OpenSSL OpenSC PKCS11 engine integration with 2 smart cards


scott_thomas007
Bonjour All Users,

I have configured opensc with openssl and found this page very helpful : http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
with the following config:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

and

openssl req -config openssl.conf -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"

It is working fine for me. But the issue is that my application requires 2 smart cards. This configuration only deals with 1 smart card, and if multiple cards are attached then it will interact with the 1st card. How can I modify this to access the other card attached to my machine?

Regards
Scott Thomas


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: OpenSSL OpenSC PKCS11 engine integration with 2 smart cards

Douglas E. Engert


On 1/12/2012 9:52 PM, Scott Thomas wrote:

>         Bonjour All Users,
>
>         I have configured opensc with openssl and found this page very helpful : http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
>
>         with the following config:
>
>         openssl_conf            = openssl_def
>         [openssl_def]
>         engines = engine_section
>         [engine_section]
>         pkcs11 = pkcs11_section
>         [pkcs11_section]
>         engine_id = pkcs11
>         dynamic_path = /usr/lib/engines/engine_pkcs11.so
>         MODULE_PATH = /usr/lib/opensc-pkcs11.so
>         init = 0
>
>         and
>
>         openssl req -config openssl.conf -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
>
>         It is working fine for me. But the issue is that my application requires 2 smart cards. This configuration only deals with 1 smart card, and if multiple cards are attached then it will
>         interact with the 1st card. How can I modify this to access the other card attached to my machine?

The same engine could support more than one card by providing the slot.
The -key could be slot_nnnnnnn-id_45, where you would have to determine the slot nnnnnnn in some way.

(I have not tried an OpenSSL application using 2 cards at the same time.)



>
>         Regards
>         Scott Thomas

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: OpenSSL OpenSC PKCS11 engine integration with 2 smart cards

scott_thomas007
Bonjour Douglas E. Engert,

>>The same engine could support more then one card by providing the slot.The -key could slot_nnnnnnn-id_45 where you would have to determine the slot nnnnnnn in some way.
>>(I have not tried an OpenSSL application using 2 cards at the same time.)

I am using a Cryptoflex e-gate v4 32k card which contains 8 slots for certificates. I have tried slot0-id_45 to slot7-id_45.
On slot 0 it works fine, but slots 1-7 give an "empty slot" error, which means that the other 7 slots must work fine,
but if I try slot 8 onwards, it gives an "invalid slot number" error, from which it can be assumed that it does not work with 2 cards in this way.
I have observed one thing: when I try to sign the CSR, the read light of the 2nd smart card also blinks, but it always reads from the 1st smart card.

Any ideas or way out to interact with 2nd card?

Regards


Re: OpenSSL OpenSC PKCS11 engine integration with 2 smart cards

NdK-3
On 16/01/2012 07:29, Scott Thomas wrote:

> I am using Cryptoflex e-gate v4 32k card which contains 8 slots for
> certificates. I have tried slot0-id_45 to slot7-id_45.
> On slot 0 it works fine but from slot 1-7 it gives error of empty slot
> which means that other 7 slots will must work fine
> but if i try slot 8-onwards, it gives error of invalid slot number by
> which it can be assumed that it does not work with 2 cards in this way.
Nope. IIUC, "slot" means "PIN" (or "authentication method"). You "log
in" to a slot and then can use all the keys in that slot.
So your card could easily have just one slot, containing up to 8 keys
and certs. IIRC Aventra MyEID cards can handle 14 (15?) different PINs
(plus SO-PIN), so they could need 15 (or 16?) slots to be fully used.
In pcscd.conf you can define how many slots are available for each
reader and system-wide. IIRC by default you should have 4 slots for each
reader and up to 4 readers.
So, in your case, to use the key w/ ID 45 on the second card you should
use slot5-id_45... unless having keys with the same ID confuses the
system, even if they're in different slots.

Try:
$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L -T

BYtE,
 Diego.
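The two replies above together describe the procedure: list the slots with pkcs11-tool -L, find the slot index that holds the second card's token, and hand the engine a key of the form slot_N-id_45. The script below is an added example, not code from the thread or from the OpenSC project. It assumes (as the replies do) that the number in slot_N is the slot index as pkcs11-tool prints it in "Slot N (0x..)", and that an empty slot is reported with an "(empty)" line. The reader names, token labels and the 4-slots-per-reader layout in the sample listing are constructed so the script runs offline; on a real machine the same functions are fed the live output of pkcs11-tool.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): parse `pkcs11-tool -L`
# output, keep only slots that actually hold a token, and build the
# engine_pkcs11 key identifier "slot_<index>-id_<keyid>" for the N-th card.

# Constructed sample of
#   pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L
# for two readers with 4 slots each: one card in reader A (slot index 0)
# and one in reader B (slot index 4); every other slot is empty.
SAMPLE_SLOT_LIST='Available slots:
Slot 0 (0x0): Reader A 00 00
  token label        : Card-A (User PIN)
  token manufacturer : ConstructedVendor
  token flags        : login required, PIN initialized, token initialized
Slot 1 (0x1): Reader A 00 00
  (empty)
Slot 2 (0x2): Reader A 00 00
  (empty)
Slot 3 (0x3): Reader A 00 00
  (empty)
Slot 4 (0x4): Reader B 00 00
  token label        : Card-B (User PIN)
  token manufacturer : ConstructedVendor
  token flags        : login required, PIN initialized, token initialized
Slot 5 (0x5): Reader B 00 00
  (empty)
Slot 6 (0x6): Reader B 00 00
  (empty)
Slot 7 (0x7): Reader B 00 00
  (empty)'

# Read `pkcs11-tool -L` text on stdin and print one line per slot that holds
# a token: "<slot index> <token label>". Slots marked "(empty)" (the ones
# the engine reports as an empty slot) are skipped.
slots_with_tokens() {
  awk '
    /^Slot [0-9]+ /   { idx = $2; next }
    /^ *\(empty\)/    { idx = ""; next }
    /^ *token label/  { if (idx != "") { sub(/^[^:]*: */, ""); print idx " " $0 } }
  '
}

# Build the engine_pkcs11 key string for key ID $2 on slot index $1.
engine_key_spec() {
  printf 'slot_%s-id_%s\n' "$1" "$2"
}

# Key string for the N-th card (1-based, in slot order) that holds a token,
# for key ID $2; fails if fewer than N cards are present. Reads the
# `pkcs11-tool -L` text on stdin.
key_spec_for_card() {
  n="$1"; id="$2"
  idx=$(slots_with_tokens | awk -v n="$n" 'NR == n { print $1 }')
  [ -n "$idx" ] || { echo "no token found for card position $n" >&2; return 1; }
  engine_key_spec "$idx" "$id"
}

# Offline run against the constructed listing. On a live system replace the
# printf with:  pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L
# and pass the resulting spec to
#   openssl req -config openssl.conf -engine pkcs11 -keyform engine -key "$SPEC" ...
printf '%s\n' "$SAMPLE_SLOT_LIST" | slots_with_tokens
SPEC=$(printf '%s\n' "$SAMPLE_SLOT_LIST" | key_spec_for_card 2 45)
echo "second card key: $SPEC"
```

Selecting the card by token position rather than by a hard-coded slot number is the point: the index of the second reader's first slot depends on the per-reader slot count configured for pcscd, so a script that derives it from the listing keeps working when that configuration changes. Note that both constructed cards expose a key with ID 45; if that confuses the engine, as Diego cautions, the token label printed next to each index is the value to disambiguate on.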

Re: OpenSSL OpenSC PKCS11 engine integration with 2 smart cards

scott_thomas007
>>Nope. IIUC, "slot" means "PIN" (or "authentication method"). You "log
>>in" to a slot and then can use all the keys in that slot.
>>So your card could easily have just one slot, containing up to 8 keys
>>and certs. IIRC Aventra MyEID cards can handle 14(15?) different PINS
>>(plus SO-PIN), so they could need 15 (or 16?) slots to be fully used.
>>In pcscd.conf you can define how many slots are available for each
>>reader and system-wide. IIRC by default you should have 4 slots for each
>>reader and up to 4 readers.

>>So, in your case, to use the key w/ ID 45 on the second card you should
>>use slot5-id_45... unless having keys with the same ID confuses the
>>system, even if they're in different slots.
>>Try:
>>$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L -T


Thumbs up man, u solved my problem. Thx :)

Kind Regards
