Hello Andreas,

sorry for my late reply, but I just returned today.


>> The card should treat the keys as if they were generated onboard.
>
> I don't know if the card keeps a flag "was generated on board", but
> I don't think so. So from my perspective there shouldn't be a problem.


I have not yet tested openct/opensc. But since I have to implement these "features" myself anyway, I wonder whether the eToken Pro (CardOS M4) can sign or decipher with these outside-generated keys itself, or whether just the "computer" gets the key and uses it for deciphering/signing. In the eToken documentation I cannot find any hint that I can write an RSA key object onto the token.



> note: etoken uses cardOS and thus is limited to either signing or
> deciphering keys. but opensc can work around that, use --split-key.
> or if you only want signing use -u sign, if you only want deciphering
> use -u decipher (or ... see -u help for help on key usage).

By the way, I do not know whether it is interesting for you or not, but I am going to tell it anyway:

we have found a way so that the eToken Pro can do both encryption *and* decryption with one key. (Encryption is almost only the reverse operation of decryption ..)



I will have to test openct and opensc - it sounds really very interesting.


Thanks,


Arno Wilhelm




Andreas Jellinghaus wrote:
[using etoken and cryptoflex with RSA keys]

1.) go to http://www.opensc.org/files/snapshots
    download latest openct and opensc snapshot.
2.) install openct. tar xfvz ... && configure && make && make install
3.) look at the openct documentation (it's in the doc/ subdir):
     - create the /var/run/openct dir and set permissions
     - install the init.d script, make sure your distribution starts it
       on boot.
     - make sure the kernel hotplugging calls the openct hotplug script.
     - either reboot or run the init.d script with "start".
4.) insert an etoken, run openct-tool and see if it was found (it should be).

5.) install opensc. tar xfvz ... && configure --with-openct=/path/to/openct && make && make install
6.) run opensc-explorer and see if you can access the etoken.
7.) create pkcs15 structure with pkcs15-init -C
8.) want a pin on it? create it with pkcs15-init -P -a 01
9.) create a key? pkcs15-init -G rsa/1024 (add -a 01 if you have a pin)
import a key? pkcs15-init -S file.pem (add -a 01 if you have a pin)


note: etoken uses cardOS and thus is limited to either signing or
deciphering keys. but opensc can work around that, use --split-key.
or if you only want signing use -u sign, if you only want deciphering
use -u decipher (or ... see -u help for help on key usage).

same thing with a cryptoflex, in this example an egate card:
exactly the same thing, except you don't need --split-key.

if you have a normal reader (e.g. a towitoko or kaan reader), you need
to edit the openct.conf.

btw: pcsc-lite is no longer needed with the opensc+openct combo.
So I suggest moving this thread to [EMAIL PROTECTED] mailing
list. If there is any problem, the opensc and openct developers will surely assist you.


as author of the openct driver, i will still fix bugs for etoken and
usbtoken, but I'm moving all development effort to openct.
openct can also be used as a ifdhandler or ct-api driver with pcsc-lite.

(and if you want that, you can use openct <-> pcsc-lite <-> opensc .)


The card should treat the keys as if they were generated onboard.

I don't know if the card keeps a flag "was generated on board", but I don't think so. So from my perspective there shouldn't be a problem.


That means that it should be able to sign with the keys, to export the public key but not to export the private key etc. to


opensc will store or generate all keys as non exportable, unless you
specify --exportable. so what you want is already the default setting.


Since we are using cryptoflex cards and eToken usb-tokens, I wonder if anybody on this list has done such a thing with one of these cards and could give me some useful hints ?


working fine here. My thawte certificate was created in mozilla (key and
crt), downloaded from thawte, exported to a pkcs12 file, imported into
a hardware key (works with all three: aladdin etoken pro, rainbow ikey
3000 (windows software for import), schlumberger cryptoflex egate), and
the keys inside mozilla were deleted, mozilla was reconfigured to use
opensc pkcs#11 engine. it works fine, I can sign and decrypt emails.

the opensc sslengine for openssl also works fine, so I can create
certificate requests with keys stored in hardware. (actually opensc
has two engines, both work fine :-).

the pam module works also fine, but its been a few weeks since I tried
it. Other people also tested openssh: it should work, but you need to
apply a patch as far as i know. the other developers should know...

No, I haven't tried getting ipsec to work with opensc / key on crypto
token. maybe soon :-)

Regards, Andreas

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle



-- 
Mr Arno Wilhelm
phion Information Technologies GmbH
System Engineer
Eduard-Bodem-Gasse 1
A-6020 Innsbruck
www.phion.com
tel: +43 512 39 45 45
fax: +43 512 39 45 45 20
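The thread makes two related points: a CardOS key object on the eToken Pro is restricted to either signing or deciphering (which opensc works around with --split-key), and, as Arno notes, decryption and signing are essentially the same RSA private-key operation. The toy model below, added here as an illustration and not code from OpenSC, CardOS or either author, shows why: the same modular exponentiation serves both `decipher` and `sign`, so the single-usage limit is a policy the card enforces on the key object, not a property of the math. The `CardKey` class, the `split_key` helper (modelled on the thread's description of --split-key: the same key material stored as two objects with different usages) and the tiny primes are all constructed for this example; there is no padding, so this is a model of the usage policy, never a usable cipher.

```python
"""Toy RSA model of a smart-card private key with a single permitted usage.

Added illustration only; not OpenSC, CardOS or eToken code.
"""
from math import gcd

# Constructed toy parameters: two small primes and the usual public exponent.
P, Q, E = 61, 53, 17


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)) for textbook RSA with tiny primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi(n)"
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def private_op(x, priv):
    """The single private-key primitive x^d mod n.

    RSA decryption and RSA signing both call exactly this; in real use only
    the padding around x differs.
    """
    n, d = priv
    return pow(x, d, n)


def public_op(x, pub):
    """The public-key primitive x^e mod n (encrypt, or recover a signature)."""
    n, e = pub
    return pow(x, e, n)


class CardKey:
    """Model of one on-card key object limited to a single usage, as the
    thread says CardOS does on the eToken Pro. Hypothetical class."""

    def __init__(self, priv, usage):
        if usage not in ("sign", "decipher"):
            raise ValueError("usage must be 'sign' or 'decipher'")
        self._priv = priv
        self.usage = usage
        self.exportable = False    # opensc's default unless --exportable

    def decipher(self, ciphertext):
        if self.usage != "decipher":
            raise PermissionError("key usage does not permit decipher")
        return private_op(ciphertext, self._priv)

    def sign(self, digest):
        if self.usage != "sign":
            raise PermissionError("key usage does not permit sign")
        return private_op(digest, self._priv)

    def export_private(self):
        # Non-exportable: the card never hands out d.
        raise PermissionError("private key is not exportable")


def split_key(priv):
    """Mirror the --split-key workaround: store the same key material twice,
    once as a sign-only object and once as a decipher-only object."""
    return CardKey(priv, "sign"), CardKey(priv, "decipher")


def demo():
    """Return (decrypt_ok, verify_ok, same_primitive, decipher_key_refuses_sign)."""
    pub, priv = make_keypair()
    sign_key, dec_key = split_key(priv)

    # Encrypt to the public key, decrypt with the decipher-only object.
    msg = 1234                      # must be < n (3233)
    ct = public_op(msg, pub)
    decrypt_ok = dec_key.decipher(ct) == msg

    # Sign a toy digest with the sign-only object, verify with the public key.
    digest = 2000
    sig = sign_key.sign(digest)
    verify_ok = public_op(sig, pub) == digest

    # Both objects wrap the identical primitive over the identical material.
    same_primitive = sig == private_op(digest, priv)

    # The decipher-only object refuses to sign even though it could compute it.
    try:
        dec_key.sign(digest)
        refuses = False
    except PermissionError:
        refuses = True

    return decrypt_ok, verify_ok, same_primitive, refuses


if __name__ == "__main__":
    print(demo())
```

Because the card's refusal is the only thing separating a "decipher" key from a "sign" key, the protection offered by a single-usage key lives entirely in that policy check and in the padding applied by the host (PKCS#1 signature versus encryption blocks); a split key that stores the same material twice gives up that separation, which is the trade-off behind --split-key versus choosing one usage with -u sign or -u decipher.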
