<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
	<title type="html"><![CDATA[Rutoken Forum &mdash; linux, firefox, rutoken ECP]]></title>
	<link rel="self" href="https://forum.rutoken.ru/feed/atom/topic/1776/" />
	<updated>2012-08-11T02:42:51Z</updated>
	<generator>PunBB</generator>
	<id>https://forum.rutoken.ru/topic/1776/</id>
		<entry>
			<title type="html"><![CDATA[Re: linux, firefox, rutoken ECP]]></title>
			<link rel="alternate" href="https://forum.rutoken.ru/post/5235/#p5235" />
			<content type="html"><![CDATA[<p>found the answer:<br /><a href="http://www.opensc-project.org/pipermail/opensc-devel/2011-May/016673.html">http://www.opensc-project.org/pipermail … 16673.html</a></p><p>ran &quot;pkcs15-init --auth-id 02 --finalize&quot; and everything started working.</p>]]></content>
			<author>
				<name><![CDATA[edo1]]></name>
				<uri>https://forum.rutoken.ru/user/8630/</uri>
			</author>
			<updated>2012-08-11T02:42:51Z</updated>
			<id>https://forum.rutoken.ru/post/5235/#p5235</id>
		</entry>
		<entry>
			<title type="html"><![CDATA[Re: linux, firefox, rutoken ECP]]></title>
			<link rel="alternate" href="https://forum.rutoken.ru/post/5234/#p5234" />
			<content type="html"><![CDATA[<p>first I tried the distribution's opensc (0.12.2), then a self-built one - pkcs15-crypt still didn't work.</p><p>here is the &quot;tail&quot; of the output with &quot;-vvvvvv&quot;:<br /></p><div class="codebox"><pre><code>0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: 0 (Success)
PIN code correct.
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:190:sc_pkcs15_compute_signature: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:191:sc_pkcs15_compute_signature: security operation flags 0x0
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:273:sc_pkcs15_compute_signature: supported algorithm flags 0x80000011, private key usage 0x2E
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:273:sc_get_encoding_flags: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:277:sc_get_encoding_flags: iFlags 0x0, card capabilities 0x80000011
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:306:sc_get_encoding_flags: pad flags 0x0, secure algorithm flags 0x1
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:307:sc_get_encoding_flags: returning with: 0 (Success)
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:324:sc_pkcs15_compute_signature: DEE flags:0x00000000 alg_info-&gt;flags:0x80000011 pad:0x00000000 sec:0x00000001
0xf73256c0 03:24:35.178 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:42:select_key_file: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] card.c:571:sc_select_file: called; type=2, path=3f001000100060020003
0xf73256c0 03:24:35.178 [pkcs15-crypt] apdu.c:525:sc_transmit_apdu: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] reader-pcsc.c:243:pcsc_transmit: reader &#039;Aktiv Rutoken ECP 00 00&#039;
0xf73256c0 03:24:35.178 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [   13 bytes] =====================================
00 A4 08 00 08 10 00 10 00 60 02 00 03 .........`...
======================================================================
0xf73256c0 03:24:35.178 [pkcs15-crypt] reader-pcsc.c:176:pcsc_internal_transmit: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] iso7816.c:480:iso7816_select_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] card-rtecp.c:268:rtecp_select_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:597:sc_select_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] pkcs15-sec.c:68:select_key_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] sec.c:66:sc_set_security_env: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:525:sc_transmit_apdu: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:243:pcsc_transmit: reader &#039;Aktiv Rutoken ECP 00 00&#039;
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [   12 bytes] =====================================
00 22 41 B6 07 81 02 00 03 84 01 03 .&quot;A.........
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:176:pcsc_internal_transmit: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] sec.c:70:sc_set_security_env: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] sec.c:52:sc_compute_signature: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:525:sc_transmit_apdu: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:243:pcsc_transmit: reader &#039;Aktiv Rutoken ECP 00 00&#039;
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [  134 bytes] =====================================
00 2A 9E 9A 80 00 00 00 00 00 00 00 00 00 00 00 .*..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00                               ......
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:176:pcsc_internal_transmit: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
69 89 i.
======================================================================
0xf73256c0 03:24:35.181 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] iso7816.c:106:iso7816_check_sw: Unknown SWs; SW1=69, SW2=89
0xf73256c0 03:24:35.181 [pkcs15-crypt] card-rtecp.c:400:rtecp_cipher: returning with: -1200 (Card command failed)
0xf73256c0 03:24:35.181 [pkcs15-crypt] card-rtecp.c:423:rtecp_compute_signature: returning with: -1200 (Card command failed)
0xf73256c0 03:24:35.181 [pkcs15-crypt] sec.c:56:sc_compute_signature: returning with: -1200 (Card command failed)
0xf73256c0 03:24:35.181 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] pkcs15-sec.c:380:sc_pkcs15_compute_signature: sc_compute_signature() failed: -1200 (Card command failed)
Compute signature failed: Card command failed
0xf73256c0 03:24:35.181 [pkcs15-crypt] pkcs15.c:969:sc_pkcs15_unbind: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] pkcs15-pin.c:596:sc_pkcs15_pincache_clear: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] reader-pcsc.c:548:pcsc_unlock: called
0xf73256c0 03:24:35.187 [pkcs15-crypt] card.c:242:sc_disconnect_card: called
0xf73256c0 03:24:35.187 [pkcs15-crypt] reader-pcsc.c:498:pcsc_disconnect: called
0xf73256c0 03:24:35.188 [pkcs15-crypt] card.c:258:sc_disconnect_card: returning with: 0 (Success)
0xf73256c0 03:24:35.188 [pkcs15-crypt] ctx.c:737:sc_release_context: called
0xf73256c0 03:24:35.188 [pkcs15-crypt] reader-pcsc.c:736:pcsc_finish: called</code></pre></div>]]></content>
			<author>
				<name><![CDATA[edo1]]></name>
				<uri>https://forum.rutoken.ru/user/8630/</uri>
			</author>
			<updated>2012-08-11T00:26:05Z</updated>
			<id>https://forum.rutoken.ru/post/5234/#p5234</id>
		</entry>
		<entry>
			<title type="html"><![CDATA[linux, firefox, rutoken ECP]]></title>
			<link rel="alternate" href="https://forum.rutoken.ru/post/5232/#p5232" />
			<content type="html"><![CDATA[<p>I'm trying to write a certificate with a private key to the rutoken.</p><p>debian</p><p>installed pcscd, libccid, opensc</p><p>what I did:<br /></p><div class="codebox"><pre><code>pkcs15-init --erase-card
pkcs15-init --create-pkcs15 --so-pin &quot;00000001&quot; --so-puk &quot;&quot; --pin &quot;00000002&quot;
pkcs15-init --store-pin --label &quot;User PIN&quot; --auth-id 02 --pin &quot;00000003&quot;  --so-pin &quot;00000001&quot; --puk &quot;&quot;
pkcs15-init --store-private-key file.pfx --format pkcs12 --auth-id 02  --pin &quot;00000003&quot;</code></pre></div><p>in the firefox settings (iceweasel, to be precise, but that shouldn't matter) I added a security device (/usr/lib/i386-linux-gnu/opensc-pkcs11.so).</p><p>everything looks fine - firefox sees the token, asks for the PIN, sees the certificates on the token, offers the right certificate when opening the site...<br />but it doesn't open the site and says:<br /></p><div class="quotebox"><blockquote><p>Secure Connection Failed<br />&nbsp; &nbsp; &nbsp; &nbsp; <br />&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; An error occurred during a connection to xxxxxxxx.</p><p>A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.</p><p>(Error code: sec_error_pkcs11_general_error)</p><p>&nbsp; The page you are trying to view can not be shown because the authenticity of the received data could not be verified.<br />&nbsp; Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.</p></blockquote></div><p>the certificate is correct (if the same one is imported into the software security device, everything works).</p><br /><p>if I understand correctly, pkcs15-tool -D says everything is fine, the key and certificate are in place:<br /></p><div class="codebox"><pre><code>Using reader with a card: Aktiv Rutoken ECP 00 00
PKCS#15 Card [Rutoken ECP]:
        Version        : 0
        Serial number  : 000000002B0F7860
        Manufacturer ID: Aktiv Co.
        Last update    : 20120810220039Z
        Flags          : EID compliant

