Loading a certificate using Mozilla+OpenSC+GPK fails?

Hello,

I am trying to load a certificate from Mozilla (version 1.7.8) and that fails.

I am using a GPK card initialised using:
$ pkcs15-init --verbose --erase-card
$ pkcs15-init --verbose --create-pkcs15 --so-pin 1234 --so-puk 4321
--use-default-transport-keys --profile pkcs15+onepin

The logs are:
[...]
pkcs15-lib.c:2669:sc_pkcs15init_authenticate: path=3f005015, op=3
card.c:574:sc_create_file: called; type=2, path=3f00501530c3, size=516
card-gpk.c:856:gpk_create_file: gpk_create_file(0x30C3)
card.c:247:sc_transmit_apdu: called
card.c:214:sc_transceive: Sending 17 bytes (resp. 258 bytes):
80 E0 02 00 0C 30 C3 2C 00 02 04 40 A0 40 A0 00 .à...0Ã,...@ @ .
00                                              .
card.c:267:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)
card.c:579:sc_create_file: returning with: 0
card.c:734:sc_select_file: called; type=2, path=3f00501530c3
card-gpk.c:619:gpk_select_file: called
card-gpk.c:580:gpk_select_id: gpk_select_id(0x30C3, kind=2)
card.c:247:sc_transmit_apdu: called
card.c:214:sc_transceive: Sending 8 bytes (resp. 258 bytes):
00 A4 02 00 02 30 C3 00 .€...0Ã.
card.c:267:sc_transmit_apdu: Received 0 bytes (SW1=61 SW2=12)
card.c:247:sc_transmit_apdu: called
card.c:214:sc_transceive: Sending 5 bytes (resp. 258 bytes):
00 C0 00 00 12 .À...
card.c:267:sc_transmit_apdu: Received 18 bytes (SW1=90 SW2=00)
85 10 42 07 30 C3 2C 00 02 04 40 A0 40 A0 00 00 ..B.0Ã,...@ @ ..
00 62                                           .b
iso7816.c:591:iso7816_get_response: returning with: 18
card.c:756:sc_select_file: returning with: 0
pkcs15-lib.c:2669:sc_pkcs15init_authenticate: path=3f00501530c3, op=1
misc.c:80:sc_to_cryptoki_error: opensc error: Requested object not found (-1407)
pkcs11-session.c:131:C_CloseSession: C_CloseSession(6)

I also tried without the onepin option but without much success.

I have no problem to load and use the certificate using:
$ pkcs15-init --store-private-key ~/[hidden email]-cert.p12
--format pkcs12 --auth-id 01 --use-default-transport-keys --pin 1234
--passphrase xxxxxx

I can load the certificate using another PCSC#11 token and another
card so Mozilla can load a certificate but the combination Mozilla +
OpenSC + GPK fails.

What am I doing wrong? Is it something missing in OpenSC libpkcs11.so?

Thanks,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Ah, you want to store key + cert using mozilla?
never worked for me, but it worked for stef under windows.

But I think the trunk code has many improvements in that
area, so with trunk it should work.
did you test with trunk or opensc 0.9.6?

Regards, Andreas
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

On 07/06/05, Andreas Jellinghaus [c] <[hidden email]> wrote:
> Ah, you want to store key + cert using mozilla?
> never worked for me, but it worked for stef under windows.
>
> But I think the trunk code has many improvements in that
> area, so with trunk it should work.
> did you test with trunk or opensc 0.9.6?

Mozilla 1.7.8 and OpenSC trunk.

I used pkcs11-spy to log the PKCS#11 and it fails on:

188: C_CreateObject
[in] hSession = 0x7
[in] pTemplate[14]:
    CKA_CLASS             CKO_PRIVATE_KEY      
    CKA_KEY_TYPE          CKK_RSA            
    CKA_TOKEN             True
    CKA_PRIVATE           True
    CKA_SENSITIVE         True
    CKA_ID                [size : 0x14 (20)]
    E5B8C9D5 66450B09 71DF07A1 91DB03B5 7AF893B3
    CKA_MODULUS           [size : 0x80 (128)]
    CKA_PRIVATE_EXPONENT  [size : 0x80 (128)]
    CKA_PUBLIC_EXPONENT   [size : 0x3 (3)]
    010001
    CKA_PRIME_1           [size : 0x40 (64)]
    CKA_PRIME_2           [size : 0x40 (64)]
    CKA_EXPONENT_1        [size : 0x40 (64)]
    CKA_EXPONENT_2        [size : 0x40 (64)]
    CKA_COEFFICIENT       [size : 0x40 (64)]
Returned:  5 CKR_GENERAL_ERROR

