Re: [opensc-devel] [opensc-commits] [OpenSC] #197: Entersafe driver: impossible to transfer 2048bit key to PKI card

2010-02-19 Thread Viktor TARASOV

OpenSC wrote:

> #197: Entersafe driver: impossible to transfer 2048bit key to PKI card
> ---------------------+---------------------------
>  Reporter:  jmpoure  |      Owner:  opensc-de...@…
>      Type:  defect   |     Status:  new
>  Priority:  normal   |  Milestone:
> Component:  opensc   |    Version:  0.11.6
>  Severity:  normal   |   Keywords:
> ---------------------+---------------------------
>
> I am following these guidelines with FEITIAN PKI:
> http://wiki.strongswan.org/projects/strongswan/wiki/SmartCards
>
> {{{
> pkcs15-init  --erase-card
> pkcs15-init  --create-pkcs15 --profile pkcs15+onepin \
>  --use-default-transport-key \
>  --pin  --puk 11 \
>  --label Test
> }}}
>
> Is okay.
>
> Then
> {{{
> pkcs15-init --auth-id 1 --store-private-key myKey.pem
> }}}
>
> fails with incorrect parameter.
>
> The RSA is a 2048bit private key in PEM format.
> It could be a problem with entersafe driver.


I don't know how it worked before,
but now it works for me with the following diff:

--- src/libopensc/card-entersafe.c  (révision 4040)
+++ src/libopensc/card-entersafe.c  (copie de travail)
@@ -1252,7 +1252,7 @@
switch(data-usage)
{
case 0x22:
- if(rsa-modulus.len=1024)
+ if(rsa-modulus.len  256)
  return 
entersafe_write_small_rsa_key(card,data-key_id,rsa);

 else
  return 
entersafe_write_large_rsa_key(card,data-key_id,rsa);
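
Review bot: The new bound in the case 0x22 condition is a bare 256 with no indication of its unit. The old 1024 reads like a key size in bits, whereas 256 matches the 2048-bit key from the ticket only if modulus.len is a byte count, so a short comment or a named constant next to the comparison would keep the two from being confused again. The boundary deserves a word as well: the condition should make clear which of entersafe_write_small_rsa_key and entersafe_write_large_rsa_key a modulus of exactly 256 bytes is meant to take.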



Kind wishes,
Viktor.

--
Viktor Tarasov  viktor.tara...@opentrust.com

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] opensc-pkcs11 + TrueCrypt

2010-02-19 Thread François Leblanc

Hello,

Does anyone successfully use the opensc-pkcs11 module with TrueCrypt?

I’m interested in feedback from users, since I have not managed to do it.

Regards,
François.




[opensc-devel] FYI: OpenSSH gained PKCS#11 support (sort of)

2010-02-19 Thread Martin Paljak
Hello.

The latest Portable SSH snapshots include PKCS#11 support and have removed 
linking against libopensc.

Original ticket: https://bugzilla.mindrot.org/show_bug.cgi?id=1371

Snapshots are available from http://www.mindrot.org/openssh_snap/

The code added to OpenSSH is not the patches created by Alon.

There are shortcomings and issues (like no pinpad support, no exposed token 
labels, no scp commandline support etc) but at least something is there.

AFAIK, this was the last (and only) user of libopensc. In theory we can now 
stop installing .pc files and also remove man3 manpages.


m.
-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495



Re: [opensc-devel] [opensc-commits] [OpenSC] #197: Entersafe driver: impossible to transfer 2048bit key to PKI card

2010-02-19 Thread François Pérou
On Friday 19 February 2010 at 10:51 +0100, Viktor TARASOV wrote:
 --- src/libopensc/card-entersafe.c  (révision 4040)
 +++ src/libopensc/card-entersafe.c  (copie de travail)
 @@ -1252,7 +1252,7 @@
  switch(data-usage)
  {
  case 0x22:
 - if(rsa-modulus.len=1024)
 + if(rsa-modulus.len  256)
return
 entersafe_write_small_rsa_key(card,data-key_id,rsa);
   else
return
 entersafe_write_large_rsa_key(card,data-key_id,rsa); 
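
Review bot: The if/else under case 0x22 now splits keys between entersafe_write_small_rsa_key and entersafe_write_large_rsa_key at a modulus length of 256, so a test report should cover a key on each side of that bound, not only the 2048-bit case that prompted the change. Stating the key sizes that were tried in the commit message would record that both write paths still work.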

The patch works well for me. Thanks Viktor.


[opensc-devel] entersafe: can this patch be commited?

2010-02-19 Thread Viktor TARASOV
Hi,

Any objections if the following patch would be committed?

http://www.opensc-project.org/pipermail/opensc-commits/2010-February/008386.html

Kind wishes,
Viktor.


-- 
Viktor Tarasov  viktor.tara...@opentrust.com



Re: [opensc-devel] entersafe: can this patch be commited?

2010-02-19 Thread Martin Paljak
On Feb 19, 2010, at 17:10 , Viktor TARASOV wrote:
> Hi,
>
> Any objections if the following patch would be committed?
>
> http://www.opensc-project.org/pipermail/opensc-commits/2010-February/008386.html

If it works - probably not. I've only used 1024 keys with epass3k.

m.
-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495




Re: [opensc-devel] entersafe: can this patch be commited?

2010-02-19 Thread François Pérou
On Friday 19 February 2010 at 18:39 +0200, Martin Paljak wrote:
> If it works - probably not. I've only used 1024 keys with epass3k.
I can confirm it works with Feitian PKI.


Re: [opensc-devel] FYI: OpenSSH gained PKCS#11 support (sort of)

2010-02-19 Thread Andreas Jellinghaus
On Friday 19 February 2010 15:08:49, Martin Paljak wrote:
> Hello.
>
> The latest Portable SSH snapshots include PKCS#11 support and have removed
> linking against libopensc.
>
> Original ticket: https://bugzilla.mindrot.org/show_bug.cgi?id=1371
>
> Snapshots are available from http://www.mindrot.org/openssh_snap/
>
> The code added to OpenSSH is not the patches created by Alon.
>
> There are shortcomings and issues (like no pinpad support, no exposed token
> labels, no scp commandline support etc) but at least something is there.

Thanks for letting us know! I downloaded it and compiled latest openssl, 
openct, opensc, openssh and tested this combination: works fine!
I haven't tested scp so far, but ssh-agent/ssh-add and then ssh (without
entering the pin) works, so I guess scp works at least with the agent.

> AFAIK, this was the last (and only) user of libopensc. In theory we can now
> stop installing .pc files and also remove man3 manpages.

Good idea. We need to keep the library (used by our own tools), but we can
remove everything distributions put into the -dev package (pc file, man
pages, static archive, stop installing header files etc).

Does anyone object to such a change?

Regards, Andreas


[opensc-devel] profile template 'key-directory' not used

2010-02-19 Thread Viktor TARASOV
Hi,

afais, the profile template 'key-directory',
that exists in 'flex' and 'cyberflex' card profiles is not used.

And so, these cards do not accept more than one private key.

Is it a 'known feature'?

Kind wishes,
Viktor.


-- 
Viktor Tarasov  viktor.tara...@opentrust.com



[opensc-devel] ACOS5 Support in OpenSC

2010-02-19 Thread Greg Mefford
I've been looking around for ways to interface with the ACS ACOS5 card
using the ACS38 reader on my Mac. It looks like opensc has some
rudimentary support for the card, but far from complete.
I already have a bunch of these cards that my university purchased for
investigation, so I'd prefer to use these instead of having to buy
something else.

My question is: what does the support for this card look like today,
and what can I do to help develop it. I'm new to smart cards and to
opensc, but I've spent a lot of time reading through the ACOS5
documentation and about smart cards in general.

I feel confident that I could develop the code if I had any idea where
to start and what needs to be done to make this card useful on the
non-Windows platforms. If anyone can help get me started, I'll be
happy to get the project complete and contribute a patch back.

Thanks,
Greg Mefford


Re: [opensc-devel] ACOS5 Support in OpenSC

2010-02-19 Thread Martin Paljak
On Feb 19, 2010, at 20:31 , Greg Mefford wrote:
> My question is: what does the support for this card look like today,
> and what can I do to help develop it.
OpenSC has basic (or practically no) support for the card. Basically you can
maybe read files from the card but you can't do anything useful (like generate
keys or store certificates or calculate signatures).

> I'm new to smart cards and to
> opensc, but I've spent a lot of time reading through the ACOS5
> documentation and about smart cards in general.
Great!

> I feel confident that I could develop the code if I had any idea where
> to start and what needs to be done to make this card useful on the
> non-Windows platforms. If anyone can help get me started, I'll be
> happy to get the project complete and contribute a patch back.

You should improve the basic ACOS5 read only support present in OpenSC source 
src/libopensc/card-acos5.c

Then you should add the necessary commands to generate on card structures like 
keys and add a profile for the card in src/pkcs15init/ (currently missing 100%)

I also have ACOS5 cards so I could help testing. Other people on this list can 
hopefully guide you (and me) through the pkcs15init/profile related parts.

Good luck,
-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495



Re: [opensc-devel] ACOS5 Support in OpenSC

2010-02-19 Thread Greg Mefford
Excellent. That certainly gives me a starting point.
I've checked out the source from SVN but I'm not sure how to compile it.
I've used Make before, but never Automake, so I'm kind of a noob
there. Any MacOS X developers want to just give me the commands they
use to compile opensc? And do I need to compile the whole source tree
including tools, or can I just compile the opensc library, for
example?

Thanks,
Greg Mefford

On Fri, Feb 19, 2010 at 1:46 PM, Martin Paljak mar...@paljak.pri.ee wrote:
> On Feb 19, 2010, at 20:31 , Greg Mefford wrote:
>> My question is: what does the support for this card look like today,
>> and what can I do to help develop it.
> OpenSC has basic (or practically no) support for the card. Basically you can
> maybe read files from the card but you can't do anything useful (like
> generate keys or store certificates or calculate signatures).
>
>> I'm new to smart cards and to
>> opensc, but I've spent a lot of time reading through the ACOS5
>> documentation and about smart cards in general.
> Great!
>
>> I feel confident that I could develop the code if I had any idea where
>> to start and what needs to be done to make this card useful on the
>> non-Windows platforms. If anyone can help get me started, I'll be
>> happy to get the project complete and contribute a patch back.
>
> You should improve the basic ACOS5 read only support present in OpenSC
> source src/libopensc/card-acos5.c
>
> Then you should add the necessary commands to generate on card structures
> like keys and add a profile for the card in src/pkcs15init/ (currently
> missing 100%)
>
> I also have ACOS5 cards so I could help testing. Other people on this list
> can hopefully guide you (and me) through the pkcs15init/profile related parts.
>
> Good luck,
> --
> Martin Paljak
> http://martin.paljak.pri.ee
> +3725156495




Re: [opensc-devel] ACOS5 Support in OpenSC

2010-02-19 Thread Martin Paljak
On Feb 19, 2010, at 21:07 , Greg Mefford wrote:
> Excellent. That certainly gives me a starting point.
> I've checked out the source from SVN but I'm not sure how to compile it.
> I've used Make before, but never Automake, so I'm kind of a noob
> there. Any MacOS X developers want to just give me the commands they
> use to compile opensc? And do I need to compile the whole source tree
> including tools, or can I just compile the opensc library, for
> example?


In theory ./bootstrap should generate the ./configure which should be enough to 
get you started.

The attached file can be of some use/inspiration on 10.6.




cnf.osx.default
Description: Binary data



-- 
Martin Paljak
http://martin.paljak.pri.ee
+3725156495


Re: [opensc-devel] ACOS5 Support in OpenSC

2010-02-19 Thread Greg Mefford
I tried to use the bootstrap script after installing some of those
tools with fink that were in your config script. I get the following
errors:

-
configure.ac:100: error: possibly undefined macro: AC_DEFINE
  If this token and others are legitimate, please use m4_pattern_allow.
  See the Autoconf documentation.
configure.ac:255: error: possibly undefined macro: AC_MSG_ERROR
configure.ac:323: error: possibly undefined macro: AC_CHECK_LIB
autoreconf: /sw/bin/autoconf-2.60 failed with exit status: 1
-

From searching the web, it looks like at least one opensc developer
has hit this problem in the past, but I didn't see a solution on the
mailing list. Any ideas?

Thanks,
Greg Mefford

On Fri, Feb 19, 2010 at 2:15 PM, Martin Paljak mar...@paljak.pri.ee wrote:
> On Feb 19, 2010, at 21:07 , Greg Mefford wrote:
>> Excellent. That certainly gives me a starting point.
>> I've checked out the source from SVN but I'm not sure how to compile it.
>> I've used Make before, but never Automake, so I'm kind of a noob
>> there. Any MacOS X developers want to just give me the commands they
>> use to compile opensc? And do I need to compile the whole source tree
>> including tools, or can I just compile the opensc library, for
>> example?
>
> In theory ./bootstrap should generate the ./configure which should be enough
> to get you started.
>
> The attached file can be of some use/inspiration on 10.6.
>
> --
> Martin Paljak
> http://martin.paljak.pri.ee
> +3725156495





Re: [opensc-devel] FYI: OpenSSH gained PKCS#11 support (sort of)

2010-02-19 Thread Douglas E. Engert


Andreas Jellinghaus wrote:
> On Friday 19 February 2010 15:08:49, Martin Paljak wrote:
>> Hello.
>>
>> The latest Portable SSH snapshots include PKCS#11 support and have removed
>> linking against libopensc.
>>
>> Original ticket: https://bugzilla.mindrot.org/show_bug.cgi?id=1371
>>
>> Snapshots are available from http://www.mindrot.org/openssh_snap/
>>
>> The code added to OpenSSH is not the patches created by Alon.
>>
>> There are shortcomings and issues (like no pinpad support, no exposed token
>> labels, no scp commandline support etc) but at least something is there.
>
> Thanks for letting us know! I downloaded it and compiled latest openssl,
> openct, opensc, openssh and tested this combination: works fine!
> I haven't tested scp so far, but ssh-agent/ssh-add and then ssh (without
> entering the pin) works, so I guess scp works at least with the agent.
>
>> AFAIK, this was the last (and only) user of libopensc. In theory we can now
>> stop installing .pc files and also remove man3 manpages.
>
> Good idea. We need to keep the library (used by our own tools), but we can
> remove everything distributions put into the -dev package (pc file, man
> pages, static archive, stop installing header files etc).
>
> Does anyone object to such a change?


You better ask this question on other lists too, like maybe a debian list,
or search for packages that require libopensc.

 
> Regards, Andreas

-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: [opensc-devel] entersafe: can this patch be commited?

2010-02-19 Thread Xiaoshuo Wu
On Fri, 19 Feb 2010 23:10:27 +0800, Viktor TARASOV viktor.tara...@opentrust.com wrote:

> Hi,
>
> Any objections if the following patch would be committed?
>
> http://www.opensc-project.org/pipermail/opensc-commits/2010-February/008386.html
>
> Kind wishes,
> Viktor.


Thank you for fixing it, Viktor.
And thank all of you for testing entersafe driver.
Kind wishes,
Xiaoshuo.