On 9/9/2011 2:46 AM, Edward Middleton wrote:
On 09/06/2011 11:16 PM, Douglas E. Engert wrote:
On 9/6/2011 6:21 AM, Nikos Mavrogiannopoulos wrote:
Hello,
I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
signing in gnutls via PKCS #11. However I have no such cards to test it.
Do you have any suggestion on which card to use? (My only requirement is
that it must be obtainable without placing a mass order)
The OpenSC ECDSA code was developed using Oberthur
"ID-One PIV FIPS 201 Validated Dual Interface Smart Card"
These cards were obtained from Oberthur at about $10 each
in small quantities. I do not know their policies on selling to
individuals.
I know at least one of the other developers obtained some of these
cards.
I am not sure if the OpenSC ECDSA code was added to any of the other
OpenSC card-*.c drivers. It could be, as Gemalto also says their IAS ECC
card can do ECDSA and ECDH:
http://www.gemalto.com/products/multiapp_id_ias_ecc/
I have not tried these.
If you get any of the PIV cards, I can fill you in on generating
keys and signing cert requests using the card.
I would be very interested in hearing how to use these cards with
opensc. I picked up a couple of "Cosmo V7 128K PIV" cards several
months ago from smartcardfocus.com[1]. I could get them to generate keys
but generating certificate requests kept asking for a pin.
You did not say how you were trying to generate the request.
The way I have done it for testing is to use OpenSSL with
the OpenSC engine to do the signature.
If you are trying to use ECDSA, then you will need mods to
libp11 and engine_pkcs11.
See:
http://www.opensc-project.org/pipermail/opensc-devel/2011-February/016089.html
and:
http://www.opensc-project.org/pipermail/opensc-devel/2011-September/017163.html
The PIN would be the user PIN, which you may have to reset before trying
to use it. The vendor should have told you what the initial PIN and PUK were.
The PUK might be all hex zeros or maybe 99999999. The PIN may also be all hex
zeros or maybe 123456 or 12345678.
I verified the pin using
# piv-tool -A M:9B:03 --send-apdu 00:20:00:80:08:....:FF:FF
but that pin didn't work.
You mean the verify failed, or the pin verified but you could not
use the PIN with the cert request?
I have a set of scripts to track test cards, generate keys, and
cert requests, as well as change PINs. They are not meant to be
used in production as each PIV card vendor has different ways to
finalize a card, and to change the 9B03 key.
I sent these scripts to Martin in January. I will forward that
e-mail to you. It does not have the ECDSA code mods. If that is what
you need I will have to clean up the scripts some more, before
posting them.
Also see the attached patch for OpenSSL-1.0.0 that may be needed
if using ECDSA.
Edward
1. http://www.smartcardfocus.com/shop/ilp/id~410/p/index.shtml
2. http://www.opensc-project.org/opensc/wiki/PivTool
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
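As an added illustration that is not part of this thread or of OpenSC, the following Python builds the PIV VERIFY APDU quoted above (`00:20:00:80:08:....:FF:FF`, i.e. CLA 00, INS 20, P2 80 for the application PIN, 6-8 ASCII digits right-padded with 0xFF to 8 bytes as NIST SP 800-73 specifies), prints it in the colon-hex form that `piv-tool --send-apdu` takes, and decodes the ISO 7816-4 status word a card returns. The PIN used is a constructed sample.

```python
# Added example: PIV VERIFY APDU construction and status-word decoding.
# The PIN below is a constructed sample value, not any real card's PIN.

# PIV VERIFY header: CLA=00 INS=20 P1=00 P2=80 (PIV application PIN)
VERIFY_HEADER = bytes.fromhex("00200080")
PIN_BLOCK_LEN = 8  # Lc: the PIN block is always 8 bytes


def build_verify_apdu(pin: str) -> bytes:
    """Return the APDU that checks `pin` against the PIV application PIN.

    PIV application PINs are 6-8 ASCII digits; shorter PINs are padded
    with 0xFF up to 8 bytes, which is where the trailing FF:FF come from."""
    if not (6 <= len(pin) <= PIN_BLOCK_LEN) or not pin.isdigit():
        raise ValueError("PIV application PIN must be 6-8 ASCII digits")
    pin_block = pin.encode("ascii").ljust(PIN_BLOCK_LEN, b"\xff")
    return VERIFY_HEADER + bytes([PIN_BLOCK_LEN]) + pin_block


def to_piv_tool_hex(apdu: bytes) -> str:
    """Format an APDU in the colon-separated hex that piv-tool --send-apdu takes."""
    return ":".join(f"{b:02X}" for b in apdu)


def decode_status(resp: bytes) -> str:
    """Interpret the trailing ISO 7816-4 status word (SW1 SW2) of a response."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    sw1, sw2 = resp[-2], resp[-1]
    if (sw1, sw2) == (0x90, 0x00):
        return "PIN verified"
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        # 63 CX: verification failed, X retries left before the PIN blocks
        return f"wrong PIN, {sw2 & 0x0F} tries remaining"
    if (sw1, sw2) == (0x69, 0x83):
        return "PIN blocked, PUK reset required"
    return f"unexpected status {sw1:02X}{sw2:02X}"


if __name__ == "__main__":
    apdu = build_verify_apdu("123456")  # constructed sample PIN
    print(to_piv_tool_hex(apdu))        # 00:20:00:80:08:31:32:33:34:35:36:FF:FF
    print(decode_status(bytes.fromhex("63C2")))  # wrong PIN, 2 tries remaining
```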
--- ./apps/,ca.c Wed Dec 2 08:41:24 2009
+++ ./apps/ca.c Fri Nov 5 15:58:45 2010
@@ -1605,7 +1605,9 @@
{
ok=0;
BIO_printf(bio_err,"Signature did not match the certificate request\n");
- goto err;
+/*DEE for testing EC till libp11 is working */
+ BIO_printf(bio_err,"BUT WILL SIGN ANYWAY\n");
+ // goto err;
}
else
BIO_printf(bio_err,"Signature ok\n");
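Review bot: commenting out `goto err;` after "Signature did not match the certificate request" removes the only failure path in this block, so a CSR whose signature does not verify is still signed, exactly as the new "BUT WILL SIGN ANYWAY" message says; since the `/*DEE for testing EC till libp11 is working */` comment marks this as a temporary workaround, it should be gated (a command-line option or `#ifdef` that defaults to the original `goto err;`) rather than unconditionally disabled, and the patch must not be applied to a CA that issues anything beyond throwaway test certificates. The header also names `./apps/,ca.c` with a leading comma, which looks like an editor backup copy rather than the tree's `apps/ca.c`, so the diff may not apply cleanly with `patch -p0`.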
--- ./apps/,dgst.c Fri Feb 12 11:07:24 2010
+++ ./apps/dgst.c Tue Feb 22 16:14:41 2011
@@ -415,9 +415,10 @@
goto end;
}
if (do_verify)
- r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
+ /* See http://www.listware.net/201006/openssl-users/107245-re-error-with-dgst-sign.html */
+ r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
else
- r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
+ r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
if (!r)
{
BIO_printf(bio_err, "Error setting context\n");
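Review bot: replacing `e` with `NULL` in both `EVP_DigestVerifyInit` and `EVP_DigestSignInit` affects every `dgst -engine` invocation, not only the ECDSA-through-libp11 case this thread is about, and the added comment only cites a URL; state the reason in-line (why the engine must not be passed here when `sigkey` was loaded through that engine) and confirm with a non-EC engine key that signing and verifying still behave before this is merged. Also, the comment is inserted between `if (do_verify)` and its statement, which is legal C but easy to misread as a separate line; move it above the `if`. As with the first file, the `./apps/,dgst.c` header has a leading comma that should be `apps/dgst.c`.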
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel