Hello Marc-Aurèle,

I am glad you made it somehow.

> > The "list-keys" operation should return the private key created while
> > requesting a certificate from OpenCA, shouldn't it? If there isn't any
> > there can we conclude in a bug in the Firefox-USB token connection
> > happening only when generating private keys?
> > 
> 
> There was one thing I did not try. I so much hate MSIE that the idea of
> using it for testing never ever crossed my mind until a colleague suggested
> that I just give it a try to help with the diagnostic.
> 
> And with the same key on the same Windows playstation the certificate
> request was generated and this time could be "approve request without
> signing" without any problems!
> 
> I (quickly) took the USB token back and plugged it into the nix workstation
> and then verified that there was a key:
> 
> $ pkcs15-tool --list-keys
> Private RSA Key []
>          Com. Flags  : 3
>          Usage       : [0x2E], decrypt, sign, signRecover, unwrap
>          Access Flags: [0xC], alwaysSensitive, neverExtract
>          ModLength   : 1024
>          Key ref     : 132
>          Native      : yes
>          Path        :
>          Auth ID     : 82
>          ID          : 4f7bc510edcd39f02c91462b2e95f90e75df1f5e

One question crosses my mind here: if you are able to generate a keypair
from Internet Explorer, it means that your token is CryptoAPI-compatible
and if you are able then to read it via the pkcs15-tool, it means that
this token is also PKCS#11/PKCS#15 compatible.
I don't know which specific tool you can use to initialize your iKey
token but when I use the OpenSC way to do it, I will not be able to use
it later with a CryptoAPI application like Internet Explorer or Outlook.
Reminder: the OpenSC typical way to initialize a token:

Smart Card initialisation:
 pkcs15-init -EC -T --label 'Card01' --no-so-pin

User PIN/PUK creation:
 pkcs15-init -P -T --auth-id 01 --label 'User01' --pin 1234 --puk 4321

So maybe the Rainbow CSP enables you to use an opensc-initialized token
with IE which is not the case with e-gate tokens.
So here is my question:
How do you initialize your token?

Also, are you able to enroll the certificate on your Windows machine once
you have generated your keypair? Have you checked that this token is then
usable for e-mail signature or https client authentication, etc.?

> So the conclusion seems to be either that the opensc shipped with
> Debian Sarge doesn't work with iKey3000 USB token or that those tokens
> are buggy in some way.

The only thing I could recommend you now (even if you already tried it) is
to edit the /etc/opensc/opensc.conf file as much as possible to find the
right combination for your token. That is what saved us.
On the other hand, maybe there is no convenient default profile file for
your token (stored in /usr/share/opensc). We also had to edit this
profile file (flex.profile in our case) to get the maximum out of our
token.
Maybe you will get info on your token in the opensc mailing lists.

> I'd like to have some people commenting on this conclusion before
> ordering Cryptoflex 32k e-gate token from Axalto ;-)

It really depends on what you plan to do with your tokens.
Interoperability between Unix-based and Windows Systems is not well
handled with Cryptoflex.
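The thread hinges on checking, with `pkcs15-tool --list-keys`, that a private key really exists on the token after the browser-side key generation. The following script is an added example (not part of the mailing-list thread and not OpenSC's own code): it parses the text layout that `pkcs15-tool --list-keys` prints, as quoted above, and reports whether each private key object is on-token (`Native: yes`), marked `alwaysSensitive`/`neverExtract`, usable for signing, and at least `min_modulus_bits` long. The sample output embedded below is constructed from the listing quoted in the thread; the 2048-bit minimum is an assumption for the check, not something the thread states, so the thread's 1024-bit key is reported for that reason only.

```python
"""Sanity-check the private key objects listed by `pkcs15-tool --list-keys`.

Added example; not from the openca-users thread and not OpenSC code.
Usage: pkcs15-tool --list-keys | python3 check_token_keys.py -
Without "-" the constructed SAMPLE_OUTPUT below is audited instead.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in the layout pkcs15-tool prints (values mirror the thread).
SAMPLE_OUTPUT = """\
Private RSA Key []
         Com. Flags  : 3
         Usage       : [0x2E], decrypt, sign, signRecover, unwrap
         Access Flags: [0xC], alwaysSensitive, neverExtract
         ModLength   : 1024
         Key ref     : 132
         Native      : yes
         Path        :
         Auth ID     : 82
         ID          : 4f7bc510edcd39f02c91462b2e95f90e75df1f5e
"""

# "Private RSA Key [label]" starts a key object; indented "Name : value" lines follow.
HEADER_RE = re.compile(r"^Private (?P<algo>\w+) Key \[(?P<label>.*)\]\s*$")
FIELD_RE = re.compile(r"^\s+(?P<name>[A-Za-z. ]+?)\s*:\s*(?P<value>.*?)\s*$")


@dataclass
class PrivateKey:
    algo: str
    label: str
    fields: dict = field(default_factory=dict)

    def flag_names(self, name):
        """'[0x2E], decrypt, sign' -> {'decrypt', 'sign'} (drop the hex word)."""
        raw = self.fields.get(name, "")
        return {p.strip() for p in raw.split(",")[1:] if p.strip()}

    @property
    def mod_length(self):
        value = self.fields.get("ModLength", "")
        return int(value) if value.isdigit() else 0


def parse_list_keys(text):
    """Return one PrivateKey per 'Private ... Key' block in the listing."""
    keys, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = PrivateKey(header.group("algo"), header.group("label"))
            keys.append(current)
            continue
        fld = FIELD_RE.match(line)
        if fld and current is not None:
            current.fields[fld.group("name")] = fld.group("value")
    return keys


def check_key(key, min_modulus_bits=2048):
    """Return a list of findings; an empty list means the key looks as expected."""
    findings = []
    if key.fields.get("Native", "").lower() != "yes":
        findings.append("key is not native to the token")
    access = key.flag_names("Access Flags")
    if "neverExtract" not in access:
        findings.append("private key is extractable (neverExtract not set)")
    if "alwaysSensitive" not in access:
        findings.append("private key was not always sensitive")
    if "sign" not in key.flag_names("Usage"):
        findings.append("key usage does not allow signing")
    if key.mod_length < min_modulus_bits:  # threshold is an assumption of this example
        findings.append(f"modulus is {key.mod_length} bits, below {min_modulus_bits}")
    return findings


def audit(text, min_modulus_bits=2048):
    """Map each key ID (or label) to its findings; flag an empty listing explicitly."""
    keys = parse_list_keys(text)
    if not keys:
        return {"<none>": ["no private key object found on the token"]}
    return {k.fields.get("ID") or k.label or "?": check_key(k, min_modulus_bits)
            for k in keys}


if __name__ == "__main__":
    listing = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT
    for key_id, findings in audit(listing).items():
        print(key_id, "->", "; ".join(findings) if findings else "ok")
```

An empty listing is reported as a finding of its own rather than silently passing, which is exactly the situation the thread was chasing (a certificate request with no key object behind it).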

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users