Greetings. Andreas is (obviously) helping me with this, but if anyone else has ideas about what's going on here, I would love to hear them.

Many thanks,
Tony

---------- Forwarded message ----------
From: Anthony Foiani <anthony.foi...@gmail.com>
Date: Sat, Dec 8, 2012 at 1:34 PM
Subject: Re: inconsistency between pkcs11-tool and pkcs15-tool
To: Andreas Schwier <andreas.schw...@cardcontact.de>

Andreas --

I must say, your customer support hours are impressive. :)

On Sat, Dec 8, 2012 at 7:31 AM, Andreas Schwier <andreas.schw...@cardcontact.de> wrote:
> can you create a log using export OPENSC_DEBUG=9 ?

Of which steps?

> Seems that the last two certificates are the same, at the least GUID is
> the same. Did you import certificates in DER encoding or PEM encoding ?

They were in DER.

Actual sequence of operations:

1. Use XCA to create key and certificate signing request.

   This had some issues as well: it would wait long enough for the creation to take place, but on the first try, it would give me an error. Second try gave me another error (because I used the same name as the first key, and even though it wasn't shown in the XCA window, it was indeed on the key, so the error came when XCA tried to label the second key). Third try, with a different name, worked.

2. Use OpenSSL and my in-house CA to sign the CSR and create a cert.

   These were all in PEM format, so I transformed them using:

     for i in ca-2013 ca-root foo2a-2013
     do
       openssl x509 -inform pem -in $i-cert.pem \
         -outform der -out $i-cert.der
     done

3. Use pkcs11-tool to load them onto the token:

     tool="pkcs11-tool --module opensc-pkcs11.so --login --pin 648219"

     $tool --write-object ca-root-cert.der --id 1 --type cert \
       --label 'Foiani CA Root Certificate'

     $tool --write-object ca-2013-cert.der --id 2 --type cert \
       --label 'Foiani CA Intermediate Certificate (2013)'

     $tool --write-object foo2a-2013-cert.der --id 3 --type cert \
       --label 'Foo2A (2013)'

At that point, the list of objects on the token was:

  $tool -O
  Using slot 1 with a present token (0x1)
  Private Key Object; RSA
    label:      Foo2A
    ID:         0f48886a19793c9e
    Usage:      decrypt, sign, unwrap
  Certificate Object, type = X.509 cert
    label:      Foiani CA Intermediate Certificate (2013)
    ID:         02
  Public Key Object; RSA 2048 bits
    label:      Foiani CA Intermediate Certificate (2013)
    ID:         02
    Usage:      encrypt, verify
  Certificate Object, type = X.509 cert
    label:      Foiani CA Root Certificate
    ID:         01
  Public Key Object; RSA 8192 bits
    label:      Foiani CA Root Certificate
    ID:         01
    Usage:      encrypt, verify
  Certificate Object, type = X.509 cert
    label:      Certificate
    ID:         03
  Public Key Object; RSA 2048 bits
    label:      Certificate
    ID:         03
    Usage:      encrypt, verify
  Certificate Object, type = X.509 cert
    label:      Foo2A (2013)
    ID:         03
  Public Key Object; RSA 2048 bits
    label:      Foo2A (2013)
    ID:         03
    Usage:      encrypt, verify

So there's already one problem, with multiple entries at id 03.

I suspect that I want to start over with a fresh pkcs15-tool init, and see if I can get a working setup from there.

Thanks to your help, though, I feel I'm getting very close.

Best regards,
Anthony Foiani

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
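As an added check, not code from the thread or from OpenSC itself: a small Python parser for the `pkcs11-tool -O` listing that groups objects by class and ID and reports any ID carried by more than one object of the same class (a certificate and a public key sharing an ID is normal; two certificates sharing one is the collision seen above). The embedded listing is a constructed, abridged copy of the one quoted in the mail.

```python
# Parse a `pkcs11-tool -O` listing and flag IDs shared by several objects of one class.
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the listing quoted in the mail.
SAMPLE_LISTING = """\
Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      Foo2A
  ID:         0f48886a19793c9e
Certificate Object, type = X.509 cert
  label:      Foiani CA Intermediate Certificate (2013)
  ID:         02
Public Key Object; RSA 2048 bits
  label:      Foiani CA Intermediate Certificate (2013)
  ID:         02
  Usage:      encrypt, verify
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         03
Public Key Object; RSA 2048 bits
  label:      Certificate
  ID:         03
Certificate Object, type = X.509 cert
  label:      Foo2A (2013)
  ID:         03
"""

HEADER_RE = re.compile(r"^(Private Key|Public Key|Certificate) Object")

def parse_objects(listing):
    """Return [{'class', 'label', 'id'}, ...] in listing order."""
    objects = []
    for line in listing.splitlines():
        m = HEADER_RE.match(line)
        if m:
            objects.append({"class": m.group(1), "label": None, "id": None})
        elif objects:  # attribute line of the current object (Usage etc. ignored)
            key, _, value = line.strip().partition(":")
            if key.lower() in ("label", "id"):
                objects[-1][key.lower()] = value.strip()
    return objects

def duplicate_ids(objects):
    """Map (class, id) -> labels for IDs used by more than one object of that class."""
    by_key = defaultdict(list)
    for obj in objects:
        if obj["id"] is not None:
            by_key[(obj["class"], obj["id"])].append(obj["label"])
    return {k: v for k, v in by_key.items() if len(v) > 1}
```

Run it on the real listing by piping `pkcs11-tool --module opensc-pkcs11.so -O` output into `parse_objects` before writing a new object with `--id`, so a clash is caught before it lands on the token.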