Hello,
I am trying to load a certificate from Mozilla (version 1.7.8) and that fails.
I am using a GPK card initialised using:

$ pkcs15-init --verbose --erase-card
$ pkcs15-init --verbose --create-pkcs15 --so-pin 1234 --so-puk 4321 --use-default-transport-keys --profile pkcs15+onepin

The logs are:

[...]
pkcs15-lib.c:2669:sc_pkcs15init_authenticate: path=3f005015, op=3
card.c:574:sc_create_file: called; type=2, path=3f00501530c3, size=516
card-gpk.c:856:gpk_create_file: gpk_create_file(0x30C3)
card.c:247:sc_transmit_apdu: called
card.c:214:sc_transceive: Sending 17 bytes (resp. 258 bytes):
80 E0 02 00 0C 30 C3 2C 00 02 04 40 A0 40 A0 00 .à...0Ã,...@ @ .
00 .
card.c:267:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)
card.c:579:sc_create_file: returning with: 0
card.c:734:sc_select_file: called; type=2, path=3f00501530c3
card-gpk.c:619:gpk_select_file: called
card-gpk.c:580:gpk_select_id: gpk_select_id(0x30C3, kind=2)
card.c:247:sc_transmit_apdu: called
card.c:214:sc_transceive: Sending 8 bytes (resp. 258 bytes):
00 A4 02 00 02 30 C3 00 .€...0Ã.
card.c:267:sc_transmit_apdu: Received 0 bytes (SW1=61 SW2=12)
card.c:247:sc_transmit_apdu: called
card.c:214:sc_transceive: Sending 5 bytes (resp. 258 bytes):
00 C0 00 00 12 .À...
card.c:267:sc_transmit_apdu: Received 18 bytes (SW1=90 SW2=00)
85 10 42 07 30 C3 2C 00 02 04 40 A0 40 A0 00 00 ..B.0Ã,...@ @ ..
00 62 .b
iso7816.c:591:iso7816_get_response: returning with: 18
card.c:756:sc_select_file: returning with: 0
pkcs15-lib.c:2669:sc_pkcs15init_authenticate: path=3f00501530c3, op=1
misc.c:80:sc_to_cryptoki_error: opensc error: Requested object not found (-1407)
pkcs11-session.c:131:C_CloseSession: C_CloseSession(6)

I also tried without the onepin option but without much success.

I have no problem loading and using the certificate with:

$ pkcs15-init --store-private-key ~/[hidden email]-cert.p12 --format pkcs12 --auth-id 01 --use-default-transport-keys --pin 1234 --passphrase xxxxxx

I can load the certificate using another PKCS#11 token and another card, so Mozilla can load a certificate, but the combination Mozilla + OpenSC + GPK fails.

What am I doing wrong? Is something missing in OpenSC libpkcs11.so?

Thanks,
--
Dr. Ludovic Rousseau
For private mail use [hidden email] and not "big brother" Google

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user
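The APDU exchange in the trace above (SELECT FILE answered with SW1=61 SW2=12, then GET RESPONSE with Le=0x12 returning 18 bytes) is easier to follow with a small decoder. The script below is an added example, not code from the post or from OpenSC: it pairs each sc_transceive "Sending" line with the following "Received" status word, names the INS byte, decodes the status per ISO 7816-4, and checks that every 61xx status is answered by a matching GET RESPONSE. The sample log is constructed from the lines quoted above; the INS and status-word names are the standard ISO ones, not OpenSC's.

```python
import re
# Constructed sample modelled on the OpenSC trace quoted above (hex rows end with an ASCII column).
SAMPLE_LOG = """\
card.c:214:sc_transceive: Sending 17 bytes (resp. 258 bytes):
80 E0 02 00 0C 30 C3 2C 00 02 04 40 A0 40 A0 00 .a...0A,...@ @ .
00 .
card.c:267:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)
card.c:214:sc_transceive: Sending 8 bytes (resp. 258 bytes):
00 A4 02 00 02 30 C3 00 .....0A.
card.c:267:sc_transmit_apdu: Received 0 bytes (SW1=61 SW2=12)
card.c:214:sc_transceive: Sending 5 bytes (resp. 258 bytes):
00 C0 00 00 12 .A...
card.c:267:sc_transmit_apdu: Received 18 bytes (SW1=90 SW2=00)
"""
SEND = re.compile(r"Sending (\d+) bytes \(resp\. \d+ bytes\):(.*)")
RECV = re.compile(r"Received (\d+) bytes \(SW1=([0-9A-Fa-f]{2}) SW2=([0-9A-Fa-f]{2})\)")
INS = {0xA4: "SELECT FILE", 0xC0: "GET RESPONSE", 0xE0: "CREATE FILE", 0x20: "VERIFY"}
SW_TABLE = {0x6A82: "file or object not found", 0x6982: "security status not satisfied"}

def decode_sw(sw):  # short ISO 7816-4 meaning of a 16-bit status word
    if sw == 0x9000:
        return "OK"
    if sw >> 8 == 0x61:  # data waiting: the card expects GET RESPONSE with Le = SW2
        return f"OK, {sw & 0xFF} response bytes pending (issue GET RESPONSE)"
    return SW_TABLE.get(sw, f"error {sw:04X}")

def parse_exchanges(log):  # pair each 'Sending' APDU (hex may span rows) with its status word
    exchanges, need, buf = [], 0, []
    for line in log.splitlines():
        m = SEND.search(line)
        if m:  # new command; the announced byte count says how much hex to collect
            need, buf, line = int(m.group(1)), [], m.group(2)
        r = RECV.search(line)
        if r and need:
            apdu, sw = bytes(buf[:need]), int(r.group(2) + r.group(3), 16)
            exchanges.append({"cla": apdu[0], "ins": INS.get(apdu[1], f"INS {apdu[1]:02X}"), "apdu": apdu,
                              "received": int(r.group(1)), "sw": sw, "meaning": decode_sw(sw)})
            need = 0
        elif need and len(buf) < need:  # dump rows; only exact two-hex-digit tokens count, capped by need
            buf += [int(t, 16) for t in line.split() if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
    return exchanges

def check_get_response(exchanges):  # flag a 61xx status not answered by GET RESPONSE with Le == xx
    issues = []
    for i, ex in enumerate(exchanges):
        want, nxt = ex["sw"] & 0xFF, (exchanges[i + 1] if i + 1 < len(exchanges) else None)
        if ex["sw"] >> 8 == 0x61 and (nxt is None or nxt["ins"] != "GET RESPONSE"
                                      or nxt["apdu"][4] != want or nxt["received"] != want):
            issues.append(f"exchange {i}: SW 61{want:02X} not followed by a matching GET RESPONSE")
    return issues
```

On the sample the CREATE FILE (proprietary CLA 80) and GET RESPONSE both end in 9000, and the 6112 after SELECT FILE is correctly followed by a GET RESPONSE for 18 bytes, so check_get_response() returns no issues.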
Ah, you want to store key + cert using mozilla?
Never worked for me, but it worked for Stef under Windows.

But I think the trunk code has many improvements in that area, so with trunk it should work.
Did you test with trunk or OpenSC 0.9.6?

Regards, Andreas
On 07/06/05, Andreas Jellinghaus [c] <[hidden email]> wrote:
> Ah, you want to store key + cert using mozilla?
> Never worked for me, but it worked for Stef under Windows.
>
> But I think the trunk code has many improvements in that
> area, so with trunk it should work.
> Did you test with trunk or OpenSC 0.9.6?

Mozilla 1.7.8 and OpenSC trunk.

I used pkcs11-spy to log the PKCS#11 calls and it fails on:

188: C_CreateObject
[in] hSession = 0x7
[in] pTemplate[14]:
    CKA_CLASS             CKO_PRIVATE_KEY
    CKA_KEY_TYPE          CKK_RSA
    CKA_TOKEN             True
    CKA_PRIVATE           True
    CKA_SENSITIVE         True
    CKA_ID                [size : 0x14 (20)]
        E5B8C9D5 66450B09 71DF07A1 91DB03B5 7AF893B3
    CKA_MODULUS           [size : 0x80 (128)]
    CKA_PRIVATE_EXPONENT  [size : 0x80 (128)]
    CKA_PUBLIC_EXPONENT   [size : 0x3 (3)]
        010001
    CKA_PRIME_1           [size : 0x40 (64)]
    CKA_PRIME_2           [size : 0x40 (64)]
    CKA_EXPONENT_1        [size : 0x40 (64)]
    CKA_EXPONENT_2        [size : 0x40 (64)]
    CKA_COEFFICIENT       [size : 0x40 (64)]
Returned: 5 CKR_GENERAL_ERROR

The error comes from:
framework-pkcs15.c:1376:pkcs15_gen_keypair: sc_pkcs15init_generate_key returned -1407

I looked at the pkcs11/framework-pkcs15.c function pkcs15_gen_keypair() and the code tries to either generate the key on the card or in software. Is it not possible to use a key pair from a PKCS#12 certificate?

I also had a look at do_store_private_key() in tools/pkcs15-init.c and it uses completely different code.

Is something missing in pkcs15_gen_keypair()?

Thanks,
--
Dr. Ludovic Rousseau
For private mail use [hidden email] and not "big brother" Google
Hi,
Generating a keypair + signing a cert request + storing a cert should work with OpenSC (trunk) if you are using the "onepin profile" (you could test with pkcs11-tool --moz-cert <cert_in_der_format> --pin 1234).

I never tried storing a pkcs12 file (but I thought Andreas used to do this :-)

Anyway, C_CreateObject(CKO_PRIVATE_KEY) shouldn't call sc_pkcs15init_generate_key(), so there's something strange happening..

Best regards,
Stef
Hello,
Maybe I should migrate this thread to the opensc-devel list now?

On 07/06/05, Stef Hoeben <[hidden email]> wrote:
> generating a keypair + signing a cert request + storing a cert should
> work with
> OpenSC (trunk) if you are using the "onepin profile" (you could test with
> pkcs11-tool --moz-cert <cert_in_der_format> --pin 1234)

Maybe, but I don't want to do that. I don't want to generate the keypair onboard the card but use a keypair from an already existing PKCS#12 certificate.

> I never tried storing a pkcs12 file (but I thought Andreas used to do
> this:-)

So nobody tried to load a .p12 file using OpenSC? :-}

> Anyway, C_CreateObject(CKO_PRIVATE_KEY ) shouldn't call
> sc_pkcs15init_generate_key(), so there's something strange happening..

In the same logs I also have a call to C_CreateObject() with the key pair as parameter. But this call also fails. I think I mixed the output from pkcs11-spy and the opensc debug output.

I added a lot of traces and went down to do_get_and_verify_secret() in pkcs15-lib.c. This function returns Requested object not found (-1407) and then the call to pkcs15_create_object() returns with 5 CKR_GENERAL_ERROR.

My trace log contains:

pkcs15-gpk.c:584:gpk_pkfile_create: POUET
pkcs15-lib.c:2706:sc_pkcs15init_authenticate: path=3f00501530c3, op=1
pkcs15-lib.c:2587:do_verify_pin: POUET
pkcs15-lib.c:2435:do_get_and_verify_secret: POUET 143931648
pkcs15-lib.c:2442:do_get_and_verify_secret: POUET 143931648
pkcs15-lib.c:2448:do_get_and_verify_secret: POUET 143931648
pkcs15-lib.c:2497:do_get_and_verify_secret: POUET PIN 143931648
pkcs15-lib.c:2505:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2520:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2524:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2543:do_get_and_verify_secret: POUET -1407
pkcs15-lib.c:2727:sc_pkcs15init_authenticate: POUET -1407
pkcs15-gpk.c:588:gpk_pkfile_create: POUET -1407
pkcs15-gpk.c:446:gpk_create_key: POUET
misc.c:80:sc_to_cryptoki_error: opensc error: Requested object not found (-1407)
framework-pkcs15.c:1210:pkcs15_create_object: POUET 5

Is do_get_and_verify_secret() supposed to return with an error?

Thanks,
--
Dr. Ludovic Rousseau
For private mail use [hidden email] and not "big brother" Google
On Wednesday 08 June 2005 11:50, Ludovic Rousseau wrote:
> So nobody tried to load a .p12 file using OpenSC? :-}

The regression test does this all the time, so I have done it a gazillion times! But it uses pkcs15-init -S file.p12 --format pkcs12 and not the opensc-pkcs11.so / pkcs11-tool interface.

Andreas