[opensc-devel] inconsistency between pkcs11-tool and pkcs15-tool

2012-12-08 Thread Anthony Foiani
Greetings!

I'm experimenting with a CardContact HSM, and I'm finding some
peculiar results when trying to install multiple certificates on the
token.  Loading three certificates onto the token seemed to work, but
when I went to remove them, things fell apart.

I think that the crux of the problem is that pkcs11-tool shows only one object:

  $ tool="pkcs11-tool --module opensc-pkcs11.so --login --pin 648219"

  $ $tool -O
  Using slot 1 with a present token (0x1)
  Private Key Object; RSA
    label:  Foo2A
    ID:     0f48886a19793c9e
    Usage:  decrypt, sign, unwrap

But the pkcs15-tool shows quite a few more:

  $ pkcs15-tool -D
  [...]

  Private RSA Key [Foo2A]
  Object Flags   : [0x3], private, modifiable
  Usage          : [0x2E], decrypt, sign, signRecover, unwrap
  Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
  ModLength      : 2048
  Key ref        : 1 (0x1)
  Native         : yes
  Path           : e82b0601040181c31f0201::
  Auth ID        : 01
  ID             : 0f48886a19793c9e
  GUID           : {be6fda39-699a-d073-68e5-9629a54eafff}

  X.509 Certificate [Bar Intermediate Certificate (2013)]
  Object Flags   : [0x2], modifiable
  Authority      : no
  Path           : e82b0601040181c31f0201::ca01
  ID             : 02
  GUID           : {55f338e7-137c-67e9-a6db-9135ca0aa884}

  X.509 Certificate [Certificate]
  Object Flags   : [0x2], modifiable
  Authority      : no
  Path           : e82b0601040181c31f0201::ca02
  ID             : 03
  GUID           : {f89468b8-6674-1c8a-b01e-1a244eaaaf54}

  X.509 Certificate [Foo2A (2013)]
  Object Flags   : [0x2], modifiable
  Authority      : no
  Path           : e82b0601040181c31f0201::ca03
  ID             : 03
  GUID           : {f89468b8-6674-1c8a-b01e-1a244eaaaf54}
  Encoded serial : 02 01 01

I tried modifying the tools, but I found myself in pkcs15-tool without
a way to discover the correct sc_profile object,...

Thanks
Tony
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] The smart card reader is known as "VMware Virtual USB CCID 00 00" in linux ??!!

2012-12-08 Thread Ludovic Rousseau
2012/12/7 Rns Course :
>> Ludovic had said it was strange that pcsc_scan worked but opensc-tool -a
>> did not.
>
> Pcsc_scan finds the reader as Virtual CCID not OMNIKEY, but gets the card's
> ATR correctly.
> Opensc-tool doesn't find the card to show the ATR, because the card reader
> is not known for it as OMNIKEY.

opensc-tool will use any connected reader, unless you gave a specific
name, but that was not explicit in your first email.

opensc-tool can see the (virtual) reader, but failed to connect to the card.

Bye

-- 
 Dr. Ludovic Rousseau


[opensc-devel] a few more trivial patches

2012-12-08 Thread Anthony Foiani
Greetings --

I have two small patches which you might want to consider integrating.

(And given that I can't get git to do what I want, you probably want
to just cherry-pick these, as I suspect I've completely destroyed my
repo history...)

https://github.com/tkil/OpenSC/commit/0c4a2e0c4063f31bc41c34e45869b9a9e7ca41d7
This uses "dir local" settings to configure Emacs indentation correctly.

https://github.com/tkil/OpenSC/commit/599bd1e6c906af63eb379c866076f98a91654cb2
I spotted an inconsistency in how the option argument pointers were
initialized; this fixes it (to make it more consistent).

Best Regards,
Anthony Foiani


[opensc-devel] Fwd: inconsistency between pkcs11-tool and pkcs15-tool

2012-12-08 Thread Anthony Foiani
Greetings.

Andreas is (obviously) helping me with this, but if anyone else has
ideas about what's going on here, I would love to hear them.

Many thanks,
Tony

-- Forwarded message --
From: Anthony Foiani 
Date: Sat, Dec 8, 2012 at 1:34 PM
Subject: Re: inconsistency between pkcs11-tool and pkcs15-tool
To: Andreas Schwier 


Andreas --

I must say, your customer support hours are impressive.  :)

On Sat, Dec 8, 2012 at 7:31 AM, Andreas Schwier
 wrote:
> can you create a log using export OPENSC_DEBUG=9 ?

Of which steps?

> Seems that the last two certificates are the same, at the least GUID is
> the same. Did you import certificates in DER encoding or PEM encoding ?

They were in DER.

Actual sequence of operations:

1. Use XCA to create key and certificate signing request.

This had some issues as well: it would wait long enough for the
creation to take place, but on the first try, it would give me an
error.  Second try gave me another error (because I used the same name
as first key, and even though it wasn't shown in the XCA window, it
was indeed on the key, so the error came when XCA tried to label the
second key).  Third try, with a different name, worked.

2. Use OpenSSL and my in-house CA to sign the CSR and create a cert.

These were all in PEM format, so I transformed them using:

for i in ca-2013 ca-root foo2a-2013
do
  openssl x509 -inform pem -in $i-cert.pem \
               -outform der -out $i-cert.der
done

3. Use pkcs11-tool to load them onto the token:

tool="pkcs11-tool --module opensc-pkcs11.so --login --pin 648219"

$tool --write-object ca-root-cert.der --id 1 --type cert \
  --label 'Foiani CA Root Certificate'
$tool --write-object ca-2013-cert.der --id 2 --type cert \
  --label 'Foiani CA Intermediate Certificate (2013)'
$tool --write-object foo2a-2013-cert.der --id 3 --type cert \
  --label 'Foo2A (2013)'

At that point, the list of objects on the token was:

$tool -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:  Foo2A
  ID: 0f48886a19793c9e
  Usage:  decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:  Foiani CA Intermediate Certificate (2013)
  ID: 02
Public Key Object; RSA 2048 bits
  label:  Foiani CA Intermediate Certificate (2013)
  ID: 02
  Usage:  encrypt, verify
Certificate Object, type = X.509 cert
  label:  Foiani CA Root Certificate
  ID: 01
Public Key Object; RSA 8192 bits
  label:  Foiani CA Root Certificate
  ID: 01
  Usage:  encrypt, verify
Certificate Object, type = X.509 cert
  label:  Certificate
  ID: 03
Public Key Object; RSA 2048 bits
  label:  Certificate
  ID: 03
  Usage:  encrypt, verify
Certificate Object, type = X.509 cert
  label:  Foo2A (2013)
  ID: 03
Public Key Object; RSA 2048 bits
  label:  Foo2A (2013)
  ID: 03
  Usage:  encrypt, verify

So there's already one problem, with multiple entries at id 03.

I suspect that I want to start over with a fresh pkcs15-tool init, and
see if I can get a working setup from there.

Thanks to your help, though, I feel I'm getting very close.

Best regards,
Anthony Foiani
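Added example (not from the thread and not OpenSC's own code): both `$tool -O` listings in this thread end up with more than one object carrying the same CKA_ID, which is what makes the later `--delete-object` by ID ambiguous. The POSIX shell below parses `pkcs11-tool -O` output and reports any (object class, ID) pair used by more than one object, plus a guarded wrapper that refuses to `--write-object` a certificate under an ID a certificate already has. The listing embedded in SAMPLE_LISTING is constructed from the output quoted above so the check runs without a token; `TOKEN_TOOL` and `write_cert_unique` are assumed helper names, not pkcs11-tool options.

```shell
#!/bin/sh
# Added example: detect CKA_ID collisions in `pkcs11-tool -O` output.
# Not part of the original thread or of OpenSC.

# Constructed listing, modelled on the `$tool -O` output quoted above.
SAMPLE_LISTING='Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:  Foo2A
  ID: 0f48886a19793c9e
  Usage:  decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:  Foiani CA Intermediate Certificate (2013)
  ID: 02
Certificate Object, type = X.509 cert
  label:  Foiani CA Root Certificate
  ID: 01
Certificate Object, type = X.509 cert
  label:  Certificate
  ID: 03
Public Key Object; RSA 2048 bits
  label:  Certificate
  ID: 03
  Usage:  encrypt, verify
Certificate Object, type = X.509 cert
  label:  Foo2A (2013)
  ID: 03
Public Key Object; RSA 2048 bits
  label:  Foo2A (2013)
  ID: 03
  Usage:  encrypt, verify'

# duplicate_ids LISTING
# Prints "CLASS:ID" for every (object class, CKA_ID) pair that more than one
# object carries, one per line, sorted.  CLASS is the first word of the
# object header line ("Certificate", "Private", "Public").
duplicate_ids() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z].* Object/ { class = $1; next }   # object header line
        /^[[:space:]]*ID:/ {
            key = class ":" $2
            if (++count[key] == 2) print key        # report on 2nd sighting
        }' | LC_ALL=C sort
}

# id_in_use LISTING CLASS ID
# Exit 0 if some object of CLASS already carries CKA_ID ID, 1 otherwise.
id_in_use() {
    printf '%s\n' "$1" | awk -v want_class="$2" -v want_id="$3" '
        /^[A-Za-z].* Object/ { class = $1; next }
        /^[[:space:]]*ID:/ && class == want_class && $2 == want_id { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# write_cert_unique DER_FILE ID LABEL
# Hypothetical guarded wrapper: refuses to --write-object a certificate
# under an ID that a certificate on the token already has.  Assumes the
# caller set TOKEN_TOOL, e.g.
#   TOKEN_TOOL="pkcs11-tool --module opensc-pkcs11.so --login"
write_cert_unique() {
    listing=$($TOKEN_TOOL -O) || return 1
    if id_in_use "$listing" Certificate "$2"; then
        echo "refusing to write $1: certificate ID $2 already on token" >&2
        return 1
    fi
    $TOKEN_TOOL --write-object "$1" --id "$2" --type cert --label "$3"
}
```

Against the sample listing, `duplicate_ids "$SAMPLE_LISTING"` prints `Certificate:03` and `Public:03`, the same collision the thread's listing shows. In real use, replace the sample with `listing=$($TOKEN_TOOL -O)` and run the check before every `--write-object`; pkcs11-tool itself does not reject a reused ID.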


[opensc-devel] how to obtain an sc_profile pointer (in pkcs15-tool)?

2012-12-08 Thread Anthony Foiani
Greetings.

As a part of debugging my current issue, I was looking for a way to
delete objects from a token.  I didn't find one, so I thought I'd try
to add it.

I think that I got very close, but I was unable to determine how to
retrieve the profile pointer.

My efforts so far are here:

https://github.com/tkil/OpenSC/tree/pkcs15-tool-add-del-path

More specifically, I am trying to find the correct sc_profile * in
function delete_path:
https://github.com/tkil/OpenSC/blob/pkcs15-tool-add-del-path/src/tools/pkcs15-tool.c#L1385

Hopefully this will be unnecessary after we figure out how I'm abusing
the tools to corrupt my token, but I thought that others might find it
useful (if they can figure out the profile pointer business).

Thanks again for the great library; hopefully this little contribution
is helpful, and not creating more work for you all...

Best regards,
Anthony Foiani