[opensc-devel] SO pin in pkcs11-tool?
Hello all,

As you may know, I'm trying to implement writing a certificate to an OpenPGP card via PKCS#11. I succeeded with the pkcs15-init tool but have difficulty with pkcs11-tool.

When I import via the pkcs15-init tool (command: pkcs15-init --store-certificate quanngu...@mbm.vn.pem), the tool asks for the Admin PIN and the work is done.

But when I try with pkcs11-tool:

    pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2

the tool does not ask for a PIN and the write cannot succeed (on the OpenPGP card, writing a certificate requires the SO (Admin) PIN). I tried to provide the Admin PIN on the command line, but still without success:

    pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2 -l --so-pin 12345678
    pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2 --so-pin 12345678

I also researched and found that in pkcs15-init, a function to ask for the PIN is implemented and registered via sc_pkcs15init_set_callbacks(), but pkcs11-tool does not do so.

The questions are:
- Is not asking for a PIN an intentional design of pkcs11-tool, or a limitation?
- What is the right way to provide the Admin PIN to pkcs11-tool so that it can write data?
- When I import a certificate in Firefox, the browser asks for a PIN. I expect it to ask for the Admin PIN but am not sure which PIN it actually asks for (the user PIN, to log in to the slot, or the Admin PIN, to write data). Do you know how Firefox determines which PIN to ask for? Does it always ask for the user PIN of the slot, or is it smart enough to ask for the right PIN?

--
Regards,
Quân

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] SO pin in pkcs11-tool?
Hello,

I think you have some confusion about what the PKCS#11 Admin PIN is. The PKCS#11 Admin PIN is only usable to initialize a token, and optionally to unlock the user PIN. It has no special privileges over the content of the card. So you are prompted by Firefox for the user PIN, which is OK.

Anyway, what you have done is correct as far as OpenSC is concerned: use the pkcs15 tools in order to initialize the card, and use the card within PKCS#11 environments. If that's working, I think you provided a great solution.

Alon.

On Wed, May 30, 2012 at 12:21 PM, Nguyễn Hồng Quân quanngu...@mbm.vn wrote:
> [...]
Re: [opensc-devel] SO pin in pkcs11-tool?
Hello Alon,

On Wed 30 May 2012 04:27:11 PM ICT, Alon Bar-Lev wrote:
> Hello,
> I think you have some confusion about what the PKCS#11 Admin PIN is. The PKCS#11 Admin PIN is only usable to initialize a token, and optionally to unlock the user PIN. It has no special privileges over the content of the card.

But for the OpenPGP card, the Admin PIN is required to write to the DO which holds the certificate (the 7F21 DO). Maybe this is specific to the OpenPGP card.

> So you are prompted by Firefox for the user PIN, which is OK. Anyway, what you have done is correct as far as OpenSC is concerned: use the pkcs15 tools in order to initialize the card, and use the card within PKCS#11 environments.

Do you think using PKCS#11 to change card content is unnecessary?

--
Regards,
Quân
Re: [opensc-devel] SO pin in pkcs11-tool?
Thanks for your explanation.

On Wed 30 May 2012 04:42:04 PM ICT, Alon Bar-Lev wrote:
> Actually no. After personalization the card content is constant, so 99.9% of the time the card content is unchanged. If the personalization process is done via another interface it should not be a problem. OpenSC uses the pkcs15 utilities / emulation in order to personalize the cards, so the process is no exception.
> PKCS#11 is weak in terms of privileges; it is not always possible to access the complete feature set via this interface without proprietary extensions.
> Alon.

--
Regards,
Quân
Re: [opensc-devel] SO pin in pkcs11-tool?
On 30/05/2012 11:42, Alon Bar-Lev wrote:
> PKCS#11 is weak in terms of privileges; it is not always possible to access the complete feature set via this interface without proprietary extensions.

IIRC, that's why profiles are needed when you use the card, not only when you initialize it, right? But shouldn't a copy of the ACLs be stored in the PKCS#15 metadata so that it's parseable after init without requiring the profile? And shouldn't the SO PIN be just another PIN (on the MyEID card it has id ff; on other cards it might be different) so that you can specify it in the profile?

BYtE,
Diego.