Hello,

I think you have some confusion about what the PKCS#11 Admin PIN is.
The PKCS#11 Admin PIN is only usable to initialize a token, and
optionally unlock the user PIN.
It has no special privileges over the content of the card.

So you are prompted by Firefox for the user PIN, which is OK.

Anyway, what you have done is correct as far as OpenSC goes: use the pkcs15
tools to initialize the card, and use the card within PKCS#11
environments.

If that's working, I think you provided a great solution.

Alon.

On Wed, May 30, 2012 at 12:21 PM, Nguyễn Hồng Quân <quanngu...@mbm.vn> wrote:
>
> Hello all,
>
> As you may know, I'm trying to implement writing a certificate to an OpenPGP
> card via PKCS#11.
>
> I succeeded with the pkcs15-init tool but have difficulty with pkcs11-tool.
> When I import via pkcs15-init tool (Command: pkcs15-init
> --store-certificate quanngu...@mbm.vn.pem), the tool asks for Admin PIN
> and the work is done. But when I try with pkcs11-tool:
> pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert
> --slot 2
> the tool does not ask for a PIN and the write cannot succeed (on the OpenPGP
> card, writing a certificate requires the SO (Admin) PIN).
>
> I tried to provide the Admin PIN in the command, but it was still not successful:
> pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert
> --slot 2 -l --so-pin 12345678
> pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert
> --slot 2 --so-pin 12345678
>
> I also researched and found that in pkcs15-init, a function to ask for
> PIN is implemented and added via sc_pkcs15init_set_callbacks(), but
> pkcs11-tool does not do so.
>
> The questions are:
> - Is "not asking for a PIN" an intentional design of pkcs11-tool or a limitation?
> - What is the right way to provide the Admin PIN to pkcs11-tool to allow it to
> write data?
> - When I import a certificate in Firefox, the browser asks for a PIN. I
> expect it to ask for the Admin PIN but am not sure which PIN it actually asks
> for (user PIN, to log in to the slot, or admin PIN, to write data). Do you
> know how Firefox determines which PIN to ask for? Does it always ask for
> the user PIN of the slot, or is it smart enough to ask for the right PIN?
>
> --
> Regards,
> Quân
>
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
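
Added example, not part of the original thread and not OpenSC code: a small C model of the session states in the PKCS#11 specification, showing that an SO login permits initializing the user PIN but not the use of private objects. The enum and function names are constructed for this illustration, and card-specific access conditions (such as the OpenPGP card's Admin PIN requirement for writes) are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: names echo PKCS#11 (CKU_*, CKR_*) but values are local. */
typedef enum { ROLE_NONE, ROLE_USER, ROLE_SO } role_t;
typedef enum { OP_READ_PUBLIC, OP_WRITE_PUBLIC, OP_USE_PRIVATE, OP_INIT_USER_PIN } op_t;
typedef enum { RV_OK, RV_USER_NOT_LOGGED_IN, RV_SESSION_READ_ONLY,
               RV_SESSION_READ_ONLY_EXISTS, RV_USER_ALREADY_LOGGED_IN } rv_t;

typedef struct { bool rw; role_t role; } session_t;

/* C_Login: there is no read-only SO state, so SO login needs an R/W session. */
rv_t model_login(session_t *s, role_t who) {
    if (s->role != ROLE_NONE) return RV_USER_ALREADY_LOGGED_IN;
    if (who == ROLE_SO && !s->rw) return RV_SESSION_READ_ONLY_EXISTS;
    s->role = who;
    return RV_OK;
}

/* What the current session state permits, per the spec's session-state table. */
rv_t model_check(const session_t *s, op_t op) {
    switch (op) {
    case OP_READ_PUBLIC:   return RV_OK;
    case OP_WRITE_PUBLIC:  return s->rw ? RV_OK : RV_SESSION_READ_ONLY;
    case OP_USE_PRIVATE:   /* private keys and objects: normal user only */
        return s->role == ROLE_USER ? RV_OK : RV_USER_NOT_LOGGED_IN;
    case OP_INIT_USER_PIN: /* C_InitPIN: valid only in the R/W SO state */
        return s->role == ROLE_SO ? RV_OK : RV_USER_NOT_LOGGED_IN;
    }
    return RV_USER_NOT_LOGGED_IN;
}

int main(void) {
    static const char *ops[] = { "read public", "write public", "use private", "init user PIN" };
    static const char *roles[] = { "public", "user", "SO" };
    /* Print the permission matrix for an R/W session in each login state. */
    for (int r = ROLE_NONE; r <= ROLE_SO; r++) {
        session_t s = { .rw = true, .role = ROLE_NONE };
        if (r != ROLE_NONE) model_login(&s, (role_t)r);
        for (int o = OP_READ_PUBLIC; o <= OP_INIT_USER_PIN; o++)
            printf("R/W %-6s %-13s -> %s\n", roles[r], ops[o],
                   model_check(&s, (op_t)o) == RV_OK ? "allowed" : "denied");
    }
    return 0;
}
```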