Cryptoflex problems


Cryptoflex problems

Jan Schermer
So I got my new cryptoflex + e-gate

But I've got a problem

pkcs15-init -ET finishes successfully

pkcs15-init -CT says:

New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
iso7816.c:98:iso7816_check_sw: Authentication method blocked
sec.c:204:sc_pin_cmd: returning with: Authentication method blocked
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x2)
Failed to create PKCS #15 meta structure: Authentication method blocked

What might be the problem here? I have another two cards here, but I'm
not willing to try with them in case I destructed it...

Thanks

--
Jan Schermer
Freelance UNIX Specialist

GSM: +420-608022225
email: [hidden email]
ICQ: 19466257
WWW: http://www.zviratko.net

CONFIDENTIALITY HAIKU:

This plaintext message
not alone in the network
notice for the lame

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: Cryptoflex problems

Jan Schermer
I figured out that SO-PIN is not supported on Cryptoflex, but it still
doesn't work:

New User PIN.
Please enter User PIN: 123456
Please type again to verify: 123456
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 123456
Please type again to verify: 123456
Failed to store PIN: PIN code or key incorrect

attached is the debug.log with a lot of -vvs

Transport key is correct (checked by using a wrong one).

What's the problem here?

I also tried pkcs15+onepin profile, with no effect.

Thanks
Jan



Re: Cryptoflex problems

Jan Schermer
And the log attached this time.... sorry


Attachment: debug.log.gz (4K)

Re: Cryptoflex problems

Stef Hoeben-2
Hi Jan,

SO-PIN is supported on Cryptoflex.

Not sure what went wrong (or from what the attached log file came),
but the following works here:

* with SO pin:
    pkcs15-init -ET
    pkcs15-init -CT --so-pin 123456 --so-puk 123456
    pkcs15-init -PT --so-pin 123456 -a 1 --pin 1234 --puk 1234

* without SO pin (only user PIN):
    pkcs15-init -ET
    pkcs15-init -CT --pin 1234 --puk 1234 -p pkcs15+onepin

If it doesn't work, pls. make sure the previous commands succeeded,
and send us a log containing only the command that failed.

(PS: the "User unblocking PIN" seems to be a typo -- should be "SO
unblocking PIN")

Cheers,
Stef


Re: Cryptoflex problems

Jan Schermer
The debug file is output of:

pkcs15-init -P -a 01 -v -v -v -v -v -v -v -v -v -v -v -v -v -v 2>debug.log

SO-PIN for Cryptoflex is in the ToDo and doesn't work here.
OpenSC-0.9.6, OpenCT-0.6.6. I'm using USB e-gate + cryptoflex.

If you want and are willing and able to debug it, I'd be happy to give
you shell access to a machine with token connected.

If I do initialisation as you wrote:

With SOPIN:
zviratko@kocicka ~ $ pkcs15-init -ET
zviratko@kocicka ~ $ pkcs15-init -CT --so-pin 123456 --so-puk 123456
sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x2)
Failed to create PKCS #15 meta structure: PIN code or key incorrect

And without SOPIN:
zviratko@kocicka ~ $ pkcs15-init -ET
zviratko@kocicka ~ $ pkcs15-init -CT --pin 1234 --puk 1234 -p pkcs15+onepin
iso7816.c:98:iso7816_check_sw: Authentication method blocked
sec.c:204:sc_pin_cmd: returning with: Authentication method blocked
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x1)
Failed to create PKCS #15 meta structure: Authentication method blocked

Thanks

Jan



Re: Cryptoflex problems

Stef Hoeben-2
Hm, maybe the pkcs15-init -ET didn't work?

Could you try after "pkcs15-init -ET" the following:
 opensc-explorer
  verify AUT1 2C:15:E5:26:E9:3E:8A:19
  ls

and send us the output?

Cheers,
Stef



Re: Cryptoflex problems

Jan Schermer
Here you go:

OpenSC Explorer version 0.9.6
OpenSC [3F00]> verify AUT1 2C:15:E5:26:E9:3E:8A:19
Code correct.
OpenSC [3F00]> ls
FileID  Type  Size
 0011    wEF    38
 0002    wEF     8
 0000    wEF    23
 0100    wEF    23
[5016]    DF     0
OpenSC [3F00]>

Jan


Re: Cryptoflex problems

Stef Hoeben-2
Hi,

So you deleted the files and dir as I proposed?

And then you did "pkcs15-init -CT" and "pkcs15-init -PT",

And then you are trying to store certs with "pkcs15-init -S" or
"pkcs15-init -X", and this fails? Could you tell us the exact commands
you used and the error code (and if possible opensc-errors.log)?

Cheers,
Stef

Jan Schermer wrote:

> I tried and I tried and I can't store more than two certs on a card,
> really...
>
> I tried storing a separate PIN with the cert chain, as well as putting
> all certs on one PIN, I tried modifying sizes in profiles and
> combining profiles together... no luck.
>
> Should I try more or is it futile? I'm confused because the memory
> should be the same on ikey3k and cryptoflex (32K), does ikey3k use it
> that more efficiently??
>
> Please advise...
>
> Jan
>
> Jan Schermer wrote:
>
>> It works! Thanks! :)
>>
>> Though I have another problem - I can't seem to fit more than one
>> certificate chain to the card:
>>
>> iso7816.c:98:iso7816_check_sw: Not enough memory space in the file
>> card-flex.c:986:flex_create_file: Card returned error: Card command failed
>> card.c:536:sc_create_file: returning with: Card command failed
>>
>> I haven't messed with profile yet, what should I "tune"? :) I expect
>> it to be able to store at least what ikey3K could (5 chains)
>>
>> Jan
>>
>> Stef Hoeben wrote:
>>
>>> Hi,
>>>
>>> it seems there's still a PIN file present (the 0000 one) that couldn't
>>> be deleted because 5016 and 0100 are in the way (Cryptoflex -> deletion
>>> must be done in reverse order of creation...).
>>>
>>> So if you are sure you don't need the 0100 file and the 5016 DF,
>>> (better check out what it contains) you could do:
>>>
>>> opensc-explorer
>>> verify AUT1 2C:15:E5:26:E9:3E:8A:19
>>> delete 5016
>>> delete 0100
>>> delete 0000
>>>
>>> After that, "pkcs15-init -CT ..." should work fine.
>>>
>>> If you do need these, you'll have to find out which is the PUK and
>>> pin ref in the 0000 PIN file and unblock that PIN...
>>>
>>> Note: NEVER delete the 0011 and 0002 files!!
>>>
>>> Good luck,
>>> Stef
>>>
>
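
The deletion constraint described in the quoted message above (Cryptoflex files must be deleted in reverse order of creation, and 0011 and 0002 must never be deleted), as an added Python example that is not part of the original thread or of OpenSC. It assumes the `ls` listing shows files in creation order, which is consistent with the delete order given in the thread; `plan_deletions` and its `keep` parameter are hypothetical names.

```python
import re

# Constructed sample: the `ls` session posted in this thread
# (OpenSC Explorer 0.9.6, after "pkcs15-init -ET").
SAMPLE_LS = """\
OpenSC [3F00]> ls
FileID  Type  Size
 0011    wEF    38
 0002    wEF     8
 0000    wEF    23
 0100    wEF    23
[5016]    DF     0
OpenSC [3F00]>
"""

# Files the thread says must never be deleted.
PROTECTED = frozenset({"0011", "0002"})

# One listing row: optional [brackets] around a 4-hex-digit file ID (DFs are
# shown bracketed), then the type column, then the size.
ROW = re.compile(r"^\s*\[?([0-9A-Fa-f]{4})\]?\s+(\S+)\s+(\d+)\s*$")


def parse_ls(text):
    """Return [(file_id, type, size), ...] in listing order.

    Prompt lines, the header row and anything else that is not a file row
    are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((m.group(1).upper(), m.group(2), int(m.group(3))))
    return entries


def plan_deletions(text, keep=()):
    """Plan opensc-explorer delete commands for a Cryptoflex directory.

    Assumption (not confirmed by OpenSC documentation): listing order equals
    creation order. Deletion must go newest-first, so any file that has to
    stay (PROTECTED or in `keep`) blocks every file created before it.

    Returns (commands, blocked):
      commands: "delete XXXX" strings in the order they must be issued
      blocked:  (file_id, obstacle_id) pairs that cannot be deleted while
                the obstacle file is kept
    """
    kept = PROTECTED | {k.upper() for k in keep}
    commands, blocked = [], []
    obstacle = None  # newest kept file seen so far while walking backwards
    for file_id, _ftype, _size in reversed(parse_ls(text)):
        if file_id in kept:
            if obstacle is None:
                obstacle = file_id
            continue
        if obstacle is None:
            commands.append("delete " + file_id)
        else:
            blocked.append((file_id, obstacle))
    return commands, blocked


if __name__ == "__main__":
    cmds, stuck = plan_deletions(SAMPLE_LS)
    print("issue in this order:", cmds)
    print("blocked:", stuck)

    # Keeping 0100 leaves the stale PIN file 0000 undeletable.
    cmds, stuck = plan_deletions(SAMPLE_LS, keep={"0100"})
    print("issue in this order:", cmds)
    print("blocked:", stuck)
```

With nothing extra kept, the plan reproduces the 5016, 0100, 0000 order given in the thread; keeping 0100 shows why the 0000 PIN file then stays on the card.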


Re: Cryptoflex problems

Stef Hoeben-2
(Sorry, I missed your previous mail).

Does it help to change
          size    = 7500;
in flex.profile into
          size    = 20000;
(or something else below 31000)?

If not, could you use opensc-explorer to do a "cd 5015" and "info" and "ls"
and send us the results?

Cheers,
Stef

Stef Hoeben wrote:

> Hi,
>
> so you deleted the files and dir as I proposed?
>
> And then you did "pkcs15-init -CT" and "pkcs15init -PT",
>
> And then you are trying to stroe certs with "pkcs15-init -S" or
> "pkcs15-init -X",
> and this fails? Could you tell us what the exact commands you used and
> the error
> code (and if possible opensc-errors.log)?
>
> Cheers,
> Stef
>
> Jan Schermer wrote:
>
>> I tried and I tried and I can't store more than two certs on a card,
>> really...
>>
>> I tried storing a separate PIN with the cert chain, as well as
>> putting all certs on one PIN, I tried modifying sizes in profiles and
>> combining profiles together... no luck.
>>
>> Should I try more or is it futile? I'm confused because the memory
>> should be the same on ikey3k and cryptoflex (32K), does ikey3k use it
>> that more efficiently??
>>
>> Please advise...
>>
>> Jan
>>
>> Jan Schermer wrote:
>>
>>> It works! Thanks! :)
>>>
>>> Though I have another problem - I can't seem to fit more than one
>>> certificate chain to the card:
>>>
>>> iso7816.c:98:iso7816_check_sw: Not enough memory space in the file
>>> card-flex.c:986:flex_create_file: Card returned error: Card command
>>> failed
>>> card.c:536:sc_create_file: returning with: Card command failed
>>>
>>> I haven't messed with profile yet, what should I "tune"? :) I expect
>>> it to be able to store at least what ikey3K could (5 chains)
>>>
>>> Jan
>>>
>>> Stef Hoeben wrote:
>>>
>>>> Hi,
>>>>
>>>> it seems there's still a PIN file present (the 0000 one) that couldn't
>>>> be deleted because 5016 and 0100 are in the way (Cryptoflex -> deletion
>>>> must be done in reverse order of creation...).
>>>>
>>>> So if you are sure you don't need the 0100 file and the 5016 DF,
>>>> (better check out what it contains) you could do:
>>>>
>>>> opensc-explorer
>>>> verify AUT1 2C:15:E5:26:E9:3E:8A:19
>>>> delete 5016
>>>> delete 0100
>>>> delete 0000
>>>>
>>>> After that, "pkcs15-init -CT ..." should work fine.
>>>>
>>>> If you do need these, you'll have to find out which is the PUK and
>>>> pin ref
>>>> in the 0000 PIN file and unblock that PIN...
>>>>
>>>> Note: NEVER delete the 0011 and 0002 files!!
>>>>
>>>> Good luck,
>>>> Stef
>>>>
>>>> Jan Schermer wrote:
>>>>
>>>>> Here you go:
>>>>>
>>>>> OpenSC Explorer version 0.9.6
>>>>> OpenSC [3F00]> verify AUT1 2C:15:E5:26:E9:3E:8A:19
>>>>> Code correct.
>>>>> OpenSC [3F00]> ls
>>>>> FileID  Type  Size
>>>>> 0011    wEF    38
>>>>> 0002    wEF     8
>>>>> 0000    wEF    23
>>>>> 0100    wEF    23
>>>>> [5016]    DF     0
>>>>> OpenSC [3F00]>
>>>>>
>>>>> Jan
>>>>>
>>>>> Stef Hoeben wrote:
>>>>>
>>>>>> Hm, maybe the pkcs15-init -ET didn't work?
>>>>>>
>>>>>> Could you try after "pkcs15-init -ET" the following:
>>>>>> opensc-explorer
>>>>>>  verify AUT1 2C:15:E5:26:E9:3E:8A:19
>>>>>>  ls
>>>>>>
>>>>>> and send us the output?
>>>>>>
>>>>>> Cheers,
>>>>>> Stef
>>>>>>
>>>>>>
>>>>>> Jan Schermer wrote:
>>>>>>
>>>>>>> The debug file is output of:
>>>>>>>
>>>>>>> pkcs15-init -P -a 01 -v -v -v -v -v -v -v -v -v -v -v -v -v -v
>>>>>>> 2>debug.log
>>>>>>>
>>>>>>> SO-PIN for Cryptoflex is in the ToDo and doesn't work here.
>>>>>>> OpenSC-0.9.6, OpenCT-0.6.6. I'm using USB e-gate + cryptoflex.
>>>>>>>
>>>>>>> If you want and are willing and able to debug it, I'd be happy
>>>>>>> to give you shell access to a machine with token connected.
>>>>>>>
>>>>>>> If I do initialisation as you wrote:
>>>>>>>
>>>>>>> With SOPIN:
>>>>>>> zviratko@kocicka ~ $ pkcs15-init -ET
>>>>>>> zviratko@kocicka ~ $ pkcs15-init -CT --so-pin 123456 --so-puk
>>>>>>> 123456
>>>>>>> sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
>>>>>>> pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN
>>>>>>> (ref=0x2)
>>>>>>> Failed to create PKCS #15 meta structure: PIN code or key incorrect
>>>>>>>
>>>>>>> And without SOPIN:
>>>>>>> zviratko@kocicka ~ $ pkcs15-init -ET
>>>>>>> zviratko@kocicka ~ $ pkcs15-init -CT --pin 1234 --puk 1234 -p
>>>>>>> pkcs15+onepin
>>>>>>> iso7816.c:98:iso7816_check_sw: Authentication method blocked
>>>>>>> sec.c:204:sc_pin_cmd: returning with: Authentication method blocked
>>>>>>> pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN
>>>>>>> (ref=0x1)
>>>>>>> Failed to create PKCS #15 meta structure: Authentication method
>>>>>>> blocked
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Jan
>>>>>>>
>>>>>>>
>>>>>>> Stef Hoeben wrote:
>>>>>>>
>>>>>>>> Hi Jan,
>>>>>>>>
>>>>>>>> SO-PIN is supported on Cryptoflex.
>>>>>>>>
>>>>>>>> Not sure what went wrong (or from what the attached log file
>>>>>>>> came),
>>>>>>>> but the following works here:
>>>>>>>>
>>>>>>>> * with SO pin:
>>>>>>>>    pkcs15-init -ET
>>>>>>>>    pkcs15-init -CT --so-pin 123456 --so-puk 123456
>>>>>>>>    pkcs15-init -PT --so-pin 123456 -a 1 --pin 1234 --puk 1234
>>>>>>>>
>>>>>>>> * without SO pin (only user PIN):
>>>>>>>>    pkcs15-init -ET
>>>>>>>>    pkcs15-init -CT --pin 1234 --puk 1234 -p pkcs15+onepin
>>>>>>>>
>>>>>>>> If it doesn't work, pls. make sure the previous commands
>>>>>>>> succeeded,
>>>>>>>> and send us a log containing only the command that failed.
>>>>>>>>
>>>>>>>> (PS: the "User unblocking PIN" seems to be a typo -- should be
>>>>>>>> "SO unblocking PIN")
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>> Stef
>>>>>>>>
>>>>>>>> Jan Schermer wrote:
>>>>>>>>
>>>>>>>>> And the log attached this time.... sorry
>>>>>>>>>
>>>>>>>>> Jan Schermer wrote:
>>>>>>>>>
>>>>>>>>>> I figured out that SO-PIN is not supported on Cryptoflex, but
>>>>>>>>>> it still doesn't work:
>>>>>>>>>>
>>>>>>>>>> New User PIN.
>>>>>>>>>> Please enter User PIN: 123456
>>>>>>>>>> Please type again to verify: 123456
>>>>>>>>>> Unblock Code for New User PIN (Optional - press return for no
>>>>>>>>>> PIN).
>>>>>>>>>> Please enter User unblocking PIN (PUK): 123456
>>>>>>>>>> Please type again to verify: 123456
>>>>>>>>>> Failed to store PIN: PIN code or key incorrect
>>>>>>>>>>
>>>>>>>>>> attached is the debug.log with a lot of -vvs
>>>>>>>>>>
>>>>>>>>>> Transport key is correct (checked by using a wrong one).
>>>>>>>>>>
>>>>>>>>>> What's the problem here?
>>>>>>>>>>
>>>>>>>>>> I also tried pkcs15+onepin profile, with no effect.
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>> Jan
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Jan Schermer wrote:
>>>>>>>>>>
>>>>>>>>>>> So I got my new cryptoflex + e-gate
>>>>>>>>>>>
>>>>>>>>>>> But I've got a problem
>>>>>>>>>>>
>>>>>>>>>>> pkcs15-init -ET finishes successfully
>>>>>>>>>>>
>>>>>>>>>>> pkcs15-init -CT says:
>>>>>>>>>>>
>>>>>>>>>>> New Security Officer PIN (Optional - press return for no PIN).
>>>>>>>>>>> Please enter Security Officer PIN:
>>>>>>>>>>> Please type again to verify:
>>>>>>>>>>> Unblock Code for New User PIN (Optional - press return for
>>>>>>>>>>> no PIN).
>>>>>>>>>>> Please enter User unblocking PIN (PUK):
>>>>>>>>>>> Please type again to verify:
>>>>>>>>>>> iso7816.c:98:iso7816_check_sw: Authentication method blocked
>>>>>>>>>>> sec.c:204:sc_pin_cmd: returning with: Authentication method
>>>>>>>>>>> blocked
>>>>>>>>>>> pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify
>>>>>>>>>>> PIN (ref=0x2)
>>>>>>>>>>> Failed to create PKCS #15 meta structure: Authentication
>>>>>>>>>>> method blocked
>>>>>>>>>>>
>>>>>>>>>>> what might be the problem here? I have another two cards
>>>>>>>>>>> here, but I'm not willing to try with them in case I
>>>>>>>>>>> destructed it...
>>>>>>>>>>>
>>>>>>>>>>> Thanks
>>>>>>>>>>>

Re: Cryptoflex problems

Jan Schermer
Hi,
it does not make the slightest difference, I tried messing with all sizes I could find. I can store two certs under one PIN (after tweaking), but no more.

Normally, I can create 3 PINs, but no certs can be stored afterwards (not enough memory space in file), or 2 PINs and one cert.

Opensc explorer returns:

OpenSC Explorer version 0.9.6
OpenSC [3F00]>  verify AUT1 2C:15:E5:26:E9:3E:8A:19
Code correct.
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> info

Dedicated File  ID 5015

File path:     3F00/5015
File size:     120 bytes
ACL for SELECT:          N/A
ACL for LOCK:            N/A
ACL for DELETE:          NONE
ACL for CREATE:          CHV2
ACL for REHABILITATE:    N/A
ACL for INVALIDATE:      N/A
ACL for LIST FILES:      NONE

OpenSC [3F00/5015]> ls
FileID  Type  Size
 0100    wEF    23
 4401    wEF   256
 5031    wEF   256
 5032    wEF    48
 4946    wEF   128
[4B01]    DF     0
[4B02]    DF  1356
[4B03]    DF  1356
 4402    wEF   256
 4545    wEF   657
 4404    wEF   512
 4546    wEF   835

Jan


Stef Hoeben wrote:
(Sorry, I missed your previous mail).

Does it help to change
          size    = 7500;
in flex.profile into
         size    = 20000;
(or something else below 31000)?

If not, could you use opensc-explorer to do a "cd 5015" and "info" and "ls"
and send us the results?

Cheers,
Stef

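The reverse-order deletion rule Stef describes and the `ls` listings Jan posts, worked through as an added example (not code from OpenSC or from anyone in this thread): it parses opensc-explorer `ls` output, plans the deletes needed to remove one file, and totals the Size column. It assumes `ls` lists files in creation order, which matches the listing and delete order quoted in the thread; the function names are made up for this example.

```python
import re
from typing import NamedTuple

# Constructed sample input: the two opensc-explorer listings quoted in this thread.
LS_3F00 = """\
OpenSC [3F00]> ls
FileID  Type  Size
0011    wEF    38
0002    wEF     8
0000    wEF    23
0100    wEF    23
[5016]    DF     0
OpenSC [3F00]>
"""

LS_5015 = """\
OpenSC [3F00/5015]> ls
FileID  Type  Size
 0100    wEF    23
 4401    wEF   256
 5031    wEF   256
 5032    wEF    48
 4946    wEF   128
[4B01]    DF     0
[4B02]    DF  1356
[4B03]    DF  1356
 4402    wEF   256
 4545    wEF   657
 4404    wEF   512
 4546    wEF   835
"""

# File IDs the thread says must never be deleted.
PROTECTED = frozenset({"0011", "0002"})

# One listing row: optional [brackets] around a 4-hex-digit ID, a type, a size.
_ROW = re.compile(r"^\s*\[?([0-9A-Fa-f]{4})\]?\s+(\S+)\s+(\d+)\s*$")


class Entry(NamedTuple):
    file_id: str
    kind: str
    size: int


def parse_ls(text):
    """Return the listing rows in order; prompts and the header are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            entries.append(Entry(m.group(1).upper(), m.group(2), int(m.group(3))))
    return entries


def delete_plan(entries, target, protected=PROTECTED):
    """IDs to delete, in order, so that `target` can be removed.

    Assumption: listing order is creation order. Everything created after
    the target is in the way and has to go first, newest first. The plan is
    refused if the target or anything in the way is a protected file.
    """
    ids = [e.file_id for e in entries]
    if target not in ids:
        raise ValueError(f"{target} is not in the listing")
    plan = list(reversed(ids[ids.index(target):]))
    blocked = [fid for fid in plan if fid in protected]
    if blocked:
        raise ValueError(f"refusing: plan would delete protected file(s) {blocked}")
    return plan


def explorer_commands(plan):
    """Render a plan as the lines to type at the opensc-explorer prompt."""
    return [f"delete {fid}" for fid in plan]


def listed_bytes(entries):
    """Total of the Size column, a figure to set beside the profile's size value."""
    return sum(e.size for e in entries)


if __name__ == "__main__":
    root = parse_ls(LS_3F00)
    for cmd in explorer_commands(delete_plan(root, "0000")):
        print(cmd)
    print("bytes listed under 5015:", listed_bytes(parse_ls(LS_5015)))
```

The total only sums what `ls` reports; any per-file overhead the card adds is not visible in the listing and is not counted.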

Re: Cryptoflex problems

Jan Schermer
In reply to this post by Stef Hoeben-2
Yes, deleting the files solved the problem and made the card useable.

I am storing files with pkcs15-init -S. pkcs15-init -X (which I would expect to be the right thing to do) says that PKCS12 is not supported, pkcs15-init -W says "Not enough memory space in the file" right after asking for SO-PIN (tried with size=7500 and 20000). Should I try it with PEM and -X? Or -W? (what is the right format for that option?)

opensc-error contains only (after trying to store the second cert.):

iso7816.c:98:iso7816_check_sw: Not enough memory space in the file
card-flex.c:986:flex_create_file: Card returned error: Card command failed
card.c:536:sc_create_file: returning with: Card command failed

I also have a 300KiB debug.log, but I will not send it to the list (I assume it contains f.e. my .p12 passphrase and keys in hex...), please tell me if you want it.

Jan

Stef Hoeben wrote:
Hi,

so you deleted the files and dir as I proposed?

And then you did "pkcs15-init -CT" and "pkcs15-init -PT",

And then you are trying to store certs with "pkcs15-init -S" or "pkcs15-init -X",
and this fails? Could you tell us the exact commands you used and the error
code (and if possible opensc-errors.log)?

Cheers,
Stef


Re: Cryptoflex problems

Jan Schermer
In reply to this post by Jan Schermer
Nope, no details on sizes, just general usage (but otherwise very nice
guide).

I can see which file is too small, but I don't really know what to
change (and where), I tried trial-error method without much success... :/

What exactly should I try with ID's? Should I give it a fixed random
one, different for each? But I don't think that's the problem, as
tweaking sizes solves the problem partially (I can store 2 certs upon
tweaking).

I haven't bought those cards directly from Axalto, but the company said
they purchased it from there and haven't touched it.

Thanks

Jan

Andreas Jellinghaus wrote:

>Nils wrote the pkcs15init guide, but I'm not sure if it covers
>the details of changing profiles.
>
>basically you can increase the debugging to see which file is
>too small and then edit the profiles for that file.
>
>also you might need to set id's when adding so many files / keys / certs:
>usually some offset + id results in the final object id, and those
>need to be unique, as far as I know.
>
>someone wanted to improve the situation and allocate the file ids
>dynamically, but so far I haven't seen code for that.
>
>btw: no idea why your card came with funny files.
>all cards I have came entirely blank - hmm, maybe didn't check
>but at least none of them caused any problem.
>
>Andreas

Re: Cryptoflex problems

Stef Hoeben-2
Hi,

if you'd give me the commands you do (and if possible the keys/certs
or otherwise their key lengths), I'll try to reproduce it tonight.

Cheers,
Stef

Jan Schermer wrote:

> Nope, no details on sizes, just general usage (but otherwise very nice
> guide).
>
> I can see which file is too small, but I don't really know what to
> change (and where), I tried trial-error method without much success... :/
>
> What exactly should I try with ID's? Should I give it a fixed random
> one, different for each? But I don't think that's the problem, as
> tweaking sizes solves the problem partially (I can store 2 certs upon
> tweaking).
>
> I haven't bought those cards directly from Axalto, but the company
> said they purchased it from there and haven't touched it.
>
> Thanks
>
> Jan
>
> Andreas Jellinghaus wrote:
>
>> Nils wrote the pkcs15init guide, but I'm not sure if it covers
>> the details of changing profiles.
>>
>> basically you can increase the debugging to see which file is
>> too small and then edit the profiles for that file.
>>
>> also you might need to set id's when adding so many files / keys /
>> certs:
>> usually some offset + id results in the final object id, and those
>> need to be unique, as far as I know.
>>
>> someone wanted to improve the situation and allocate the file ids
>> dynamically, but so far I haven't seen code for that.
>>
>> btw: no idea why your card came with funny files.
>> all cards I have came entirely blank - hmm, maybe didn't check
>> but at least none of them caused any problem.
>>
>> Andreas

Re: Cryptoflex problems

Jan Schermer
Sorry, I can't give you my certs :( But basically they are all in pkcs12
format, 4 from Thawte, one from CACert, all RSA/1024. But it doesn't
really matter, I can't store more than any two of them. They are all
chained, every single one contains Thawte root, Thawte intermediate, my
cert. Thawte root and intermediate gets stored once only.

I'll be happy if I could store at least 3 of them on one card.

Thanks
Jan


Stef Hoeben wrote:

> Hi,
>
> if you'd give me the commands you do (and if possible the keys/certs
> or otherwise their key lengths), I'll try to reproduce it tonight.
>
> Cheers,
> Stef
>
> Jan Schermer wrote:
>
>> Nope, no details on sizes, just general usage (but otherwise very
>> nice guide).
>>
>> I can see which file is too small, but I don't really know what to
>> change (and where), I tried trial-error method without much
>> success... :/
>>
>> What exactly should I try with ID's? Should I give it a fixed random
>> one, different for each? But I don't think that's the problem, as
>> tweaking sizes solves the problem partially (I can store 2 certs upon
>> tweaking).
>>
>> I haven't bought those cards directly from Axalto, but the company
>> said they purchased it from there and haven't touched it.
>>
>> Thanks
>>
>> Jan
>>
>> Andreas Jellinghaus wrote:
>>
>>> Nils wrote the pkcs15init guide, but I'm not sure if it covers
>>> the details of changing profiles.
>>>
>>> basically you can increase the debugging to see which file is
>>> too small and then edit the profiles for that file.
>>>
>>> also you might need to set id's when adding so many files / keys /
>>> certs:
>>> usually some offset + id results in the final object id, and those
>>> need to be unique, as far as I know.
>>>
>>> someone wanted to improve the situation and allocate the file ids
>>> dynamically, but so far I haven't seen code for that.
>>>
>>> btw: no idea why your card came with funny files.
>>> all cards I have came entirely blank - hmm, maybe didn't check
>>> but at least none of them caused any problem.
>>>
>>> Andreas

Re: Cryptoflex problems

Andreas Jellinghaus-2
On Thursday 13 October 2005 11:59, Jan Schermer wrote:
> Sorry, I can't give you my certs :( But basically they are all in pkcs12
> format, 4 from Thawte, one from CACert, all RSA/1024. But it doesn't
> really matter, I can't store more than any two of them. They are all
> chained, every single one contains Thawte root, Thawte intermediate, my
> cert. Thawte root and intermediate gets stored once only.
>
> I'll be happy if I could store at least 3 of them on one card.

I'm registered with thawte too, so I could generate a few certificates.

can you write down the exact sequence?
something like

pkcs15-init -ET
pkcs15-init -CT
pkcs15-init -P -a 01 --label "me number one" --pin 123456
pkcs15-init -P -a 02 --label "me number two" --pin 234561
pkcs15-init -P -a 03 --label "me number three" --pin 345612
pkcs15-init -P -a 04 --label "me number four" --pin 456123
pkcs15-init -S file1.p12 --format pkcs12 -a 01 --pin 123456
pkcs15-init -S file2.p12 --format pkcs12 -a 02 --pin 123456
pkcs15-init -S file3.p12 --format pkcs12 -a 03 --pin 123456
pkcs15-init -S file4.p12 --format pkcs12 -a 04 --pin 123456

and each file contains:
 - private rsa key 1024 bit,
 - certificate for the key
 - middle cert
 - ca cert

right?

so we can create some dummy test data / keys / certs and
thus simulate what you are doing.

Regards, Andreas
p.s. and we can even make it a regression test so we can
try that on all keys and every time we test a new release.

Re: Cryptoflex problems

Jan Schermer
Hi,

I sent this to Stef:

I initialize the card like this:

pkcs15-init -ET
pkcs15-init -CT
pkcs15-init -T -P -a 01 --label Zviratko1
pkcs15-init -T -S file.p12 -a 01 -f PKCS12

and then I tried both:
a) pkcs15-init -T -P -a 02 --label Zviratko2
   pkcs15-init -T -S file2.p12 -a 02 -f PKCS12

and
b) pkcs15-init -T -S file2.p12 -a 01 -f PKCS12

I hit the limit either way.

The files are exports of Thawte-generated email certificates from Firefox (pkcs12 format). They contain Thawte root authority, Thawte intermediate authority and my own cert+key.

I'm pretty surprised there is such a big difference between what ikey3k can store and what cryptoflex can store, I only wonder if it's profile inefficiency or card inefficiency... we'll see ;)

Thanks

Jan


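Added example (not part of the thread and not OpenSC code): one way to build the dummy test data Andreas suggests, matching the layout Jan describes, with each PKCS#12 file holding an RSA/1024 key, its certificate, an intermediate CA and a root CA. The function names, file names, subject names and the password "test" are assumptions chosen for illustration.

```shell
# Added example: constructed test data, not from the thread.
# Builds a dummy root CA, an intermediate CA and COUNT user certificates
# (RSA/1024 as in the thread), each bundled as fileN.p12 with the chain.
# Directory layout, subject names and the password are assumptions.
q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status

make_test_p12() {
    out=$1; count=$2; pass=${3:-test}; bits=${4:-1024}
    mkdir -p "$out" || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$out/ca.ext"
    # Self-signed root CA
    q openssl req -new -newkey "rsa:$bits" -nodes -subj "/CN=Dummy Root CA" \
        -keyout "$out/root.key" -out "$out/root.csr" || return 1
    q openssl x509 -req -in "$out/root.csr" -signkey "$out/root.key" \
        -extfile "$out/ca.ext" -days 30 -out "$out/root.crt" || return 1
    # Intermediate CA signed by the root
    q openssl req -new -newkey "rsa:$bits" -nodes -subj "/CN=Dummy Intermediate CA" \
        -keyout "$out/int.key" -out "$out/int.csr" || return 1
    q openssl x509 -req -in "$out/int.csr" -CA "$out/root.crt" -CAkey "$out/root.key" \
        -set_serial 1 -extfile "$out/ca.ext" -days 30 -out "$out/int.crt" || return 1
    cat "$out/int.crt" "$out/root.crt" > "$out/chain.pem"
    i=1
    while [ "$i" -le "$count" ]; do
        q openssl req -new -newkey "rsa:$bits" -nodes -subj "/CN=Dummy User $i" \
            -keyout "$out/user$i.key" -out "$out/user$i.csr" || return 1
        q openssl x509 -req -in "$out/user$i.csr" -CA "$out/int.crt" \
            -CAkey "$out/int.key" -set_serial "$i" -days 30 \
            -out "$out/user$i.crt" || return 1
        q openssl pkcs12 -export -inkey "$out/user$i.key" -in "$out/user$i.crt" \
            -certfile "$out/chain.pem" -name "dummy user $i" \
            -passout "pass:$pass" -out "$out/file$i.p12" || return 1
        i=$((i + 1))
    done
}

# Number of certificates inside one bundle (user cert plus the two CA certs)
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# DER size of a certificate in bytes, for comparison against free card space
cert_der_size() {
    openssl x509 -in "$1" -outform DER | wc -c | tr -d ' '
}
```

The resulting file1.p12 to file4.p12 can stand in for the real exports in the pkcs15-init -S commands quoted above, so the storage limit can be reproduced without sharing private certificates.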