Re: [opensc-devel] openpgp.profile missing from win32 nightlies
On 09/11/2012 22:19, Leonardo Brondani Schenkel wrote:
> The latest nightlies from https://www.opensc-project.org/downloads/nightly/staging/win32/ do not come with openpgp.profile. Is it deliberate or a bug in the installer?

Take last nightly from https://www.opensc-project.org/downloads/projects/opensc/

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] obtaining a CSR for a token-generated (and locked-on-token) keypair
Dear Anthony,

I have to admit that I never tried this with openssl engine. I will give it a shot tomorrow.

As for the internally generated CSR: This is actually a CSR using the format defined in TR-03110 Part 3, chapter C.2 [1]. This format can be used directly in PKIs for Extended Access Control, which are commonly used to protect access to biometric data on passports. To use this format for X.509 PKIs, the RA would need to understand the CSR format and extract the public key.

In the current version of OpenSC, the CSR is not exposed at the interface, as PKCS#11 does not provide a mechanism to handle device generated certificate signing requests. In a later version we will try to make the CSR available as a session based data object.

The suggested way in the meantime is to generate the key pair, extract the public key and generate a CSR externally, signing it with the private key on the device.

Andreas

[1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03110/TR-03110_v2.1_P3pdf.pdf

On 11.11.2012 03:24, Anthony Foiani wrote:
> Greetings.
>
> I'm working with a CardContact HSM, and would like to generate a keypair on the token, then get a certificate based on that key.
>
> I'm using CardContact's branch of OpenSC (https://github.com/CardContact/OpenSC rev a4c3d4ec2436) and openssl 1.0.1c; I'm currently experimenting on an up-to-date Fedora 17 x86-64 box, but am hoping to deploy portions of this toolchain onto an embedded platform (linux ppc32).
>
> Just in case, I updated to the latest releases of libp11 (0.2.8) and engine_pkcs11 (0.1.8).
>
> I can successfully generate the keypair and extract the public key at the same time:
>
>   $ d=/usr/local/opensc
>   $ tool="$d/bin/pkcs11-tool --module $d/lib/opensc-pkcs11.so"
>   $ $tool --login --pin 648219 \
>       --keypairgen --key-type rsa:2048 --id 10 \
>       --read-object --id 10 --type pubkey --output-file pub.spki
>   Using slot 1 with a present token (0x1)
>   Key pair generated:
>   Private Key Object; RSA
>     label: Private Key
>     ID: 10
>     Usage: decrypt, sign, unwrap
>   Public Key Object; RSA 2048 bits
>     label: Private Key
>     ID: 10
>     Usage: encrypt, verify, wrap
>   $ ls -al pub.spki
>   -rw-rw-r--. 1 tony tony 270 Nov 9 22:20 pub.spki
>   $ hexdump -C pub.spki
>   30 82 01 0a 02 82 01 01 00 95 42 87 7a 04 82 ab |0.B.z...|
>   0010 89 7f b2 07 9f 25 e3 c2 47 e7 0a 53 2e 8c a9 0b |.%..G..S|
>   ...
>   00f0 71 a7 17 18 f6 69 99 eb 5d d1 cb 18 33 60 29 c0 |qi..]...3`).|
>   0100 c5 22 28 5b 31 7d 3e 6d 99 02 03 01 00 01|.([1}m..|
>
> However, I haven't managed to find the right incantation to force openssl to use the (available) public key, but to sign with the private key on the token.
>
> I think I finally got the engine configured correctly:
>
>   openssl_conf = openssl_def
>
>   [openssl_def]
>   engines = engine_section
>
>   [engine_section]
>   pkcs11 = pkcs11_section
>
>   [pkcs11_section]
>   engine_id = pkcs11
>   dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
>   MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
>   init = 0
>
> But when I try to do the signing operation, it looks like openssl is trying to read the private key off the token, instead of asking the token to sign on the token:
>
>   LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib/engines \
>     /usr/local/bin/openssl req -verbose \
>       -config ./token.conf -engine pkcs11 \
>       -key slot_1-id_10 -keyform engine -out foo.req
>   Using configuration from ./token.conf
>   engine pkcs11 set.
>   PKCS#11 token PIN: 648219
>   PKCS11_get_private_key returned NULL
>   cannot load Private Key from engine
>   140416681797312:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
>   140416681797312:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>   unable to load Private Key
>
> On the wiki for the HSM (http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair), there is a curious phrase:
>
>   The SmartCard-HSM does not permanently store public keys, but generates the required PKCS#11 public key object from certificates stored on the device. As newly generated key pairs don't have a certificate initially, the public key is extracted from the card generated certificate signing request instead and made available for the duration of the session.
>
>   To save the generated public key in Subject Public Key Information format as per RF3280 use the following command
>
> If I'm reading that correctly, then it seems that the HSM is creating a CSR internally -- but I don't see any way to retrieve that CSR (let alone specify the typical certificate properties like email address, DN, CN, etc.)
>
> There's the moz-test flag to the pkcs11-tool, which invokes test_kpgen_certwrite; this seems very close to what I'm trying to do -- but it's not exposed

[opensc-devel] state of the project?
Hi,

I wonder what we can or should do to improve the state of the project. It seems to me:

* the last release was 0.12.2, released on 17.07.2011, not enough progress to create a release since.
* that is a maintenance release, the last major version was opensc 0.12.0 in 22-Dec-2010.
* discussions about new server / some migration / some improvement etc. are similarly old, no significant results yet

While there have been some proposals, e.g. in the thread about the future of the server, there hasn't been any real discussion, no back and forth about the merits of the different proposals, and no convergence on one option or decision by anyone.

It seems to me the state of the project is defunct: while there are requests, proposals, options and offerings, we are not getting towards a decision or action it seems, as no one decides anything or gets people to agree or to do things.

I haven't touched a smart card in over a year, so don't expect me to do anything - that wouldn't work. But if anyone is still concerned about the project, I think it is time you take action. Don't look for anyone else, it is you or no one. But many people offered help, if you want to drive the project forward.

Regards, Andreas

Re: [opensc-devel] PIN login broken in 0.13.0rc1
On 06/11/2012 15:54, Viktor Tarasov wrote:

Hello,

On Tue, Nov 6, 2012 at 2:45 PM, Lukas Wunner lu...@wunner.de wrote:
> when logging in to a GemSafeV1 card with 0.13.0rc1, opensc first retrieves the number of tries_left using C_GetTokenInfo() and then calls C_Login(). Both functions invoke sc_pin_cmd() to communicate with the card. It seems that somehow in-between the two invocations of sc_pin_cmd(), the sc_pkcs15_auth_info structure holding the PIN information is destroyed:
>
>   $ OPENSC_DEBUG=9 pkcs11-tool --module opensc-pkcs11.so --test --login -p XXX
>   [...]
>   pkcs11-session.c:57:C_OpenSession: C_OpenSession(0x1)
>   pkcs11-session.c:83:C_OpenSession: C_OpenSession handle: 0x6100f0
>   pkcs11-session.c:86:C_OpenSession: C_OpenSession() = CKR_OK
>   framework-pkcs15.c:426:C_GetTokenInfo: C_GetTokenInfo(1)
>   sec.c:157:sc_pin_cmd: called
>   sec.c:204:sc_pin_cmd: returning with: -1408 (Not supported) -- data structure okay
>   pkcs11-session.c:259:C_Login: C_Login(0x6100f0, 1)
>   pkcs15-pin.c:293:sc_pkcs15_verify_pin: called
>   pkcs15-pin.c:294:sc_pkcs15_verify_pin: PIN(0x;len:8)
>   pkcs15-pin.c:295:sc_pkcs15_verify_pin: Auth(type:0;method:0)
>   pkcs15-pin.c:299:sc_pkcs15_verify_pin: PIN value validated
>   card.c:315:sc_lock: called
>   reader-pcsc.c:517:pcsc_lock: called
>   card.c:610:sc_select_file: called; type=2, path=3f001604
>   card-gemsafeV1.c:184:gemsafe_select_file: called
>   [...]
>   card.c:636:sc_select_file: returning with: 0 (Success)
>   sec.c:157:sc_pin_cmd: called
>   sec.c:204:sc_pin_cmd: returning with: -1300 (Invalid arguments) -- data structure destroyed
>   pkcs15-pin.c:367:sc_pkcs15_verify_pin: PIN cmd result -1300
>   [...]
>   error: PKCS11 function C_Login failed: rv = CKR_ARGUMENTS_BAD (0x7)
>
> The final error message is caused by method:0. That value is assigned to data.pin_type in pkcs15-pin.c:sc_pkcs15_verify_pin(). A value of 0 means SC_AC_NONE. The correct value would be 1 which means SC_AC_CHV. There's a check in card-gemsafeV1.c:gemsafe_build_pin_apdu() for pin_type == SC_AC_CHV which returns SC_ERROR_INVALID_ARGUMENTS on failure. That's what causes the error message.
>
> If I hardwire data.pin_type = SC_AC_CHV in sc_pkcs15_verify_pin(), it still doesn't work: The card answers with CKR_PIN_INCORRECT even though the PIN is correct. Somehow the data structure holding the authentication info gets garbled.
>
> The curious thing is that upon the first invocation of sc_pin_cmd() (by C_GetTokenInfo()), the data structure seems to still be okay: The check for pin_type == SC_AC_CHV in gemsafe_build_pin_apdu() succeeds and the function just returns SC_ERROR_NOT_SUPPORTED because SC_PIN_CMD_GET_INFO is not implemented for GemSafeV1 cards.
>
> I'm at a loss here, if somebody has an idea what's going awry I'd be grateful to hear it.

Try to apply the following:

diff --git a/src/libopensc/pkcs15-gemsafeV1.c b/src/libopensc/pkcs15-gemsafeV1.c index c05578e..3e04d40 100644 --- a/src/libopensc/pkcs15-gemsafeV1.c +++ b/src/libopensc/pkcs15-gemsafeV1.c @@ -436,6 +436,7 @@ sc_pkcs15emu_add_pin(sc_pkcs15_card_t *p15card, info = calloc(1, sizeof(*info)); info-auth_type = SC_PKCS15_PIN_AUTH_TYPE_PIN; + info-auth_method = SC_AC_CHV; info-auth_id = *id; info-attrs.pin.min_length= min_length; info-attrs.pin.max_length= max_length;

The patch has been applied to the Github OpenSC/OpenSC.

> Thanks,
> Lukas

Kind regards,
Viktor.

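Review bot: in the context lines of this hunk, the result of "info = calloc(1, sizeof(*info));" is written through on the very next line with no NULL check, so an allocation failure in sc_pkcs15emu_add_pin() becomes a NULL dereference; add a check that returns SC_ERROR_OUT_OF_MEMORY before the first assignment. On the added line itself, a one-line comment would help: calloc() leaves auth_method at 0, which the thread identifies as SC_AC_NONE, and gemsafe_build_pin_apdu() rejects anything other than SC_AC_CHV, so the reason this field must be set explicitly is worth recording next to the assignment.
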
Re: [opensc-devel] state of the project?
Hello,

On 11/11/2012 16:28, Andreas Jellinghaus wrote:
> I wonder what we can or should do to improve the state of the project. It seems to me:
>
> * the last release was 0.12.2, released on 17.07.2011, not enough progress to create a release since.
> * that is a maintenance release, the last major version was opensc 0.12.0 in 22-Dec-2010.

We are preparing 0.13.0 release on the base of the master/staging branch of Github OpenSC/OpenSC. Now it's at rc1. The candidates have been relatively well tested with some cards. The nightly builds and release candidates are on the OpenSC file server and in CI service.

My intention is to publish the next major release during the last two weeks of November. There are still few regression issues with MacOS and old cards.

I guess it's a good occasion to migrate the project. What is the procedure to follow when publishing a new major release?

> * discussions about new server / some migration / some improvement etc. are similarly old, no significant results yet
>
> While there have been some proposals, e.g. in the thread about the future of the server, there hasn't been any real discussion, no back and forth about the merits of the different proposals, and no convergence on one option or decision by anyone.
>
> It seems to me the state of the project is defunct: while there are requests, proposals, options and offerings, we are not getting towards a decision or action it seems, as no one decides anything or gets people to agree or to do things.
>
> I haven't touched a smart card in over a year, so don't expect me to do anything - that wouldn't work. But if anyone is still concerned about the project, I think it is time you take action. Don't look for anyone else, it is you or no one. But many people offered help, if you want to drive the project forward.

I propose to start migration the week 19-25.11. I'll have more free time:

- sources: all sources will migrate to github;
- CI: CI server is currently hosted by 'opensc.fr';
- download: on the same platform can be hosted the file server;
- TRAC (wiki?): it seems that Peter Stuge proposed to do something with Trac. Peter, if you are here, can you take this part, or at least explain how it could be done, please? If no suggestions, Trac can also be hosted by 'opensc.fr'.
- mailing list: the same, if no other suggestions, I'm ready to install/migrate it to 'opensc.fr' platform.

Would be nice if one of the experts explain what are the actions to follow for such migration.

> Regards, Andreas

Kind wishes,
Viktor.

Re: [opensc-devel] obtaining a CSR for a token-generated (and locked-on-token) keypair
On 11/11/2012 03:24 AM, Anthony Foiani wrote:
> Greetings.
>
> I'm working with a CardContact HSM, and would like to generate a keypair on the token, then get a certificate based on that key.

Hello,

Your question was on openssl, but just in case someone is interested. If you have any recent version of gnutls you could simply do that by using the PKCS #11 URLs of the objects. That is:

  certtool --generate-request --outfile req.pem --load-privkey pkcs11:yyy --load-pubkey pkcs11:xxx

should generate a request from the objects based on a smart card. The pkcs11: URLs are obtained using the p11tool --list-all --login command.

regards,
Nikos

Re: [opensc-devel] obtaining a CSR for a token-generated (and locked-on-token) keypair
Andreas --

Many thanks for the very quick response!

On Sun, Nov 11, 2012 at 6:31 AM, Andreas Schwier andreas.schw...@cardcontact.de wrote:
> In the current version of OpenSC, the CSR is not exposed at the interface, as PKCS#11 does not provide a mechanism to handle device generated certificate signing requests. In a later version we will try to make the CSR available as a session based data object.

Ok, good to know I'm not going crazy.

> The suggested way in the meantime is to generate the key pair, extract the public key and generate a CSR externally, signing it with the private key on the device.

That's where I was going next, although I'm having issues with openssl. I'll give it another shot later today. If you happen to have an example session that shows that sequence of activities, it would be very helpful.

Thanks again!

Best regards,
Anthony Foiani

Re: [opensc-devel] obtaining a CSR for a token-generated (and locked-on-token) keypair
Nikos --

Thanks for the quick reply!

On Sun, Nov 11, 2012 at 12:42 PM, Nikos Mavrogiannopoulos n.mavrogiannopou...@gmail.com wrote:
> Your question was on openssl,

Apologies if it was off-topic; it got to the point where I couldn't tell which component was complaining. Also, my initial goal is to use the token to authenticate data from an embedded instrument; as such, I figured that was more in the opensc world than openssl.

(Eventually I'd like to use the token to provide that instrument with a server-side HTTPS certificate as well, which would of course get me back to openssl or similar tool. But that's further down the path.)

> but just in case someone is interested. If you have any recent version of gnutls you could simply do that by using the PKCS #11 URLs of the objects. That is:
>
>   certtool --generate-request --outfile req.pem --load-privkey pkcs11:yyy --load-pubkey pkcs11:xxx
>
> should generate a request from the objects based on a smart card. The pkcs11: URLs are obtained using the p11tool --list-all --login command.

Nice -- thank you for the pointer!

Unfortunately, I don't think this can work with a keypair generated on the CC-HSM.

First, the public key is only available during the same session that generates the pair; it disappears after the session disappears. One can capture the public key at generation time using the instructions provided by CardContact here:

  http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair

This does work, but it leaves me with a public key in SPKI format, and I'm too ignorant to figure out how to turn that into something that OpenSSL can work with.

Second, the private key is not extractable, so the certtool won't be able to load it from the card. (Unless --load-privkey actually means use this privkey, but it's really just a reference to doing it on the token itself.)

So far as I know, what I would really like the openssl req tool to do is:

1. Read the public key from a given file on the regular OS filesystem [somehow dealing with the SPKI-whatever format issue];
2. Prompt me for the X.509 request parameters;
3. Construct the X.509 certificate request;
4. Sign that request on the CC-HSM token using the private key on the card;
5. Output the signed CSR onto the regular OS filesystem.

But I have not yet figured out the correct incantation for that.

Best regards,
Anthony Foiani

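On the format question raised in the message above: the pub.spki hexdump quoted earlier in this thread (270 bytes, starting 30 82 01 0a 02 82 01 01 00 and ending 02 03 01 00 01) is a bare PKCS#1 RSAPublicKey, a SEQUENCE of two INTEGERs, rather than a SubjectPublicKeyInfo. The following is an added example, not code from the thread or from OpenSC: standard-library Python that tells the two encodings apart and wraps the bare key into SPKI and PEM. All function names are hypothetical, and the sample modulus is constructed filler with the same layout, not a real key.

```python
import base64
import sys

# DER AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the element at pos; reject bad lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify(blob):
    """'pkcs1' = SEQUENCE{INTEGER,INTEGER}; 'spki' = SEQUENCE{SEQUENCE,BIT STRING}."""
    tag, body, end = read_tlv(blob)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not exactly one DER SEQUENCE")
    tags = [t for t, _ in children(body)]
    if tags == [0x02, 0x02]:
        return "pkcs1"
    if tags == [0x30, 0x03]:
        return "spki"
    raise ValueError("unrecognised public key structure")

def to_spki(blob):
    """Return blob as SubjectPublicKeyInfo, wrapping a bare RSAPublicKey."""
    if classify(blob) == "spki":
        return blob
    # BIT STRING content = one 'unused bits' octet (0) + the RSAPublicKey
    return tlv(0x30, RSA_ALG_ID + tlv(0x03, b"\x00" + blob))

def rsa_params(blob):
    """Return (modulus_bits, public_exponent) from either encoding."""
    kind = classify(blob)
    _, body, _ = read_tlv(blob)
    if kind == "spki":
        _, body, _ = read_tlv(children(body)[1][1][1:])
    (_, n), (_, e) = children(body)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")

def to_pem(spki):
    """PEM-armour a DER SubjectPublicKeyInfo."""
    b64 = base64.b64encode(spki).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(rows) + "\n-----END PUBLIC KEY-----\n"

# Constructed sample: laid out like the thread's 270-byte pub.spki; modulus is filler.
SAMPLE_MODULUS = b"\x00\x95" + bytes((7 * i + 3) % 256 for i in range(254)) + b"\x99"
SAMPLE_PKCS1 = tlv(0x30, tlv(0x02, SAMPLE_MODULUS) + tlv(0x02, b"\x01\x00\x01"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PKCS1
    sys.stdout.write(to_pem(to_spki(data)))
```

Given a file argument, the script reads that DER file instead of the sample and writes the PEM-encoded SubjectPublicKeyInfo to standard output.
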
Re: [opensc-devel] obtaining a CSR for a token-generated (and locked-on-token) keypair
On 11/11/2012 11:50 PM, Anthony Foiani wrote:
>> certtool --generate-request --outfile req.pem --load-privkey pkcs11:yyy --load-pubkey pkcs11:xxx
>>
>> should generate a request from the objects based on a smart card. The pkcs11: URLs are obtained using the p11tool --list-all --login command.
>
> Nice -- thank you for the pointer! Unfortunately, I don't think this can work with a keypair generated on the CC-HSM. First, the public key is only available during the same session that generates the pair; it disappears after the session disappears. One can capture the public key at generation time using the instructions provided by CardContact here: http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair

Ouch. In that case it can be a problem. I'm not aware of a PKCS #11 way to extract the public key from a private key, after its generation. However, with the process you can use the spki file in the command I sent before in place of pkcs11:xxx. You may need to use the --inder option if it is in DER format.

> Second, the private key is not extractable, so the certtool won't be able to load it from the card. (Unless --load-privkey actually means use this privkey, but it's really just a reference to doing it on the token itself.)

--load-privkey does not really load the key. It only uses the private key to sign the request without extracting it.

regards,
Nikos

[opensc-devel] two trivial patches for opensc
Greetings.

I cloned CardContact's repo, since I'm working with their hardware, but it looks like these issues are present in the upstream source as well.

  https://github.com/tkil/OpenSC/commit/563e264483338ea8eef01b5e5549647916308f3f
  https://github.com/tkil/OpenSC/commit/4d5993066b4473249682b1bcf0e718373e85b267

Should I make pull requests against CardContact's repo, or just post patches here, or?

Thanks,
Tony

Re: [opensc-devel] obtaining a CSR for a token-generated (and locked-on-token) keypair
Andreas --

On Sun, Nov 11, 2012 at 6:31 AM, Andreas Schwier andreas.schw...@cardcontact.de wrote:
> The suggested way in the meantime is to generate the key pair, extract the public key and generate a CSR externally, signing it with the private key on the device.

I haven't tried that precise sequence yet -- I tried it with openssl and it complained, I still need to try it with certtool as described by Nikos.

I did try creating the keypair and certificate in software, then installing the resulting bits onto the token. I managed to install the certificate (which also provides the public key):

  $ echo $tool
  /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --pin 648219
  $ LD_LIBRARY_PATH=/usr/local/lib $tool -O
  Using slot 1 with a present token (0x1)
  Certificate Object, type = X.509 cert
    label: Foo
    ID: 10
  Public Key Object; RSA 2048 bits
    label: Foo
    ID: 10
    Usage: encrypt, verify

Although the public key does not have the wrap usage flag set; compare with a keypair generated on the token:

  $ LD_LIBRARY_PATH=/usr/local/lib $tool \
      --keypairgen --key-type rsa:2048 --id 11 \
      --read-object --id 11 --type pubkey --output-file foobar.pub
  Using slot 1 with a present token (0x1)
  Key pair generated:
  Private Key Object; RSA
    label: Private Key
    ID: 11
    Usage: decrypt, sign, unwrap
  Public Key Object; RSA 2048 bits
    label: Private Key
    ID: 11
    Usage: encrypt, verify, wrap

However, the bigger problem came when I tried to install the private key:

  $ LD_LIBRARY_PATH=/usr/local/lib $tool --write-object foo2a.key.der --id 11 --type privkey --label Foo
  Using slot 1 with a present token (0x1)
  error: PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)
  Aborting.

Turning on debugging (after making trivial repairs to the debug output code), it seems that these are the attributes that are getting stuffed:

  CKA_CLASS = CKO_PRIVATE_KEY
  CKA_TOKEN = TRUE
  CKA_PRIVATE = TRUE
  CKA_SENSITIVE = TRUE
  CKA_LABEL = Foo
  CKA_ID = 10
  CKA_KEY_TYPE = 0x7fff6d1c1175
  CKA_MODULUS = C770D5...
  CKA_PUBLIC_EXPONENT = 010001
  CKA_PRIVATE_EXPONENT = 97F798...
  CKA_PRIME_1 = EFE5AD...
  CKA_PRIME_2 = D4D3F6...
  CKA_EXPONENT_1 = 5815FD...
  CKA_EXPONENT_2 = 2DD24D...
  CKA_COEFFICIENT = 62BD2B...

Looking for similar instances on the web, the recommendation seems to be: hack pkcs11-tool to remove individual attributes until you find which one the token is complaining about. With your visibility into the software on the token, I'm hoping that you can help us avoid that kind of trial and error. :)

Thanks very much for your help so far, and we're looking forward to hearing the results of your tests with openssl.

Best regards,
Anthony Foiani

Re: [opensc-devel] obtaining a CSR for a token-generated (and locked-on-token) keypair
Dear Anthony,

you can not import an externally generated private key. For security reasons, the SmartCard-HSM only supports keys generated internally.

We've tested with XCA which uses OpenSSL and the engine mechanism, so I'm quite confident it should work with the command line as well. Let me come back after I tried it.

Andreas

On 12.11.2012 07:54, Anthony Foiani wrote:
> Andreas --
>
> On Sun, Nov 11, 2012 at 6:31 AM, Andreas Schwier andreas.schw...@cardcontact.de wrote:
>> The suggested way in the meantime is to generate the key pair, extract the public key and generate a CSR externally, signing it with the private key on the device.
>
> I haven't tried that precise sequence yet -- I tried it with openssl and it complained, I still need to try it with certtool as described by Nikos.
>
> I did try creating the keypair and certificate in software, then installing the resulting bits onto the token. I managed to install the certificate (which also provides the public key):
>
>   $ echo $tool
>   /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --pin 648219
>   $ LD_LIBRARY_PATH=/usr/local/lib $tool -O
>   Using slot 1 with a present token (0x1)
>   Certificate Object, type = X.509 cert
>     label: Foo
>     ID: 10
>   Public Key Object; RSA 2048 bits
>     label: Foo
>     ID: 10
>     Usage: encrypt, verify
>
> Although the public key does not have the wrap usage flag set; compare with a keypair generated on the token:
>
>   $ LD_LIBRARY_PATH=/usr/local/lib $tool \
>       --keypairgen --key-type rsa:2048 --id 11 \
>       --read-object --id 11 --type pubkey --output-file foobar.pub
>   Using slot 1 with a present token (0x1)
>   Key pair generated:
>   Private Key Object; RSA
>     label: Private Key
>     ID: 11
>     Usage: decrypt, sign, unwrap
>   Public Key Object; RSA 2048 bits
>     label: Private Key
>     ID: 11
>     Usage: encrypt, verify, wrap
>
> However, the bigger problem came when I tried to install the private key:
>
>   $ LD_LIBRARY_PATH=/usr/local/lib $tool --write-object foo2a.key.der --id 11 --type privkey --label Foo
>   Using slot 1 with a present token (0x1)
>   error: PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)
>   Aborting.
>
> Turning on debugging (after making trivial repairs to the debug output code), it seems that these are the attributes that are getting stuffed:
>
>   CKA_CLASS = CKO_PRIVATE_KEY
>   CKA_TOKEN = TRUE
>   CKA_PRIVATE = TRUE
>   CKA_SENSITIVE = TRUE
>   CKA_LABEL = Foo
>   CKA_ID = 10
>   CKA_KEY_TYPE = 0x7fff6d1c1175
>   CKA_MODULUS = C770D5...
>   CKA_PUBLIC_EXPONENT = 010001
>   CKA_PRIVATE_EXPONENT = 97F798...
>   CKA_PRIME_1 = EFE5AD...
>   CKA_PRIME_2 = D4D3F6...
>   CKA_EXPONENT_1 = 5815FD...
>   CKA_EXPONENT_2 = 2DD24D...
>   CKA_COEFFICIENT = 62BD2B...
>
> Looking for similar instances on the web, the recommendation seems to be: hack pkcs11-tool to remove individual attributes until you find which one the token is complaining about. With your visibility into the software on the token, I'm hoping that you can help us avoid that kind of trial and error. :)
>
> Thanks very much for your help so far, and we're looking forward to hearing the results of your tests with openssl.
>
> Best regards,
> Anthony Foiani

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org

Re: [opensc-devel] two trivial patches for opensc
Suggested way is to open a pull request toward OpenSC/staging.

Our repo is pretty much in sync with the OpenSC repo, but OpenSC has the master.

On 12.11.2012 07:15, Anthony Foiani wrote:
> Greetings.
>
> I cloned CardContact's repo, since I'm working with their hardware, but it looks like these issues are present in the upstream source as well.
>
>   https://github.com/tkil/OpenSC/commit/563e264483338ea8eef01b5e5549647916308f3f
>   https://github.com/tkil/OpenSC/commit/4d5993066b4473249682b1bcf0e718373e85b267
>
> Should I make pull requests against CardContact's repo, or just post patches here, or?
>
> Thanks,
> Tony

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org