On Thu, Dec 03, 2009 at 10:13:40PM +0000, João Poupino wrote:
>> Errors:
>> % openssl req -days 3650 -new -out $CLIENT.csr -config openssl.cnf -engine
>> pkcs11 -keyform engine -key 0:45 -sha1
>> engine "pkcs11" set.
>> [opensc-pkcs11] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=02
>> [opensc-pkcs11] sec.c:201:sc_pin_cmd: returning with: Card command failed
>> Login failed
>
> 0x9C02 is "Auth Failed". Are you sure you have entered the correct PIN?

I finally got this running. Looks like I had some mismatching versions (some packages recompiled from debian testing running on debian stable). After downgrading all pcscd and opensc related packages to debian stable again, everything is working using pkcs15-tool, pkcs15-init, and the pkcs11 library from opensc. Note that I did *not* have to initialize using muscleTool, this isn't necessary (and still doesn't work).

I've summarized everything (building java applet, uploading to card, generating keys + certs and using that for openvpn authentication) on my blog at
http://blog.runtux.com/2009/12/05/150/
I hereby grant permission to reuse this documentation for enhancing documentation of the packages involved under any open source license necessary.

I still get an error when first generating a 2048 bit key, then reinitializing with pkcs15-init -E, then trying to generate a 1024 bit key, summarized at
http://blog.runtux.com/2009/12/05/150/#some-notes-on-key-sizes
and already reported as a bug for debian
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=559471
This also fails with the same error the other way round (first 1024 then 2048 bit key). It also seems that the old version of opensc on debian *can* generate 2048 bit keys but *can't* use these for generating certificates and signatures (these were fixed in later versions of opensc than the one shipping with debian stable aka lenny).

When testing uploading of applets I discovered a bug in the hello world upload script for my card and reported this to gpshell. It's scheduled for inclusion into the next release of gpshell:
https://sourceforge.net/tracker/?func=detail&atid=755201&aid=2908789&group_id=143343

I'll report my changes to the cross-JVM-build process of the MCardApplet once my registration for Alioth has worked. Seems like I can't do anonymous bug-reports at Alioth. I've summarized the changes I made in the above-cited blog post. This is essential for people trying to build the applet under Linux, because the old java and javac executables from an ancient version of the java development environment no longer run on modern systems due to library incompatibilities.

Thanks to everybody for helping me to get this running!

Ralf
--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  Fax:   +43/2243/26465-23
Reichergasse 131                        www:   http://www.runtux.com
A-3411 Weidling                         email: [email protected]
osAlliance member                       email: [email protected]
_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
