inconsistency between pkcs11-tool and pkcs15-tool


inconsistency between pkcs11-tool and pkcs15-tool

Anthony Foiani
Greetings!

I'm experimenting with a CardContact HSM, and I'm finding some
peculiar results when trying to install multiple certificates on the
token.  Loading three certificates onto the token seemed to work, but
when I went to remove them, things fell apart.

I think that the crux of the problem is that pkcs11-tool shows only one object:

  $ tool="pkcs11-tool --module opensc-pkcs11.so --login --pin 648219"

  $ $tool -O
  Using slot 1 with a present token (0x1)
  Private Key Object; RSA
    label:      Foo2A
    ID:         0f48886a19793c9e
    Usage:      decrypt, sign, unwrap

But the pkcs15-tool shows quite a few more:

  $ pkcs15-tool -D
  [...]

  Private RSA Key [Foo2A]
          Object Flags   : [0x3], private, modifiable
          Usage          : [0x2E], decrypt, sign, signRecover, unwrap
          Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
          ModLength      : 2048
          Key ref        : 1 (0x1)
          Native         : yes
          Path           : e82b0601040181c31f0201::
          Auth ID        : 01
          ID             : 0f48886a19793c9e
          GUID           : {be6fda39-699a-d073-68e5-9629a54eafff}

  X.509 Certificate [Bar Intermediate Certificate (2013)]
          Object Flags   : [0x2], modifiable
          Authority      : no
          Path           : e82b0601040181c31f0201::ca01
          ID             : 02
          GUID           : {55f338e7-137c-67e9-a6db-9135ca0aa884}

  X.509 Certificate [Certificate]
          Object Flags   : [0x2], modifiable
          Authority      : no
          Path           : e82b0601040181c31f0201::ca02
          ID             : 03
          GUID           : {f89468b8-6674-1c8a-b01e-1a244eaaaf54}

  X.509 Certificate [Foo2A (2013)]
          Object Flags   : [0x2], modifiable
          Authority      : no
          Path           : e82b0601040181c31f0201::ca03
          ID             : 03
          GUID           : {f89468b8-6674-1c8a-b01e-1a244eaaaf54}
          Encoded serial : 02 01 01

I tried modifying the tools, but I found myself in pkcs15-tool without
a way to discover the correct sc_profile object,...

Thanks
Tony
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Fwd: inconsistency between pkcs11-tool and pkcs15-tool

Anthony Foiani
Greetings.

Andreas is (obviously) helping me with this, but if anyone else has
ideas about what's going on here, I would love to hear them.

Many thanks,
Tony

---------- Forwarded message ----------
From: Anthony Foiani <[hidden email]>
Date: Sat, Dec 8, 2012 at 1:34 PM
Subject: Re: inconsistency between pkcs11-tool and pkcs15-tool
To: Andreas Schwier <[hidden email]>


Andreas --

I must say, your customer support hours are impressive.  :)

On Sat, Dec 8, 2012 at 7:31 AM, Andreas Schwier
<[hidden email]> wrote:
> can you create a log using export OPENSC_DEBUG=9 ?

Of which steps?

> Seems that the last two certificates are the same, at least the GUID is
> the same. Did you import certificates in DER encoding or PEM encoding ?

They were in DER.

Actual sequence of operations:

1. Use XCA to create key and certificate signing request.

This had some issues as well: it would wait long enough for the
creation to take place, but on the first try, it would give me an
error.  Second try gave me another error (because I used the same name
as first key, and even though it wasn't shown in the XCA window, it
was indeed on the key, so the error came when XCA tried to label the
second key).  Third try, with a different name, worked.

2. Use OpenSSL and my in-house CA to sign the CSR and create a cert.

These were all in PEM format, so I transformed them using:

    for i in ca-2013 ca-root foo2a-2013
    do
      openssl x509 -inform  pem -in  $i-cert.pem \
                   -outform der -out $i-cert.der
    done

3. Use pkcs11-tool to load them onto the token:

    tool="pkcs11-tool --module opensc-pkcs11.so --login --pin 648219"

    $tool --write-object ca-root-cert.der     --id 1 --type cert \
          --label 'Foiani CA Root Certificate'
    $tool --write-object ca-2013-cert.der     --id 2 --type cert \
          --label 'Foiani CA Intermediate Certificate (2013)'
    $tool --write-object foo2a-2013-cert.der --id 3 --type cert \
          --label 'Foo2A (2013)'

At that point, the list of objects on the token was:

    $tool -O
    Using slot 1 with a present token (0x1)
    Private Key Object; RSA
      label:      Foo2A
      ID:         0f48886a19793c9e
      Usage:      decrypt, sign, unwrap
    Certificate Object, type = X.509 cert
      label:      Foiani CA Intermediate Certificate (2013)
      ID:         02
    Public Key Object; RSA 2048 bits
      label:      Foiani CA Intermediate Certificate (2013)
      ID:         02
      Usage:      encrypt, verify
    Certificate Object, type = X.509 cert
      label:      Foiani CA Root Certificate
      ID:         01
    Public Key Object; RSA 8192 bits
      label:      Foiani CA Root Certificate
      ID:         01
      Usage:      encrypt, verify
    Certificate Object, type = X.509 cert
      label:      Certificate
      ID:         03
    Public Key Object; RSA 2048 bits
      label:      Certificate
      ID:         03
      Usage:      encrypt, verify
    Certificate Object, type = X.509 cert
      label:      Foo2A (2013)
      ID:         03
    Public Key Object; RSA 2048 bits
      label:      Foo2A (2013)
      ID:         03
      Usage:      encrypt, verify

So there's already one problem, with multiple entries at id 03.

I suspect that I want to start over with a fresh pkcs15-tool init, and
see if I can get a working setup from there.

Thanks to your help, though, I feel I'm getting very close.

Best regards,
Anthony Foiani
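The checks a practitioner would want to run over the two listings quoted in this thread (the first message's pkcs11-tool -O against pkcs15-tool -D, and the fuller pkcs11-tool -O after the three writes), as an added example that is not code from the thread or from OpenSC. It parses each tool's text output and reports the three things that bit the poster: a CKA_ID carried by more than one object of the same class, certificates whose CKA_ID matches no private key, and objects one tool shows but the other does not. The sample listings are constructed from the thread's own output with most attributes dropped; the parsers assume the output layout shown in the thread (unindented object headers, indented "name: value" attributes).

```python
"""Cross-check pkcs11-tool -O and pkcs15-tool -D object listings.

Added example, not part of the thread or of OpenSC. Parses the two listing
formats shown in the thread and flags duplicate CKA_IDs, certificates with
no matching private key, and objects reported by only one of the tools.
"""
import re
from collections import Counter

# Constructed from the thread's pkcs11-tool -O output (Usage lines and the
# public-key objects for IDs 01 and 02 dropped for brevity).
PKCS11_LISTING = """\
Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      Foo2A
  ID:         0f48886a19793c9e
Certificate Object, type = X.509 cert
  label:      Foiani CA Intermediate Certificate (2013)
  ID:         02
Certificate Object, type = X.509 cert
  label:      Foiani CA Root Certificate
  ID:         01
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         03
Public Key Object; RSA 2048 bits
  label:      Certificate
  ID:         03
Certificate Object, type = X.509 cert
  label:      Foo2A (2013)
  ID:         03
Public Key Object; RSA 2048 bits
  label:      Foo2A (2013)
  ID:         03
"""

# Constructed from the thread's pkcs15-tool -D excerpt (most attributes dropped).
PKCS15_LISTING = """\
Private RSA Key [Foo2A]
        ID             : 0f48886a19793c9e
X.509 Certificate [Bar Intermediate Certificate (2013)]
        Path           : e82b0601040181c31f0201::ca01
        ID             : 02
X.509 Certificate [Certificate]
        Path           : e82b0601040181c31f0201::ca02
        ID             : 03
X.509 Certificate [Foo2A (2013)]
        Path           : e82b0601040181c31f0201::ca03
        ID             : 03
"""

P15_HEADER = re.compile(r"^(?P<kind>\S.*?) \[(?P<label>.*)\]$")


def _attr(line):
    """Split an indented 'Name : value' attribute line into (name, value)."""
    name, _, value = line.strip().partition(":")
    return name.strip().lower(), value.strip()


def parse_pkcs11(text):
    """pkcs11-tool -O: unindented '... Object ...' headers, indented attributes."""
    objs, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            if " Object" not in line:
                continue  # "Using slot ..." banner
            cur = {"kind": line.split(" Object")[0], "label": None, "id": None}
            objs.append(cur)
        elif cur is not None:
            name, value = _attr(line)
            if name in ("label", "id"):
                cur[name] = value.lower() if name == "id" else value
    return objs


def parse_pkcs15(text):
    """pkcs15-tool -D: 'Kind [label]' headers, indented 'Name : value' lines."""
    kinds = {"Private": "Private Key", "Public": "Public Key", "X.509": "Certificate"}
    objs, cur = [], None
    for line in text.splitlines():
        m = P15_HEADER.match(line)
        if m:
            kind = kinds.get(m.group("kind").split()[0], m.group("kind"))
            cur = {"kind": kind, "label": m.group("label"), "id": None, "path": None}
            objs.append(cur)
        elif cur is not None and line.strip():
            name, value = _attr(line)
            if name in ("id", "path"):
                cur[name] = value.lower() if name == "id" else value
    return objs


def duplicate_ids(objs):
    """(kind, CKA_ID) pairs carried by more than one object; ID-addressed
    operations such as --delete-object --id cannot tell these apart."""
    counts = Counter((o["kind"], o["id"]) for o in objs)
    return sorted(k for k, n in counts.items() if n > 1)


def unpaired_certs(objs):
    """Certificates whose CKA_ID matches no private key on the token (PKCS#11
    applications pair a key with its certificate by equal CKA_ID)."""
    key_ids = {o["id"] for o in objs if o["kind"] == "Private Key"}
    return sorted(o["label"] for o in objs
                  if o["kind"] == "Certificate" and o["id"] not in key_ids)


def listing_diff(p11, p15):
    """(kind, id) pairs only one tool reports; public keys are skipped because
    the thread's pkcs15-tool excerpt is truncated."""
    a = {(o["kind"], o["id"]) for o in p11 if o["kind"] != "Public Key"}
    b = {(o["kind"], o["id"]) for o in p15 if o["kind"] != "Public Key"}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    p11, p15 = parse_pkcs11(PKCS11_LISTING), parse_pkcs15(PKCS15_LISTING)
    print("duplicate IDs:", duplicate_ids(p11), duplicate_ids(p15))
    print("certs with no matching key:", unpaired_certs(p11))
    print("only in pkcs11 / only in pkcs15:", listing_diff(p11, p15))
```

Run against the thread's own output this reports ID 03 held by two certificates (and two public-key objects), every certificate unpaired because none carries the private key's ID 0f48886a19793c9e, and the root certificate (ID 01) absent from the truncated pkcs15-tool excerpt. The practical consequence: the certificate issued for the Foo2A key should be written with the key's CKA_ID as its --id so applications pair the two, and no two objects of the same class should share an ID, or a later --delete-object --id has no way to pick one of them.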