strange behavior when generating keys in openpgp card

strange behavior when generating keys in openpgp card

Nikos Mavrogiannopoulos
Hello,
 I am still experimenting with my (FSFE) openpgp card. I have the
following issues compared to other smart cards:
* generating a key as security officer generates a key of 16384 bits no
matter how many bits I specify.
* I cannot use that key afterwards either as user or as security officer
* copying an RSA key to the card fails with CKR_ATTRIBUTE_VALUE_INVALID
* the openpgp key present in the card is invisible to the PKCS #11 API,
or even from pkcs15-tool.

Am I supposed to do something differently or are these bugs in the card
driver?

regards,
Nikos

$ pkcs11-tool --module opensc-pkcs11.so -l --login-type so -k --key-type rsa:2048
Using slot 1 with a present token (0x1)
Logging in to "OpenPGP card (User PIN (sig))".
Please enter SO PIN:
Key pair generated:
Private Key Object; RSA
  label:      Private Key
  ID:         a3a92d439f458884771af2e334660571eecae5dd
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 16384 bits
  label:      Private Key
  ID:         a3a92d439f458884771af2e334660571eecae5dd
  Usage:      encrypt, verify, wrap

log at: http://pastebin.com/3PTF9aWX

Trying to use the generated key also fails:

$ pkcs11-tool --module opensc-pkcs11.so -l --login-type so -d a3a92d439f458884771af2e334660571eecae5dd -s
error: Private key not found
Aborting.

log at: http://pastebin.com/jzk7ttp3

Copying a private key to the card:
$ certtool --generate-privkey --bits 2048 --outraw >/tmp/key
$ pkcs11-tool --module opensc-pkcs11.so -l --login-type so -w /tmp/key -y privkey
error: PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)

Aborting.

log at: http://pastebin.com/q9KmXbLQ




_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: strange behavior when generating keys in openpgp card

Ludovic Rousseau
2013/12/23 Nikos Mavrogiannopoulos <[hidden email]>:
> Hello,
>  I am still experimenting with my (FSFE) openpgp card. I have the
> following issues compared to other smart cards:
> * generating a key as security officer generates a key of 16384 bits no
> matter how many bits I specify.
> * I cannot use that key afterwards either as user or as security officer
> * copying an RSA key to the card fails with CKR_ATTRIBUTE_VALUE_INVALID
> * the openpgp key present in the card is invisible to the PKCS #11 API,
> or even from pkcs15-tool.

I am not really sure the card generated a 16384-bit key. It looks
like a bug in displaying the key size.

> Am I supposed to do something differently or are these bugs in the card
> driver?

Maybe you should use the GnuPG application to use your openpgp card.

Bye

--
 Dr. Ludovic Rousseau
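
Added example, not part of the original thread and not OpenSC code: one way to test the display-bug suspicion above is to measure the modulus in the public key's DER encoding instead of trusting the printed size. The function names and the sample key are constructed here; 16384 is exactly 8 x 2048, but the thread does not confirm the cause of the displayed value.

```python
# Added example; SAMPLE_N is a constructed 2048-bit number, not a usable key.

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def rsa_modulus_bits(der):
    """Bit length of n in an RSAPublicKey or SubjectPublicKeyInfo blob."""
    tag, s, e = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, s, e = _read_tlv(der, s)
    if tag == 0x30:                         # SPKI: AlgorithmIdentifier comes first
        tag, s, e = _read_tlv(der, e)       # BIT STRING wrapping RSAPublicKey
        if tag != 0x03 or der[s] != 0:
            raise ValueError("expected BIT STRING with no unused bits")
        tag, s, e = _read_tlv(der, s + 1)   # inner RSAPublicKey SEQUENCE
        tag, s, e = _read_tlv(der, s)       # modulus INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(der[s:e], "big").bit_length()

def check_displayed_size(der, displayed_bits):
    actual = rsa_modulus_bits(der)          # size measured from the key itself
    if displayed_bits == actual:
        return "match"
    return "displayed is 8x actual" if displayed_bits == 8 * actual else "mismatch"

def _der(tag, body):                        # minimal DER encoder for the sample
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _der_int(v):                            # positive INTEGER, minimal encoding
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

SAMPLE_N = (1 << 2047) | 1                  # constructed, 2048 bits
RSA_PUBKEY = _der(0x30, _der_int(SAMPLE_N) + _der_int(65537))
ALG_RSA = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption, NULL
SPKI = _der(0x30, ALG_RSA + _der(0x03, b"\x00" + RSA_PUBKEY))
```

Feed rsa_modulus_bits() the DER bytes of a public key exported from the token; a result of 2048 next to a displayed 16384 points at the display path rather than at key generation.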


Re: strange behavior when generating keys in openpgp card

Stefan Xenon
In reply to this post by Nikos Mavrogiannopoulos
Hi Nikos!
Did you try executing the steps described here?
https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card#3-generating-keys

Regards,
Stefan


Re: strange behavior when generating keys in openpgp card

Nikos Mavrogiannopoulos
On 01/12/2014 02:33 PM, Stefan Xenon wrote:
> Hi Nikos!
> Did you try executing the steps described here?
> https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card#3-generating-keys

Hello Stefan,
 No, as I was not interested in the result. I was interested to see
whether the PKCS #11 library from opensc could be used to handle the
openpgp smart card.

regards,
Nikos



Re: strange behavior when generating keys in openpgp card

Stefan Xenon
Hi Nikos,

On 12.01.2014 17:56, Nikos Mavrogiannopoulos wrote:
> On 01/12/2014 02:33 PM, Stefan Xenon wrote:
>> Hi Nikos!
>> Did you try executing the steps described here?
>> https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card#3-generating-keys
>
> Hello Stefan,
>  No, as I was not interested in the result. I was interested to see
> whether the PKCS #11 library from opensc could be used to handle the
> openpgp smart card.

It has been tested successfully and *should* work. However, please
report any issues you encounter so that it can be fixed.

Regards,
Stefan


Re: strange behavior when generating keys in openpgp card

Nikos Mavrogiannopoulos
On 01/15/2014 09:10 PM, Stefan Xenon wrote:

> Hi Nikos,
>
> On 12.01.2014 17:56, Nikos Mavrogiannopoulos wrote:
>> On 01/12/2014 02:33 PM, Stefan Xenon wrote:
>>> Hi Nikos!
>>> Did you try executing the steps described here?
>>> https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card#3-generating-keys
>> Hello Stefan,
>>  No, as I was not interested in the result. I was interested to see
>> whether the PKCS #11 library from opensc could be used to handle the
>> openpgp smart card.
> It has been tested successfully and *should* work. However, please
> report any issues you encounter so that it can be fixed.

This was the purpose of my previous e-mail.

regards,
Nikos

