Hi Douglas,

Effectively, there is no way to set a specific AID in the pkcs11/engine_pkcs11/openssl chain. The "default" app is always chosen. My card's personalisation has to be reviewed. I will use the pkcs11/15 lib "directly" in the meantime.

Thanks for the help.

Best regards,
-- Jean-Pierre
2011/12/2 Douglas E. Engert <[email protected]>:
>
>
> On 12/2/2011 3:56 AM, Jean-Pierre Fortune wrote:
>> Thank you. But I still have the problem.
>>
>> 2011/12/1 Douglas E. Engert <[email protected]>:
>>>
>>>
>>> On 12/1/2011 8:04 AM, Jean-Pierre Fortune wrote:
>>>> Hello,
>>>>
>>>> I am currently trying to sign a file with an iasecc-compliant
>>>> smartcard and openssl, but I can't find out how to specify the private
>>>> key to use.
>>>>
>>>> The private key I want to select "belongs" to the ECC Generic ID
>>>> application.
>>>>
>>>> When signing with the pkcs15-crypt tool, I execute the following command
>>>> and it works well:
>>>>
>>>> pkcs15-crypt --aid E828BD080FD25047656E65726963 -k $my_key_id --sign
>>>> --pkcs1 --sha-1 --input data-1.sha1 --pin $my_pin --output
>>>> data-1.auth.sig
>>>>
>>>> When using openssl, I use the following command:
>>>>
>>>> openssl
>>>> OpenSSL> engine -t dynamic -pre
>>>> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
>>>> LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
>>>> (dynamic) Dynamic engine loading support
>>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>>> [Success]: ID:pkcs11
>>>> [Success]: LIST_ADD:1
>>>> [Success]: LOAD
>>>> [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
>>>> Loaded: (pkcs11) pkcs11 engine
>>>> [ available ]
>>>> OpenSSL> smime -nodetach -binary -outform PEM -sign -signer $my_cert
>>>> pem -inkey $my_key_id -keyform engine -in data-1.txt -out test.p7m
>>>> -engine pkcs11
>>>> engine "pkcs11" set.
>>>> Invalid slot number: 0
>>>> PKCS11_get_private_key returned NULL
>>>> cannot load signing key file from engine
>>>> 3611:error:26096080:engine routines:ENGINE_load_private_key:failed
>>>> loading private key:eng_pkey.c:126:
>>>> unable to load signing key file
>>>> error in smime
>>>> OpenSSL>
>>>>
>>>> The problem is that I couldn't find how to specify $my_key_id in the
>>>> latter case.
>>>
>>> See:
>>>
>>> http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
>>>
>>> The slot_X-id_Y or id_Y are used as parameters to PKCS#11.
>>> You can find out what they are on your card using
>>>
>>> pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L -O
>>
>> When I do this, I get a list related to the application "ECC eID".
>> The card contains another application "
>
> And does it list anything other than this?
>
>>
>> I use pkcs15-tool for examining the card; there are no keys and no
>> certificates in "ECC eID" but 2 certs and 2 keys in "ECC Generic PKI":
>>
>> pkcs15-tool --list-applications
>> Using reader with a card: Teo by Xiring 00 00
>> Application 'ECC eID':
>>         AID: E828BD080FD2504543432D654944
>>
>> Application 'ECC Generic PKI':
>>         AID: E828BD080FD25047656E65726963
>>
>> pkcs15-tool --list-certificates
>> Using reader with a card: Teo by Xiring 00 00
>>
>> pkcs15-tool --list-certificates --aid E828BD080FD25047656E65726963
>> Using reader with a card: Teo by Xiring 00 00
>> X.509 Certificate [Signature Certificate]
>>         Object Flags   : [0x2], modifiable
>>         Authority      : no
>>         Path           : e828bd080fd25047656e65726963::b001
>>         ID             : 5369676E6174757265204365727469666963617465
>>         GUID           : {5369676E61747-5726-5204-365727469666}
>>         Access Rules   : read:<always>; update:c1; delete:c1;
>>         Encoded serial : 02 02 113E
>>
>> X.509 Certificate [Authentification Certificate]
>>         Object Flags   : [0x2], modifiable
>>         Authority      : no
>>         Path           : e828bd080fd25047656e65726963::b002
>>         ID             : 41757468656E74696669636174696F6E204365727469666963617465
>>         GUID           : {41757468-656E-7469-6669-636174696F6E}
>>         Access Rules   : read:<always>; update:c1; delete:c1;
>>         Encoded serial : 02 02 113F
>>
>> What I am looking for is how to specify an equivalent to "--aid
>> E828BD080FD25047656E65726963" when using the card from openssl and
>> engine_pkcs11.
>
> AFAIK with PKCS#11 there is no attribute to set the application.
>
> It looks like ./pkcs11/framework-pkcs15.c always calls
> sc_pkcs15_bind with aid = NULL.
>
>
> But have you tried in your script setting $my_key_id to
> id_41757468656E74696669636174696F6E204365727469666963617465
>
>
>>
>> Best regards,
>
> --
>
> Douglas E. Engert <[email protected]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
> _______________________________________________
> opensc-devel mailing list
> [email protected]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
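An added worked example, not code from OpenSC, engine_pkcs11 or any participant in the thread. It takes the pkcs15-tool certificate listing quoted above (embedded verbatim as sample input so it runs offline), decodes the hex object IDs and AIDs (on this card both happen to be ASCII text), and builds the key identifiers engine_pkcs11 expects for `-inkey ... -keyform engine`: the `id_<hex>` and `slot_<n>-id_<hex>` forms from the QuickStart page that Douglas points to. It also emits an RFC 7512 `pkcs11:` URI, which goes beyond the thread: that form is accepted by the later libp11-based engine_pkcs11, not the 2011 engine, and is included as an assumption about the newer tool. The last helper encodes the practical check the thread arrives at: the OpenSC PKCS#11 module binds only the card's default application (framework-pkcs15.c calls sc_pkcs15_bind with aid = NULL), so an ID that does not appear in `pkcs11-tool -O` output cannot be reached by any key spec, however it is spelled. The set of visible IDs is passed in by the caller; no pkcs11-tool output is fabricated here.

```python
"""
Map pkcs15-tool object IDs to engine_pkcs11 key identifiers and check
whether the PKCS#11 layer can see them.

Added example for the opensc-devel thread; not OpenSC/engine_pkcs11 code.
Assumes the engine_pkcs11 key-spec syntax from the QuickStart page
(id_<hex>, slot_<n>-id_<hex>) and, for newer libp11-based engines,
RFC 7512 PKCS#11 URIs (assumption, not something the thread states).
"""
import re

# Output of `pkcs15-tool --list-certificates --aid E828BD080FD25047656E65726963`
# as posted in the thread, embedded here as sample input.
PKCS15_LISTING = """\
Using reader with a card: Teo by Xiring 00 00
X.509 Certificate [Signature Certificate]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : e828bd080fd25047656e65726963::b001
        ID             : 5369676E6174757265204365727469666963617465
        GUID           : {5369676E61747-5726-5204-365727469666}
        Access Rules   : read:<always>; update:c1; delete:c1;
        Encoded serial : 02 02 113E

X.509 Certificate [Authentification Certificate]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : e828bd080fd25047656e65726963::b002
        ID             : 41757468656E74696669636174696F6E204365727469666963617465
        GUID           : {41757468-656E-7469-6669-636174696F6E}
        Access Rules   : read:<always>; update:c1; delete:c1;
        Encoded serial : 02 02 113F
"""

OBJECT_RE = re.compile(r"^X\.509 Certificate \[(?P<label>[^\]]+)\]$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.*)$")


def parse_pkcs15_listing(text):
    """Return one dict per object: {'label', 'id', 'path', ...} (keys lower-cased)."""
    objects = []
    current = None
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = {"label": m.group("label")}
            objects.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip().lower()] = m.group("value").strip()
    return objects


def decode_id(hex_id):
    """CKA_ID is opaque bytes; on this card it is the ASCII object label."""
    try:
        return bytes.fromhex(hex_id).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def aid_to_text(aid_hex):
    """Render the printable tail of an ISO 7816 AID (RID + proprietary part)."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in bytes.fromhex(aid_hex))


def engine_key_specs(hex_id, slot=None):
    """Key identifiers usable as `-inkey <spec> -keyform engine -engine pkcs11`."""
    specs = {"id": f"id_{hex_id}"}
    if slot is not None:
        specs["slot_id"] = f"slot_{slot}-id_{hex_id}"
    # RFC 7512 URI form, percent-encoding every byte of the CKA_ID.
    # Assumption: accepted by libp11-based engine_pkcs11, not the 2011 engine.
    pct = "".join(f"%{b:02x}" for b in bytes.fromhex(hex_id))
    specs["uri"] = f"pkcs11:id={pct};type=private"
    return specs


def reachable_keys(objects, pkcs11_ids):
    """Map each pkcs15 object ID to whether the PKCS#11 module exposes it.

    pkcs11_ids: hex CKA_ID values the caller collected from `pkcs11-tool -O`.
    Because the OpenSC module binds only the default application, an ID
    missing from that listing cannot be selected with any engine key spec.
    """
    visible = {i.lower() for i in pkcs11_ids}
    return {o["id"]: o["id"].lower() in visible for o in objects}


if __name__ == "__main__":
    objs = parse_pkcs15_listing(PKCS15_LISTING)
    for o in objs:
        print(o["label"], "->", decode_id(o["id"]), engine_key_specs(o["id"], slot=0))
    print("AID text:", aid_to_text("E828BD080FD25047656E65726963"))
    # The thread's situation: pkcs11-tool -O showed only the eID application,
    # which holds no keys, so nothing from "ECC Generic PKI" is reachable.
    print(reachable_keys(objs, set()))
```

With a reachable ID, the signing command from the thread becomes `openssl smime ... -inkey id_<hex> -keyform engine -engine pkcs11`; if `reachable_keys` reports False for every key, as it does for the card in this thread, the fix is on the card side (which application is the default) or in calling the pkcs15 API directly with the AID, not in the key-spec syntax.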
