2012/1/2 Jean-Michel Pouré - GOOZE :
> Dear all,
> Is there a way to store a 3DES key on smartcard, so it cannot be
> extracted but still be usable by OpenSSL?
PKCS #11 allows that but opensc didn't support secret keys last time I
checked. Symmetric keys in smart-cards could be useful for Kerberos
On 02/17/2012 10:58 PM, Jean-Michel Pouré - GOOZE wrote:
> Let us take two examples to see how OpenSC can be improved: 1) The
> ePass2003 code was reviewed by Viktor and included in his branch. You
> probably did not know, did not compile, did not test and therefore
> Viktor's work is ignored. He
On Wed, Mar 21, 2012 at 11:03 PM, Peter Stuge wrote:
>> progress much faster, even in the price of committing not-the-best
>> solutions,
> Do you find this a desirable quality for a security-related project?
I don't think that this thread was about a balance of quality against
quantity. The issu
On Mon, Aug 6, 2012 at 11:30 AM, Anders Rundgren
wrote:
> On 2012-08-06 11:23, Andreas Schwier wrote:
>> I would assume, that checking constraints is the job of the RA, not the CA.
>>
>> Anyway, our design works the other way around: The card generates the
>> CSR internally, so the RA/CA can prove
On 11/11/2012 03:24 AM, Anthony Foiani wrote:
> Greetings.
>
> I'm working with a CardContact HSM, and would like to generate a
> keypair on the token, then get a certificate based on that key.
Hello,
Your question was on openssl, but just in case someone is interested.
If you have any recent
On 11/11/2012 11:50 PM, Anthony Foiani wrote:
>> certtool --generate-request --outfile req.pem --load-privkey
>> "pkcs11:yyy" --load-pubkey "pkcs11:xxx"
>>
>> should generate a request from the objects based on a smart card. The
>> pkcs11: URLs are obtained using the "p11tool --list-all --login"
a present token (0x1)
Logging in to "Nikos Mavrogiannopoulos (User PI".
Please enter User PIN:
error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR
(0x5)
Aborting."
If there is any additional help I can provide on that please let
On 11/04/2010 06:56 PM, Andre Zepezauer wrote:
>> If there is any additional help I can provide on that please let me know.
> $ export OPENSC_DEBUG=9
> $ pkcs11-tool [options] 2> file.log
> But be aware of the fact, that your pin will be included in the log file.
There was no additional output with
Hello,
Another issue I had with opensc is when trying to use it with secret
keys (symmetric ones)[0]. My feitian card says it supports 3DES and DES
thus I assumed it should support storing symmetric keys as well. I tried
to do:
I used C_CreateObject with template:
CKA_CLASS -> CKO_SECRET_KEY
CKA_
On 11/04/2010 07:05 PM, Jean-Michel Pouré - GOOZE wrote:
> On Thursday 04 November 2010 at 18:37 +0100, Nikos Mavrogiannopoulos
> wrote:
>> I'm trying to destroy an object I created on a Feitian PKI smart
>> card using pkcs11 calls. My result is CKR_GENERAL_ERROR. I can
>
> Hello Nikos,
> AFAIK only RSA is supported by OpenSC.
Is this a design decision or a limitation of the supported cards?
regards,
Nikos
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/o
On 11/04/2010 09:46 PM, Nikos Mavrogiannopoulos wrote:
>>> I'm trying to destroy an object I created on a Feitian PKI smart
>>> card using pkcs11 calls. My result is CKR_GENERAL_ERROR. I can
>>> reproduce it using the pkcs11-tool:
>> On the Feitian PKI
The commit applied in svn revision 4853[0] does not allow me to
erase my feitian smart card:
$ ./pkcs15-init -E
Using reader with a card: OmniKey CardMan 3121 00 00
Couldn't bind to the card: Not allowed
The error I get from sc_select_file is -1209 and if set to zero
as before I can erase and form
On Sun, Nov 7, 2010 at 8:07 AM, Andre Zepezauer
wrote:
> Hello Nikos,
> please could you post the access conditions of 3F00/5015/4946. I wonder
> why the error code SC_ERROR_NOT_ALLOWED is returned. To me it seems,
> that r4853 has only discovered an older bug.
