read cert from smart card

Mithat Bozkurt mithatbozkurt at gmail.com
Thu Feb 25 03:25:55 PST 2016


mithat at adige:~$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             ACS ACR38U-CCID 00 00

mithat at adige:~$ opensc-tool --atr
Using reader with a card: ACS ACR38U-CCID 00 00
3b:9f:96:81:31:fe:45:80:67:55:45:4b:41:45:12:92:31:80:73:b3:a1:80:6a

mithat at adige:~$ opensc-tool --name
Using reader with a card: ACS ACR38U-CCID 00 00
Unsupported card

2016-02-25 10:45 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Thu, 2016-02-25 at 09:15 +0200, Mithat Bozkurt wrote:
>>
>> I don't understand why I export cert to file. I think device should
>> block this action because this is my e-signature cert.
>
> No, the non-exportable part is the private key. The certificate is
> public, and declares that anyone who can prove that they have that
> private key, is whoever is identified as the subject of the
> certificate.
>
> If you go to secure web sites, you can inspect their *certificates* to
> check who they are. That's kind of the point. What you can't get is
> their matching private key.
>
> And later...
>
> On Thu, 2016-02-25 at 08:41 +0200, Mithat Bozkurt wrote:
>> Do I need to specify 'type=private' to say 'use my private cert for user
>> cert'?
>
> No, OpenConnect needs to use *both* the certificate and the
> corresponding private key. It will append ';type=cert' or
> ';type=private' to the URI you give it, as appropriate. Note that it
> still isn't *exporting* the private key; it's using it in-place.
>
> TBH if OpenSC is supposed to drive this card, I really think you're
> better off pursuing that approach rather than persisting with the
> broken proprietary PKCS#11 token.
>
> Can you try
>  opensc-tool -l
>  opensc-tool --atr
>  opensc-tool --name
>
> as described in the 'Debugging OpenSC' link I gave you?
>
> --
> dwmw2
>
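Added example, not part of the thread or of the OpenConnect source: the reply explains that OpenConnect takes one PKCS#11 URI and appends ';type=cert' or ';type=private' to locate the certificate and the matching key on the token. The functions below do that URI handling in Python, following RFC 7512 syntax (path attributes separated by ';', percent-encoded values, an optional '?' query for pin-source and the like). Nothing here exports key material: the derived URIs only identify objects, and the private key stays on the token for the PKCS#11 module to use in place. The sample URIs are constructed for the example.

```python
# Added example (not OpenConnect code): derive the certificate and private-key
# object URIs from one user-supplied PKCS#11 URI (RFC 7512) instead of
# exporting anything from the token.
from urllib.parse import unquote, unquote_to_bytes

SCHEME = "pkcs11:"
OBJECT_TYPES = ("public", "private", "cert", "secret-key", "data")  # RFC 7512 'type' values


def split_pkcs11_uri(uri):
    """Split a PKCS#11 URI into ([(key, raw_value), ...], raw_query).

    Values are left percent-encoded so the URI can be rebuilt byte-for-byte.
    """
    if not uri.startswith(SCHEME):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, query = uri[len(SCHEME):].partition("?")
    attrs = []
    for item in path.split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % item)
        attrs.append((key, value))
    return attrs, query


def with_type(uri, obj_type):
    """Return the URI with any existing 'type' attribute replaced by obj_type.

    A user may already have written ';type=private'; the certificate lookup
    still needs ';type=cert', so the attribute is replaced, not just appended.
    """
    if obj_type not in OBJECT_TYPES:
        raise ValueError("unknown PKCS#11 object type: %r" % obj_type)
    attrs, query = split_pkcs11_uri(uri)
    attrs = [(k, v) for k, v in attrs if k != "type"] + [("type", obj_type)]
    rebuilt = SCHEME + ";".join("%s=%s" % kv for kv in attrs)
    return rebuilt + ("?" + query if query else "")


def cert_and_key_uris(uri):
    """The pair of object URIs a client needs: certificate and private key."""
    return with_type(uri, "cert"), with_type(uri, "private")


def parse_pkcs11_uri(uri):
    """Decode path attributes for matching against token objects.

    'id' (CKA_ID) is binary, so it is decoded to bytes; other values to str.
    """
    attrs, _query = split_pkcs11_uri(uri)
    decoded = {}
    for key, value in attrs:
        decoded[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return decoded


if __name__ == "__main__":
    # Constructed sample URI, not a real token.
    sample = "pkcs11:token=My%20Token;id=%01;object=signing"
    cert_uri, key_uri = cert_and_key_uris(sample)
    print("certificate object:", cert_uri)
    print("private key object:", key_uri)
    print("decoded attributes:", parse_pkcs11_uri(sample))
```

The query part (for example a pin-source) is carried over unchanged to both derived URIs; if you log the URIs while debugging, strip the query first so a pin-value never ends up in the log.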
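Added example, not from the thread or from OpenSC: when `opensc-tool --name` answers "Unsupported card", the ATR printed by `opensc-tool --atr` is what you have left to work with. The parser below decodes an ISO 7816-3 ATR (TS, T0, the TA/TB/TC/TD interface-byte groups, historical bytes) and verifies the TCK checksum, so a card OpenSC simply has no driver for can be told apart from a reader or cable that is corrupting the ATR. The FI/DI tables are the standard ones for TA1; the input is the ATR exactly as printed earlier in this message.

```python
# Added example (not OpenSC code): decode an ISO 7816-3 ATR string as
# printed by `opensc-tool --atr` and check its TCK checksum.

# Clock-rate conversion (Fi) and baud-rate adjustment (Di) tables for TA1;
# None marks values reserved for future use.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]


def parse_atr(atr_hex):
    """Return a dict describing the ATR; raise ValueError if it is malformed."""
    data = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse convention)")
    result = {"convention": "direct" if data[0] == 0x3B else "inverse",
              "interface": [], "protocols": set()}
    t0 = data[1]
    hist_len = t0 & 0x0F           # low nibble K: number of historical bytes
    y, i, group = t0 >> 4, 2, 1    # high nibble: which of TA1..TD1 follow
    while True:
        present = {}
        for name, bit in (("TA", 0x1), ("TB", 0x2), ("TC", 0x4), ("TD", 0x8)):
            if y & bit:
                if i >= len(data):
                    raise ValueError("ATR truncated inside interface bytes")
                present["%s%d" % (name, group)] = data[i]
                i += 1
        result["interface"].append(present)
        td = present.get("TD%d" % group)
        if td is None:
            break                  # no TDi: this was the last group
        result["protocols"].add(td & 0x0F)   # low nibble: protocol T=x
        y, group = td >> 4, group + 1        # high nibble: next group's bytes
    ta1 = result["interface"][0].get("TA1")
    if ta1 is not None:
        result["Fi"], result["Di"] = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    if i + hist_len > len(data):
        raise ValueError("ATR truncated inside historical bytes")
    result["historical"] = data[i:i + hist_len]
    i += hist_len
    # TCK is present unless T=0 is the only protocol offered (no TD1 means T=0).
    if any(p != 0 for p in result["protocols"]):
        if i >= len(data):
            raise ValueError("TCK expected but missing")
        i += 1
        xor = 0
        for b in data[1:i]:        # T0 through TCK inclusive must XOR to zero
            xor ^= b
        result["tck_ok"] = (xor == 0)
    else:
        result["tck_ok"] = None    # not applicable
    if i != len(data):
        raise ValueError("%d trailing byte(s) after the ATR" % (len(data) - i))
    return result


if __name__ == "__main__":
    # The ATR from the opensc-tool output earlier in this message.
    atr = "3b:9f:96:81:31:fe:45:80:67:55:45:4b:41:45:12:92:31:80:73:b3:a1:80:6a"
    info = parse_atr(atr)
    print("convention:", info["convention"])
    print("protocols:", sorted("T=%d" % p for p in info["protocols"]))
    print("Fi/Di:", info.get("Fi"), info.get("Di"))
    print("historical bytes:", info["historical"].hex())
    print("TCK ok:", info["tck_ok"])
```

For this card the checksum verifies and the card offers T=1 only, so the ATR is intact and the "Unsupported card" answer is a missing OpenSC driver match, not a transport problem; the historical bytes are what you would compare against OpenSC's known-ATR list.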



More information about the openconnect-devel mailing list