Hello,

I am currently trying to use an Athena ASEPCOS smartcard, with OpenSC 0.12. I am encountering some issues when attempting to generate keys on the card using PKCS#11. It works fine when using pkcs15-init --generate-key.

I am using the default profile with 2 PIN/PUK codes: 1 Security officer PIN/PUK & 1 user PIN/PUK. Please find below details about the steps I have performed:

1) Card setup:

    pkcs15-init -C -T --so-pin 12345678 --so-puk 87654321 -c asepcos
    pkcs15-init --store-pin --auth-id 01 --label "user1"

(User PIN/PUK & SO PIN are entered manually)

This step is successful, and both PINs can be seen with pkcs15-tool -D

2) Key generation with pkcs11-tool:

    pkcs11-tool.exe -k --key-type rsa:1024 -p 123456 --so-pin 12345678
    Using slot 1 with a present token (0x1)
    error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5)

According to the logs, the issue is coming from the fact that OpenSC is retrieving a PIN length equal to 0:

    2011-04-04 17:04:47.561 [opensc-pkcs11] pkcs15-lib.c:3003:sc_pkcs15init_verify_secret: found PIN object 'Security Officer PIN'
    2011-04-04 17:04:47.561 [opensc-pkcs11] pkcs15-lib.c:3008:sc_pkcs15init_verify_secret: PIN object 'Security Officer PIN'; pin_obj->content.len:0
    2011-04-04 17:04:47.561 [opensc-pkcs11] pkcs15-pin.c:218:sc_pkcs15_verify_pin: called
    2011-04-04 17:04:47.561 [opensc-pkcs11] pkcs15-pin.c:219:sc_pkcs15_verify_pin: PIN(0x22e9b0;len:256)
    2011-04-04 17:04:47.561 [opensc-pkcs11] pkcs15-pin.c:222:sc_pkcs15_verify_pin: PIN value do not conforms the PIN policy: -1304 (Invalid PIN length)

3) Key generation with pkcs15-init:

    pkcs15-init --generate-key rsa/1024 --auth-id 01

The key generation succeeds, pkcs15-tool -D shows two new objects on the card: the private and public keys.

I can send full logs for both cases, if required.

Could you please help me to understand the issue here? Is it possible to use the opensc-pkcs11 module without additional development if we want 2 PIN & PUK codes?

Our final goal is to be able to configure the card so the Security Officer (with the SO PIN & PUK) gets read/write access to the card and the User (with user PIN & PUK) gets read only access, using PKCS#11 module in both cases.
Do you think it is possible to do so using the standard OpenSC 0.12 package?

Thanks for your help.

Best regards,
Serge Gadioux

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel