Problem while reading out certificate in browser or in SSH clent #3001
Comments
Can you provide the output from

```
PIN [Basic PIN]
PIN [Signature PIN]
PIN [SO-PIN]
Private EC Key [ECDH Keyexchange key [kx00]]
Private EC Key [ECDH Keyexchange key [kx01]]
X.509 Certificate [Encryption certificate for key (69) [kxc00]]
X.509 Certificate [Encryption certificate for key (70) [kxc01]]
```

Can you get a spy trace? https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy
You are trying to perform an ECDSA operation (signature) with a key that only has the "derive" operation (ECDH) enabled.
Can I disable the ECDSA operation?

We do not know who is requesting an ECDSA operation, it is a matter of your application which requests the operation from the card. SSH, for example, only uses ECDSA. Rather, I suspect that the ECDSA operation was also performed on Windows, where you say that the card worked without problems. I assume that the pkcs11 module on Windows does not check key attributes reliably enough. If the specified key is really to be used for ECDSA operation, it can be added to the description of the key on the card.
I use easy-rsa as a certificate controller and generate a user PKI
https://wiki.gentoo.org/wiki/Create_a_Public_Key_Infrastructure_Using_the_easy-rsa_Scripts
On Sun, 28 Jan 2024 13:58, Peter Popovec <***@***.***> wrote:
But I'm also interested in how this key was created (which has a flag only for "derive" and the "label" indicates that it was only for ECDH operation). This key probably shouldn't have been used for SSH or client verification (browser).
There is no detail on the mentioned page that would indicate whether you generated the keys on the card or imported the keys to the card. There is no indication of the use of the pkcs11 interface anywhere.
I will send you a more detailed way, but maybe I should generate a new ssl
On Sun, 28 Jan 2024 15:09, Peter Popovec <***@***.***> wrote:
```sh
openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem
openssl pkcs12 -export -out peter1.p12 -inkey my.key.pem -in BLV-pki.crt -certfile my.csr
openssl pkcs12 -export -out peter.pfx -inkey my.key.pem -in BLV-pki.crt
```
```
PKCS#15 Card [MyEID]:
PIN [Basic PIN]
PIN [Signature PIN]
PIN [SO-PIN]
Private EC Key [ECDH Keyexchange key [kx00]]
Private EC Key [ECDH Keyexchange key [kx01]]
Private EC Key [ECDH Keyexchange key [kx02]]
Private EC Key [ECDH Keyexchange key [kx03]]
X.509 Certificate [Encryption certificate for key (69) [kxc00]]
X.509 Certificate [Encryption certificate for key (70) [kxc01]]
X.509 Certificate [Encryption certificate for key (71) [kxc02]]
X.509 Certificate [Encryption certificate for key (71) [kxc03]]
```
According to what you state, the keys were not generated on the card but were generated via openssl.
It is still not clear what command you used to write the pkcs12 key to the card. At the same time, this procedure is absolutely insecure. The correct procedure generates the keys on the card, for example, as follows:
To check what flags the generated key has:
Next, a CSR is generated using this key.
(modify the path to the pkcs11 module according to your system)
consult the CSR (from file
If you generate a certificate authority using openssl ca, the following command is used to sign the csr and create the certificate: (Please google how to prepare the CA configuration...)
For the average user, it is advantageous to have this whole system in one application (maybe easy-rsa?). I haven't used easy-rsa for years. If you are using another application, you need to seek support from the creators of this application; this is really outside the scope of OpenSC.
ok I tried, just got stuck with the message: Connecting to card in reader Alcor Micro AU9540 00 00...
That card does not have unlimited capacity; let's try and see what you already have written on the card. Example from my card:

```
OpenSC [3F00]> ls
4402 wEF 432   <<< This file is small (here is the list of private keys on the card)
```

I don't know how you formatted the card, but the profile that was used no longer allows you to add additional keys to the card. MyEID supports automatic file extension, but it is not supported in OpenSC; the file length is fixed. It might be better to start from the beginning, delete the card (pkcs15-init -E) and then initialize normally under OpenSC (pkcs15-init -C). Then you can try to generate EC keys as I have already described.
If you repeat the mentioned procedure, at the end you will receive a public key in a format suitable for writing to
Thanks for the help, got ssh to work.
To create a self-signed certificate, you can use the procedure I have already described - generated CSR. But the last point (openssl signing) will change as follows:
Of course, change the key number (Id) - you can get it from But this is not a very good way (self-signed certificate); if you really want to use PKI, just generate a CSR. Next, according to the instructions (for example from here: https://pki-tutorial.readthedocs.io/en/latest/ try the "simple PKI" procedure, skip point 3.4, use the csr generated from the card), prepare a CA and then sign this CSR in this CA (here, the card will not apply at all). Next, import the certificate to the card. Use google to find out how to configure your web server to accept your CA and require client authentication.
now I got a strange behavior: I can see the X509 cert but it crashes on use

```
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] sc.c:351:sc_detect_card_presence: returning with: 1
Using reader with a card: Alcor Micro AU9540 00 00
PIN [Security Officer PIN]
PIN []
Private EC Key [LLLL]
Public EC Key [LLLL]
X.509 Certificate [Certificate]
X.509 Certificate [Certificate]
```
Key (public/private) Id = 15, but there is no corresponding certificate with ID 15. When importing the certificate, use Alternatively, when generating the key, you can omit `--id`, then the ID will be calculated automatically and you do not have to specify it even when importing the certificate.
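As an added example (my own code, not from the issue or from OpenSC): a checker for a pkcs15-tool -D style object dump that flags the two conditions diagnosed in this thread, a private key whose usage lacks sign (an ECDSA C_SignInit on it then fails with CKR_KEY_TYPE_INCONSISTENT, 0x63, which is the 99 that ssh printed) and a private key with no certificate of the same ID. The dump text is constructed in pkcs15-tool's layout, and parse_dump and find_problems are assumed names.

```python
"""Flag the two card-object problems diagnosed in this thread from a pkcs15-tool -D dump."""
import re

# Constructed sample in the layout pkcs15-tool -D prints (not a dump from the issue).
SAMPLE_DUMP = """\
Private EC Key [ECDH Keyexchange key [kx00]]
    Usage          : [0x08], derive
    ID             : 45

Private EC Key [LLLL]
    Usage          : [0x0C], sign, derive
    ID             : 15

X.509 Certificate [Encryption certificate for key (69) [kxc00]]
    ID             : 45

X.509 Certificate [Certificate]
    ID             : 16
"""

HEADER = re.compile(r"^(Private \w+ Key|Public \w+ Key|X\.509 Certificate) \[(.*)\]$")
FIELD = re.compile(r"^\s+(\S.*?)\s*:\s*(.*)$")


def parse_dump(text: str) -> list[dict[str, str]]:
    """One dict per object: its type, label and the indented 'Name : value' fields."""
    objects: list[dict[str, str]] = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            objects.append({"type": head.group(1), "label": head.group(2)})
        elif objects and (field := FIELD.match(line)):
            objects[-1][field.group(1)] = field.group(2)
    return objects


def find_problems(text: str) -> list[str]:
    """Private keys that cannot sign, and private keys with no certificate of the same ID."""
    objs = parse_dump(text)
    cert_ids = {o.get("ID") for o in objs if o["type"] == "X.509 Certificate"}
    problems = []
    for o in objs:
        if not o["type"].startswith("Private"):
            continue
        # "Usage : [0x0C], sign, derive" -> {"sign", "derive"}; the hex word is dropped
        usage = {u.strip() for u in o.get("Usage", "").split(",")[1:]}
        if "sign" not in usage:  # C_SignInit on this key -> CKR_KEY_TYPE_INCONSISTENT
            problems.append(f"key {o.get('ID')} ({o['label']}): usage {sorted(usage)} lacks sign")
        if o.get("ID") not in cert_ids:
            problems.append(f"key {o.get('ID')} ({o['label']}): no certificate with the same ID")
    return problems
```

Run it on the real output of `pkcs15-tool -D` to see, before trying ssh or a browser, which key objects will be refused for signing and which keys the certificate import never matched.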
Thanks for all the help, got it to work :)
Problem Description
I'm using an Aventra MyEID card.
It works on my Windows system.
I get all the PKI certificates listed in OpenSC and they show up in the application.
But as soon as I use them I get

```
Enter PIN for 'MyEID (Basic PIN)':
C_SignInit failed: 99
pkcs11_get_key failed
sign_and_send_pubkey: signing failed for ECDSA "Encryption certificate for key (69) [kxc00]": error in libcrypto
C_SignInit failed: 99
pkcs11_get_key failed
sign_and_send_pubkey: signing failed for ECDSA "Encryption certificate for key (70) [kxc01]": error in libcrypto
```
Logs
```
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898591888: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x55d0b636aee0
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898595552: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:452:C_FindObjectsInit: 1 matching objects
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:4000:pkcs15_prkey_get_attribute: pkcs15_prkey_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_TYPE_INCONSISTENT
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898591888: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x55d0b636aee0
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898595552: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:452:C_FindObjectsInit: 1 matching objects
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:4000:pkcs15_prkey_get_attribute: pkcs15_prkey_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_TYPE_INCONSISTENT
```