Dear Anthony,

I've created a patch [1] that adds storing the internally generated
certificate signing request in place of the certificate. This makes the
public key available in subsequent sessions until the certificate
overwrites the CSR. I've tried it with engine-pkcs11 and got a signed
PKCS#10 request.

Please let me know if it works for you.

Andreas


[1]
https://github.com/CardContact/OpenSC/commit/9dec8c35c71b94742bc75c08f33b91616bb4c9cb


On 12.11.2012 07:54, Anthony Foiani wrote:
> Andreas --
>
> On Sun, Nov 11, 2012 at 6:31 AM, Andreas Schwier
> <andreas.schw...@cardcontact.de> wrote:
>
>> The suggested way in the meantime is to generate the key pair, extract
>> the public key and generate a CSR externally, signing it with the
>> private key on the device.
> I haven't tried that precise sequence yet -- I tried it with openssl
> and it complained; I still need to try it with certtool as described
> by Nikos.
>
> I did try creating the keypair and certificate in software, then
> installing the resulting bits onto the token.
>
> I managed to install the certificate (which also provides the public key):
>
> $ echo $tool
> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so
> --login --pin 648219
>
> $ LD_LIBRARY_PATH=/usr/local/lib $tool -O
> Using slot 1 with a present token (0x1)
> Certificate Object, type = X.509 cert
>   label:      Foo
>   ID:         10
> Public Key Object; RSA 2048 bits
>   label:      Foo
>   ID:         10
>   Usage:      encrypt, verify
>
> Although the public key does not have the "wrap" usage flag set;
> compare with a keypair generated on the token:
>
> $ LD_LIBRARY_PATH=/usr/local/lib $tool \
>   --keypairgen --key-type rsa:2048 --id 11 \
>   --read-object --id 11 --type pubkey --output-file foobar.pub
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         11
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         11
>   Usage:      encrypt, verify, wrap
>
> However, the bigger problem came when I tried to install the private key:
>
> $ LD_LIBRARY_PATH=/usr/local/lib $tool --write-object foo2a.key.der
> --id 11 --type privkey --label Foo
> Using slot 1 with a present token (0x1)
> error: PKCS11 function C_CreateObject failed: rv =
> CKR_ATTRIBUTE_VALUE_INVALID (0x13)
> Aborting.
>
> Turning on debugging (after making trivial repairs to the debug output
> code), it seems that these are the attributes that are getting
> stuffed:
>
> CKA_CLASS = CKO_PRIVATE_KEY
> CKA_TOKEN = TRUE
> CKA_PRIVATE = TRUE
> CKA_SENSITIVE = TRUE
> CKA_LABEL = Foo
> CKA_ID = 10
> CKA_KEY_TYPE = 0x7fff6d1c1175
> CKA_MODULUS = C770D5...
> CKA_PUBLIC_EXPONENT = 010001
> CKA_PRIVATE_EXPONENT = 97F798...
> CKA_PRIME_1 = EFE5AD...
> CKA_PRIME_2 = D4D3F6...
> CKA_EXPONENT_1 = 5815FD...
> CKA_EXPONENT_2 = 2DD24D...
> CKA_COEFFICIENT = 62BD2B...
>
> Looking for similar instances on the web, the recommendation seems to
> be: "hack pkcs11-tool to remove individual attributes until you find
> which one the token is complaining about".
>
> With your visibility into the software on the token, I'm hoping that
> you can help us avoid that kind of trial and error.  :)
>
> Thanks very much for your help so far, and we're looking forward to
> hearing the results of your tests with openssl.
>
> Best regards,
> Anthony Foiani


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
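The quoted C_CreateObject failure only reports CKR_ATTRIBUTE_VALUE_INVALID, not which attribute the token rejected. A cheap step before stripping attributes out of pkcs11-tool one at a time is to check the template on the host for internal consistency. The script below is an added example written for this thread; it is not OpenSC or pkcs11-tool code. The CKO_*/CKK_* constants are the values from the PKCS#11 specification; the RSA numbers in the sample template are constructed textbook-size values standing in for the truncated ones in the quoted dump. It checks that CKA_CLASS, the boolean flags and CKA_KEY_TYPE are well formed (a CKA_KEY_TYPE such as the 0x7fff6d1c1175 in the dump is not a defined CK_KEY_TYPE, so it is flagged), that CKA_ID matches the id that was requested, and that the RSA components satisfy n = p*q, e*d = 1 mod lcm(p-1, q-1), exponent_1 = d mod (p-1), exponent_2 = d mod (q-1) and coefficient = q^-1 mod p, which is what CKA_COEFFICIENT means in PKCS#11.

```python
"""Sanity-check a PKCS#11 RSA private-key template before C_CreateObject.

Added example for the opensc-devel thread; not OpenSC/pkcs11-tool code.
Big-integer attributes are given as hex strings, as pkcs11-tool prints them.
"""
from math import gcd

# Constants from the PKCS#11 v2.x specification.
CKO_PRIVATE_KEY = 0x03
CKK_RSA, CKK_DSA, CKK_DH, CKK_EC = 0x00, 0x01, 0x02, 0x03
KNOWN_KEY_TYPES = {CKK_RSA, CKK_DSA, CKK_DH, CKK_EC}
CKK_VENDOR_DEFINED = 0x80000000  # bit that marks vendor-specific key types

RSA_PRIVATE_BIGINTS = ("CKA_MODULUS", "CKA_PUBLIC_EXPONENT", "CKA_PRIVATE_EXPONENT",
                       "CKA_PRIME_1", "CKA_PRIME_2", "CKA_EXPONENT_1",
                       "CKA_EXPONENT_2", "CKA_COEFFICIENT")

# Constructed sample template (textbook RSA: p=61, q=53, e=17, d=2753).
# The real key from the quoted dump is truncated there and not reproduced.
SAMPLE_TEMPLATE = {
    "CKA_CLASS": CKO_PRIVATE_KEY,
    "CKA_TOKEN": True,
    "CKA_PRIVATE": True,
    "CKA_SENSITIVE": True,
    "CKA_LABEL": "Foo",
    "CKA_ID": "10",
    "CKA_KEY_TYPE": CKK_RSA,
    "CKA_MODULUS": "0CA1",          # 3233
    "CKA_PUBLIC_EXPONENT": "11",    # 17
    "CKA_PRIVATE_EXPONENT": "0AC1", # 2753
    "CKA_PRIME_1": "3D",            # 61
    "CKA_PRIME_2": "35",            # 53
    "CKA_EXPONENT_1": "35",         # 2753 mod 60 = 53
    "CKA_EXPONENT_2": "31",         # 2753 mod 52 = 49
    "CKA_COEFFICIENT": "26",        # 53^-1 mod 61 = 38
}


def _big(template, name):
    """Decode a big-endian unsigned integer attribute given as hex."""
    return int(template[name], 16)


def check_rsa_private_template(template, expected_id=None):
    """Return a list of findings; an empty list means the template is self-consistent."""
    findings = []
    if template.get("CKA_CLASS") != CKO_PRIVATE_KEY:
        findings.append("CKA_CLASS is not CKO_PRIVATE_KEY")
    for flag in ("CKA_TOKEN", "CKA_PRIVATE", "CKA_SENSITIVE"):
        if not isinstance(template.get(flag), bool):
            findings.append(f"{flag} must be a CK_BBOOL")
    key_type = template.get("CKA_KEY_TYPE")
    if key_type is None:
        findings.append("CKA_KEY_TYPE missing")
    elif key_type not in KNOWN_KEY_TYPES and not (key_type & CKK_VENDOR_DEFINED):
        findings.append(f"CKA_KEY_TYPE 0x{key_type:x} is not a defined CK_KEY_TYPE")
    elif key_type != CKK_RSA:
        findings.append("CKA_KEY_TYPE is not CKK_RSA but RSA attributes are supplied")
    if expected_id is not None and template.get("CKA_ID", "").lower() != expected_id.lower():
        findings.append(f"CKA_ID {template.get('CKA_ID')!r} != requested id {expected_id!r}")
    missing = [n for n in RSA_PRIVATE_BIGINTS if n not in template]
    if missing:
        findings.append("missing RSA attributes: " + ", ".join(missing))
        return findings
    try:
        n, e, d, p, q, dp, dq, qinv = (_big(template, x) for x in RSA_PRIVATE_BIGINTS)
    except ValueError:
        findings.append("an RSA attribute is not valid hex")
        return findings
    # Arithmetic relations every consistent RSA CRT private key must satisfy.
    if p * q != n:
        findings.append("CKA_MODULUS != CKA_PRIME_1 * CKA_PRIME_2")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        findings.append("CKA_PRIVATE_EXPONENT is not the inverse of CKA_PUBLIC_EXPONENT")
    if dp != d % (p - 1):
        findings.append("CKA_EXPONENT_1 != d mod (p-1)")
    if dq != d % (q - 1):
        findings.append("CKA_EXPONENT_2 != d mod (q-1)")
    if (q * qinv) % p != 1:
        findings.append("CKA_COEFFICIENT is not q^-1 mod p")
    return findings


if __name__ == "__main__":
    # The dump in the thread shows CKA_ID 10 although --id 11 was requested.
    for finding in check_rsa_private_template(SAMPLE_TEMPLATE, expected_id="11") or ["template OK"]:
        print(finding)
```

Run it with the eight CKA_* hex values pasted from the debug output (untruncated) and the id passed to pkcs11-tool; anything it reports is worth fixing before the next C_CreateObject attempt, and an empty report means the remaining rejection is on the token side rather than in the numbers.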

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
