Hello,

On Fri, Jul 15, 2011 at 06:06, Adam 'foo-script' Rakowski
<foo-scr...@o2.pl> wrote:
> I played around with OpenSC 0.12.2-svn and Crypto Stick 1.2 (OpenPGP v.
> 2) and some problems have been found.
I have been doing the same. Interestingly enough, I can't make it work
with gpg2 on Linux but GPGTools for OS X works almost flawlessly with
the token.


Version 0.12.2 has some improvements to openpgp code, but only the
low-level driver that deals with faking a file system
(card-openpgp.c). That is in GitHub, not in SVN.

> 1.) Neither PEM nor P12 certificate can be loaded into Crypto Stick.
> It tells an OpenSSL error occurred. However, both certs are
> validated by OpenSSL.
>
> Log: http://szn.republika.pl/loading.txt
This seems like a problem with the certificate parsing for some reason.

Nevertheless, at the moment OpenPGP must be personalized with gpg2 and
only read-only support exists in OpenSC.

That will probably change in the future, but as OpenPGP is a fixed
scheme for a "person" rather than a generic blank "key and file
container" it will probably be somewhat tricky to do (fixed
identifiers etc.).

> 2.) Trying to list objects on an empty card (-O switch) causes a segfault.
> log: http://szn.republika.pl/crash-o.txt

Do you know if the card can be "blanked" (factory reset)? I've seen
some tips on the internet through gpg-agent but it did not work fully
(name was still the same on the card).


> 3.) Signing causes pkcs11-tool to hang. After the last command the program was
> terminated by Ctrl+C because it didn't answer.
> Command line: OPENSC_DEBUG=9 pkcs11-tool --module
> ~/cards/opensc/src/pkcs11/.libs/opensc-pkcs11.so -m RSA-PKCS -p 123456
> -s signMe.txt  >> signing.txt 2>&1
>
> log: http://szn.republika.pl/signing.txt
>
> (With RSA-X-509 the effect is the same)
>
> 4.) Key pair can't be generated. Reason: CKR_FUNCTION_NOT_SUPPORTED
> (0x54). Is this feature supported now at all?
Same applies, read-only support at the moment.

> 6.) Signing mechanisms supported are:
>
>  RSA-X-509, keySize={2048,2048}, hw, decrypt, sign, verify
>  RSA-PKCS, keySize={2048,2048}, hw, decrypt, sign, verify
>  SHA1-RSA-PKCS, keySize={2048,2048}, sign, verify
>  SHA256-RSA-PKCS, keySize={2048,2048}, sign, verify
>  MD5-RSA-PKCS, keySize={2048,2048}, sign, verify
>  RIPEMD160-RSA-PKCS, keySize={2048,2048}, sign, verify

Because that's the size of the key on the card?


I started tinkering with CryptoStick again, because I finally got a
working gpg2 --card-edit command (on OS X).

The PKCS#15 emulation code (as the card is not PKCS#15-ish) is old and
only addresses v1.1 cards (with three PIN codes, which were dropped
in v2.0) and also has hard-coded key sizes etc.
I got some patches to push on that, as my main interest with
CryptoStick is 3072- and 4096-bit keys (the current common "maximum" in
OpenSC is 2048; I'm quite sure there will be some bugs with longer
keys).
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel