hi all,
we're in the process of rolling out Aladdin eToken PRO 32K USB smart
tokens for security on Windows and Linux; we want to use them to
generate so-called grid proxies, which are short-lived SSL
certificates, more or less. To achieve this I've very thankfully made
use of the OpenSC too
the user types in a PIN code of 12 characters) then there's
no room for a '\0'. The OpenSSL code specifies that this is OK, but the
engine_pkcs11.c file then does a strlen(pin) ...
cheers,
Jan Just Keijser
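The length problem described in the message above, as an added example that is not code from engine_pkcs11, OpenSSL or OpenSC: a PIN that exactly fills its buffer has no terminating NUL, so strlen() reads past the end of the buffer, whereas PKCS#11's C_Login() takes the PIN together with an explicit ulPinLen and needs no terminator at all. The names pin_buffer_is_terminated, bounded_pin_len, token_login and login_from_buffer, the PIN_MAX/PIN_MIN limits and the reference PIN are my own constructions; the CKR_* values are the ones from the PKCS#11 specification.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not engine_pkcs11 or OpenSSL code). A caller hands the
 * engine a fixed-capacity PIN buffer; when the PIN is exactly PIN_MAX
 * characters long there is no room for a terminating NUL, so strlen()
 * would read past the end of the buffer. */
#define PIN_MAX 12
#define PIN_MIN 4

/* 1 if a NUL is present within the first cap bytes, 0 if not.
 * 0 means strlen(buf) is not safe on this buffer. */
int pin_buffer_is_terminated(const char *buf, size_t cap)
{
    return memchr(buf, '\0', cap) != NULL;
}

/* PIN length bounded by the buffer capacity: never reads beyond cap bytes,
 * whether or not a terminator is present. */
size_t bounded_pin_len(const char *buf, size_t cap)
{
    const char *nul = memchr(buf, '\0', cap);
    return nul ? (size_t)(nul - buf) : cap;
}

/* Hypothetical token side, shaped like PKCS#11 C_Login(): the PIN arrives
 * with an explicit length (ulPinLen), so no terminator is ever needed.
 * Return values are the CKR_* codes from the PKCS#11 specification. */
typedef unsigned long ck_rv_t;
#define CKR_OK            0x00UL
#define CKR_PIN_INCORRECT 0xA0UL
#define CKR_PIN_LEN_RANGE 0xA2UL

/* Constructed reference PIN: 12 characters, deliberately stored without a NUL. */
static const unsigned char k_token_pin[PIN_MAX] = "123456789012";

ck_rv_t token_login(const unsigned char *pin, unsigned long pin_len)
{
    if (pin_len < PIN_MIN || pin_len > PIN_MAX)
        return CKR_PIN_LEN_RANGE;
    /* A real token compares on-card; memcmp here is only for the demo. */
    if (pin_len != sizeof k_token_pin || memcmp(pin, k_token_pin, pin_len) != 0)
        return CKR_PIN_INCORRECT;
    return CKR_OK;
}

/* Engine-side glue: derive the length from the buffer without strlen(). */
ck_rv_t login_from_buffer(const char *buf, size_t cap)
{
    size_t len = bounded_pin_len(buf, cap);
    return token_login((const unsigned char *)buf, (unsigned long)len);
}

int main(void)
{
    char full[PIN_MAX];              /* 12-char PIN: fills the buffer, no NUL */
    char shortpin[PIN_MAX] = "1234"; /* 4-char PIN: remainder is zero-filled */
    memcpy(full, "123456789012", PIN_MAX);

    printf("full:  terminated=%d len=%zu rv=0x%lx\n",
           pin_buffer_is_terminated(full, PIN_MAX),
           bounded_pin_len(full, PIN_MAX),
           login_from_buffer(full, PIN_MAX));
    printf("short: terminated=%d len=%zu rv=0x%lx\n",
           pin_buffer_is_terminated(shortpin, PIN_MAX),
           bounded_pin_len(shortpin, PIN_MAX),
           login_from_buffer(shortpin, PIN_MAX));
    return 0;
}
```

The point of the split is that the engine must carry the PIN's length from the place where it knows it (the caller's buffer capacity, or the length typed by the user) down to C_Login(), instead of recovering it from a terminator that a full buffer cannot contain.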
Andreas Jellinghaus wrote:
> hi Jan,
>
>
>> - PIN code
(empty)
Slot 3 (empty)
Slot 4 (empty)
Slot 5 (empty)
Slot 6 (empty)
Slot 7 (empty)
any ideas ?
Jan Just Keijser
System Integrator
Nikhef / Amsterdam
Eddy Nigg (StartCom Ltd.) wrote:
> Guess that's a call for Nils ;-)
>
> BTW, I quick
: called
[pkcs15-init] reader-openct.c:180:openct_reader_release: called
[pkcs15-init] reader-openct.c:180:openct_reader_release: called
[pkcs15-init] reader-openct.c:180:openct_reader_release: called
[pkcs15-init] reader-openct.c:165:openct_reader_finish: called
cheers,
Jan Just Keijser
System
DF:
regards,
Jan Just Keijser
System Integrator
Nikhef / Amsterdam
Eddy Nigg (StartCom Ltd.) wrote:
> Mmhhh... didn't you say previously that you were using an eToken Pro
> 32K? It recognizes it as 64K??? Guess there must be something wrong in
> that case... Can you confirm the tok
really great. I don't need PKCS#15 for this,
just PKCS#11 access that works the same on all platforms... We'd be
willing to send one of these eToken PRO 32K's to the opensc developers
if that would speed things up ;-)
regards,
Jan Just Keijser
System Integrator
Nikhef /
e) solution,
I'd happily drop Aladdin's RTE software, *BUT* I do not want to lock out
users who _do_ decide to use Aladdin's commercial stuff, especially since
the commercial stuff has a higher point&drool coefficient than the
current opensc / SCB software does.
regards,
Jan Just
PuTTY etc works on all platforms (linux+windows+macos).
- the script that I have created to generate short-lived proxy
certificates also works as well as it does now.
Only then would the opensc-solution be a viable alternative.
Unfortunately, we're quite a way off from that situation :-(
ile it actually gets ;-) If
I grab my public certificate from an eToken would that be in DER format?
then there's a slight problem, as openssl can't grok it ...
cheers,
Jan Just Keijser
System Integrator
Nikhef / Amsterdam
Nils Larsch wrote:
> Jan Just Keijser wrote:
>> Hi Edd
Hi Peter, Jean-Pierre,
thx for the suggestion but we already have a bunch of Aladdin eTokens ...
they are working for us, just not with open source software. If I can
get them to work with 100% open source stuff then that would be great.
regards,
Jan Just Keijser
System Integrator
Nikhef
Hi Eddy, see comments below
Eddy Nigg (StartCom Ltd.) wrote:
> Jan Just Keijser wrote:
>> Right now I've got it boiled down to
>> - install a single RPM (for RHEL4, Fedora Core 5/6, OpenSuSE 10.x) or
>> install one or two .deb packages on Debian or Ubuntu
>> - f
Jacob H. Wiseman wrote:
>
> Has anyone been able to reformat an Aladdin eToken with CardOS 4.2b to
> an uninitialized state? The software provided with the old eToken I
> used to reformat doesn’t recognize the new 4.2b. I would simply try
> various methods, but as the eToken is expensive and
hi Alon,
sorry for not responding any sooner (I saw your previous plea for
Windows testers) but I won't get around to testing your new MinGW builds
until next week. It's definitely on my list, as we are still making
extensive use of (parts of) opensc with our Aladdin eTokens (and with
the Alad
Hi Anri,
opensc and libtool rely on the autoconf 'configure' scripts; as long as
the 'configure' script detects that dynamic linking is not supported on
uclinux you should be fine.
however, what do you intend to do with engine-pkcs11 without dynamic lib
support? engine-pkcs11 is primarily inten
e to the
> openssl will be a great problem, but engine-pkcs11 load the
> opensc-pkcs11.so using libtool, too. If I disable the opensc's dynamic
> linking capability, does it still work well? How should I handle this
> problem, could you give me some suggestion?
>
> On 2
Hi Anri,
this is getting more complicated with each post... sounds like you want
to port all of pcscd + opensc to uclinux... I'd start out with pcscd
first, and I am pretty sure you'll run into plenty of trouble. Yes,
pcscd uses dlopen to load external libraries and no, I don't know of any
ot
AFAIK openct sits on top of pcscd (pcsc-lite). Or am I mistaken?
cheers,
JJK
Peter Stuge wrote:
> On Thu, Feb 21, 2008 at 05:22:16PM +0800, Anri Lau wrote:
>
>> Is there another choice for card reader except pcscd?
>>
>
> Maybe openct can work for you.
>
> Jan is right, if openssl should
Hi Alon,
finally had some time to test your new build system on my Windows XP box
with both Cygwin and MinGW installed.
./configure + make ran fine on cygwin; the resulting pkcs11-tool (which
is all I really use) was working fine
./configure ran on MinGW after I added libtool to my MinGW instal
!
>
> The pkcs15-piv.c should not have included openssl... I guess this is
> leftover from some other work.
> Can you please try to remove these includes and continue building?
>
> Alon.
>
> On 2/25/08, Jan Just Keijser <[EMAIL PROTECTED]> wrote:
>
>> Hi Alo
,
JJK
Alon Bar-Lev wrote:
> 1.libtool
>
> How did you build libtool?
> Have you added LTLIB_CFLAGS="-I<>" LTLIB_LIBS="-L<> -lltdl" to configure?
>
> 2. mingw runtime should have gettimeofday... Please tell me if it does
> not work after your update.
- build your own SCB package and see if you can remove the dependency on
OpenSSL; most opensc tools actually do not require or use openssl
- rebuild openvpn and link it against the openssl 0.9.8e as found in the
SCB 0.8+ package.
what kind of smart card are you using?
cheers,
JJK / Jan Just
tions are there to test this?
cheers,
JJK
Ludovic Rousseau wrote:
> On Tue, Mar 18, 2008 at 3:48 PM, Jan Just Keijser <[EMAIL PROTECTED]> wrote:
>
>> Hi Ludovic,
>>
>
> Hello,
>
> Thanks for your efforts.
>
>
>> how do I build it on
Hi Marc,
seems to me that the FAQ is out of date; openssh private keys are in RSA
format, which can easily be stored on a smart card/token. You can then
use this key with its corresponding SSH public part using Alon Bar-Lev's
openssh patch. I must add that I have not tried this myself ;-)
chee
This does raise another interesting question: how session safe is
pcsc-lite? Right now, all comms are over a single socket
/var/run/pcscd.comm - how is access control to this socket implemented?
Otherwise I could envisage a very simple DoS : if more than 1 person is
allowed to log onto a compu
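A first check for the access-control question raised above, as an added example that is not part of pcsc-lite: whether the daemon's socket is writable by every local user, i.e. whether any login session on the machine can connect to it. The function world_writable is my own; it assumes GNU stat (Linux) and uses the socket path named in the post.

```sh
#!/bin/sh
# Added example, not pcsc-lite code: is an IPC endpoint such as the pcscd
# socket writable by every local user? Assumes GNU stat (Linux).
# Exit status: 0 = world-writable, 1 = not world-writable, 2 = missing/unreadable.
world_writable() {
    path="$1"
    [ -e "$path" ] || return 2
    mode=$(stat -c '%a' "$path" 2>/dev/null) || return 2
    other=${mode#"${mode%?}"}      # last octal digit: permissions for "other"
    [ $(( other & 2 )) -ne 0 ]     # bit 2 of that digit is the write bit
}

# Human-readable wrapper around the check.
report() {
    rc=0
    world_writable "$1" || rc=$?
    case $rc in
        0) echo "$1: world-writable, any local user can connect" ;;
        2) echo "$1: not found or unreadable" ;;
        *) echo "$1: not world-writable" ;;
    esac
}

report /var/run/pcscd.comm
```

A world-writable socket only tells you that every local user can open a connection; what they can then do depends on the daemon's own checks, which is exactly the part the post asks about.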
Hi Ludovic,
Ludovic Rousseau wrote:
> On Thu, Apr 3, 2008 at 4:49 PM, Jan Just Keijser <[EMAIL PROTECTED]> wrote:
>
>> This does raise another interesting question: how session safe is
>> pcsc-lite? Right now, all comms are over a single socket /var/run/pcscd.comm
>
"RSA key"
cheers,
JJK / Jan Just Keijser
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
the name of the token
('whatever' in the sample output above) is the same in both the file
2F00 and the file [5015]/5032
I can email you (off-list) the directory contents (opensc-tool -f) for a
card initialized with opensc and one
Hi Andreas,
Andreas Jellinghaus wrote:
> Hi,
>
> I wrote a script to test my recent changes,
> and in it I generate an openssl.conf and
> use it.
>
> this should also work if I include "PIN = 1234"
> in the config file, and I believe it did work
> once.
>
> but now it doesn't the openssl crashes.
Hi Andreas,
Andreas Jellinghaus wrote:
> Am Donnerstag, 28. August 2008 13:54:06 schrieb Jan Just Keijser:
>
>> I'm using
>> - openssl 0.9.8g
>> - engine_pkcs11 0.1.4
>> - proprietary PKCS11 module
>> and the 'PIN=...' thingie works j
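An openssl.cnf of the kind Andreas describes in the message quoted above and that the reply says works with openssl 0.9.8g and engine_pkcs11 0.1.4, written here as an added example (not the output of his script, nor a file shipped by OpenSC or libp11): it registers engine_pkcs11 as a dynamic engine, points it at the OpenSC PKCS#11 module and supplies the PIN from the config so that openssl does not prompt. The two library paths are assumptions for a typical Linux install.

```ini
# Added example openssl.cnf for engine_pkcs11 (legacy engine API, OpenSSL 0.9.8/1.0.x).
# The two .so paths below are assumptions; adjust them to the local install.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
# The PIN sits here in cleartext: keep this file mode 0600 and per-user,
# or leave PIN out and let the engine prompt for it.
PIN = 1234
init = 0
```

Point openssl at the file with the OPENSSL_CONF environment variable rather than editing the system-wide openssl.cnf; a system-wide file with a PIN in it is readable by every local user. Note also that anything which calls OPENSSL_config(NULL), directly or via a library, loads this file too, which is what the later thread on this page about the OPENSSL_config call in opensc's openssl.c is about.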
Hi Andreas,
Andreas Jellinghaus wrote:
> Am Donnerstag, 28. August 2008 15:57:57 schrieb Jan Just Keijser:
>
>> this problem does not occur with libp11-0.2.3+engine_pkcs11-0.1.4 . The
>> two packages seem to be tied together so I am not sure which of the 2 is
>> c
Ludovic Rousseau wrote:
> On Mon, Nov 3, 2008 at 4:33 PM, meo anderson <[EMAIL PROTECTED]> wrote:
>
>> hallo,
>>
>
> Hello,
>
>
>> I would like to ask if it is somehow possible to get write access from Java
>> to a PKCS11 token (pkcs15 structure is being used, since the methods in class
>>
hi list,
I just ran into a very weird oddity with openssl 1.0 (both the fc12
version 1.0.0-beta4 on my laptop and the official 1.0.0 version) ; I've
initialized an etoken using pkcs15-init -C , copied a certificate to it
using pkcs15-init -X , the priv key using pkcs15-init -S etc
Now I want t
eta4 and the official openssl-1.0.0 release
cheers,
JJK
Jan Just Keijser wrote:
> hi list,
>
> I just ran into a very weird oddity with openssl 1.0 (both the fc12
> version 1.0.0-beta4 on my laptop and the official 1.0.0 version) ;
> I've initialized an etoken usi
Hi Anders,
Anders Rundgren wrote:
> If you wanted to provide a USB PKI token that would give the user maximum
> flexibility it seems that the device should support CCID.
>
> 1. As I understand,CCID only provides the basic communication and does not
>address higher level issues such as PKI, rig
Hi Aleksey,
Aleksey Samsonov wrote:
> Hello,
>
> Jan Just Keijser wrote:
>> in opensc-0.11.13/src/pkcs11/openssl.c there's section
>>
>> 106 void
>> 107 sc_pkcs11_register_openssl_mechanisms(struct sc_pkcs11_card *card)
>> 108 {
>> 109 #if OPENSSL
Martin Paljak wrote:
> On Apr 16, 2010, at 09:51 , Aleksey Samsonov wrote:
>
>> I commented out the OPENSSL_config(NULL) and now it works ...
>>
>>> should this added as a patch? the FIXME seems to be to *remove* the
>>> explicit call to OPENSSL_config; I can confirm that this works for bo
Dimitrios Siganos wrote:
> Hi,
>
> I have use openssl-1.0.0 and engine_pkcs11 for storing an rsa private
> key in a smartcard (feitian epass 3000). I got openssl to access the rsa
> private key and used it to create a self-signed certificate like this:
>
> openssl
>
> OpenSSL> engine dynamic \
>
Hi *,
Jean-Michel Pouré - GOOZE wrote:
> On Fri, 2010-04-16 at 18:31 +0200, Andreas Jellinghaus wrote:
>
>> if not we need
>> to debug this in detail and/or talk to the openssl developers
>> to track down and fix this issue.
>>
>
> Do not hesitate to propose them Free PKI developer card a
Hi Aleksey,
Aleksey Samsonov wrote:
> Hello,
>
> Andreas Jellinghaus wrote:
>
>> Am Freitag 16 April 2010 08:51:31 schrieb Aleksey Samsonov:
>>
>>> Hello,
>>>
>>> Jan Just Keijser wrote:
>>>
>>>> in opensc-
Anders Rundgren wrote:
> I wonder if we talking about the same subject. I'm talking about establishing
> a secure channel between the card and the CA so that the CA actually knows
> that the key-pair was created in the card.
>
Note: there is no absolutely secure method to establish a connectio
Aleksey Samsonov wrote:
> Hello,
>
> Jan Just Keijser wrote:
>> Martin Paljak wrote:
>>> On Apr 16, 2010, at 09:51 , Aleksey Samsonov wrote:
>>>
>>>> I commented out the OPENSSL_config(NULL) and now it works ...
>>>>
>>>
Hi Andreas,
Andreas Jellinghaus wrote:
> hmm. if we had only one engine doing both rsa and gost, the
> problem would be gone, without this "hack" required in opensc?
>
> my point of view:
> if so: I think that is the solution! please drop the stuff
> from opensc, and work in that direction.
>
> en
Robert Relyea wrote:
> On 04/21/2010 02:25 PM, Jan Just Keijser wrote:
>
>> Hi Andreas,
>>
>>
>>
>>> or send patches for libp11/engine_pkcs11 to handle gost.
>>> (no idea how much work that would be - I'm quite clueless
>>&
Hi Martin,
Martin Paljak wrote:
> On Apr 22, 2010, at 00:25 , Jan Just Keijser wrote:
>
>> Hi Andreas,
>>
>> Andreas Jellinghaus wrote:
>>
>>> hmm. if we had only one engine doing both rsa and gost, the
>>> problem would be gone, without thi
he Feitian card useless for my purposes...
thanks,
JJK / Jan Just Keijser
t/debug please let me know. The
"turn-around time" might be a few days but I'm definitely interested in
getting this card to work,
More information for the Feitian folks: I also tried the driver bundle
from the ftsafe website but it only supports the SCR200 card reader, not
t
Jean-Michel Pouré - GOOZE wrote:
> On Fri, 2010-05-07 at 12:36 +0200, Jan Just Keijser wrote:
>
>> I will test it with openssl 0.9.8 next week
>>
>
> I think the alternative would be to generate the keys/certificates
> outside the smartcard and transfer them to
Hi Jean-Michel ,
Jean-Michel Pouré - GOOZE wrote:
> On Fri, 2010-05-07 at 12:36 +0200, Jan Just Keijser wrote:
>
>> Excellent! I will test the CCID reader when I get it.
>>
>
> You should receive it next Monday or Tuesday.
>
>
>> More information for
Martin Paljak wrote:
> On May 11, 2010, at 19:44 , Ludovic Rousseau wrote:
>
>> I think you will need this patch to use the Gemalto pinpad:
>>
>> Index: src/libopensc/card-entersafe.c
>> ===
>> --- src/libopensc/card-entersafe.c (
itian/opensc-debug.log-20100520
I'm getting quite annoyed with this card ...
What am I doing wrong?
share and enjoy,
JJK / Jan Just Keijser
Jean-Michel Pouré - GOOZE wrote:
> On Thu, 2010-05-20 at 12:35 +0200, Jan Just Keijser wrote:
>
>> At this point I downloaded and built opensc-0.11.13
>>
>
> As explained in the tutorial, you must build OpenSC from SVN version:
> http://www.gooze.eu/howto/s
f using 2048 bit key?
The Gooze tutorial suggests that it is possible. With the latest pcsc
driver from Ludovic I was able to verify this. I was unable to run the
newest pcsc driver on my CentOS machine though.
> What size was the Globus key?
1024 bits
>
> Jan Just Keijser wrote:
>>
Viktor TARASOV wrote:
> Jan Just Keijser wrote:
>
>> Jean-Michel Pouré - GOOZE wrote:
>>
>>
>>> On Thu, 2010-05-20 at 12:35 +0200, Jan Just Keijser wrote:
>>>
>>>
>>>
>>>> At this point I downlo
Hi all,
positive news this time: I've managed to upload my certificate to the
Feitian ePass and sign a certificate request with it (i.e. no more
annoying openssl error:
Jan Just Keijser wrote:
> Yang Liu wrote:
>> Dear Customer,
>>
>> Our R&D team replied your e
rd using ID=666: it always ends
up as ID=6066. This is not related to the Feitian card, as it also
happens with my trusty old Aladdin eToken PRO.
And thanks to Douglas Engbert for pointing out the certificate
compromise ;-)
cheers,
JJK / Jan Just Keijser
>
> Jan Just Keijser wro
Hi all,
a follow-up, see comments inline below
Jan Just Keijser wrote:
> Hi all,
>
> positive news this time: I've managed to upload my certificate to the
> Feitian ePass and sign a certificate request with it (i.e. no more
> annoying openssl error:
> 1512
Hi Martin,
just to confirm: I managed to build opensc 0.12.0 on my Fedora 13 box
(with openssl 1.0.0a);
my scripts to generate short-lived certificates from a key found on a
hardware device (Aladdin eToken PRO 32K and Feitian ePass) both work as
expected.
have a good weekend,
JJK / Jan Just
this version looks great!
share and enjoy,
JJK / Jan Just Keijser
Hi Ludovic,
Ludovic Rousseau wrote:
> 2010/9/6 Jan Just Keijser :
>
>> more fun with the upcoming 0.12.0 release:
>>
>> - the only way I know how to initialize an Aladdin eToken PRO 32K with
>> opensc is by using the openct driver; is there another way?
>>
Hi all,
Viktor TARASOV wrote:
> On 11.01.2011 09:23, Xiaoshuo Wu wrote:
>
>> On Mon, 10 Jan 2011 16:50:37 +0800, Viktor TARASOV
>> wrote:
>>
>>
>>> Do we have any chance to influence the card producer and to change behavior
>>> of their middlewares ?
>>> If so, then it make a sense to w
return rv;
+ }
+
for (
current_session = _g_pkcs11h_data->sessions;
current_session != NULL;
I hope someone can incorporate this patch into the pkcs11-helper sources.
thx,
JJK / Jan Just Keijser
Alon Bar-Lev wrote:
> OK.
> Thanks.
> I added similar solution.
>
>
Excellent, thanks. Any idea when the next version of pkcs11-helper is
released?
cheers,
JJK / Jan Just Keijser
> On Wed, Feb 23, 2011 at 12:41 PM, Jan Just Keijser wrote:
>
>> hi all,
>>
Alon Bar-Lev wrote:
> Today?
>
>
Wow - that is far quicker than I expected. Again, many thanks for such a
quick response.
cheers,
JJK / Jan Just Keijser
> On Wed, Feb 23, 2011 at 1:32 PM, Jan Just Keijser wrote:
>
>> Alon Bar-Lev wrote:
>>
>>>
e power of open source software.
Thanks Alon.
cheers,
JJK / Jan Just Keijser
> On Wed, Feb 23, 2011 at 1:45 PM, Jan Just Keijser wrote:
>
>> Alon Bar-Lev wrote:
>>
>>> Today?
>>>
>>>
>>>
>> Wow - that is far quicker tha
Take a look at:
http://www.metacentrum.cz/en/about/devel/pkcs11.html
and
https://lists.strongswan.org/pipermail/users/2007-July/001900.html
the basic idea is that you don't extract a private key, but you ask the
nss softtoken to sign a request for you.
HTH,
JJK
weizhong qiang wrote:
> hi A
Alon Bar-Lev wrote:
> On Thu, Nov 10, 2011 at 3:10 PM, weizhong qiang
> wrote:
>
>> hi Alon,
>> Sorry that I make you be confused.
>>
>> On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote:
>>
>>
>>> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang
>>> wrote:
>>>
> OpenSSL is full