On Tuesday, 13 March 2007 17:40, Simon Eisenmann wrote:
> I today received the PINs for my new D-TRUST 2048 bit signature card
> which seems to use Siemens CardOS 4.3B. I can read the certificates and
> keys from the card using OpenSC tools perfectly.
>
> Though there is a problem when creating a signature (OpenSC SVN trunk).

a) Which version of trunk exactly? What card reader are you using?
We did some changes recently that might break things - but I think
it only affects cards that can only do T=0 with some readers, so it shouldn't
be a problem for you.

So my wild guess is: can that key be used for both signing and decryption
(check with pkcs11-tool or pkcs15-tool)?
CardOS doesn't allow that for some stupid reason. In real world it is needed.

So there are two hacks for this:
a) the OpenSC hack: store the private key twice - once with key usage sign
and once with key usage decrypt, and then choose the right one.
b) the Siemens hack: store the key as decrypt key and use raw RSA decryption
for signing.

We haven't implemented b) yet, but we should add it for compatibility.

> Note: when using OpenSC 0.11.1 the card is not recognized as CardOS (ATR
> not in the list of CardOS implementation).

Yes. We added that ATR after 0.11.1.

Regards, Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel