONENT_1 = 5815FD...
    CKA_EXPONENT_2 = 2DD24D...
    CKA_COEFFICIENT = 62BD2B...

Looking for similar instances on the web, the recommendation seems to be: "hack pkcs11-tool to remove individual attributes until you find which one the token is complaining about". With your visibility into the software on the token, I'm hoping that you can help us avoid that kind of trial and error. :)

Thanks very much for your help so far, and we're looking forward to hearing the results of your tests with openssl.

Best regards,
Anthony Foiani

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
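The message above ends with the usual advice for a CKR_ATTRIBUTE_VALUE_INVALID from C_CreateObject: strip attributes from the template until the token accepts it. The following is an added example, not code from the thread, from pkcs11-tool or from OpenSC. It does two things a practitioner would want before blaming the token: it checks that the RSA private-key attributes in a CKO_PRIVATE_KEY template are mutually consistent (p*q = n, e*d = 1 mod lcm(p-1, q-1), the CRT values match, and CKA_KEY_TYPE is a real CKK_* value rather than something that looks like a pointer), and it automates the one-attribute-at-a-time bisection against any `create_object` callback. The CKA_*/CKO_*/CKK_* numeric values are the ones defined in the PKCS#11 header; the key material is a constructed textbook-sized RSA key, and `fake_token_create` is a stand-in for a real C_CreateObject call, so the script runs offline with no token.

```python
"""Sanity-check and bisect a PKCS#11 CKO_PRIVATE_KEY RSA template.

Hypothetical helper (not part of OpenSC or pkcs11-tool). Attribute constants
are the numeric values from the PKCS#11 header (pkcs11t.h).
"""
from math import gcd

# PKCS#11 attribute types and object/key-type constants.
CKA_CLASS, CKA_TOKEN, CKA_PRIVATE, CKA_LABEL = 0x0000, 0x0001, 0x0002, 0x0003
CKA_KEY_TYPE, CKA_ID, CKA_SENSITIVE = 0x0100, 0x0102, 0x0103
CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT = 0x0120, 0x0122, 0x0123
CKA_PRIME_1, CKA_PRIME_2 = 0x0124, 0x0125
CKA_EXPONENT_1, CKA_EXPONENT_2, CKA_COEFFICIENT = 0x0126, 0x0127, 0x0128
CKO_PRIVATE_KEY = 0x0003
CKK_RSA = 0x0000

RSA_PARTS = [CKA_MODULUS, CKA_PUBLIC_EXPONENT, CKA_PRIVATE_EXPONENT,
             CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2,
             CKA_COEFFICIENT]


def build_rsa_template(p, q, e, label, key_id):
    """Build a consistent CKO_PRIVATE_KEY template from primes p, q and exponent e."""
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # Carmichael lambda(n)
    d = pow(e, -1, lam)
    return {
        CKA_CLASS: CKO_PRIVATE_KEY, CKA_TOKEN: True, CKA_PRIVATE: True,
        CKA_SENSITIVE: True, CKA_LABEL: label, CKA_ID: key_id,
        CKA_KEY_TYPE: CKK_RSA,
        CKA_MODULUS: n, CKA_PUBLIC_EXPONENT: e, CKA_PRIVATE_EXPONENT: d,
        CKA_PRIME_1: p, CKA_PRIME_2: q,
        CKA_EXPONENT_1: d % (p - 1), CKA_EXPONENT_2: d % (q - 1),
        CKA_COEFFICIENT: pow(q, -1, p),              # q^-1 mod p (PKCS#1 qInv)
    }


def check_rsa_private_template(t):
    """Return a list of problems found in the template; an empty list means consistent."""
    problems = []
    if t.get(CKA_CLASS) != CKO_PRIVATE_KEY:
        problems.append("CKA_CLASS is not CKO_PRIVATE_KEY")
    kt = t.get(CKA_KEY_TYPE)
    if kt != CKK_RSA:
        shown = f"{kt:#x}" if isinstance(kt, int) else repr(kt)
        problems.append(f"CKA_KEY_TYPE = {shown}, expected CKK_RSA (0x0)")
    missing = [a for a in RSA_PARTS if a not in t]
    if missing:
        problems.append(f"missing RSA attributes: {[hex(a) for a in missing]}")
        return problems
    n, e, d, p, q, dp, dq, qinv = (t[a] for a in RSA_PARTS)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if p * q != n:
        problems.append("CKA_PRIME_1 * CKA_PRIME_2 != CKA_MODULUS")
    if (e * d) % lam != 1:
        problems.append("CKA_PUBLIC_EXPONENT * CKA_PRIVATE_EXPONENT != 1 mod lcm(p-1, q-1)")
    if dp != d % (p - 1):
        problems.append("CKA_EXPONENT_1 != d mod (p-1)")
    if dq != d % (q - 1):
        problems.append("CKA_EXPONENT_2 != d mod (q-1)")
    if (q * qinv) % p != 1:
        problems.append("CKA_COEFFICIENT is not q^-1 mod p")
    return problems


def attributes_blocking_create(template, create_object):
    """Bisection the thread describes, automated: drop one attribute at a time.

    create_object(template) must return True on success and False when the
    token answers CKR_ATTRIBUTE_VALUE_INVALID.  Returns the attributes whose
    removal alone makes the call succeed (empty if the full template works).
    """
    if create_object(template):
        return []
    culprits = []
    for attr in list(template):
        trimmed = {k: v for k, v in template.items() if k != attr}
        if create_object(trimmed):
            culprits.append(attr)
    return culprits


def fake_token_create(template):
    """Stand-in for C_CreateObject: rejects any key type other than CKK_RSA."""
    return template.get(CKA_KEY_TYPE, CKK_RSA) == CKK_RSA


if __name__ == "__main__":
    # Constructed textbook key: p=61, q=53, e=17 (not a real deployment key).
    good = build_rsa_template(61, 53, 17, "Foo", bytes.fromhex("10"))
    print("consistent template problems:", check_rsa_private_template(good))
    bad = dict(good)
    bad[CKA_KEY_TYPE] = 0x7fff6d1c1175      # looks like a stack address, not a CKK_* value
    print("suspect template problems:", check_rsa_private_template(bad))
    print("attributes blocking create:", [hex(a) for a in attributes_blocking_create(bad, fake_token_create)])
```

With a real module the `create_object` callback would wrap the library's C_CreateObject and map CKR_ATTRIBUTE_VALUE_INVALID to False; the consistency check runs first so that a key whose CRT parameters do not match its modulus is caught on the host before any PIN-authenticated session is opened.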