On 18/02/2011 07:07, Martin Paljak wrote:
>> Yup. That's why keys are generated on card :)
> Unless the key is exportable ....
I've always asked myself why one needs to mark a private key exportable: if you need
it exportable, create it externally and load it onto the card. It's even faster. :)
> If you want to sign certificates with a smart card (run a CA against a
> PKCS#11 token) then EJBCA is the most feature complete solution I know. But
> most probably too much hassle for a few certificates for home use.
Well, for now it's personal, but I'm evaluating it for office use too.
We'll need to set up a ZeroShell box to authenticate users, and it
contains a (quite limited, but sufficient if it supported cards) CA.
>> *But* if I specify a slot too, it asks me for a PIN. Too bad *none* of
>> the PINs I created works:
>> $ openssl req -days 3650 -new -out rootca.csshl.org.csr -config
>> openssl.conf -engine pkcs11 -keyform engine -key 1:10 -sha1
>
> Have you tried some other format? slot_XX:id_XX ? (even though it should be
> the same). Having OpenSC log with the relevant C_OpenSession() and C_Login
> lines is useful as well.
Yup. All formats. Same result: slot 0 = no PIN, every other slot asks for a
'who knows' PIN.
>> I obviously tried all the PINs (including the SO PIN). The strange thing is
>> that NO PIN is locked after all the tries I did...
> Is any PIN locked or counter decreasing? What is the output of pkcs11-tool
> --module /path/to/pkcs11.so -L ?
$ pkcs11-tool -L
Available slots:
Slot 0 (0xffffffff): Virtual hotplug slot
(empty)
Slot 1 (0x1): SCM SCR 335 [CCID Interface] (504012DD) 00 00
token label: MyEID (Card Auth)
token manuf: Aventra Ltd.
token model: PKCS#15
token flags: rng, login required, PIN initialized, token initialized
serial num : 7340050446913028
Slot 2 (0x2): SCM SCR 335 [CCID Interface] (504012DD) 00 00
token label: MyEID (User Auth)
token manuf: Aventra Ltd.
token model: PKCS#15
token flags: rng, login required, PIN initialized, token initialized
serial num : 7340050446913028
Slot 3 (0x3): SCM SCR 335 [CCID Interface] (504012DD) 00 00
token label: MyEID (Root CA)
token manuf: Aventra Ltd.
token model: PKCS#15
token flags: rng, login required, PIN initialized, token initialized
serial num : 7340050446913028
Slot 4 (0x4): SCM SCR 335 [CCID Interface] (504012DD) 00 00
token label: MyEID
token manuf: Aventra Ltd.
token model: PKCS#15
token flags: rng, token initialized
serial num : 7340050446913028
Slot 5 (0x5): SCM SCR 335 [CCID Interface] (504012DD) 00 00
(empty)
[other slots all empty]
$ pkcs15-tool --list-pins
Using reader with a card: SCM SCR 335 [CCID Interface] (504012DD) 00 00
PIN [Security Officer PIN]
Object Flags : [0x3], private, modifiable
ID : ff
Flags : [0xB0], initialized, needs-padding, soPin
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 3
Type : ascii-numeric
Path :
PIN [Card Auth]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 1
Type : ascii-numeric
Path :
PIN [User Auth]
Object Flags : [0x3], private, modifiable
ID : 02
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 2
Type : ascii-numeric
Path :
PIN [Root CA]
Object Flags : [0x3], private, modifiable
ID : 03
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 4
Type : ascii-numeric
Path :
It says nowhere that a PIN is locked...
Using opensc-explorer, I could see that now I have a locked PIN (the #2).
But "pkcs15-tool -u" gives me a strange prompt:
Enter PUK [Security Officer PIN]:
Enter new PIN [Security Officer PIN]:
Enter new PIN again [Security Officer PIN]:
So does it need a PUK for CHV2, the SO PIN or what else? Luckily this card is
just a "test" one, but I'd like *not* to have to reformat it... 4 tries
left...
BYtE!
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
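One way to get the lockout and retry-counter state that pkcs15-tool --list-pins does not print, as an added example that is not part of this thread: it decodes the CK_TOKEN_INFO flags a PKCS#11 module reports per slot (the same information pkcs11-tool -L summarises). It assumes the PyKCS11 bindings and a module path; the constructed flag word mirrors the flags printed above for slots 1-3.

```python
"""Decode CK_TOKEN_INFO.flags for every token to answer the question asked in
the thread: is any PIN locked or is a retry counter low?  Added example; it
assumes the PyKCS11 bindings and a PKCS#11 module path (placeholder)."""

# CKF_* token flag values as defined in the PKCS#11 v2.x specification.
CKF_RNG = 0x00000001
CKF_LOGIN_REQUIRED = 0x00000004
CKF_USER_PIN_INITIALIZED = 0x00000008
CKF_TOKEN_INITIALIZED = 0x00000400
CKF_USER_PIN_COUNT_LOW = 0x00010000
CKF_USER_PIN_FINAL_TRY = 0x00020000
CKF_USER_PIN_LOCKED = 0x00040000
CKF_SO_PIN_COUNT_LOW = 0x00100000
CKF_SO_PIN_FINAL_TRY = 0x00200000
CKF_SO_PIN_LOCKED = 0x00400000

PIN_STATE_FLAGS = [
    (CKF_USER_PIN_COUNT_LOW, "user PIN count low"),
    (CKF_USER_PIN_FINAL_TRY, "user PIN final try"),
    (CKF_USER_PIN_LOCKED, "user PIN locked"),
    (CKF_SO_PIN_COUNT_LOW, "SO PIN count low"),
    (CKF_SO_PIN_FINAL_TRY, "SO PIN final try"),
    (CKF_SO_PIN_LOCKED, "SO PIN locked"),
]

# Constructed flag word matching the "rng, login required, PIN initialized,
# token initialized" line that pkcs11-tool -L printed for slots 1-3.
FLAGS_SLOTS_1_TO_3 = CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED


def decode_pin_state(flags):
    """Return (login_required, [lockout/counter states]) for a flags word."""
    login_required = bool(flags & CKF_LOGIN_REQUIRED)
    states = [name for bit, name in PIN_STATE_FLAGS if flags & bit]
    return login_required, states


def audit_tokens(module_path):
    """For each slot with a token, report label, whether C_Login is needed
    before private-key use, and any PIN lockout state (needs PyKCS11)."""
    import PyKCS11  # lazy import so decode_pin_state() works without a module
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)  # e.g. the /path/to/pkcs11.so placeholder from the thread
    report = []
    for slot in lib.getSlotList(tokenPresent=True):
        info = lib.getTokenInfo(slot)
        login_required, states = decode_pin_state(info.flags)
        report.append((slot, info.label.strip(), login_required, states))
    return report
```

A token whose flags show "login required" but no lockout bit has simply not been authenticated yet; a locked or final-try bit is what to look for before spending more attempts.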