Problems personalizing smartcard


Problems personalizing smartcard

Dominik Fischer
Hi,

I have problems "personalizing" my smartcard using the OpenSC Mozilla
module.
Our PKI server rejects my request. It seems that the data transmitted
(the CSR, I think?) is not correct. I noticed that the pop-up from Mozilla
("generating keypair...") only appears ("flashes") for a very short time.

I tried to generate a key with "pkcs11-tool -v -k". But it only gives
me: "error: PKCS11 function C_GenerateKeyPair failed:  rv =
CKR_GENERAL_ERROR (0x5)"

p15dump can access the card and I can change the pin using "pkcs15-tool
--change-pin"
The smartcard is pre-initialized by the vendor. There's a user PIN on it
which is initialized with a transport PIN. "opensc-tool -n" gives: "STARCOS SPK 2.3"

With a Smartcard which was "personalized" with our old tools (with a
proprietary pkcs11-lib) I can login via opensc-pam against an
LDAP-Server.

Can anybody help me getting this card working?
Dominik
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Problems personalizing smartcard

Andreas Jellinghaus-2
which version of opensc are you using?
if it is 0.9.6: I never had success with
mozilla+server based keygen / certgen.

so I always did create keys with pkcs15-init
and then signed them with openssl + engine
(but you can create a csr as well, send it to
the ca, fetch the result and store it
with pkcs15-init).

this might be fixed in current trunk - I wasn't able to test
so far.

In case you have a web page that asks mozilla to create a key
and upload it (or a csr, etc.): could you send me a copy?
I would like to add such a page to the opensc.org page,
so everyone can use that page for testing mozilla+server
based keygen/certgen.

> The smartcard is pre-initialized from the vendor.
in pkcs#15 format? if not, there is nothing we can do.

even then I'm not sure. I know opensc can deal with
cards initialized in pkcs#15 by other vendors and vice
versa, but I never heard that anyone did parts of the initialisation
with one software and other parts with some other software.
usually you do the full initialisation (including keygen and
storing certificates) with the same software, and then
use the card with any software (read, sign, decrypt, unblock).

Regards, Andreas

Re: Problems personalizing smartcard

Nils Larsch
Andreas Jellinghaus wrote:
...
>>The smartcard is pre-initialized from the vendor.

A.E.T. ?

>
> in pkcs#15 format? if not, there is nothing we can do.
>
> even then I'm not sure. I know opensc can deal with
> card initialized in pkcs#15 by other vendors and vice
> versa,

this doesn't work as the opensc pkcs15init lib doesn't
know where it must put the keys etc.

Nils

Re: Problems personalizing smartcard

Dominik Fischer
On 29.6.2005 "Nils Larsch" <[hidden email]> wrote:

>Andreas Jellinghaus wrote:
>...
>>>The smartcard is pre-initialized from the vendor.
>
>A.E.T. ?
Yes.

>>
>> in pkcs#15 format? if not, there is nothing we can do.
>>
>> even then I'm not sure. I know opensc can deal with
>> card initialized in pkcs#15 by other vendors and vice
>> versa,
>
>this doesn't work as the opensc pkcs15init lib doesn't
>know where it must put the keys etc.

Is there a way to tell opensc where it has to put the keys?
Maybe by creating a profile under /usr/share/opensc?

Regards,
Dominik

Re: Problems personalizing smartcard

Nils Larsch
Dominik Fischer wrote:
...

>>>in pkcs#15 format? if not, there is nothing we can do.
>>>
>>>even then I'm not sure. I know opensc can deal with
>>>card initialized in pkcs#15 by other vendors and vice
>>>versa,
>>
>>this doesn't work as the opensc pkcs15init lib doesn't
>>know where it must put the keys etc.
>
>
> Is there a way to tell opensc where it has to put the keys?
> Maybe by creating a profile under /usr/share/opensc?

it's currently not possible.  Even more problematic is the
fact that the AET lib afaik makes some implicit assumptions
about card profile which are not specified (and can't be
specified) in the pkcs15 files.

Nils

Re: Problems personalizing smartcard

Dominik Fischer
On 29.6.2005 "Andreas Jellinghaus" <[hidden email]> wrote:

>which version of opensc are you using?
>if it is 0.9.6: I never had success with
>mozilla+server based keygen / certgen.

I tried 0.9.6. I will download the latest snapshot and give that one
a try too.

>so I always did create keys with pkcs15-init
>and then signed the with openssl + engine(
>but you can create a csr as well, send it to
>the ca, fetch the result and store it
>with pkcs15-init.
>
>this might be fixed in current trunk - I wasn't able to test
>so far.
>
>In case you have a web page that asks mozilla to create a key
>and upload it (or a csr, etc.): could you send me a copy?
>I would like to add such a page to the opensc.org page,
>so everyone can use that page for testing mozilla+server
>based keygen/certgen.

I'm not sure about the mechanism which is used here. The
PKI from which I will get the cert is "Tivoli PKI 3.7.1".  I don't know
about the license but I think it's not free.

>
>> The smartcard is pre-initialized from the vendor.
>in pkcs#15 format? if not, there is nothing we can do.

I think it's pkcs#15, since p15dump gives me a lot of information (SO-PIN,
user PIN and, on already "personalized" cards, the cert).

>
>even then I'm not sure. I know opensc can deal with
>card initialized in pkcs#15 by other vendors and vice
>versa, but I never heard anyone did parts of the initialisation
>with one software and other parts with some other software.
>usualy you do the full initialisation (including keygen and
>storing certificates) with the same software, and then
>use the card with any software (read, sign, decrypt, unblock).
The smartcards which come in here have an SO-PIN and a user PIN
on them.

Regards,
Dominik

Re: Problems personalizing smartcard

Dominik Fischer
On 30.6.2005 "Nils Larsch" <[hidden email]> wrote:

>> Is there a way to tell opensc where it has to put the keys?
>> Maybe by creating a profile under /usr/share/opensc?
>
>it's currently not possible.  Even more problematic is the
>fact that the AET lib afaik makes some implicit assumptions
>about card profile which are not specified (and can't be
>specified) in the pkcs15 files.

Hmmm. I have a card personalized with the old library and tools.
p15dump shows me some information about it. Can't this information be used
to get opensc working with the cards? I've not read the opensc source so far,
so I can't tell how the key generation works. I think it calls a function on
the card to let it generate this key?
What information about the card is needed to generate a keypair?

Regards,
Dominik

Re: Problems personalizing smartcard

Nils Larsch
Dominik Fischer wrote:
...
> Hmmm. I have a (with the old library and tools) personalized card.
> p15dump show's
> me some information about it. Can't this information be used to get
> opensc working with the cards?

this depends on how you define working. opensc can read/use these
structures to use the card in (more or less) read-only mode. However
file/key creation is very card specific and the necessary information
is not covered in the pkcs15 files.

> I've not read the opensc-source so far, that I can tell
> how the
> key generation works. I think it calls a function on the card to let it
> generate this key?
> What information about the card is needed to generate a keypair?

for example you need to know where to store the key ...

Nils

Re: Problems personalizing smartcard

Dominik Fischer
>> Hmmm. I have a (with the old library and tools) personalized card.
>> p15dump show's
>> me some information about it. Can't this information be used to get
>> opensc working with the cards?
>
>this denpends on how you define working. opensc can read/use these
>structures to use the card in (more less) read-only mode. However
>file/key creation is very card specific and the necessary information
>is not covered in the pkcs15 files.

>
>> I've not read the opensc-source so far, that I can tell
>> how the
>> key generation works. I think it calls a function on the card to let it
>> generate this key?
>> What information about the card is needed to generate a keypair?
>
>for example you need to know where to store the key ...
the information of p15dump is not enough? On an already personalized
card I see the following:

 ----8<-----8<----
Enumerating Private keys... 1 found.
Private RSA key [ABCDEs ID]
        Com. Flags  : private, modifiable
        Com. Auth ID: 82
        Usage       : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags: [0xD], sensitive, alwaysSensitive, neverExtract
        ModLength   : 1024
        Key ref     : 132
        Native      : yes
        ID          : 5b40a77a55f9bb70026d3f42deaf7c320dbc03f0

Enumerating Public keys... 1 found.
Public RSA key (no label)
        Com. Flags  : modifiable
        Com. Auth ID: 82
        Usage       : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags: [0x0]
        ModLength   : 1024
        Key ref     : 132
        Native      : yes
        Path        : 0000
        ID          : 5b40a77a55f9bb70026d3f42deaf7c320dbc03f0
 ----8<-----8<----
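The listing above is exactly the kind of PKCS#15 metadata that a tool (or an auditor) can read back from a card without any vendor-specific knowledge. As an added example, not code from this thread or from OpenSC, here is a small Python parser for that p15dump output that decodes the Usage and Access Flags bitmasks and runs a few defender-side sanity checks on the key pair: the private key should be marked sensitive and never extractable, the public key must carry the same ID, and the modulus length is reported against current guidance. The bit values are the SC_PKCS15_PRKEY_USAGE_* and SC_PKCS15_PRKEY_ACCESS_* constants from OpenSC's pkcs15.h; the sample input is the dump posted above, embedded verbatim, and the check function and its thresholds are my own.

```python
"""Parse a p15dump / pkcs15-tool key listing and decode its PKCS#15 flags.

Added example, not OpenSC code. Bit values follow OpenSC's pkcs15.h
(SC_PKCS15_PRKEY_USAGE_* and SC_PKCS15_PRKEY_ACCESS_*); the sample dump is
the one posted in the thread, copied verbatim.
"""
import re

# PKCS#15 key usage bits (OpenSC SC_PKCS15_PRKEY_USAGE_*)
USAGE_BITS = {
    0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
    0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
    0x100: "derive", 0x200: "nonRepudiation",
}

# PKCS#15 key access flags (OpenSC SC_PKCS15_PRKEY_ACCESS_*)
ACCESS_BITS = {
    0x01: "sensitive", 0x02: "extractable", 0x04: "alwaysSensitive",
    0x08: "neverExtract", 0x10: "local",
}

# Sample p15dump output, copied from the thread above.
SAMPLE_DUMP = """Enumerating Private keys... 1 found.
Private RSA key [ABCDEs ID]
        Com. Flags  : private, modifiable
        Com. Auth ID: 82
        Usage       : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags: [0xD], sensitive, alwaysSensitive, neverExtract
        ModLength   : 1024
        Key ref     : 132
        Native      : yes
        ID          : 5b40a77a55f9bb70026d3f42deaf7c320dbc03f0

Enumerating Public keys... 1 found.
Public RSA key (no label)
        Com. Flags  : modifiable
        Com. Auth ID: 82
        Usage       : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags: [0x0]
        ModLength   : 1024
        Key ref     : 132
        Native      : yes
        Path        : 0000
        ID          : 5b40a77a55f9bb70026d3f42deaf7c320dbc03f0
"""

HEADER_RE = re.compile(r"^(Private|Public) RSA key\s+(.*)$")
FIELD_RE = re.compile(r"^\s+([A-Za-z. ]+?)\s*:\s*(.*)$")
HEX_RE = re.compile(r"\[(0x[0-9A-Fa-f]+)\]")


def decode_flags(value, table):
    """Return flag names for the bits set in value, lowest bit first; unknown bits are reported."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append("unknown(0x%X)" % unknown)
    return names


def parse_dump(text):
    """Turn the indented 'Field : value' blocks of a p15dump listing into dicts."""
    keys, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1).lower(), "label": m.group(2).strip()}
            keys.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if not m:
            continue
        name, raw = m.group(1).strip(), m.group(2).strip()
        if name in ("Usage", "Access Flags"):
            hexval = int(HEX_RE.match(raw).group(1), 16)
            table = USAGE_BITS if name == "Usage" else ACCESS_BITS
            current[name] = {"value": hexval, "flags": decode_flags(hexval, table)}
        elif name in ("ModLength", "Key ref"):
            current[name] = int(raw)
        else:
            current[name] = raw
    return keys


def check_key_pair(keys, min_bits=2048):
    """Sanity checks on a personalised card; thresholds are this example's own choice."""
    priv = [k for k in keys if k["type"] == "private"]
    pub = [k for k in keys if k["type"] == "public"]
    if len(priv) != 1 or len(pub) != 1:
        return ["expected exactly one private and one public key"]
    p, q = priv[0], pub[0]
    problems = []
    if p["ID"] != q["ID"]:
        problems.append("private/public key ID mismatch")
    access = set(p["Access Flags"]["flags"])
    for required in ("sensitive", "neverExtract"):
        if required not in access:
            problems.append("private key lacks %s" % required)
    if p["ModLength"] < min_bits:
        problems.append("RSA modulus only %d bits" % p["ModLength"])
    if "sign" in p["Usage"]["flags"] and "verify" not in q["Usage"]["flags"]:
        problems.append("private key can sign but public key cannot verify")
    return problems


if __name__ == "__main__":
    parsed = parse_dump(SAMPLE_DUMP)
    for k in parsed:
        print(k["type"], k["ID"], k["Usage"]["flags"], k["Access Flags"]["flags"])
    print("problems:", check_key_pair(parsed))
```

Run against the dump from the thread, the parser confirms that the private key is sensitive and never extractable and that both objects share the same ID and key reference (132); the only finding is the 1024-bit modulus, which was normal in 2005 but is below today's minimum. None of this tells pkcs15-init where to create a new key on the card, which is Nils's point: the listing describes objects that already exist, not the card's file system layout or security attributes.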

Re: Problems personalizing smartcard

Andreas Jellinghaus-2
On Monday 04 July 2005 15:56, Dominik Fischer wrote:
> the information of p15dump is not enough?

In some cases it might be so. But in general there is a lot
more to it, like how the security system of the card works
and how it was set up, and where files are supposed to be
created, how to reference the pin files, and maybe even more
stuff. Forgive me, I don't know the details well.

Andreas

Re: Problems personalizing smartcard

Nils Larsch
Dominik Fischer wrote:
...
>>for example you need to know where to store the key ...
>
> the information of p15dump is not enough?

in general it is not enough. pkcs15 is rather high level and the
(necessary) card specific details to create keys/files are not
included (even though a card OS should be simple, they still have
a lot of options).

Nils