Issue with recent Belgium Identity Card, openconnect 7.06 and
Sebastien Canart
sebastien.canart at onprvp.fgov.be
Thu Apr 9 01:46:18 PDT 2015
Hello,
Thanks for your fast feedback.
The command $ p11tool --list-mechanisms produces more or less the same
output. Only the serial is different.
Here are the results when signing with pkcs11-tool:
Old:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -M --id 02
Using slot 1 with a present token (0x1)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-PKCS, keySize={1024,1024}, hw, decrypt, sign, verify
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
test message
<some unreadable characters>
New:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -M --id 02
Using slot 1 with a present token (0x1)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
RSA-PKCS, keySize={1024,1024}, hw, decrypt, sign, verify
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
test message
Nothing happens.
When I tried to use an input file, I got the following results:
Old:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -m RSA-PKCS --id 02 --input-file /tmp/test-file
Using slot 1 with a present token (0x1)
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
<some unreadable characters>
New:
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so -s -m RSA-PKCS --id 02 --input-file /tmp/test-file
Using slot 1 with a present token (0x1)
Logging in to "BELPIC (Basic PIN)".
Please enter User PIN:
Using signature algorithm RSA-PKCS
error: PKCS11 function C_SignFinal failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.
So indeed, it seems that my card couldn't sign.
Is there any solution for it?
Regards,
Sebastien
On 04/09/2015 10:20 AM, Nikos Mavrogiannopoulos wrote:
> On Thu, Apr 9, 2015 at 10:05 AM, Sebastien Canart
> <sebastien.canart at onprvp.fgov.be> wrote:
>> Hello,
>> The command that I'm currently using (I need to go through our internal
>> proxy):
>> # openconnect --timestamp --proxy=localhost:3128 -v --dump-http-traffic
>> -c 'pkcs11:model=PKCS%2315;mycert[...];object-type=cert' vpnserver
> [...]
>> From the error I'm getting (Error signing test data with private key:
>> PKCS #11
>> unsupported feature), I'm guessing that the error is coming directly
>> from gnutls.
>
> The error is from the PKCS #11 library (I guess it is opensc) and
> probably the card itself.
> Do you see any difference in "p11tool --list-mechanisms" with the new
> and old card? It may be that the new key is not allowed to sign using
> RSA-PKCS.
>
> You can verify whether signing works with pkcs11-tool (from opensc)
> using something like:
> pkcs11-tool --module /path/to/opensc-pkcs11.so -s -M
> pkcs11-tool --module /path/to/opensc-pkcs11.so -s -m RSA-PKCS --id 02
>
> regards,
> Nikos
>
--
Sebastien Canart <sebastien.canart at onprvp.fgov.be>