Hello,
I don't understand what you
On 11/08/2010 01:48 PM, Andre Zepezauer wrote:
> I'm interested in the security attributes, that are set when the file
> above is created. The simplest way to get these attributes is to use
> opensc-explorer:
Here it is:
$ opensc-explorer
OpenSC Explorer version 0.12.0-rc1
Using reader with a car
On Wed, Jan 26, 2011 at 12:00 PM, Anders Rundgren
wrote:
> External tokens on mobile phones is a difficult idea that most likely
> will be marginalized by on-line schemes using embedded crypto hardware.
> If there was this "One Provider" things could be OK, but it is really
> the opposite, and it
On 01/26/2011 08:46 PM, Andreas Jellinghaus wrote:
> On Wednesday 26 January 2011, at 12:12:42, Nikos
> Mavrogiannopoulos wrote:
>> I don't understand what you mean by a reasonable enrollment
>> system, however having seen the EMV protocol, I believe that the
>> availa
On 03/31/2011 05:48 PM, Stef Walter wrote:
> I worked on documenting some of the p11-kit stuff today. Here's the
> documentation for the PKCS#11 URI reference implementation:
> http://p11-glue.freedesktop.org/doc/p11-kit/p11-kit-URIs.html
> And here's some docs for all of p11-kit, including the con
On Mon, May 9, 2011 at 9:53 PM, Alon Bar-Lev wrote:
> This is a matter of interpretation.
> Either is not constant and user is not supposed to know of.
> Apart from the special case of having a single slot, so you expect 0 I presume.
> You can check which slot is what simply by using:
> pkcs11-tool -
On Tue, May 10, 2011 at 9:40 AM, Giuliano Bertoletti wrote:
> Hello Nikos,
> just a few notes.
> The pkcs#11 standard addresses cryptographic devices in general, not only
> smart-cards which might (or might not) have a single slot.
> Cryptographic devices such as HSMs are capable of supporting many ma
On 06/13/2011 11:11 AM, Stef Walter wrote:
> On 06/10/2011 07:08 PM, Martin Paljak wrote:
>> On Jun 10, 2011, at 13:11 , Stef Walter wrote:
>>> After sleeping on this idea, I realized it won't work in certain
>>> cases. In particular when the key has CKA_ALWAYS_AUTHENTICATE
>>> and requires C_Logi
On 06/21/2011 07:59 PM, Stef Walter wrote:
>> I didn't like the pinfile attribute of pkcs11-urls much, because
>> its semantics are undefined. I see it as an option that could cause
>> compatibility issues between libraries using URLs. That's why I
>> have ignored it so far.
>
> Yes, I understan
On 08/04/2011 06:57 PM, Alon Bar-Lev wrote:
Hello,
In gnutls we dropped our own PKCS #11 back-end based on pakchois
for p11-kit. I try to contribute to the discussion based on this
experience.
> pkcs11-helper targets developers who like to introduce PKCS#11 into
> their application, especially
On 08/18/2011 11:11 AM, Hans Witvliet wrote:
> Perhaps a ludicrous question, but I post it anyway... Some
> creditcard companies or banks supply their customer with cards plus
> pin-code in order to identify themselves during financial
> transactions.
>> From my focus I presume these look like
Hello,
I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
signing in gnutls via PKCS #11. However I have no such cards to test it.
Do you have any suggestion on which card to use? (My only requirement is
that it must be obtainable without placing a mass order)
regards,
Nikos
On 09/06/2011 03:38 PM, Martin Paljak wrote:
>> I'm trying to use the opensc 0.12.x ECDSA support, to allow ECDSA
>> signing in gnutls via PKCS #11. However I have no such cards to test it.
>> Do you have any suggestion on which card to use? (My only requirement is
>> that it must be obtainable
On Fri, Sep 9, 2011 at 9:38 AM, Martin Paljak wrote:
> Hello,
> Autumn has started (at least in northern hemisphere) so it is time to
> pull together next OpenSC release.
> - ECDH support [5]
Out of curiosity, are the ECDH static keys used anywhere? They remind
me of the DH static keys ciphersui
On Wed, Sep 21, 2011 at 9:59 AM, Stef Walter wrote:
> Is it normal for a Gooze Feitian ePass PKI Token to take over 60 seconds
> to initialize when used with PKCS#11?
Mine operates much faster than that. I've noticed though that it does
not operate when plugged to a usb port that does not provide
On 09/22/2011 05:31 PM, Crypto Stick wrote:
> The Gnuk project [1] is working on support of ECDSA. But I expect a few
> more weeks or months until a public release.
> [1] http://www.fsij.org/gnuk/
Looks pretty cool. About speed wouldn't using a gmp-based rsa (e.g. from
nettle) be of better perfor