Hello,

Thanks for your fast feedback.

The command
$ p11tool --list-mechanisms
produces more or less the same output. There is just the serial that is different.

Here are the results when signing with pkcs11-tool:

Old:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -M --id 02
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  RSA-PKCS, keySize={1024,1024}, hw, decrypt, sign, verify
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
test message
<some unreadable characters>

New:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -M --id 02
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  RSA-PKCS, keySize={1024,1024}, hw, decrypt, sign, verify
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
test message

Nothing happens.

When I tried to use an input file, I got the following results:

Old:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -m RSA-PKCS --id 02 --input-file /tmp/test-file
Using slot 1 with a present token (0x1)
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
<some unreadable characters>

New:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -m RSA-PKCS --id 02 --input-file /tmp/test-file
Using slot 1 with a present token (0x1)
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
error: PKCS11 function C_SignFinal failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

So indeed, it seems that my card couldn't sign. Is there any solution for it?

Regards,
Sebastien

On 04/09/2015 10:20 AM, Nikos Mavrogiannopoulos wrote:
> On Thu, Apr 9, 2015 at 10:05 AM, Sebastien Canart
> <sebastien.canart at onprvp.fgov.be> wrote:
>> Hello,
>> The command that I'm currently using (I need to go through our internal
>> proxy):
>> # openconnect --timestamp --proxy=localhost:3128 -v --dump-http-traffic
>> -c 'pkcs11:model=PKCS%2315;mycert[...];object-type=cert' vpnserver
> [...]
>> From the error I'm getting (Error signing test data with private key:
>> PKCS #11
>> unsupported feature), I'm guessing that the error is coming directly
>> from gnutls.
>
> The error is from the PKCS #11 library (I guess it is opensc) and
> probably the card itself.
> Do you see any difference in "p11tool --list-mechanisms" with the new
> and old card? It may
> be that the new key is not allowed to sign using RSA-PKCS.
>
> You can verify whether signing works with pkcs11-tool (from opensc)
> using something like:
> pkcs11-tool --module /path/to/opensc-pkcs11.so -s -M
> pkcs11-tool --module /path/to/opensc-pkcs11.so -s -m RSA-PKCS --id 02
>
> regards,
> Nikos
>

-- 
Sebastien Canart <sebastien.canart at onprvp.fgov.be>
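
Added example, not part of the original message and not OpenSC code: a small classifier for captured pkcs11-tool output that separates "mechanism advertises sign but the sign call is refused" (the new card above) from the other outcomes. The names `parse_mechanisms`, `diagnose` and `SAMPLE_NEW` are hypothetical, the sample text is constructed from the transcripts above, and the parser assumes one indented mechanism per line.

```python
import re

# Constructed sample shaped like the "New" card transcripts in the message.
# Assumption: pkcs11-tool prints one indented mechanism per line.
SAMPLE_NEW = """\
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  RSA-PKCS, keySize={1024,1024}, hw, decrypt, sign, verify
Using signature algorithm RSA-PKCS
error: PKCS11 function C_SignFinal failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.
"""

ERR_RE = re.compile(r"error: PKCS11 function (\w+) failed: rv = (\w+) \((0x[0-9a-fA-F]+)\)")


def parse_mechanisms(text):
    """Map mechanism name -> set of flags from the list after the header."""
    mechs, in_list = {}, False
    for line in text.splitlines():
        if line.strip() == "Supported mechanisms:":
            in_list = True
        elif in_list and line[:1].isspace() and line.strip():
            # Collapse {a,b} ranges so their inner comma is not a separator.
            parts = re.sub(r"\{[^}]*\}", "{}", line).split(",")
            name, *flags = [p.strip() for p in parts]
            mechs[name] = set(flags)
        else:
            in_list = False
    return mechs


def diagnose(text, mechanism="RSA-PKCS"):
    """Classify one signing attempt from captured pkcs11-tool output."""
    err = ERR_RE.search(text)
    if err is None:
        return "no-error"
    detail = "{} -> {} ({})".format(*err.groups())
    flags = parse_mechanisms(text).get(mechanism)
    if flags is None:
        return "no-mechanism-list: " + detail
    if "sign" not in flags:
        return "sign-not-advertised: " + detail
    if err.group(2) == "CKR_FUNCTION_NOT_SUPPORTED":
        # The list describes the token, not a key: "sign" being advertised
        # does not show that this key or card path can actually sign.
        return "advertised-but-refused: " + detail
    return "other-failure: " + detail
```

For the constructed sample, `diagnose(SAMPLE_NEW)` returns the "advertised-but-refused" class, which is why comparing the mechanism lists of the old and new card shows no difference.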