
Problem while reading out certificate in browser or in SSH clent #3001

Closed
sa2blv opened this issue Jan 28, 2024 · 21 comments

Comments

@sa2blv

sa2blv commented Jan 28, 2024

Problem Description

I'm using an Aventra MyEID card.
It works on my Windows system.
I get all the PKI certificates listed in OpenSC and they show up in the application.
But as soon as I use them I get

Enter PIN for 'MyEID (Basic PIN)':
C_SignInit failed: 99
pkcs11_get_key failed
sign_and_send_pubkey: signing failed for ECDSA "Encryption certificate for key (69) [kxc00]": error in libcrypto
C_SignInit failed: 99
pkcs11_get_key failed
sign_and_send_pubkey: signing failed for ECDSA "Encryption certificate for key (70) [kxc01]": error in libcrypto

Logs

P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898591888: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x55d0b636aee0
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898595552: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:452:C_FindObjectsInit: 1 matching objects
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:4000:pkcs15_prkey_get_attribute: pkcs15_prkey_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_TYPE_INCONSISTENT
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898591888: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x55d0b636aee0
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:5328:pkcs15_profile_get_attribute: pkcs15_profile_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/94354898595552: Attribute 0x0 does NOT match.
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:452:C_FindObjectsInit: 1 matching objects
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] framework-pkcs15.c:4000:pkcs15_prkey_get_attribute: pkcs15_prkey_get_attribute() called
P:10820; T:0x140083710812352 11:00:28.536 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_KEY_TYPE_INCONSISTENT

@sa2blv sa2blv changed the title from "Problem while reading out certificat in browser or in SSH clent" to "Problem while reading out certificate in browser or in SSH clent" on Jan 28, 2024
@popovec
Member

popovec commented Jan 28, 2024

Can you provide the output from pkcs15-tool -D? I am interested in how you identified the keys/certificates. Example:

Private EC Key [secp521r1]
        Object Flags   : [0x03], private, modifiable
        Usage          : [0x0C], sign, signRecover
        Access Flags   : [0x01], sensitive
        Algo_refs      : 0
        FieldLength    : 521
        Key ref        : 5 (0x05)
        Native         : yes
        Path           : 3f0050154b05
        Auth ID        : 01
        ID             : c771786daeebf96a2bf99195748088cf4507db66
        MD:guid        : 45f0a4c5-eb8f-2179-d0e9-fcbb736dbc3d

Public EC Key [secp521r1]
        Object Flags   : [0x02], modifiable
        Usage          : [0xC0], verify, verifyRecover
        Access Flags   : [0x00]
        FieldLength    : 521
        Key ref        : 0 (0x00)
        Native         : no
        Path           : 3f0050155505
        ID             : c771786daeebf96a2bf99195748088cf4507db66

X.509 Certificate [secp521r1]
        Object Flags   : [0x02], modifiable
        Authority      : no
        Path           : 3f0050154304
        ID             : c771786daeebf96a2bf99195748088cf4507db66
        Encoded serial : 02 14 43C427A0076CB76F4525F93EB599443449E70E6B

@sa2blv
Author

sa2blv commented Jan 28, 2024

Using reader with a card: Alcor Micro AU9540 00 00
Connecting to card in reader Alcor Micro AU9540 00 00...
Using card driver MyEID cards with PKCS#15 applet.
PKCS#15 Card [MyEID]:
Version : 0
Serial number : 189990003056009837090717
Manufacturer ID: Aventra Oy
Flags : EID compliant

PIN [Basic PIN]
Object Flags : [0x03], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1 (0x01)
Type : ascii-numeric
Path : 3f00
Tries left : 10

PIN [Signature PIN]
Object Flags : [0x03], private, modifiable
ID : 02
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 2 (0x02)
Type : ascii-numeric
Path : 3f00
Tries left : 10

PIN [SO-PIN]
Object Flags : [0x03], private, modifiable
ID : 03
Flags : [0xB2], local, initialized, needs-padding, soPin
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 3 (0x03)
Type : ascii-numeric
Path : 3f00
Tries left : 5

Private EC Key [ECDH Keyexchange key [kx00]]
Object Flags : [0x03], private, modifiable
Usage : [0x100], derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 384
Key ref : 1 (0x01)
Native : yes
Path : 3f0050154b01
Auth ID : 01
ID : 45
MD:guid : 639c8d1c-6557-a74d-73fd-8eba2e4c123c

Private EC Key [ECDH Keyexchange key [kx01]]
Object Flags : [0x03], private, modifiable
Usage : [0x100], derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 384
Key ref : 1 (0x01)
Native : yes
Path : 3f0050154b02
Auth ID : 01
ID : 46
MD:guid : 6079a60a-6a8c-dd96-4e4c-5c3f221874c1

X.509 Certificate [Encryption certificate for key (69) [kxc00]]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154331
ID : 45
Encoded serial : 02 11 00E3E449D357FFE1FAF91F6318CD32A292

X.509 Certificate [Encryption certificate for key (70) [kxc01]]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154332
ID : 46
Encoded serial : 02 11 00D1406A851AD82C537398D665871C847D

@dengert
Member

dengert commented Jan 28, 2024

@popovec
Member

popovec commented Jan 28, 2024

You are trying to perform an ECDSA operation (signature) with a key that only has the "derive" operation (ECDH) enabled.

Usage : [0x100], derive
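The mismatch popovec points to can be spotted before any application fails: the following script (an added example, not OpenSC code) parses `pkcs15-tool -D` output and, for each X.509 certificate, looks up the private key with the same ID and reports whether it carries the "sign" usage. It goes beyond this thread's case by also flagging certificates with no private key at all, which is what a `C_FindObjectsInit` for `CKO_PRIVATE_KEY` returning "0 matching objects" looks like in the PKCS#11 log. The sample dump is constructed from the objects shown in this issue plus one made-up orphan certificate.

```python
"""Cross-check certificates against private-key usage in `pkcs15-tool -D` output.

A key whose Usage is only "derive" (ECDH) cannot sign, so OpenSC's C_SignInit
returns CKR_KEY_TYPE_INCONSISTENT when SSH or a TLS client tries to use it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Object header, e.g. "Private EC Key [ECDH Keyexchange key [kx00]]";
# the greedy (.*) keeps nested brackets inside the label.
HEADER_RE = re.compile(
    r"^(Private EC Key|Public EC Key|Private RSA Key|Public RSA Key|"
    r"X\.509 Certificate|PIN)\s+\[(.*)\]\s*$"
)
# Attribute line: key, optional padding, colon, value. The lazy key plus the
# required whitespace after the colon keeps "MD:guid : ..." as one key and
# "Length : min_len:4, ..." as one value.
ATTR_RE = re.compile(r"^\s*(.+?)\s*:\s+(.*)$")


@dataclass
class P15Object:
    kind: str                       # "Private EC Key", "X.509 Certificate", ...
    label: str
    attrs: dict[str, str] = field(default_factory=dict)


def parse_pkcs15_dump(text: str) -> list[P15Object]:
    """Parse the text dump into objects; a blank line ends the current object."""
    objects: list[P15Object] = []
    current: P15Object | None = None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        m = HEADER_RE.match(line.strip())
        if m:
            current = P15Object(kind=m.group(1), label=m.group(2))
            objects.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1)] = m.group(2).strip()
    return objects


def usage_flags(obj: P15Object) -> set[str]:
    """'[0x0C], sign, signRecover' -> {'sign', 'signRecover'}."""
    _, _, rest = obj.attrs.get("Usage", "").partition("]")
    return {f.strip() for f in rest.split(",") if f.strip()}


def check_certificates(objects: list[P15Object]) -> list[tuple[str, str | None, str]]:
    """Return (certificate label, key ID, status) for every certificate."""
    prkeys = {o.attrs.get("ID"): o for o in objects if o.kind.startswith("Private")}
    findings = []
    for cert in (o for o in objects if o.kind == "X.509 Certificate"):
        key_id = cert.attrs.get("ID")
        key = prkeys.get(key_id)
        if key is None:
            status = "NO_PRIVATE_KEY"   # PKCS#11 lookup by CKA_ID finds nothing
        else:
            usage = usage_flags(key)
            if "sign" in usage:
                status = "OK_SIGN"
            elif "derive" in usage:
                status = "DERIVE_ONLY"  # ECDH-only key: C_SignInit will fail
            else:
                status = "NO_SIGN_USAGE"
        findings.append((cert.label, key_id, status))
    return findings


# Constructed sample: objects taken from this issue, plus one orphan certificate.
SAMPLE_DUMP = """\
PKCS#15 Card [MyEID]:
Manufacturer ID: Aventra Oy

PIN [Basic PIN]
Object Flags : [0x03], private, modifiable
ID : 01

Private EC Key [ECDH Keyexchange key [kx00]]
Usage : [0x100], derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ID : 45
MD:guid : 639c8d1c-6557-a74d-73fd-8eba2e4c123c

Private EC Key [LLLL]
        Usage          : [0x0C], sign, signRecover
        ID             : 15

X.509 Certificate [Encryption certificate for key (69) [kxc00]]
Path : 3f0050154331
ID : 45

X.509 Certificate [LLLL]
ID : 15

X.509 Certificate [orphan (constructed)]
ID : 44
"""

if __name__ == "__main__":
    for label, key_id, status in check_certificates(parse_pkcs15_dump(SAMPLE_DUMP)):
        print(f"{status:15} id={key_id} {label}")
```

Pipe real output in with `pkcs15-tool -D | python3 check.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`.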

@sa2blv
Author

sa2blv commented Jan 28, 2024

Can I disable the ECDSA operation?

@popovec
Member

popovec commented Jan 28, 2024

We do not know who is requesting an ECDSA operation, it is a matter of your application which requests the operation from the card. SSH, for example, only uses ECDSA. Rather, I suspect that the ECDSA operation was also performed on Windows, where you say that the card worked without problems. I assume that the pkcs11 module on Windows does not check key attributes reliably enough.

If the specified key is really to be used for ECDSA operation, it can be added to the description of the key on the card.
But I'm also interested in how this key was created (it has a flag only for "derive", and the "label" indicates that it was only for ECDH operation). This key probably shouldn't have been used for SSH or client verification (browser).

@sa2blv
Author

sa2blv commented Jan 28, 2024 via email

@popovec
Member

popovec commented Jan 28, 2024

There is no detail on the mentioned page that would indicate whether you generated the keys on the card or imported the keys to the card. There is no indication of the use of the pkcs11 interface anywhere.

@sa2blv
Author

sa2blv commented Jan 28, 2024 via email

@sa2blv
Author

sa2blv commented Jan 28, 2024

openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem
openssl req -new -sha256 -key my.key.pem -out my.csr

openssl pkcs12 -export -out peter1.p12 -inkey my.key.pem -in BLV-pki.crt -certfile my.csr

openssl pkcs12 -export -out peter.pfx -inkey my.key.pem -in BLV-pki.crt
mv /opt/easy-rsa/pki/issued/BLV-pki2.crt ./
openssl pkcs12 -export -out peter.pfx -inkey my.key.pem -in BLV-pki2.crt

@sa2blv
Author

sa2blv commented Jan 28, 2024

PKCS#15 Card [MyEID]:
Version : 0
Serial number : 189990003056009837090717
Manufacturer ID: Aventra Oy
Flags : EID compliant

PIN [Basic PIN]
Object Flags : [0x03], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1 (0x01)
Type : ascii-numeric
Path : 3f00
Tries left : 10

PIN [Signature PIN]
Object Flags : [0x03], private, modifiable
ID : 02
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 2 (0x02)
Type : ascii-numeric
Path : 3f00
Tries left : 10

PIN [SO-PIN]
Object Flags : [0x03], private, modifiable
ID : 03
Flags : [0xB2], local, initialized, needs-padding, soPin
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 3 (0x03)
Type : ascii-numeric
Path : 3f00
Tries left : 5

Private EC Key [ECDH Keyexchange key [kx00]]
Object Flags : [0x03], private, modifiable
Usage : [0x100], derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 384
Key ref : 1 (0x01)
Native : yes
Path : 3f0050154b01
Auth ID : 01
ID : 45
MD:guid : 639c8d1c-6557-a74d-73fd-8eba2e4c123c

Private EC Key [ECDH Keyexchange key [kx01]]
Object Flags : [0x03], private, modifiable
Usage : [0x100], derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 384
Key ref : 1 (0x01)
Native : yes
Path : 3f0050154b02
Auth ID : 01
ID : 46
MD:guid : 6079a60a-6a8c-dd96-4e4c-5c3f221874c1

Private EC Key [ECDH Keyexchange key [kx02]]
Object Flags : [0x03], private, modifiable
Usage : [0x100], derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 521
Key ref : 1 (0x01)
Native : yes
Path : 3f0050154b03
Auth ID : 01
ID : 47
MD:guid : 5681c476-4f6c-6acf-21cb-ab6a9fee5b4d

Private EC Key [ECDH Keyexchange key [kx03]]
Object Flags : [0x03], private, modifiable
Usage : [0x100], derive
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 521
Key ref : 1 (0x01)
Native : yes
Path : 3f0050154b04
Auth ID : 01
ID : 48
MD:guid : faa03adc-fb27-c00b-9cfa-7ebff63b442a

X.509 Certificate [Encryption certificate for key (69) [kxc00]]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154331
ID : 45
Encoded serial : 02 11 00E3E449D357FFE1FAF91F6318CD32A292

X.509 Certificate [Encryption certificate for key (70) [kxc01]]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154332
ID : 46
Encoded serial : 02 11 00D1406A851AD82C537398D665871C847D

X.509 Certificate [Encryption certificate for key (71) [kxc02]]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154333
ID : 47
Encoded serial : 02 11 00E276802235EE513915F4C111009AE5D0

X.509 Certificate [Encryption certificate for key (71) [kxc03]]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154334
ID : 47
Encoded serial : 02 11 00E276802235EE513915F4C111009AE5D0

@popovec
Member

popovec commented Jan 28, 2024

According to what you state, the keys were not generated on the card but were generated via openssl.

openssl ecparam -name secp521r1 -genkey -noout -out my.key.pem
openssl req -new -sha256 -key my.key.pem -out my.csr

openssl pkcs12 -export -out peter1.p12 -inkey my.key.pem -in BLV-pki.crt -certfile my.csr

openssl pkcs12 -export -out peter.pfx -inkey my.key.pem -in BLV-pki.crt
mv /opt/easy-rsa/pki/issued/BLV-pki2.crt ./
openssl pkcs12 -export -out peter.pfx -inkey my.key.pem -in BLV-pki2.crt

It is still not clear what command you used to write the pkcs12 key to the card.

At the same time, this procedure is absolutely insecure. The correct procedure generates the keys on the card, for example, as follows:

pkcs15-init --generate-key ec:secp384r1 --label LLLL --auth-id=1 --pin XXXX --so-pin YYYY --id 15 --key-usage digitalSignature

To check what flags the generated key has: pkcs15-tool -D

Private EC Key [LLLL]
        Object Flags   : [0x03], private, modifiable
        Usage          : [0x0C], sign, signRecover
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Algo_refs      : 0
        FieldLength    : 384
        Key ref        : 10 (0x0A)
        Native         : yes
        Path           : 3f0050154b0a
        Auth ID        : 01
        ID             : 15
        MD:guid        : 7a3be6c3-ceb5-a080-1703-610a876699b5

Next, a CSR is generated using this key.

  1. prepare openssl.conf.file (for example in /tmp/openssl.conf)
openssl_conf            = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]

(modify the path to the pkcs11 module according to your system)

  2. generate CSR:
openssl req -config /tmp/openssl.conf -new -engine pkcs11 -key slot_0-id_15 -keyform engine -out request.csr -text -multivalue-rdn -subj "/O=EX/ST=Example/L=Example/O=example/CN=Joe Random/[email protected]/"

Consult the subj format in the documentation for openssl ca.

The slot_0-id_15 comes from the id of the key (id 15 was entered in the key generation command); find out the slot number, for example, using pkcs11-tool -L.

The CSR (from file request.csr) is signed by the CA and returned, for example, in file certificate.crt; this is then imported to the card:

pkcs15-init --store-certificate certificate.crt

If you generate a certificate authority using openssl ca, the following command is used to sign the csr and create the certificate: (Please google how to prepare the CA configuration...)

     openssl ca -config ca_openssl.conf   -notext -md sha256  -in request.csr  -out certificate.crt

For the average user, it is advantageous to have this whole system in one application (maybe easy-rsa?). I haven't used easy-rsa for years. If you are using another application, you need to seek support from the creators of this application; this is really outside the scope of OpenSC.

@sa2blv
Author

sa2blv commented Jan 28, 2024

OK, I tried, but just got stuck with this message:
Failed to generate key: File too small

Connecting to card in reader Alcor Micro AU9540 00 00...
Using card driver MyEID cards with PKCS#15 applet.
Failed to generate key: File too small

@popovec
Member

popovec commented Jan 29, 2024

That card does not have unlimited capacity; let's try and see what you already have written on the card. Example from my card:

$ opensc-explorer 
OpenSC Explorer version 0.24.0
Using reader with a card: Gemalto PC Twin Reader (E73C2C84) 00 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> ls
FileID  Type  Size
 4402    wEF  1530
 5031    wEF   255
 4404    wEF  1530
 4407    wEF  1530
 4403    wEF  1530
 4405    wEF   510
 4406    wEF  1530
 4401    wEF   255
 5032    wEF   180
 4946    wEF   128
 4B01    iEF  2048
 5501    wEF   140
 4301    wEF   953
 4B02   0x22   256
 5502    wEF    91
 4302    wEF   900
OpenSC [3F00/5015]> 

@sa2blv
Author

sa2blv commented Jan 29, 2024

OpenSC [3F00]> ls
FileID Type Size
[5015] DF 32767 Name: \xA0\x00\x00\x00cPKCS-15
2F00 wEF 31
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> ls
FileID Type Size
5032 wEF 42
5031 wEF 84
4401 wEF 160
4402 wEF 432
4409 wEF 1
4403 wEF 396
4404 wEF 1
4405 wEF 1
4406 wEF 45
5033 wEF 1
433E wEF 1
433F wEF 1
DF00 wEF 10
ACCF wEF 8
4B01 0x22 384
ACC0 wEF 860
4331 wEF 540
4B02 0x22 384
4332 wEF 543
4B03 0x22 521
4333 wEF 705
4B04 0x22 521
4334 wEF 705
4B05 0x22 384
4B06 0x22 384
4B07 0x22 384
4B08 0x22 384
4B09 0x22 384
4B0A iEF 2048
4B0B iEF 2048
OpenSC [3F00/5015]>

@popovec
Member

popovec commented Jan 29, 2024

4402 wEF 432 <<< This file is small (here is list of private keys on card)
4403 wEF 396 <<< This file is small (here is list of public keys on card)

I don't know how you formatted the card, but the profile that was used no longer allows you to add additional keys to the card. MyEID supports automatic file extension, but it is not supported in OpenSC, the file length is fixed.

It might be better to start from the beginning, delete the card (pkcs15-init -E) and then initialize normally under OpenSC (pkcs15-init -C). Then you can try to generate EC keys as I have already described.
Example:

$ pkcs15-init -E
Using reader with a card: Gemalto PC Twin Reader (E73C2C85) 00 00
PIN [Security Officer PIN] required.
Please enter PIN [Security Officer PIN]: 
$ pkcs15-init -C
Using reader with a card: Gemalto PC Twin Reader (E73C2C85) 00 00
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 
$ pkcs15-init --store-pin --id 01 
Using reader with a card: Gemalto PC Twin Reader (E73C2C85) 00 00
New User PIN.
Please enter User PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 
$ pkcs15-init -F
Using reader with a card: Gemalto PC Twin Reader (E73C2C85) 00 00
$ pkcs15-init --generate-key ec:secp384r1 --label LLLL  --auth-id=1  --id 15 --key-usage digitalSignature
Using reader with a card: Gemalto PC Twin Reader (E73C2C85) 00 00
User PIN required.
Please enter User PIN: 
Security officer PIN [Security Officer PIN] required.
Please enter Security officer PIN [Security Officer PIN]: 
$ pkcs15-tool --read-ssh-key 15
Using reader with a card: Gemalto PC Twin Reader (E73C2C85) 00 00
ecdsa-sha2-nistp384 AAAAE2VjZHNh/// snipped ///  QAAAAIbmlzdHAzODw== LLLL

If you repeat the mentioned procedure, at the end you will receive a public key in a format suitable for writing to .ssh/authorized_keys. Save this on the remote system and then you can log in there via ssh -I _path to pkcs11 module_ [email protected] ..


@sa2blv
Author

sa2blv commented Jan 29, 2024

Thanks for the help, got SSH to work.
Do you know how to generate a certificate that I can use for user validation on a website?

@popovec
Member

popovec commented Jan 30, 2024

To create a self-signed certificate, you can use the procedure I have already described (generate a CSR), but the last point (openssl signing) changes as follows:

openssl req -config /tmp/openssl.conf -new -x509 -engine pkcs11 -key slot_0-id_15 -keyform engine  -out certificate.crt -text  -multivalue-rdn -subj "/O=EX/ST=Example/L=Example/O=example/CN=Joe Random/[email protected]/"

Of course, change the key number (Id), which you can get from pkcs15-tool -D, and set your appropriate "subj".

But this is not a very good way (self-signed certificate); if you really want to use PKI, just generate a CSR. Next, according to the instructions (for example from here: https://pki-tutorial.readthedocs.io/en/latest/ ; try the "simple PKI" procedure, skip point 3.4 and use the CSR generated from the card), prepare a CA and then sign this CSR in this CA (here, the card will not apply at all). Next, import the certificate to the card. Use Google to find out how to configure your web server to accept your CA and require client authentication.

@sa2blv
Author

sa2blv commented Jan 30, 2024

Now I get a strange behavior: I can see the X509 cert, but it crashes on use.

P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] sc.c:351:sc_detect_card_presence: returning with: 1
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] slot.c:376:card_detect: Alcor Micro AU9540 00 00: Detection ended
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] slot.c:432:card_detect_all: All cards detected
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] pkcs11-global.c:558:C_GetSlotList: VSS C_GetSlotList after card_detect_all
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] VSS size:1
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] VSS [i] id flags LU events nsessions slot_info.flags reader p11card description
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] VSS [0] 0x00 0x0001 1 1 1 0007 0x7f0c76a30870 0x7f0c65af07e0 Alcor Micro AU9540 00 00
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] VSS END
P:67089; T:0x139692009834176 20:52:02.715 [opensc-pkcs11] pkcs11-global.c:561:C_GetSlotList: was only a size inquiry (1)
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238494016: CKA_ID =
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238494016: CKA_CLASS =
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:294:C_GetAttributeValue: C_GetAttributeValue(hSession=0x7f0c69ac8430, hObject=0x7f0c66a60f40) = CKR_OK
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238494016: CKA_ID = 355C54B9787BA27B96422B096D62A199E6CB4621
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238494016: CKA_CLASS = CKO_CERTIFICATE
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:294:C_GetAttributeValue: C_GetAttributeValue(hSession=0x7f0c69ac8430, hObject=0x7f0c66a60f40) = CKR_OK
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:377:C_FindObjectsInit: C_FindObjectsInit(slot = 0)
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:378:C_FindObjectsInit: C_FindObjectsInit(): CKA_ID = 355C54B9787BA27B96422B096D62A199E6CB4621
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:378:C_FindObjectsInit: C_FindObjectsInit(): CKA_CLASS = CKO_PRIVATE_KEY
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] misc.c:267:session_start_operation: called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] misc.c:268:session_start_operation: Session 0x7f0c69ac8430, type 0
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c596e9e20
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4000:pkcs15_prkey_get_attribute: pkcs15_prkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691016756768: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66a60280
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691238490752: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66a60f40
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3896:pkcs15_cert_cmp_attribute: pkcs15_cert_cmp_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:427:C_FindObjectsInit: Object 0/139691238494016: Attribute 0x102 matches.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3896:pkcs15_cert_cmp_attribute: pkcs15_cert_cmp_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691238494016: Attribute 0x0 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66b39940
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:427:C_FindObjectsInit: Object 0/139691239381312: Attribute 0x102 matches.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691239381312: Attribute 0x0 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66a813a0
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3896:pkcs15_cert_cmp_attribute: pkcs15_cert_cmp_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691238626208: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c67698760
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691251304288: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:452:C_FindObjectsInit: 0 matching objects
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238626208: CKA_ID =
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238626208: CKA_CLASS =
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:294:C_GetAttributeValue: C_GetAttributeValue(hSession=0x7f0c69ac8430, hObject=0x7f0c66a813a0) = CKR_OK
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238626208: CKA_ID = 44
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:270:C_GetAttributeValue: Object 139691238626208: CKA_CLASS = CKO_CERTIFICATE
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:294:C_GetAttributeValue: C_GetAttributeValue(hSession=0x7f0c69ac8430, hObject=0x7f0c66a813a0) = CKR_OK
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:377:C_FindObjectsInit: C_FindObjectsInit(slot = 0)
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:378:C_FindObjectsInit: C_FindObjectsInit(): CKA_ID = 44
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:378:C_FindObjectsInit: C_FindObjectsInit(): CKA_CLASS = CKO_PRIVATE_KEY
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] misc.c:267:session_start_operation: called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] misc.c:268:session_start_operation: Session 0x7f0c69ac8430, type 0
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c596e9e20
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4000:pkcs15_prkey_get_attribute: pkcs15_prkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4000:pkcs15_prkey_get_attribute: pkcs15_prkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691016756768: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66a60280
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691238490752: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66a60f40
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3896:pkcs15_cert_cmp_attribute: pkcs15_cert_cmp_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.715 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691238494016: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66b39940
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691239381312: Attribute 0x102 does NOT match.
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c66a813a0
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:3896:pkcs15_cert_cmp_attribute: pkcs15_cert_cmp_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:427:C_FindObjectsInit: Object 0/139691238626208: Attribute 0x102 matches.
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:3896:pkcs15_cert_cmp_attribute: pkcs15_cert_cmp_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:3789:pkcs15_cert_get_attribute: pkcs15_cert_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691238626208: Attribute 0x0 does NOT match.
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:400:C_FindObjectsInit: Object with handle 0x7f0c67698760
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:427:C_FindObjectsInit: Object 0/139691251304288: Attribute 0x102 matches.
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] framework-pkcs15.c:4891:pkcs15_pubkey_get_attribute: pkcs15_pubkey_get_attribute() called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:419:C_FindObjectsInit: Object 0/139691251304288: Attribute 0x0 does NOT match.
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] pkcs11-object.c:452:C_FindObjectsInit: 0 matching objects
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] misc.c:289:session_get_operation: called
P:67089; T:0x139692118619840 20:52:02.716 [opensc-pkcs11] misc.c:289:session_get_operation: called

Using reader with a card: Alcor Micro AU9540 00 00
Connecting to card in reader Alcor Micro AU9540 00 00...
Using card driver MyEID cards with PKCS#15 applet.
PKCS#15 Card [MyEID]:
Version : 0
Serial number : 00003056009839090717
Manufacturer ID: Aventra Ltd.
Last update : 20240129182931Z
Flags : PRN generation, EID compliant
sc_supported_algo_info[0]:
reference : 1 (0x01)
mechanism : [0x1081] CKM_AES_ECB
operations : [0x30], encipher, decipher
algo_id : 2.16.840.1.101.3.4.1.1
algo_ref : [0x00]
sc_supported_algo_info[1]:
reference : 2 (0x02)
mechanism : [0x1082] CKM_AES_CBC
operations : [0x30], encipher, decipher
algo_id : 2.16.840.1.101.3.4.1.2
algo_ref : [0x00]
sc_supported_algo_info[2]:
reference : 3 (0x03)
mechanism : [0x1081] CKM_AES_ECB
operations : [0x30], encipher, decipher
algo_id : 2.16.840.1.101.3.4.1.41
algo_ref : [0x00]
sc_supported_algo_info[3]:
reference : 4 (0x04)
mechanism : [0x1082] CKM_AES_CBC
operations : [0x30], encipher, decipher
algo_id : 2.16.840.1.101.3.4.1.42
algo_ref : [0x00]

PIN [Security Officer PIN]
Object Flags : [0x03], private, modifiable
ID : ff
Flags : [0xB0], initialized, needs-padding, soPin
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 3 (0x03)
Type : ascii-numeric
Tries left : 3

PIN []
Object Flags : [0x03], private, modifiable
ID : 01
Flags : [0x30], initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0xFF
Reference : 1 (0x01)
Type : ascii-numeric
Tries left : 3

Private EC Key [LLLL]
Object Flags : [0x03], private, modifiable
Usage : [0x0C], sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Algo_refs : 0
FieldLength : 384
Key ref : 1 (0x01)
Native : yes
Path : 3f0050154b01
Auth ID : 01
ID : 15
MD:guid : e0f5808e-5920-d386-e6f4-d8fe853f6dff

Public EC Key [LLLL]
Object Flags : [0x02], modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x00]
FieldLength : 384
Key ref : 0 (0x00)
Native : no
Path : 3f0050155501
ID : 15

X.509 Certificate [Certificate]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154301
ID : 355c54b9787ba27b96422b096d62a199e6cb4621
Encoded serial : 02 11 00E1AEB49030A7AC8C85594D7174536C14

X.509 Certificate [Certificate]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0050154302
ID : 44
Encoded serial : 02 10 01859E60CD28ABCC737FF8B0478E2702

@popovec
Member

popovec commented Jan 30, 2024

Key (public/private) ID = 15 .. but there is no corresponding certificate with ID 15 ..

When importing the certificate, use --id 15: pkcs15-init --store-certificate certificate.crt --id 15.

Alternatively, when generating the key, you can omit `--id`, then the ID will be calculated automatically and you do not have to specify it even when importing the certificate.
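
A small consistency check, added here as an illustration and not part of this issue or of OpenSC: it parses pkcs15-tool --dump text and reports certificates whose ID has no private key with the same ID (the situation the log above shows as "0 matching objects" for CKA_ID = 44 and CKO_PRIVATE_KEY), as well as keys that have no certificate. The embedded sample is a condensed copy of the dump posted above; the parsing rules are my assumptions about that output format.

```python
import re

# Constructed sample, condensed from the pkcs15-tool --dump output quoted in this issue.
SAMPLE_DUMP = """\
Private EC Key [LLLL]
Object Flags : [0x03], private, modifiable
Usage : [0x0C], sign, signRecover
Key ref : 1 (0x01)
Auth ID : 01
ID : 15

Public EC Key [LLLL]
Object Flags : [0x02], modifiable
ID : 15

X.509 Certificate [Certificate]
Object Flags : [0x02], modifiable
Path : 3f0050154301
ID : 355c54b9787ba27b96422b096d62a199e6cb4621

X.509 Certificate [Certificate]
Object Flags : [0x02], modifiable
Path : 3f0050154302
ID : 44
"""

# Object headers as printed by pkcs15-tool --dump (assumed format).
HEADER_RE = re.compile(r"^(Private \S+ Key|Public \S+ Key|X\.509 Certificate) \[(.*)\]$")


def parse_objects(dump):
    """Return a list of {'kind', 'label', 'id'} dicts, one per key or certificate object."""
    objects = []
    current = None
    for line in dump.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group(1), "label": m.group(2), "id": None}
            objects.append(current)
            continue
        # Only the bare 'ID :' line is the object ID ('Auth ID :' is the PIN reference).
        if current is not None and line.startswith("ID :"):
            current["id"] = line.split(":", 1)[1].strip()
    return objects


def find_id_mismatches(dump):
    """Return (cert_ids_without_private_key, private_key_ids_without_cert), each sorted.

    A PKCS#11 client that picks a certificate and then searches for a
    CKO_PRIVATE_KEY with the same CKA_ID cannot sign with any ID listed
    in the first set, which is what produced the C_SignInit failure here."""
    objs = parse_objects(dump)
    key_ids = {o["id"] for o in objs if o["kind"].startswith("Private")}
    cert_ids = {o["id"] for o in objs if o["kind"].startswith("X.509")}
    return sorted(cert_ids - key_ids), sorted(key_ids - cert_ids)
```

Run it on the real output of `pkcs15-tool --dump` to see which certificate needs re-importing with the key's `--id`.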

@sa2blv
Author

sa2blv commented Jan 30, 2024

Thanks for all the help, got it to work :)

@sa2blv sa2blv closed this as completed Jan 30, 2024