On 17.03.2011 16:14, Felipe Blauth wrote:
> Hello everyone,
>
> Currently, I'm having some trouble with usage of starcos spk 2.4 cards and 
> opensc. I used to have no problem, and I don't know where exactly the problem 
> is.
>
> Here's what's happening:
> I have an application that uses pkcs15-init to initialize cards and then it 
> codes directly against PKCS#11 API (and opensc-pkcs11.so module) to use the 
> card (generate keys, sign, etc). I have no problems with the initialization 
> (I use system calls):
>
> #pkcs15-init -C  (ok)
> #pkcs15-init --store-pin --auth-id 01 --label some-label (ok)
>
> And then, if I try to generate keys through PKCS#11 API (with 
> C_GenerateKeyPair), I get CKR_GENERAL_ERROR. The weird thing is that 
> everything used to work in the past =p.
> Also, if I try to generate keys using pkcs11-tool, I get the same error. For 
> example, if I do:
> #pkcs11-tool --login -k (error: PKCS11 function C_GenerateKeyPair failed: rv 
> = CKR_GENERAL_ERROR (0x5))


In the default initialization profile the 'CREATE FILE' operation (and some 
others) is protected by SOPIN.
When using opensc-pkcs11 module there is no way to supply the value of SOPIN 
and authenticate this operation.

You can edit your profiles, or use the 'onepin' mode of initialization.

For the second case here are the commands that worked for me with 'iKey 3000' 
token:

#pkcs15-init -E
#pkcs15-init -C --profile pkcs15+onepin --pin "9999" --puk "8888"
#pkcs11-tool --module ./onepin-opensc-pkcs11.so --slot 0 -l --pin "9999" -k --key-type rsa:1024
Key pair generated:
Private Key Object; RSA
   label:      Private Key
   ID:         45
   Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
   label:      Public Key
   ID:         45
   Usage:      encrypt, verify, wrap


>
> On the other side, if I use pkcs15-init to generate a key pair:
> #pkcs15-init -G rsa/1024 --auth-id ff --label "My Private Key" 
> --public-key-label "My Public Key"
> It does generate the key-pair. However, if I try to do something with 
> pkcs11-tool, with the generated key, like
> #pkcs11-tool --sign -i i_file -o signature
> I get the following errors:
>
> Please enter User PIN:
> Using signature algorithm RSA-PKCS
> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Security status not satisfied
> [opensc-pkcs11] card-starcos.c:1136:starcos_set_security_env: returning with: 
> Security status not satisfied
> [opensc-pkcs11] sec.c:67:sc_set_security_env: returning with: Security status 
> not satisfied
> [opensc-pkcs11] pkcs15-sec.c:267:sc_pkcs15_compute_signature: 
> sc_set_security_env() failed: Security status not satisfied
> [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Security status not satisfied
> [opensc-pkcs11] card-starcos.c:1136:starcos_set_security_env: returning with: 
> Security status not satisfied
> [opensc-pkcs11] sec.c:67:sc_set_security_env: returning with: Security status 
> not satisfied
> [opensc-pkcs11] pkcs15-sec.c:267:sc_pkcs15_compute_signature: 
> sc_set_security_env() failed: Security status not satisfied
> error: PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
>
> It appears to be a problem with opensc-pkcs11 module and starcos spk 2.4, 
> because when using pkcs15 tools directly, no errors occur.
>
> I can't tell exactly what my system was when it used to work, but it was 1 
> or 2 versions back of ubuntu 32-bit and that time's repository versions of 
> opensc and pcscd (installed via apt-get)
>
> Now I'm using ubuntu 10.10 32-bit and current versions of opensc and pcscd 
> repository versions, which are 0.11.13-1ubuntu2.1 for opensc and 
> 0.11.13-1ubuntu2.1 for pcscd.
>
> best regards.
>
> Felipe Menegola Blauth
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel


-- 
Viktor Tarasov  <viktor.tara...@opentrust.com>
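
The debug output quoted in this thread shows the PKCS#11 return value together with the card-level status logged by the module. As an added example (not part of the original messages and not OpenSC code), this Python script re-joins the mail-wrapped debug lines, collapses the repeated frames, and reports the call chain next to the PKCS#11 error; the names `triage`, `FRAME`, `PKCS11` and `RECORD` are hypothetical, and it assumes the first frame logged is the innermost one.

```python
import re

# Debug frames and final error as quoted in the thread (mail line wraps kept).
FRAMES = """\
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Security status not satisfied
[opensc-pkcs11] card-starcos.c:1136:starcos_set_security_env: returning with:
Security status not satisfied
[opensc-pkcs11] sec.c:67:sc_set_security_env: returning with: Security status
not satisfied
[opensc-pkcs11] pkcs15-sec.c:267:sc_pkcs15_compute_signature:
sc_set_security_env() failed: Security status not satisfied
"""
SAMPLE = ("Using signature algorithm RSA-PKCS\n" + FRAMES * 2 +
          "error: PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)\n")

FRAME = re.compile(r"^\[[^\]]+\] ([\w.-]+):(\d+):(\w+): ?(.*)$")
PKCS11 = re.compile(r"^error: PKCS11 function (\w+) failed: rv = (\w+) \((0x[0-9a-fA-F]+)\)")
RECORD = ("[", "error:")  # prefixes that start a new log record


def triage(text):
    """Return the de-duplicated card-side call chain and the PKCS#11 failure."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if logical and logical[-1].startswith(RECORD) and not line.startswith(RECORD):
            logical[-1] += " " + line  # wrapped tail of the previous record
        else:
            logical.append(line)

    chain, card_status, failure = [], None, None
    for line in logical:
        frame = FRAME.match(line)
        if frame:
            src, lineno, func, msg = frame.groups()
            if card_status is None:
                card_status = msg  # assumption: first frame logged is the innermost
            if (func, f"{src}:{lineno}") not in chain:  # frames repeat in the log
                chain.append((func, f"{src}:{lineno}"))
        err = PKCS11.match(line)
        if err:
            failure = dict(zip(("function", "rv", "code"), err.groups()))
    return {"chain": chain, "card_status": card_status, "pkcs11": failure}


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(" <- ".join(func for func, _ in report["chain"]))
    print(report["card_status"], "=>", report["pkcs11"])
```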
