On 2/7/2011 2:48 AM, Jean-Michel Pouré - GOOZE wrote:
> On Sunday, 6 February 2011 at 22:38 +0100, Peter Stuge wrote:
>> You would have to explain what the problem is. :)
>
> I am having a problem with CAcerts certificates containing
> an SSO ID in the email field:
> http://www.opensc-project.org/opensc/ticket/324
>
> Firefox and OpenSSH + opensc-pkcs11.so fail to use such certificates.
>
> I tried to debug Firefox using pkcs11-spy, with no result as Firefox
> seems to reject this module (security reason?).
>
> So I had to run ssh commands with pkcs11-spy.
>
> But my bug report is far from being readable and IMHO is bullshit.
>
> So I would like to know a little bit more about OpenSSL pkcs11 engine. I
> know how to load certificates:
> OpenSSL>engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:opensc-pkcs11.so
>
> For example, I don't know how to run verify commands or sign commands
> using the PKCS11 engine, directly from openssl command line, not the
> interpreter.
I use something like this in a script to generate a request suitable to paste into a CA web page (lines wrapped for the e-mail):

    openssl << EOT
    engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE
    req $SSLEAY_CONFIG -engine pkcs11 -md5 -new -key slot_$SLOT-id_$ID -keyform engine -out myreq.$ID.pem -text
    EOT

Most openssl commands support the -engine and -keyform engine parameters. The -key parameter is then passed to the engine, and engine_pkcs11 uses the slot and id to find the card and key.

> Kind regards,

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
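Added example, not from this thread or from OpenSC/engine_pkcs11 itself: the non-interactive form of the sign and verify workflow Jean-Michel asked about. The engine is registered through a small openssl.cnf selected with OPENSSL_CONF, so each openssl subcommand only needs -engine pkcs11 -keyform engine; the library paths, slot/id values and file names are assumptions to adjust.

```sh
#!/bin/sh
# Added example (not from the thread): sign with a card key and verify with
# the certificate's public key, from the plain openssl command line rather
# than the "OpenSSL>" interpreter. Engine registration lives in openssl.cnf.
# Assumed paths: engine_pkcs11.so and opensc-pkcs11.so (adjust as needed).
set -eu

ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"
MODULE_SO="${MODULE_SO:-/usr/lib/opensc-pkcs11.so}"

# Write a minimal openssl.cnf that loads engine_pkcs11 at startup.
write_pkcs11_conf() {   # $1 = output file
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF
}

# Print the command that signs file $3 with the card key slot_$1-id_$2.
sign_cmd() {
    echo "openssl dgst -sha256 -engine pkcs11 -keyform engine" \
         "-sign slot_$1-id_$2 -out $3.sig $3"
}

# Verification needs only the public key: extract it from the certificate
# (PEM, as exported from the card) and verify with plain software crypto.
verify_cmd() {   # $1 = certificate PEM, $2 = signed file
    echo "openssl x509 -in $1 -pubkey -noout > $1.pub &&" \
         "openssl dgst -sha256 -verify $1.pub -signature $2.sig $2"
}

# Only talk to a real card when explicitly asked for.
if [ "${PKCS11_DEMO_RUN:-0}" = 1 ]; then
    write_pkcs11_conf ./pkcs11.cnf
    export OPENSSL_CONF=./pkcs11.cnf
    sh -c "$(sign_cmd "${SLOT:-0}" "${ID:-45}" message.txt)"
    sh -c "$(verify_cmd card-cert.pem message.txt)"
fi
```

Run with PKCS11_DEMO_RUN=1 SLOT=0 ID=45 (and ENGINE_SO/MODULE_SO set for your distribution) to exercise a card; without it the script only defines the helpers.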