Peter Koch wrote:
> Hi! I'm trying to sign a certificate request with a private key that is stored on a smartcard. This worked last year when I was using older versions of opensc, openssl, libp11 and engine_pkcs11.
>
> Here's my openssl config file:
>
>   [openssl_init]
>   engines = engine_list
>
>   [engine_list]
>   pkcs11 = engine_pkcs11
>
>   [engine_pkcs11]
>   engine_id = pkcs11
>   dynamic_path = /usr/opensc/lib/engines/engine_pkcs11.so
>   MODULE_PATH = /usr/opensc/lib/opensc-pkcs11.so
>   init = 0
>
> And here's the command that I use to create cert.pem:
>
>   openssl x509 -engine pkcs11 \
>     -in request.pem -req -out cert.pem \
>     -CA ca_cert.pem -CAkey 1:01 -CAkeyform engine \
>     -set_serial 01 -days 100
>
> This fails with the following messages:
>
>   Getting CA Private Key
>   iso7816.c:98:iso7816_check_sw: Security status not satisfied
>   card-tcos.c:742:tcos_compute_signature: returning with: Security status not satisfied
>   sec.c:53:sc_compute_signature: returning with: Security status not satisfied
>   pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
>   18735:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged in:p11_ops.c:96:
>
> The reason is obvious: engine_pkcs11 tries to use the key without verifying its PIN.
>
> Now if I try the same command with a key from slot 0
>
>   openssl x509 -engine pkcs11 \
>     -in request.pem -req -out cert.pem \
>     -CA ca_cert.pem -CAkey 0:04 -CAkeyform engine \
>     -set_serial 01 -days 100
>
> it will ask for my PIN, but the command fails with
>
>   Getting CA Private Key
>   PKCS#11 token PIN: ******
>   CA certificate and CA private key do not match
>
> This is correct behaviour. But in this case the private key was used and the resulting signature was verified with the public key from ca_cert.pem. So I'm sure the whole thing would work if only key 04 was visible on slot 0 too.
> Let's see what pkcs11-tool tells us:
>
>   $ pkcs11-tool --module /usr/opensc/lib/opensc-pkcs11.so -L
>   Available slots:
>   Slot 0 Kobil Card Terminal 00 00
>     token label:   Netkey E4 Card (Netkey PIN0)
>     token manuf:   TeleSec GmbH
>     token model:   PKCS #15 SCard
>     token flags:   login required, PIN initialized, token initialized
>     serial num :   9017230000277917
>   Slot 1 Kobil Card Terminal 00 00
>     token label:   Netkey E4 Card
>     token manuf:   TeleSec GmbH
>     token model:   PKCS #15 SCard
>     token flags:   PIN initialized, token initialized
>     serial num :   9017230000277917
>   Slot 2 Kobil Card Terminal 00 00
>     token label:   Netkey E4 Card
>     token manuf:   TeleSec GmbH
>     token model:   PKCS #15 SCard
>     token flags:   token initialized
>     serial num :   9017230000277917
>   Slot 3 Kobil Card Terminal 00 00
>     token label:   Netkey E4 Card
>     token manuf:   TeleSec GmbH
>     token model:   PKCS #15 SCard
>     token flags:   token initialized
>     serial num :   9017230000277917
>   Slot 4 (empty)
>   Slot 5 (empty)
>   Slot 6 (empty)
>   Slot 7 (empty)
>
> Why is login required on slot 0 only? Can I change that?
I need to look at the pkcs11 code. Could you send me the "pkcs15-tool --dump" output?
> Or is this a bug?
As it worked last year, it definitely looks like a bug.

Cheers,
Nils

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
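The practical question behind the thread is which slot:id pairs the engine can actually sign with, since the poster's key in slot 1 is reachable without a PIN prompt and fails with "User not logged in", while the slot flagged "login required" does prompt. The following script is an added example, not code from the thread or from OpenSC: it parses the `pkcs11-tool -L` slot listing to find the slots whose token flags say "login required", then lists the private keys on those slots after a PIN login so the slot:id pair you pass to `-CAkey ... -CAkeyform engine` is one that will get a PIN prompt. The module path is copied from the poster's config and is an assumption for your install; the use of `--slot` with the number printed by `-L` is also an assumption about the pkcs11-tool version (newer releases separate `--slot` from `--slot-index`). The sample listing embedded below is a constructed, abbreviated copy of the one in the thread so the parser part runs without a card.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSC's pkcs11-tool is on
# PATH and that MODULE points at opensc-pkcs11.so (path taken from the poster's
# config; adjust for your install).
MODULE=${MODULE:-/usr/opensc/lib/opensc-pkcs11.so}

# Read `pkcs11-tool -L` output on stdin and print the number of every slot
# whose "token flags" line contains "login required", one per line.
slots_requiring_login() {
    awk '
        /^Slot [0-9]+/                     { slot = $2 }
        /token flags:/ && /login required/ { print slot }
    '
}

# Same input; print every slot number that holds a token (skip "(empty)").
slots_with_token() {
    awk '/^Slot [0-9]+/ && !/\(empty\)/ { print $2 }'
}

# Constructed sample: an abbreviated copy of the listing posted in the thread.
SAMPLE='Available slots:
Slot 0 Kobil Card Terminal 00 00
  token label:   Netkey E4 Card (Netkey PIN0)
  token flags:   login required, PIN initialized, token initialized
Slot 1 Kobil Card Terminal 00 00
  token label:   Netkey E4 Card
  token flags:   PIN initialized, token initialized
Slot 2 Kobil Card Terminal 00 00
  token label:   Netkey E4 Card
  token flags:   token initialized
Slot 3 (empty)
'

# Live check against a real card: for each slot that requires login, list the
# private keys after a PIN login. A key that shows up here is one the engine
# will prompt a PIN for when named as slot:id in
#   openssl x509 ... -CAkey slot:id -CAkeyform engine
# Assumption: this pkcs11-tool accepts the slot number printed by -L via
# --slot (newer releases distinguish --slot from --slot-index).
list_private_keys_with_login() {
    pkcs11-tool --module "$MODULE" -L | slots_requiring_login | while read -r slot; do
        echo "== slot $slot (login required) =="
        pkcs11-tool --module "$MODULE" --slot "$slot" --login \
            --list-objects --type privkey
    done
}

# Stand-alone demo on the constructed sample (no card needed): prints "0".
printf '%s' "$SAMPLE" | slots_requiring_login
```

Run `list_private_keys_with_login` with a card inserted to see the live listing; on the poster's card only slot 0 would be visited, which matches the thread's observation that only a key addressed through slot 0 produced a PIN prompt.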
