Re: [QUAR]Re: [opensc-user] Failing to generate a private key from Firefox with the iKey3000 USB token


Stef Hoeben
Hi,

for the default profile, you need both the SO and User PIN in order
to generate keys and store certs. And Mozilla only asks for the user PIN...

Note: the functionality is broken: C_GenerateKeyPair() returns
CKR_GENERAL_ERROR.
I'll try to fix it now.

Cheers,
Stef

Jan Schermer wrote:

>In my case, this is probably the cause... I never used onepin profile.
>Is this a limitation of pkcs11 lib or mozilla? If it's the limitation of
>the pkcs11 lib, it should be mentioned somewhere or fixed.
>
>Jan
>
>Stef Hoeben wrote:
>
>>Hi,
>>
>>did you initialise your token with the 'onepin' profile option?
>>(for info see http://www.opensc.org/files/doc/init_perso_guide.html)
>>
>>Having a user PIN in charge of the card (instead of the SO PIN) is a
>>requirement for keypair generation with our pkcs11 lib.
>>
>>Could you try if "pkcs11-tool -l -z <any_cert_in_der_format>" works,
>>and let us know some details (e.g. set debug=5 in opensc.conf)?
>>
>>If that works, could you see in the logs where your Firefox experiment
>>fails, or try our pkcs11-spy to log the pkcs11 calls?
>>
>>Cheers,
>>Stef
>>
>>M.-A. DARCHE wrote:
>>
>>>Hello all,
>>>
>>>I am new to this list and my interest in OpenSC is to be able to
>>>use USB tokens with only free/libre/opensource software in conjunction
>>>with OpenCA http://www.openca.info/docs/ a libre PKI as you might guess
>>>from its name.
>>>
>>>Specifically my problem is that I cannot get the iKey3000 USB token to
>>>generate a private key from Firefox, while it is said at
>>>http://www.opensc.org/openct/wiki/ikey3000
>>>
>>>  OpenCT supports Rainbow iKey 3000 tokens fine. They have been tested
>>>  with OpenSC under Linux and work perfectly.
>>>
>>>
>>>Configuration Information
>>>------------------------------------------------
>>> Operating System: Stock Debian Sarge + 2.6.8-386
>>> OpenSSL Version : 0.9.7e
>>> Smart card/USB
>>>    * openct         : 0.6.4
>>>    * opensc         : 0.9.6
>>>    * mozilla-opensc : 0.9.6
>>>------------------------------------------------
>>>
>>>
>>>Problem Description
>>>-------------------
>>>
>>>I request a certificate to the OpenCA PKI using a newly defined USB
>>>token security device with Firefox using
>>>/usr/lib/pkcs11/opensc-pkcs11.so
>>>
>>>During this operation no private key is generated on the USB token.
>>>
>>>I have tried the same thing on a Windows machine and the private key
>>>is not generated on the USB token either.
>>>
>>>Then if I use the proprietary lib from SafeSign on the Windows machine
>>>when I request a certificate to the OpenCA PKI the private key is
>>>generated on the USB token.
>>>
>>>My main concern in this email is not the interoperability between the
>>>key generation procedures (on GNU/Linux and Windows), but to manage to
>>>have a private key generated in the token, by the token itself, after
>>>the browser (here Firefox) order.
>>>
>>>Bugs in Firefox and OpenCA regarding this procedure seem to be out of
>>>question since other people manage to generate valid certificate
>>>requests to OpenCA using other tokens.
>>>
>>>
>>>Cheers and thanks if you can help,
>>>
>>>
>>>PS: If you are interested in all the details the whole thread of my
>>>problem on the OpenCA users' mailing list can be found here:
>>>
>>>  Failing to Approve Request without Signing from iKey3000 USB token
>>>  http://sourceforge.net/mailarchive/forum.php?thread_id=7571949&forum_id=2291

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel