pierre lhostis wrote:

One question crosses my mind here: if you are able to generate a keypair
from Internet Explorer, it means that your token is CryptoAPI-compatible
and if you are able then to read it via the pkcs15-tool, it means that
this token is also PKCS#11/PKCS#15 compatible.

Yes you are right.


I don't know which specific tool you can use to initialize your iKey
token, but when I use the OpenSC way to do it, I am not able to use
it later with a CryptoAPI application like Internet Explorer or Outlook.
Reminder: the OpenSC typical way to initialize a token:
Smart Card initialisation
 pkcs15-init -EC -T --label 'Card01' --no-so-pin
User PIN/PUK creation
 pkcs15-init -P -T --auth-id 01 --label 'User01' --pin 1234 --puk 4321

So maybe the Rainbow CSP enables you to use an opensc-initialized token
with IE, which is not the case with e-gate tokens.
So here is my question:
How do you initialize your token?


Those successful uses of the USB token to request a certificate through
generating a private key on the token with MSIE were not done with a
token initialized using OpenSC.

I have used a Windows program provided at
http://igc.cru.fr/delegation/installation-ikey3000.zip
The page (in French) that leads to this program is
http://www.cru.fr/igc/howto-ik3000.html

This program will not recognize an iKey3000 USB token initialized with
OpenSC, while the opposite is true.


Also are you able to enroll the certificate on your Windows machine once
you generated your keypair? Have you checked that this token is then
usable for e-mail signature or https client authentication, etc.?


Those certificates are fully usable for e-mail signature or https client
authentication with Firefox on both Windows and GNU/Linux.


I made more tests and I am now able to generate a private key on Windows
*but with Firefox this time* :-) (out with buggy-crappy-insecure MSIE). But
this was not done by using the opensc lib but a proprietary lib from the
manufacturer, which is SafeSign: C:\WINDOWS\system32\aetpkss1.dll

With this new lib configured in Firefox everything works fine, from the
private key generation, to the OpenCA request approval, then certificate
retrieval, to the end-user common operations (email, https, etc.).

So I have now a full working chain on the Windows side with Firefox,
but with proprietary smart card libs, not OpenSC.

As for the GNU/Linux side I'm still not able to generate private keys
with Firefox. It seems that some proprietary libs
(libaetpkss.so.1, according to Google) could be installed on the system, but I
would rather not use closed-source/non-durable software on a GNU/Linux
machine.

So the conclusion of all this thread:

  * OpenCA is behaving perfectly

  * Firefox is behaving perfectly both on GNU/Linux and Windows

  * With iKey3000 USB tokens, OpenSC is not able to generate private
    keys

  * iKey3000 USB tokens initialized with OpenSC cannot later on be used
    with the SafeSign proprietary libs, while the opposite is possible

As you said, interoperability between libre technology and proprietary
technology is not good when it comes to iKey3000 USB tokens.

Moreover it seems it's not possible to generate private keys on iKey3000
with just the OpenSC libs.


The only thing I could recommend you now (even if you already tried it) is
to edit the /etc/opensc/opensc.conf file as much as possible to find the
right combination for your token. That is what saved us.
On the other hand, maybe there is no convenient default profile file for
your token (stored in /usr/share/opensc). We also had to edit this
profile file (flex.profile in our case) to get the maximum out of our
token.
Maybe, you will get info in the opensc mailing lists for your token.


I have read the content of /usr/share/opensc without any clue about what
I could modify there :-( I will ask the opensc mailing list for info
as you suggest.

I will report here if I manage to get a full working path only with
free/libre/opensource software.


I'd like to have some people commenting on this conclusion before
ordering Cryptoflex 32k e-gate tokens from Axalto ;-)


It really depends on what you plan to do with your tokens.
Interoperability between Unix-based and Windows Systems is not well
handled with Cryptoflex.


Thanks very much, Pierre.


Cheers,

--
Marc-Aurèle DARCHE
NUXEO (Paris, France)                     http://nuxeo.com/
Nuxeo Collaborative Portal Server (CPS)   http://www.cps-project.org/
Web content management / collaborative portal / free software
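The OpenSC-only provisioning path the thread is trying to get working, written out as an added example; this is not code from the thread, from OpenCA or from the OpenSC project. It follows the two pkcs15-init commands quoted above and adds the on-card key generation and certificate import steps they do not show, then dumps the token so the result can be checked. Assumptions, none of which come from the thread: OpenSC's opensc-tool, pkcs15-init and pkcs15-tool are installed and on PATH, exactly one token is inserted, and the labels, the auth-id 01 and the object id 45 are arbitrary values chosen for this script. It also refuses the trivially guessable 1234/4321 PIN/PUK pair used in the quoted commands.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSC project:
# provisions a PKCS#15 token with OpenSC tools only, following the
# pkcs15-init sequence quoted in the thread and adding the on-card key
# generation and certificate import steps it does not show.
# Assumptions (not from the thread): opensc-tool, pkcs15-init and
# pkcs15-tool are on PATH, exactly one token is inserted, and the labels,
# auth-id 01 and key id 45 are arbitrary choices for this example.
# WARNING: pkcs15-init -E erases the token. Nothing runs without --run.
set -eu

CARD_LABEL="${CARD_LABEL:-Card01}"
USER_LABEL="${USER_LABEL:-User01}"
AUTH_ID=01                           # PIN object the key will be protected by
KEY_ID=45                            # object id shared by the key and its cert
KEY_SPEC="${KEY_SPEC:-rsa/2048}"     # old 32k cards may only accept rsa/1024

# Refuse trivially guessable PIN/PUK values such as the 1234/4321 in the thread:
# digits only (what most cards accept), at least 6 digits, and PIN != PUK.
pin_sane() {
    pin=$1
    puk=$2
    case "$pin" in ''|*[!0-9]*) return 1 ;; esac
    case "$puk" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#pin}" -ge 6 ] && [ "${#puk}" -ge 6 ] && [ "$pin" != "$puk" ]
}

# Succeeds only when every OpenSC tool this script calls is installed.
have_opensc() {
    for t in opensc-tool pkcs15-init pkcs15-tool; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

# Prompt without echo. The value still reaches pkcs15-init via --pin, which is
# visible in the process list while that command runs; drop --pin below and
# let pkcs15-init prompt itself if that matters on a shared machine.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo
    read -r value
    stty echo
    printf '\n' >&2
    printf '%s' "$value"
}

provision() {
    cert_file=${1:-}
    have_opensc || { echo "OpenSC tools not found" >&2; return 1; }
    opensc-tool -n                        # fails if no reader/card is present

    PIN=$(read_secret "New user PIN")
    PUK=$(read_secret "New user PUK")
    pin_sane "$PIN" "$PUK" || { echo "weak or mismatched PIN/PUK" >&2; return 1; }

    # 1. Erase the card and create the PKCS#15 structure (the thread's first step).
    pkcs15-init -E -C -T --label "$CARD_LABEL" --no-so-pin
    # 2. Create the user PIN/PUK (the thread's second step).
    pkcs15-init -P -T --auth-id "$AUTH_ID" --label "$USER_LABEL" \
        --pin "$PIN" --puk "$PUK"
    # 3. Generate the key pair on the card; the private key never leaves it.
    #    Whether a given token accepts this through OpenSC is exactly what the
    #    thread reports failing on the iKey3000, so an error here is the finding.
    pkcs15-init -G "$KEY_SPEC" -T --auth-id "$AUTH_ID" --id "$KEY_ID" \
        --label "$USER_LABEL key" --key-usage sign,decrypt --pin "$PIN"
    # 4. Optionally store the certificate issued for that key; the same --id
    #    links certificate and private key in the PKCS#15 directory.
    if [ -n "$cert_file" ]; then
        pkcs15-init -X "$cert_file" --format pem --id "$KEY_ID" \
            --auth-id "$AUTH_ID" --pin "$PIN"
    fi
    # 5. Show what ended up on the token (PINs, keys, certificates).
    pkcs15-tool -D
}

case "${1:-}" in
    --run) shift; provision "$@" ;;
    *) echo "usage: $0 --run [cert.pem]   (erases the token)" >&2 ;;
esac
```

Run it as `sh provision.sh --run` to initialize and generate the key, then request a certificate for the public key shown by `pkcs15-tool -D` and run it again with the issued PEM file as the second argument only if you want to redo the whole token; otherwise run step 4 by hand so the existing key is kept. The `-T` flag (default transport keys) is carried over from the quoted commands; a card whose transport keys have been changed will need the `--profile` and `opensc.conf` adjustments Pierre mentions instead.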



_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
