pierre lhostis wrote:
> Hello Marc-Aurèle,

Hi, and thanks for the reply :-)

> We do not use the same token brand, so if your problem is token-related,
> I can't give you any hint.

This I understand very well. But by comparing how your certificate
requests are behaving compared to mine it could be possible to spot
where the problem lies.
And finally, if the problem is token-related I could make the decision to
switch to another USB token model/brand that would behave more
appropriately with Firefox/Thunderbird and OpenCA.
I also have to add that I'm almost sure that I don't have problems due
to defective USB tokens since I've been given 4 iKey3000 USB tokens,
and I have tested all 4 of them.

> the only thing I can think of is an access-right problem we had.

This is what I read in your previous message in this mailing list.

> I assume that you successfully loaded the opensc-pkcs11.so library in
> firefox.

Yes.
And I can even use certificates on the USB token with Firefox and
Thunderbird:
1. I generate a certificate request with FF and its builtin security
device
2. I get the certificate from the PKI into the FF builtin security
device
3. I then export the certificate onto the filesystem
4. I configure FF to use the USB token security device
5. I import the exported certificate from the filesystem into the
USB security device
6. I can finally use certificates to send signed and encrypted emails,
etc.

> First, when you process your request from the OpenCA Public interface,
> could you check what are the choices you got in Mozilla Firefox when it
> comes to select the token ("Choix d'un jeton" in French)? If you only
> got the "Sécurité personnelle" (personal security) choice, it means
> that your token is not detected properly.

I've got the personal security device as well as the USB security
device, no problem at this stage.

> The problem can come from an access right to the folder /var/run/openct
> because the firefox user must be part of the scard group. You can try to
> run Firefox as root and see if it changes something.
> Alternatively you can change the folder access rights from rwxr-x--- to
> rwxr-xr-x or add your user to the scard group.

Since I have no problem with the USB security device detection and
connection in FF I don't think I need to do this rights change. My
user is in the scard group alright.
Just for the record, I tried to run FF as root in another term, but with
root only the personal security device was detected.

> If your browser detected your token properly and only the key generation
> is a problem, then it must be an opensc configuration problem.

Since my previous posts I have done tests on Microsoft Windows... and I
have exactly the same behavior as on Debian GNU/Linux: I can
initialize the USB token all very fine and use it in FF, but the
certificate request approval always gives me this "Error 700
General Error A Certificate with the same public key exists!" error.

> One thing
> that is important when it comes to the token choice: by default, I
> think opensc accepts 4 different users for one token when it comes to
> the token choice ("choix d'un jeton"). For example, if my card's name is
> Card03 and I initialized (PIN+PUK) the card for one operator Ope01, I
> will have the following choices:
> Card03
> Card03
> Card03
> Sécurité personnelle
> Card03 (Ope01)
> Only the "Carte03 (Ope01)" choice is working for me, because if I choose
> "Carte01", then I am asked to enter a new PIN code for this (new) user,
> but it always fails.
> So IMO, it is important to initialize the card and to create a new user
> before starting the token key generation process via the browser.

Your explanations are very clear, thanks for the care you are taking to
go into all those details.
Actually what you describe is exactly what I do.

> And finally: yes, the token key generation is far longer than a
> browser generation. So you will see the difference once it succeeds :)

All my certificate requests with the USB token on both Debian and
Windows never took more than a second, and the private key generation
little popup disappears almost as soon as it has appeared, while the private
key generation with the FF builtin security device takes something like
5 seconds. I have to add that I am only requesting a 1024-bit
key size since the iKey3000 USB tokens don't support longer key sizes.
I'm now almost certain that the problem comes from the fact that no
private key is generated when the USB token is used to request a
certificate.
Here is what I've got after the certificate request has been made:

$ pkcs15-tool --list-pins
PIN [Security Officer PIN]
Com. Flags: 0x3
Auth ID : ff
Flags : [0xB0], initialized, needs-padding, soPin
Length : min_len:6, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Type : -1
Path : 3F005015
Tries left: -1
PIN [Identity 1 (GNU-Linux)]
Com. Flags: 0x3
Auth ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 131
Type : -1
Path : 3F005015
Tries left: -1

$ pkcs15-tool --list-keys
NOTHING

The "list-keys" operation should return the private key created while
requesting a certificate from OpenCA, shouldn't it? If there isn't any
there, can we conclude that there is a bug in the Firefox-USB token connection
happening only when generating private keys?
Thanks to you all for your help and please bear with me a little bit
more :-)
--
Marc-Aurèle DARCHE
NUXEO (Paris, France) http://nuxeo.com/
Nuxeo Collaborative Portal Server (CPS) http://www.cps-project.org/
Web content management / collaborative portal / free software
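As an added example that is not part of this thread and not code from OpenSC or OpenCA, the following Python script automates the two checks the discussion turns on: whether `pkcs15-tool --list-keys` shows a private key bound to an initialized user PIN after the browser-driven request (the empty listing above is exactly the symptom to detect), and whether a given user can reach the OpenCT directory /var/run/openct given its mode and owning group. The PIN sample is modelled on the listing quoted above; the key-listing sample, the function names and the verdict strings are assumptions made for the example.

```python
import grp
import os
import pwd
import re
import stat

# Constructed sample, modelled on the `pkcs15-tool --list-pins` listing in the thread.
SAMPLE_PINS = """\
PIN [Security Officer PIN]
Com. Flags: 0x3
Auth ID : ff
Flags : [0xB0], initialized, needs-padding, soPin
Path : 3F005015
PIN [Identity 1 (GNU-Linux)]
Com. Flags: 0x3
Auth ID : 01
Flags : [0x32], local, initialized, needs-padding
Path : 3F005015
"""

# Constructed sample of what `pkcs15-tool --list-keys` prints once a key really
# lives on the token (field names follow pkcs15-tool's layout, values are invented).
SAMPLE_KEYS_OK = """\
Private RSA Key [Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Path : 3F005015
Auth ID : 01
ID : 45
"""

HEADER = re.compile(r"^(?P<kind>PIN|Private \w+ Key|Public \w+ Key) \[(?P<label>.*)\]$")


def parse_pkcs15(text):
    """Split a pkcs15-tool listing into one dict per object.

    An object starts at a 'Kind [label]' header; following 'Field : value' lines
    belong to it. Lines without a colon (e.g. a hand-typed 'NOTHING') are ignored.
    """
    objects = []
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            objects.append({"kind": match.group("kind"), "label": match.group("label")})
        elif ":" in line and objects:
            field, value = line.split(":", 1)
            objects[-1][field.strip()] = value.strip()
    return objects


def pin_flags(pin):
    """Symbolic flags of a PIN object, without the leading hex value."""
    return {flag.strip() for flag in pin.get("Flags", "").split(",")[1:]}


def diagnose(pins_text, keys_text):
    """Decide whether the browser-driven request left a usable private key on the token."""
    pins = [o for o in parse_pkcs15(pins_text) if o["kind"] == "PIN"]
    keys = [o for o in parse_pkcs15(keys_text) if o["kind"].startswith("Private")]
    user_pins = [p for p in pins
                 if "initialized" in pin_flags(p) and "soPin" not in pin_flags(p)]
    user_auth_ids = {p.get("Auth ID") for p in user_pins}
    result = {
        "user_pins_initialized": len(user_pins),
        "private_keys": len(keys),
        "keys_bound_to_user_pin": sum(1 for k in keys if k.get("Auth ID") in user_auth_ids),
    }
    if not user_pins:
        result["verdict"] = "no initialized user PIN: initialize the token and create a user first"
    elif not keys:
        result["verdict"] = "no private key on the token: key generation never reached the token"
    elif result["keys_bound_to_user_pin"] == 0:
        result["verdict"] = "private key exists but is not protected by the user PIN"
    else:
        result["verdict"] = "private key present and bound to the user PIN"
    return result


def openct_access_problem(st_mode, dir_gid, user_gids):
    """Pure form of the access-rights advice: /var/run/openct is typically rwxr-x---
    and group-owned by 'scard', so a user reaches it only if 'other' has r-x or the
    user is in the owning group. Returns None when fine, else an explanation."""
    perms = stat.S_IMODE(st_mode)
    if perms & 0o005 == 0o005:
        return None
    if dir_gid in user_gids and perms & 0o050 == 0o050:
        return None
    return "mode %o, group %d: user not in owning group and 'other' lacks r-x" % (perms, dir_gid)


def check_openct(path="/var/run/openct", user=None):
    """Run openct_access_problem() against the live system (assumes `path` exists)."""
    st = os.stat(path)
    name = user or pwd.getpwuid(os.getuid()).pw_name
    gids = {pwd.getpwnam(name).pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return openct_access_problem(st.st_mode, st.st_gid, gids)


if __name__ == "__main__":
    print(diagnose(SAMPLE_PINS, "NOTHING")["verdict"])   # the situation reported above
    print(diagnose(SAMPLE_PINS, SAMPLE_KEYS_OK)["verdict"])
```

On a real machine, feed the script the captured output of the two pkcs15-tool commands instead of the samples; a verdict of "no private key on the token" right after the request confirms that the browser performed the key generation somewhere other than the token, which is also consistent with the CA rejecting a request whose public key it has already seen.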
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users