PIN [Security Officer PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x99], case-sensitive, unblock-disabled, initialized, soPin
        Length         : min_len:8, max_len:32, stored_len:32
        Pad char       : 0x00
        Reference      : 1
        Type           : ascii-numeric

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 02
        Flags          : [0x19], case-sensitive, unblock-disabled, initialized
        Length         : min_len:4, max_len:32, stored_len:32
        Pad char       : 0x00
        Reference      : 2
        Type           : ascii-numeric

Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x22E], decrypt, sign, signRecover, unwrap, nonRepudiation
        Access Flags   : [0x0]
        ModLength      : 1024
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : 3f001000100060020001
        Auth ID        : 02
        ID             : 651e1227cdfe73414aeb136965878079fca9541a
        GUID           : {651e1227-cdfe-7341-4aeb-136965878079}

X.509 Certificate [/C=RU/L=Moscow/O=xxxx/OU=IT/CN=xxxxxx/emailAddress=support@xxxxx]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : 3f0050000300
        ID             : 651e1227cdfe73414aeb136965878079fca9541a
        GUID           : {651e1227-cdfe-7341-4aeb-136965878079}
        Encoded serial : 02 0A 275C8B65000000000330</code></pre></div><br /><p>I also tried importing the certificate not via pkcs15-init but using firefox itself - same result (although the pkcs15-tool -D output differs slightly, in particular a public key appears).</p><br /><p>I have absolutely no idea where to dig next :(</p>]]></content>
			<author>
				<name><![CDATA[edo1]]></name>
				<uri>https://forum.rutoken.ru/user/8630/</uri>
			</author>
			<updated>2012-08-10T22:19:15Z</updated>
			<id>https://forum.rutoken.ru/post/5232/#p5232</id>
		</entry>
</feed>
