Hello,

On Feb 14, 2011, at 12:47 AM, NdK wrote:
> On 13/02/2011 21:18, Martin Paljak wrote:
>>> $ pkcs15-init -S startssl.p12 -f PKCS12 -i 45 -a 2 -l "StartSSL auth"
>>> Using reader with a card: Gemalto GemPC Twin 00 00
>>> error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
>> Is this error normal? Does it happen with OpenSSL command line tools or
>> other software?
> I always get it for PKCS12 certs where the private key is protected by a
> password.

Also with "openssl pkcs12 -info", for example?

>>> IIUC -i can only be 45 ("normal") or 46 ("non repudiation")... But to be
>>> sure I tried w/ different IDs, too, but got the same result.
>> The ID has no real meaning AFAIK, I don't know where the 45 and 46 come
>> from. What is your source?
> I read it somewhere while researching, noted it in my mind and forgot
> source :(

IDs should only be used to bind objects together and have no meaning. I found your source as well: the pkcs15-init man page, which apparently needs updating...

>>> Private RSA Key [StartSSL auth]
>>> ID : 45
>>>
>>> Private RSA Key [ndk****@****]
>>> ID : 45
>> The software should not allow you to create two private keys with the same
>> ID. How exactly did you end up with this card, do you have the commands,
>> starting from initialization?
> Yup. I init it from a script:
> pkcs15-init -E
> pkcs15-init -C --pin 1111 --puk 1111 --so-pin $SOPIN --so-puk $SOPUK
> pkcs15-init -P -a 1 --pin $PIN1 --puk $PUK1 --so-pin $SOPIN -l "Card Auth"
> pkcs15-init -P -a 2 --pin $PIN2 --puk $PUK2 --so-pin $SOPIN -l "User Auth"
> pkcs15-init -F
> pkcs15-init -S startssl.p12 -f PKCS12 -i 45 -a 2 -l "StartSSL auth"
> pkcs15-init -S ndk2.p12 -f PKCS12 -i 45 -a 2 -l "ndk 2"
>
> Probably it's not checked.

OK, we have a bug. Feel free to file it to Trac as well.

> With these values I could iterate 58(!!!) times "pkcs15-init -G rsa/1024
> ..." before EF 4404 (??? why? I'm not storing certs yet!) fills up.

Good question, would need to try it out.

> But now "pkcs15 -D" shows me only private and public keys up to the 32nd
> (limit in the tool?).

You're seriously pushing the limits here :) Yes, 32 is a hardcoded limit in pkcs15-tool. "640kb ought to be enough for anybody." This needs to be fixed before the Linux of smart cards will take over and OpenSC becomes the minisoft :)

> If I delete a public key, then I can see the 33rd
> and so on (one more key for every one I delete). *Can't* delete private
> keys (always says it can't find that key ID):
> $ pkcs15-init -D privkey --id 6b1414bf460fe3a6711fee7e61c286331f490d1a
> Using reader with a card: Gemalto GemPC Twin 00 00
> NOTE: couldn't find privkey 6b1414bf460fe3a6711fee7e61c286331f490d1a to
> delete
> Deleted 0 objects
> -8<--
>
> Maybe this is a bug?

If you try to delete both at once (private and public key) will that work?

I need to check with a MyEID card before further comments but I think you can easily file the issues you found as bugs. If not a technical bug, it is a usability bug nevertheless.

-- 
@MartinPaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
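The bug the thread arrives at is that pkcs15-init -S does not refuse a key ID that is already used by another private key on the card, and a card with two "Private RSA Key" objects under ID 45 is then hard to clean up. The script below is an added example, not code from the thread or from OpenSC: it parses a pkcs15-tool -D style dump (an unindented "Type [label]" header followed by indented "Name : Value" lines, the layout the thread's excerpts show), reports IDs that occur more than once within the same object type, and offers a pre-flight wrapper that checks the card before storing. Same-type is the important qualifier: a public key, private key and certificate are expected to share an ID, since that is exactly the binding the ID exists for. The dump in SAMPLE_DUMP is constructed for the demo, and store_key_checked is a hypothetical helper name; it calls the real pkcs15-tool and pkcs15-init and so is only defined, not run, here.

```shell
#!/bin/sh
# Added example (not OpenSC code): detect duplicate PKCS#15 object IDs in a
# `pkcs15-tool -D` dump and guard `pkcs15-init -S` with that check.
# Assumed dump layout: "Private RSA Key [label]" headers at column 0,
# indented "ID : 45" attribute lines below them.

# Print "<n>x ID <id> (<type>)" for every (object type, ID) seen more than once.
# IDs shared across different types (pubkey/privkey/cert) are deliberately
# not reported, because that sharing is how PKCS#15 binds the objects.
dup_ids() {
    awk '
        /^[^ \t]/           { type = $0; sub(/ \[.*$/, "", type); next }  # header line
        /^[ \t]+ID[ \t]*:/  { count[type, $NF]++ }                         # "ID : 45"
        END {
            for (k in count)
                if (count[k] > 1) {
                    split(k, p, SUBSEP)
                    print count[k] "x ID " p[2] " (" p[1] ")"
                }
        }
    ' | sort
}

# Exit 0 if no "Private RSA Key" in the dump on stdin carries the given ID,
# exit 1 if one does (the condition pkcs15-init currently lets through).
id_free() {
    awk -v want="$1" '
        /^[^ \t]/ { type = $0; sub(/ \[.*$/, "", type); next }
        /^[ \t]+ID[ \t]*:/ && type == "Private RSA Key" && $NF == want { found = 1 }
        END { exit found }   # found is 0 (unset) when no match was seen
    '
}

# Hypothetical pre-flight wrapper: refuse to store under an ID that already
# names a private key, then hand the remaining arguments to pkcs15-init -S.
# Usage: store_key_checked 46 ndk2.p12 -f PKCS12 -a 2 -l "ndk 2"
# Talks to the real card, so it is defined but not called in the demo below.
store_key_checked() {
    id="$1"; shift
    if ! pkcs15-tool -D | id_free "$id"; then
        echo "refusing: a private key with ID $id already exists on the card" >&2
        return 1
    fi
    pkcs15-init -S "$@" -i "$id"
}

# Constructed sample dump reproducing the thread's situation: two private
# keys under ID 45, plus the public key and certificate that legitimately
# share that ID.
SAMPLE_DUMP='Private RSA Key [StartSSL auth]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0x2E], decrypt, sign, signRecover, unwrap
    ModLength      : 1024
    Key ref        : 1 (0x1)
    Auth ID        : 02
    ID             : 45
Private RSA Key [ndk 2]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0x2E], decrypt, sign, signRecover, unwrap
    ModLength      : 1024
    Key ref        : 2 (0x2)
    Auth ID        : 02
    ID             : 45
Public RSA Key [StartSSL auth]
    Object Flags   : [0x0]
    Usage          : [0x51], encrypt, wrap, verify
    ModLength      : 1024
    ID             : 45
X.509 Certificate [StartSSL auth]
    Object Flags   : [0x0]
    Authority      : no
    Path           : 3f0050154301
    ID             : 45'

# Demo on the constructed dump: reports "2x ID 45 (Private RSA Key)".
printf '%s\n' "$SAMPLE_DUMP" | dup_ids
```

On a real card replace the sample with `pkcs15-tool -D | dup_ids`. The `Auth ID : 02` lines are skipped on purpose (they name the PIN protecting the key, not the object ID), and a label containing a bracket would confuse the header regex, which is acceptable for a pre-flight check but worth knowing.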