The error comes from
framework-pkcs15.c:1376:pkcs15_gen_keypair: sc_pkcs15init_generate_key
returned -1407

I looked at pkcs11/framework-pkcs15.c function pkcs15_gen_keypair()
and the code tries to either generate the key on card or in software.
It is not possible to use a key pair from a PKCS#12 certificate?

I also had a look at do_store_private_key() in tools/pkcs15-init.c and
it uses a completely different code.

Someting is missing in pkcs15_gen_keypair()?

Thanks,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Hi,

generating a keypair + signing a cert request + storing a cert should
work with
OpenSC (trunk) if you are using the "onepin profile" (you could test with
pkcs11-tool --moz-cert <cert_in_der_format> --pin 1234)

I never tried storing a pkcs12 file (but I thought Andreas used to do
this:-)

Anyway, C_CreateObject(CKO_PRIVATE_KEY ) shouldn't call
sc_pkcs15init_generate_key(), so there's something strange happening..

Best regards,
Stef

Ludovic Rousseau wrote:

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Hello,

Maybe I should migrate this thread to the opensc-devel list now?

On 07/06/05, Stef Hoeben <[hidden email]> wrote:
> generating a keypair + signing a cert request + storing a cert should
> work with
> OpenSC (trunk) if you are using the "onepin profile" (you could test with
> pkcs11-tool --moz-cert <cert_in_der_format> --pin 1234)

Maybe but I don't want to do that. I don't want to generate the
keypair onboard by the card but use a keypair from an already existing
PKCS#12 certificate.

> I never tried storing a pkcs12 file (but I thought Andreas used to do
> this:-)

So nobody tried to load a .p12 file using OpenSC? :-}

> Anyway, C_CreateObject(CKO_PRIVATE_KEY ) shouldn't call
> sc_pkcs15init_generate_key(), so there's something strange happening..

In the same logs I also have a call to C_CreateObject() with the key
pair as parameter. But this call also fails. I think I mixed the
output from pkcs11-spy and the opensc debug output.

I added a lot of traces and go down to do_get_and_verify_secret() in
pkcs15-lib.c. This function returns Requested object not found (-1407)
and then the call to pkcs15_create_object() returns with 5
CKR_GENERAL_ERROR.

My trace log contains:
pkcs15-gpk.c:584:gpk_pkfile_create: POUET
pkcs15-lib.c:2706:sc_pkcs15init_authenticate: path=3f00501530c3, op=1
pkcs15-lib.c:2587:do_verify_pin: POUET
pkcs15-lib.c:2435:do_get_and_verify_secret: POUET 143931648
pkcs15-lib.c:2442:do_get_and_verify_secret: POUET 143931648
pkcs15-lib.c:2448:do_get_and_verify_secret: POUET 143931648
pkcs15-lib.c:2497:do_get_and_verify_secret: POUET PIN 143931648
pkcs15-lib.c:2505:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2520:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2524:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2543:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2727:sc_pkcs15init_authenticate: POUET -1407
pkcs15-gpk.c:588:gpk_pkfile_create: POUET -1407
pkcs15-gpk.c:446:gpk_create_key: POUET
misc.c:80:sc_to_cryptoki_error: opensc error: Requested object not found (-1407)
framework-pkcs15.c:1210:pkcs15_create_object: POUET 5

Is do_get_and_verify_secret() supposed to return with an error?

Thanks,

--
  Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

On Wednesday 08 June 2005 11:50, Ludovic Rousseau wrote:
> So nobody tried to load a .p12 file using OpenSC? :-}

the regression test does this all the time, so I have done it
gazillion of times! but it uses pkcs15-init -S file.p12 --format pkcs12
and not the opensc-pkcs11.so / pkcs11-tool tool interface.

Andreas
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user