M.-A. DARCHE wrote:
All my certificate requests with the USB token on both Debian and
Windows never took more than a second and the private key generation
little popup disappears almost as it has appeared, while the private
key generation with the FF builtin security device takes something like
5 seconds or something. I have to add that I am only requesting 1024 bits
key size since the iKey3000 USB tokens don't support longer key size.
I'm now almost certain that the problem comes from the fact that no
private key is generated when the USB token is used to request a
certificate.
Here is what I've got after the certificate request has been made:
$ pkcs15-tool --list-pins
PIN [Security Officer PIN]
Com. Flags: 0x3
Auth ID : ff
Flags : [0xB0], initialized, needs-padding, soPin
Length : min_len:6, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Type : -1
Path : 3F005015
Tries left: -1
PIN [Identity 1 (GNU-Linux)]
Com. Flags: 0x3
Auth ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 131
Type : -1
Path : 3F005015
Tries left: -1
$ pkcs15-tool --list-keys
NOTHING
The "list-keys" operation should return the private key created while
requesting a certificate from OpenCA, shouldn't it? If there isn't any
there, can we conclude there is a bug in the Firefox-USB token connection
happening only when generating private keys?
There was one thing I did not try. I so much hate MSIE that the idea of
using it for testing never ever crossed my mind until a colleague suggested
that I just give it a try to help with the diagnosis.
And with the same key on the same Windows playstation the certificate
request was generated and this time could be "approve request without
signing" without any problems!
I (quickly) took the USB token back and plugged it into the nix workstation
and then verified that there was a key:
$ pkcs15-tool --list-keys
Private RSA Key []
Com. Flags : 3
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags: [0xC], alwaysSensitive, neverExtract
ModLength : 1024
Key ref : 132
Native : yes
Path :
Auth ID : 82
ID : 4f7bc510edcd39f02c91462b2e95f90e75df1f5e
So the conclusion seems to be either that the opensc shipped with
Debian Sarge doesn't work with iKey3000 USB token or that those tokens
are buggy in some way.
I'd like to have some people commenting on this conclusion before
ordering Cryptoflex 32k e-gate token from Axalto ;-)
As a side question, are there USB token brands that are more
libre software/open source friendly than others? I would like to buy
from them if possible.
Cheers,
--
Marc-Aurèle DARCHE
NUXEO (Paris, France) http://nuxeo.com/
Nuxeo Collaborative Portal Server (CPS) http://www.cps-project.org/
Web content management / collaborative portal / free software
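
The check described in the message above (does the token list a private key after the certificate request?), as an added example that is not part of the original post. It parses `pkcs15-tool --list-keys` output in the flattened form quoted above; the function names, the 1024-bit default and the empty-listing sample are assumptions of this example.

```python
import re

# Output copied from the second --list-keys run quoted in the message above.
SAMPLE_WITH_KEY = """\
Private RSA Key []
Com. Flags : 3
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags: [0xC], alwaysSensitive, neverExtract
ModLength : 1024
Key ref : 132
Native : yes
Path :
Auth ID : 82
ID : 4f7bc510edcd39f02c91462b2e95f90e75df1f5e
"""
SAMPLE_EMPTY = ""  # constructed: assumes the listing is empty when no key exists

# First line of each key object, e.g. "Private RSA Key [label]".
HEADER = re.compile(r"^(Private|Public) (\w+) Key \[(.*)\]$")

def parse_keys(text):
    """Split --list-keys output into one dict per key object."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()  # real output indents the fields; tolerate both forms
        m = HEADER.match(line)
        if m:
            keys.append({"kind": m.group(1), "alg": m.group(2), "label": m.group(3)})
        elif keys and ":" in line:
            name, _, value = line.partition(":")
            keys[-1][name.strip()] = value.strip()
    return keys

def enrollment_issues(text, min_bits=1024):
    """Return the reasons the listing does not show a usable on-token private key."""
    private = [k for k in parse_keys(text) if k["kind"] == "Private"]
    if not private:
        return ["no private key object listed on the token"]
    issues = []
    for k in private:
        bits = k.get("ModLength", "")
        if not bits.isdigit() or int(bits) < min_bits:
            issues.append(f"key {k.get('ID')}: modulus shorter than {min_bits} bits")
        if "neverExtract" not in k.get("Access Flags", ""):
            issues.append(f"key {k.get('ID')}: not flagged neverExtract")
    return issues
```

Running `enrollment_issues` on the captured output of `pkcs15-tool --list-keys` right after a certificate request shows whether the key pair actually landed on the token before the request is approved.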