On 14/02/2011 07:15, Martin Paljak wrote:
>>>> $ pkcs15-init -S startssl.p12 -f PKCS12 -i 45 -a 2 -l "StartSSL auth"
>>>> Using reader with a card: Gemalto GemPC Twin 00 00
>>>> error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
>>> Is this error normal? Does it happen with OpenSSL command line tools or
>>> other software?
>> I always get it for PKCS12 certs where the private key is protected by a
>> password.
> Also with "openssl pkcs12 -info" for example?
I'm now on another machine, but it seems for openssl it's OK:
$ openssl pkcs12 -info -in startssl.p12
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1
Bag Attributes
friendlyName: ID di StartCom Free Certificate Member a StartCom Ltd.
localKeyID: 25 83 B6 44 D1 E4 9C D8 5F 97 AE 86 3F CA E0 C4 1D 5D 1A 65
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[PEM data follows]
Might be something related to iterations?
> ID-s should only be used to bind objects together and have no meaning.
So I understood it correctly the first time. But it was worth a try...
> I found your source as well: pkcs15-init man page, which apparently needs
> updating...
Yup. Sometimes it's better *no* docs than *wrong* ones...
>> pkcs15-init -E
BTW, even if I add to this line "--so-pin $SOPIN", it gets asked
interactively. Another bug?
> OK, we have a bug. Feel free to file it to Trac as well.
Ok.
>> With these values I could iterate 58(!!!) times "pkcs15-init -G rsa/1024
>> ..." before EF 4404 (??? why? I'm not storing certs yet!) fills up.
> Good question, would need to try it out.
>
>> But now "pkcs15 -D" shows me only private and public keys up to the 32nd
>> (limit in the tool?).
> You're seriously pushing the limits here :) Yes, 32 is a hardcoded limit in
> pkcs15-tool.
I use Linux *exactly* for that: push the HW to its limits... :)
> "640kb ought to be enough for anybody." This needs to be fixed before the
> Linux of smart cards will take over and OpenSC becomes the minisoft :)
With ever bigger cards, limits shouldn't be too tight. Better if there
are no hardcoded limits other than the mandatory ones (dictated by a
spec: "you can't have more than 14 PINs" => limit to 14).
>> If I delete a public key, then I can see the 33rd
>> and so on (one more key for every one I delete). *Can't* delete private
>> keys (always says it can't find that key ID):
>> $ pkcs15-init -D privkey --id 6b1414bf460fe3a6711fee7e61c286331f490d1a
>> Using reader with a card: Gemalto GemPC Twin 00 00
>> NOTE: couldn't find privkey 6b1414bf460fe3a6711fee7e61c286331f490d1a to
>> delete
>> Deleted 0 objects
>> -8<--
>> Maybe this is a bug?
> If you try to delete both at once (private and public key) will that work?
Nope. It only finds the public one. I usually do:
$ pkcs15-init -D pubkey,privkey -i $ID
> I need to check with a MyEID card before further comments but I think you can
> easily file the issues you found as bugs. If not a technical bug, it is a
> usability bug nevertheless.
Ok. Created #327, #328, #329.
Another thing: seems PIN use is quite "fixed" by profile. Maybe making
it more flexible could help. Now it asks CHV1 every time I add a key,
even if I'll need CHV2 to access it. Having a simpler way to override
the system-wide profile might improve greatly user experience...
Tks & BYtE!
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel