I looked at the two logs you sent, and I don't see where the private key is generated on the card, or where the Globus private key was written to the card. I don't have any of these cards, so I may have missed something. I would have expected the log to have some entries for entersafe_gen_key, or entersafe_write_.
In both the dumps, the trace of the pkcs15-init --store-private-key is from lines 42 to 58, and it looks like it is only 16 lines long and only tests if a card is present.

Xiaoshuo Wu wrote:
> On Fri, 07 May 2010 18:36:39 +0800, Jan Just Keijser <janj...@nikhef.nl> wrote:
>> More information for the Feitian folks: I also tried the driver bundle
>> from the ftsafe website but it only supports the SCR200 card reader, not
>> the 301; what was/am I doing wrong there?
> Thank you for testing Feitian products, AFAIK SCR301 is compliant with
> CCID V1.1, so no proprietary driver needed.
>
> On Thu, 20 May 2010 18:35:13 +0800, Jan Just Keijser <janj...@nikhef.nl> wrote:
>> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
>> [opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: returning with: Card command failed
>> [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card command failed
>> [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Card command failed
>> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
>> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
>> error in req
>>
>> this is - again - the error -1200. The full opensc-debug.log file is
>> http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
> I got similar result on my debian 5 (engine-pkcs11, pcsclite, pcscd,
> OpenSSL, all distribution version) with OpenSC r4365, here are the
> commands I use:
>
> pkcs15-init -E
> pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 123456 --puk 111111 --label "janjust"
> openssl genrsa 2048 > id_rsa.pem
> openssl rsa -pubout < id_rsa.pem > id_rsa.pub
> pkcs15-init --store-private-key id_rsa.pem --id 45 --auth-id 01 --pin 123456

The log for the above is in lines 42-58 of the dumps, and it looks like it only tests the card, and does not store the key.

> openssl
> OpenSSL>engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
> OpenSSL>req -engine pkcs11 -new -key 45 -keyform engine -x509 -out cert.pem -text
>
> Thanks to
> http://www.gooze.eu/howto/smartcard-quickstarter-guide/generating-transferring-and-extracting-x-509-certificates,
> I found "-key 45" should be "-key slot_X-id_45", where X is the slot
> number you got through "pkcs11-tool --list-slots".
> Here are the following commands that work for me:
>
> OpenSSL>req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -x509 -out cert.pem -text
> OpenSSL>quit
> openssl verify -CAfile cert.pem cert.pem
> pkcs15-init --store-certificate cert.pem --auth-id 01 --id 123456 --format pem
>
> I also attached the log in detail.
>
> On Thu, 20 May 2010 19:50:46 +0800, Jan Just Keijser <janj...@nikhef.nl> wrote:
>
>> $ ./openssl
>> OpenSSL> engine dynamic -pre SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>> (dynamic) Dynamic engine loading support
>> [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>> Loaded: (pkcs11) pkcs11 engine
>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_6606 -keyform engine -x509 -out cert.pem -text
>> engine "pkcs11" set.
>> PKCS#11 token PIN:
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -----
>> Country Name (2 letter code) [GB]:
>> State or Province Name (full name) [Berkshire]:
>> Locality Name (eg, city) [Newbury]:
>> Organization Name (eg, company) [My Company Ltd]:
>> Organizational Unit Name (eg, section) []:
>> Common Name (eg, your name or your server's hostname) []:
>> Email Address []:
>> 28400:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
>> 28400:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
>> error in req
>> OpenSSL> quit
>>
>> in other words: same error.
>> See http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520 for the full log
> I saw "slot_1-id_6606", please run "pkcs11-tool --list-slots" and
> "pkcs15-tool --dump", to see if you have a private key with ID 6606 in
> the card that was inserted in slot 1?
>
> Regards, Xiaoshuo

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
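The two checks the thread converges on (take the slot number from "pkcs11-tool --list-slots", confirm with "pkcs15-tool --dump" that a private key with the expected ID is actually on the card, then build the engine_pkcs11 "-key slot_X-id_Y" argument) can be scripted so that a mismatch like "slot_1-id_6606" is caught before openssl fails with "PKCS11_rsa_sign:General Error". The script below is an added example, not code from the thread or from OpenSC; the functions first_token_slot, private_key_id_present and engine_key_spec are hypothetical names, and the sample outputs are constructed to resemble the tools' text layout, which is assumed and varies between OpenSC versions.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSC): derive the engine_pkcs11
# key spec "slot_X-id_Y" from tool output and verify the key exists.

# Constructed sample of `pkcs11-tool --list-slots` (layout is an assumption).
SAMPLE_SLOTS='Available slots:
Slot 0 (0x0): SCR200 USB Reader 00 00
  (empty)
Slot 1 (0x1): SCR301 USB Reader 00 00
  token label        : janjust
  token manufacturer : EnterSafe
  token model        : PKCS#15
  token flags        : rng, login required, PIN initialized, token initialized
'

# Constructed sample of `pkcs15-tool --dump` (layout is an assumption).
SAMPLE_DUMP='PKCS#15 Card [janjust]:
    Version        : 0
    Manufacturer ID: EnterSafe
    Flags          : EID compliant

Private RSA Key [Private Key]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0x4], sign
    ModLength      : 2048
    Key ref        : 1 (0x1)
    Auth ID        : 01
    ID             : 45
'

# first_token_slot: print the number of the first slot that holds a token
# (a "token label" line not preceded by "(empty)"); fail if none.
first_token_slot() {
    printf '%s\n' "$1" | awk '
        /^Slot [0-9]+ /  { slot = $2 }
        /^ *\(empty\)/   { slot = "" }
        /^ *token label/ && slot != "" && !found { print slot; found = 1 }
        END { if (!found) exit 1 }'
}

# private_key_id_present: succeed only if a "Private RSA Key" object in the
# dump carries an "ID : <id>" line matching the requested id.
private_key_id_present() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Private RSA Key/ { inkey = 1; next }
        /^[^ \t]/          { inkey = 0 }
        inkey && $1 == "ID" && $3 == want { found = 1 }
        END { if (!found) exit 1 }'
}

# engine_key_spec: build "slot_X-id_Y" as the Gooze guide quoted in the
# thread describes, refusing to do so when the key is not on the card.
engine_key_spec() {
    ks_slot=$(first_token_slot "$1") || { echo "no token present" >&2; return 1; }
    private_key_id_present "$2" "$3" || { echo "no private key with ID $3 on card" >&2; return 1; }
    printf 'slot_%s-id_%s\n' "$ks_slot" "$3"
}

# With a real card, pass "$(pkcs11-tool --list-slots)" and
# "$(pkcs15-tool --dump)" instead of the constructed samples.
engine_key_spec "$SAMPLE_SLOTS" "$SAMPLE_DUMP" 45
```

The resulting string is what goes after "-key" in "openssl req -engine pkcs11 -keyform engine"; asking for ID 6606 against the sample dump fails the second check, which is the situation Xiaoshuo asks Jan to rule out.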