Hi all,

positive news this time: I've managed to upload my certificate to the 
Feitian ePass and sign a certificate request with it (i.e. no more 
annoying openssl error:

Jan Just Keijser wrote:
> Yang Liu wrote:
>> Dear Customer,
>>
>> Our R&D team replied to your enquiry in
>> http://www.opensc-project.org/pipermail/opensc-devel/2010-May/014259.html 
>>
> I saw the posting on the list, as well as several other useful 
> suggestions; I will try the suggested commands next Tuesday as I won't 
> have access to the card reader or card until that time.
>
>> -----Original Message-----
>> From: Jan Just Keijser [mailto:janj...@nikhef.nl]
>> Sent: Thursday, May 20, 2010 6:35 PM
>> To: opensc-devel@lists.opensc-project.org
>> Cc: liuy...@ftsafe.com; jmpo...@gooze.eu
>> Subject: [SPAM] Re: Feitian ePass+SCR301 problem
>>
>> hi all,
>>
>> a new attempt, this time with the Omnikey reader that Jean-Michel so 
>> kindly sent me (thanks again!). This time I attached the card reader 
>> to a CentOS 5 box which has
>> - openssl 0.9.8e
>> - opensc 0.11.9
>> - pcsc-1.4.102
>> Later on I added opensc 0.11.13 (read below)
>>
>> I started out with the gooze tutorial again
>>   http://www.gooze.eu/howto/smartcard-quickstarter-guide
>>
>> ardeche [janjust] > pkcs15-init -E
>> Using reader with a card: OmniKey CardMan 3121 00 00
>>
>> ardeche [janjust] > pkcs15-init --create-pkcs15 --profile 
>> pkcs15+onepin --use-default-transport-key --pin 123456 --puk 111111 
>> --label "janjust"
>> Using reader with a card: OmniKey CardMan 3121 00 00
>>
>> ardeche [janjust] >  pkcs15-init --store-certificate 
>> ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>>
>> ardeche [janjust] > pkcs15-init --store-private-key 
>> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Please enter passphrase to unlock secret key:
>> User PIN required.
>> Please enter User PIN:
>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: 
>> Assertion `0' failed.
>> Aborted
>>
>>
>> At this point I downloaded and built opensc-0.11.13 like this:
>>
>> ardeche [janjust] > head -10 config.log
>> This file contains any messages produced by compilers while
>> running configure, to aid debugging if configure makes a mistake.
>>
>> It was created by opensc configure 0.11.13, which was
>> generated by GNU Autoconf 2.64.  Invocation command line was
>>
>>   $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian
>>
>>
>> After the build and install I continued:
>>
>> ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id 01
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> User PIN required.
>> Please enter User PIN:
>> [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit
>> [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU
>> [pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu: returning 
>> with: Transmit failed
>> [pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit 
>> failed: Transmit failed
>> [pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed
>> [pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key: 
>> EnterSafe generate RSA key pair failed: Transmit failed
>> Failed to generate key: Transmit failed
>>
>> this still fails, but that might be related to the older pcsc-lite 
>> version...
>>
>> ardeche [janjust] > ./pkcs15-init --store-private-key 
>> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Please enter passphrase to unlock secret key:
>> User PIN required.
>> Please enter User PIN:
>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: 
>> Assertion `0' failed.
>> Aborted
>>
>> So I commented out 'assert(0)' in card-entersafe.c:
>>
>> ardeche [janjust] > ./pkcs15-init --store-private-key 
>> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Please enter passphrase to unlock secret key:
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>> User PIN required.
>> Please enter User PIN:
>>
>> I had to enter the PIN 4 times, but OK:
>>
>> ardeche [janjust] > ./pkcs15-tool --dump
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> PKCS#15 Card [janjust]:
>>         Version        : 1
>>         Serial number  : 3092541116010310
>>         Manufacturer ID: EnterSafe
>>         Last update    : 20100520100048Z
>>         Flags          : EID compliant
>>
>> PIN [User PIN]
>>         Com. Flags: 0x3
>>         ID        : 01
>>         Flags     : [0x30], initialized, needs-padding
>>         Length    : min_len:4, max_len:16, stored_len:16
>>         Pad char  : 0x00
>>         Reference : 1
>>         Type      : ascii-numeric
>>         Path      : 3f005015
>>
>> Private RSA Key [Private Key]
>>         Com. Flags  : 3
>>         Usage       : [0x4], sign
>>         Access Flags: [0x1D], sensitive, alwaysSensitive, 
>> neverExtract, local
>>         ModLength   : 1024
>>         Key ref     : 1
>>         Native      : yes
>>         Path        : 3f005015
>>         Auth ID     : 01
>>         ID          : 123456
>>
>> Public RSA Key [Public Key]
>>         Com. Flags  : 2
>>         Usage       : [0x4], sign
>>         Access Flags: [0x0]
>>         ModLength   : 1024
>>         Key ref     : 0
>>         Native      : no
>>         Path        : 3f0050153056
>>         Auth ID     :
>>         ID          : 123456
>>
>> X.509 Certificate [Certificate]
>>         Flags    : 2
>>         Authority: no
>>         Path     : 3f005015315a
>>         ID       : 123456
>>
>> Next we try to generate a self-signed certificate:
>>
>> ardeche [janjust] 1> ./openssl version
>> OpenSSL 0.9.8e 23 Feb 2007 (Library: OpenSSL 0.9.8e-fips-rhel5 01 Jul 
>> 2008)
>>
>> ardeche [janjust] > ./openssl
>> OpenSSL> engine dynamic -pre 
>> SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre 
>> ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre 
>> MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>> (dynamic) Dynamic engine loading support
>> [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
>> Loaded: (pkcs11) pkcs11 engine
>>
>> OpenSSL> req -engine pkcs11 -new -key 123456 -keyform engine -x509 
>> -out cert.pem -text
>> engine "pkcs11" set.
>> PKCS#11 token PIN:
>> You are about to be asked to enter information that will be incorporated
>> into your certificate request.
>> What you are about to enter is what is called a Distinguished Name or 
>> a DN.
>> There are quite a few fields but you can leave some blank
>> For some fields there will be a default value,
>> If you enter '.', the field will be left blank.
>> -----
>> Country Name (2 letter code) [GB]:NL
>> State or Province Name (full name) [Berkshire]:Amsterdam
>> Locality Name (eg, city) [Newbury]:Amsterdam
>> Organization Name (eg, company) [My Company Ltd]:Nikhef
>> Organizational Unit Name (eg, section) []:
>> Common Name (eg, your name or your server's hostname) []:Jan Just
>> Email Address []:
>> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data 
>> invalidated
>> [opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey: 
>> returning with: Card command failed
>> [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card 
>> command failed
>> [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: 
>> sc_compute_signature() failed: Card command failed
>> 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General 
>> Error:p11_ops.c:131:
>> 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP 
>> lib:a_sign.c:276:
>> error in req
>>
>> this is - again - the error -1200. The full opensc-debug.log file is
>>   http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
>>
>> I'm getting quite annoyed with this card ...
>>
>> What am I doing wrong?
>>
>> share and enjoy,
>>
>> JJK / Jan Just Keijser
>>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
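The `pkcs15-tool --dump` listing quoted in the thread is the only place where the on-card state (PIN object, private key access flags, modulus length, which PIN protects the key) is visible after provisioning. The following added example, which is not part of the thread or of OpenSC, parses that listing into structured objects and runs a few sanity checks a practitioner would want before trusting a freshly initialised token. The sample text is reconstructed from the dump posted above (the wrapped `Access Flags` line rejoined); the function names `parse_dump`, `flag_names` and `audit_private_keys`, and the 2048-bit minimum-modulus policy, are my own choices, not an OpenSC API.

```python
import re

# Constructed sample: pkcs15-tool --dump output in the layout shown in the
# thread, with the values from the posted dump.
SAMPLE_DUMP = """\
PKCS#15 Card [janjust]:
        Version        : 1
        Serial number  : 3092541116010310
        Manufacturer ID: EnterSafe
        Last update    : 20100520100048Z
        Flags          : EID compliant

PIN [User PIN]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x30], initialized, needs-padding
        Length    : min_len:4, max_len:16, stored_len:16
        Pad char  : 0x00
        Reference : 1
        Type      : ascii-numeric
        Path      : 3f005015

Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 1
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 123456

Public RSA Key [Public Key]
        Com. Flags  : 2
        Usage       : [0x4], sign
        Access Flags: [0x0]
        ModLength   : 1024
        Key ref     : 0
        Native      : no
        Path        : 3f0050153056
        Auth ID     :
        ID          : 123456

X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3f005015315a
        ID       : 123456
"""

# Object header:  "<kind> [<label>]" with an optional trailing colon.
HEADER_RE = re.compile(r"^(?P<kind>[^\[]+?)\s*\[(?P<label>[^\]]*)\]:?\s*$")
# Attribute line: indented "<key> : <value>", value may be empty.
ATTR_RE = re.compile(r"^\s+(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")

MIN_MODULUS_BITS = 2048  # checker policy (assumption), not something the card enforces


def parse_dump(text):
    """Parse pkcs15-tool --dump output into [{kind, label, attrs}] (hypothetical helper)."""
    objects = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: attribute of the current object.
            m = ATTR_RE.match(line)
            if m and current is not None:
                current["attrs"][m.group("key").strip()] = m.group("value").strip()
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group("kind").strip(),
                       "label": m.group("label"), "attrs": {}}
            objects.append(current)
    return objects


def flag_names(value):
    """'[0x1D], sensitive, alwaysSensitive, neverExtract, local' -> set of names."""
    parts = [p.strip() for p in value.split(",")]
    return {p for p in parts[1:] if p}  # drop the leading hex word


def audit_private_keys(objects):
    """Return a list of findings about private-key protection on the token."""
    findings = []
    pins = {o["attrs"].get("ID") for o in objects if o["kind"] == "PIN"}
    for o in objects:
        if o["kind"] != "Private RSA Key":
            continue
        a, label = o["attrs"], o["label"]
        flags = flag_names(a.get("Access Flags", ""))
        if not {"sensitive", "neverExtract"} <= flags:
            findings.append(f"{label}: not marked sensitive+neverExtract")
        if a.get("Native", "").lower() != "yes":
            findings.append(f"{label}: key is not native to the card")
        if a.get("Auth ID", "") not in pins:
            findings.append(f"{label}: not protected by a PIN on the card")
        bits = int(a.get("ModLength", "0"))
        if bits < MIN_MODULUS_BITS:
            findings.append(f"{label}: RSA modulus is only {bits} bits "
                            f"(policy minimum {MIN_MODULUS_BITS})")
    return findings


if __name__ == "__main__":
    for finding in audit_private_keys(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

On the posted dump this reports exactly one finding, the 1024-bit modulus of the imported `userkey.pem` (the `--generate-key rsa/2048` attempt in the thread never succeeded); the access flags, native flag and Auth ID 01 all check out, which is what you want to see for a key that can only be used by signing on the card.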
