Thread: Key generation with Aladdin PRO 64k
Key generation with Aladdin PRO 64k
user name
2006-09-18 14:00:51
Hi,

I'm experimenting with the Aladdin eToken PRO 64 in a Linux environment with the following installed:
    opensc-0.11.1-svn-r3015
    openct-0.6.8-svn-r893
    pcsc-lite-1.3.2
    etoken-3-60.24-linux-i386

I'm attempting to generate a key pair on the card using:
    pkcs11-tool -k --key-type rsa:2048 -a keypair -p pass -v -v --module libetpkcs11.so
Which outputs:
    Key pair generated:
    Private Key Object; RSA
      label:      keypair
      Usage:      decrypt, sign, unwrap
    Public Key Object; RSA 2048 bits
      label:      keypair
      Usage:      encrypt, verify, wrap

However when I list the objects on the card (either with pkcs11-tool or Aladdin's etckdump) it only shows the private key.  This holds true no matter what label, if any, I use, as well as any key size.  I use rsa:2048 because that is the ideal deployment key size.

    Private Key Object; RSA
      label:
      Usage:      decrypt, sign, unwrap

Does anybody have any experience with this device and possibly know why this is happening?  Ideally I'd like to be able to use this card to generate a key pair and sign an x509 cert for use in a VPN.  If anyone has any experience with making this work I'd love to hear from them.

Josh.
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user
Key generation with Aladdin PRO 64k
user name
2006-09-18 14:37:52
Hi there,

Strange enough. I do not know why this pub key object is not visible after the creation. I guess since it is not associated with the certificate yet.
Besides, what you see is not really the private key itself.

Just go on signing your certificate. The public key will be taken from the eToken and the certificate will be generated.
Take a look at http://www.etokenonlinux.org and just go on with http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart.

Kind regards
Cornelius



-- 
Cornelius Kölbel (Senior Security Consultant), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 9067-252, Fax: -299, Mobile: +49 160 96307089
Registered office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Managing directors: Oliver Michel, Sven Walther


Key generation with Aladdin PRO 64k
user name
2006-09-18 15:33:06
Hi Cornelius,

I'm actually glad you replied, I have seen etokenonlinux.org and it has been very helpful in my research (although I wish I'd found it earlier!).  I have in fact tried the steps outlined in the engine_pkcs11 wiki, as well as your own site, and I am unable to create the self-signed certificate on the card.

My commands are:
# openssl engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libetpkcs11.so
>(dynamic) Dynamic engine loading support
>[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>[Success]: ID:pkcs11
>[Success]: LIST_ADD:1
>[Success]: LOAD
>[Success]: MODULE_PATH:/usr/lib/libetpkcs11.so
>Loaded: (pkcs11) pkcs11 engine
>     [ available ]

# openssl req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"
> engine "pkcs11" set.
> PKCS#11 token PIN:

# pkcs11-tool -O -p pass -v --module libetpkcs11.so
> Private Key Object; RSA
>   label:
>   ID:         45
>   Usage:      decrypt, sign, unwrap

And testing using Thunderbird yields no certificate, although if I write a privkey and a cert manually it will show up.  Oddly enough, this is the first time openssl req has worked for me without spitting out a private key not found error.  If I can get this working, I'll have to write an internal wiki for my company, and I'd be more than happy to pass it on to you Cornelius.  I noticed your etoken + openssl section is unfortunately empty!

Thanks,

Josh.

Key generation with Aladdin PRO 64k
user name
2006-09-18 15:53:43
Whoops!  So I turned req.pem into req.der, wrote it and it works fine!  This is highly unusual that it's working on Monday morning, when the same steps on Friday afternoon yielded no results, although I did a fresh re-install of all the pertinent packages, so perhaps that's why.  However, I have run into a new problem.  I just realized I had reinitialized the card with a 1024 bit key -- this worked with openssl req and created a certificate for me.  After reinitializing with a 2048 bit key, I receive the following error:
# openssl req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Josh Mahonin"
>engine "pkcs11" set.
>PKCS#11 token PIN:
>10842:error:8000A006:Vendor defined:PKCS11_rsa_sign:Function failed:p11_ops.c:96:
>10842:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:

I can't tell if that's a software problem or hardware...the 64k supports 2048 bit keys, so is it safe to assume it can sign them as well?  Or is there something I have to change in my openssl config to handle signing with a 2048 bit key?

Thanks,

Josh.


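Josh's fix above (convert req.pem to req.der, then write it to the token) is the step a practitioner repeats most often, so here is an added example, not code from this thread or from OpenSC, that does the PEM-to-DER conversion in Python and checks that the result is a single well-formed DER SEQUENCE before anything is written to the token. It assumes that an X.509 certificate is one top-level SEQUENCE (RFC 5280) and that `openssl req -x509 -text` prints a human-readable dump ahead of the PEM block, which the parser skips; the sample PEM and all function names are constructed, and the pkcs11-tool write command in the final comment is the write step the thread describes, shown with the object id 45 from Josh's listing.

```python
# Added example, not from the thread: turn the PEM certificate written by
# "openssl req -x509" into the DER that pkcs11-tool writes to the token, and
# sanity-check the DER first. Assumption: an X.509 certificate is a single
# top-level DER SEQUENCE (RFC 5280). The sample PEM below is constructed and
# is not a real certificate.
import base64
import re

# One PEM block; the lazy body match lets a "-text" dump precede the block.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_to_der(pem: str, wanted: str = "CERTIFICATE") -> bytes:
    """Return the DER bytes of the first PEM block whose type is `wanted`."""
    for m in PEM_BLOCK.finditer(pem):
        if m.group(1) == wanted:
            return base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
    raise ValueError("no %s block found" % wanted)


def der_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    # DER demands the shortest encoding: no long form below 0x80, no leading zero bytes
    if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
        raise ValueError("non-minimal DER length")
    return length, pos + 1 + n


def is_single_der_sequence(der: bytes) -> bool:
    """True if der is exactly one SEQUENCE whose length matches the buffer,
    i.e. nothing was truncated or appended on the way to the token."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    try:
        length, start = der_length(der, 1)
    except (ValueError, IndexError):
        return False
    return start + length == len(der)


# Constructed sample: SEQUENCE { INTEGER 1, INTEGER 2 }, wrapped as PEM behind
# a fake "-text" dump, the way "openssl req -x509 -text" lays its output out.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = ("Certificate:\n    Data:\n        Version: 3 (0x2)\n"
              "-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              "-----END CERTIFICATE-----\n")


def convert_for_token(pem: str) -> bytes:
    """PEM -> DER with the sanity check; raises instead of handing over bad bytes."""
    der = pem_to_der(pem)
    if not is_single_der_sequence(der):
        raise ValueError("DER is not a single well-formed SEQUENCE")
    return der


if __name__ == "__main__":
    der = convert_for_token(SAMPLE_PEM)
    print("DER bytes:", der.hex())
    # write the checked bytes with the thread's tooling (assumed invocation):
    # pkcs11-tool --write-object req.der --type cert --id 45 --module libetpkcs11.so
```

The check is deliberately strict: a DER blob that is truncated, has trailing bytes or uses a non-minimal length is exactly the kind of input a token or middleware may silently reject or store as garbage, which then shows up later as "no certificate" in an application like Thunderbird.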
Key generation with Aladdin PRO 64k
user name
2006-09-18 17:19:25
On Monday, 18 September 2006 17:53, Josh Mahonin wrote:

[snip]

> However, I have run into a new problem.  I just realized I had reinitialized the card with a 1024 bit key -- this worked with openssl req and created a certificate for me.  After reinitializing with a 2048 bit key, I receive the following error:
> # openssl req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Josh Mahonin"
>
> >engine "pkcs11" set.
> >PKCS#11 token PIN:
> >10842:error:8000A006:Vendor defined:PKCS11_rsa_sign:Function failed:p11_ops.c:96:
> >10842:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:
>
> I can't tell if that's a software problem or hardware...the 64k supports 2048 bit keys, so is it safe to assume it can sign them as well?  Or is there something I have to change in my openssl config to handle signing with a 2048 bit key?

...I had a similar problem with a 2048bit key on Siemens CardOS 4.3b. In my case I came across limitations of the APDU size in pcsc-1.3.1 and ccid-1.0.1.

The opensc code fell back from doing a CKM_SHA1_RSA_PKCS operation on the token to something like calculating SHA-1 in memory and delegating the rest to the token via a CKM_RSA_PKCS operation. However these methods somehow generate different signatures, apparently because they use different padding schemes.

Do you access your token via pcsc, openct or ctapi?
Please post an output of opensc running with debug=2 in the config.

  Wolfgang
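The padding difference Wolfgang describes can be reproduced in code. The block below is an added example and is not code from this thread, from OpenSC or from the eToken PKCS#11 library: it implements textbook RSA with PKCS#1 v1.5 padding (assumed to follow RFC 3447) on a throwaway key and shows that the host-side fallback (SHA-1 in memory, then CKM_RSA_PKCS on the token) reproduces a CKM_SHA1_RSA_PKCS signature only when the host prepends the SHA-1 DigestInfo header to the digest; a bare digest gets padded into a different block and yields a signature that does not verify. The function names, the toy key generator and the sample message are mine. It also encodes the size fact behind the APDU remark: a 2048-bit PKCS#1 block is 256 bytes, one more than the 255-byte data field of a short APDU, which is why a reader stack that cannot send extended or chained APDUs has to fall back or fail at exactly this key size.

```python
# Added example, not from the thread: "SHA-1 on the host, then CKM_RSA_PKCS on
# the token" only matches "CKM_SHA1_RSA_PKCS on the token" when the host wraps
# the digest in a DigestInfo first. Toy textbook RSA with PKCS#1 v1.5 padding
# (assumed per RFC 3447); key generator, names and sample message are constructed.
import hashlib
import random

# DER DigestInfo prefix for SHA-1 (RFC 3447, section 9.2, note 1)
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def emsa_pkcs1_v1_5_encode(t: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 0x00 0x01 <PS of 0xFF, at least 8 bytes> 0x00 <T>."""
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin, only here to build a throwaway key without a crypto library."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int, rng: random.Random) -> int:
    while True:  # top two bits set so that p*q has exactly 2*bits bits
        cand = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if _is_probable_prime(cand, rng):
            return cand

def toy_rsa_keypair(bits: int = 512, seed: int = 1):
    """Deterministic throwaway (n, e, d) for the demonstration; never use for real."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, pow(e, -1, phi)

def _rsasp1(n: int, d: int, em: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def sign_ckm_sha1_rsa_pkcs(n: int, d: int, message: bytes) -> bytes:
    """CKM_SHA1_RSA_PKCS: the token hashes, adds DigestInfo, pads and signs."""
    t = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    return _rsasp1(n, d, emsa_pkcs1_v1_5_encode(t, (n.bit_length() + 7) // 8))

def sign_ckm_rsa_pkcs(n: int, d: int, data: bytes) -> bytes:
    """CKM_RSA_PKCS: the token pads whatever bytes it is handed, then signs."""
    return _rsasp1(n, d, emsa_pkcs1_v1_5_encode(data, (n.bit_length() + 7) // 8))

def fallback_signatures(n: int, d: int, message: bytes):
    """Host-side fallback done right (DigestInfo prepended) and wrong (bare digest)."""
    digest = hashlib.sha1(message).digest()
    return (sign_ckm_rsa_pkcs(n, d, SHA1_DIGESTINFO_PREFIX + digest),
            sign_ckm_rsa_pkcs(n, d, digest))

def verify_sha1_rsa_pkcs(n: int, e: int, message: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verification: re-encode and compare the whole block."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v1_5_encode(
        SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest(), k)

def needs_extended_apdu(modulus_bits: int) -> bool:
    """A short APDU carries at most 255 data bytes; a 2048-bit PKCS#1 block is 256."""
    return (modulus_bits + 7) // 8 > 255

if __name__ == "__main__":
    n, e, d = toy_rsa_keypair()
    msg = b"constructed sample message"  # constructed input
    ref = sign_ckm_sha1_rsa_pkcs(n, d, msg)
    right, wrong = fallback_signatures(n, d, msg)
    print("with DigestInfo == on-token:", right == ref, verify_sha1_rsa_pkcs(n, e, msg, right))
    print("bare digest == on-token:   ", wrong == ref, verify_sha1_rsa_pkcs(n, e, msg, wrong))
    print("2048-bit block needs extended APDU:", needs_extended_apdu(2048))
```

The practical takeaway for a token that only offers CKM_RSA_PKCS (or middleware that falls back to it) is that the host must hand the token DigestInfo || H(m), not H(m) alone; the two inputs pad into different blocks, so the resulting signatures differ and only the first one verifies as a SHA-1/RSA PKCS#1 v1.5 signature.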
Key generation with Aladdin PRO 64k
user name
2006-09-18 18:04:10
Hi,

I have set debug=2 in both openct.conf and opensc.conf, however after restarting the services, nothing of any use seems to show up in dmesg, /var/log/messages, and no files are created in /tmp.  The only way I use the eToken is via pkcs11-tool, Aladdin's etckinit/etckdump and openssl+engine_pkcs11, so I'm not sure that opensc / openct are doing much in this case.  Using 'opensc-tool -l' tells me that the eToken is using the pcsc driver, however.  I logged the pcscd debug output and it is attached, it doesn't tell me much, but perhaps you can make heads or tails from it.

As an added note, I checked the eToken properties on a Windows box and 2048 bit keys are enabled.

Josh.


Key generation with Aladdin PRO 64k
user name
2006-09-19 15:23:21
After checking through the code finding where these errors are coming from, it seems like it could be the same padding problem you had Wolfgang.  I have since upgraded to the SVN version of pcsc-lite and still the error is occurring.  I'm curious what you changed to get around the issue, if you did at all.

Thanks,

Josh.

