(2012-08-11 01:20:41 edited by edo1)

linux, firefox, rutoken ECP

I'm trying to write a certificate together with its private key onto a rutoken.

debian

installed pcscd, libccid, opensc

what I did:

pkcs15-init --erase-card
pkcs15-init --create-pkcs15 --so-pin "00000001" --so-puk "" --pin "00000002"
pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin "00000003"  --so-pin "00000001" --puk ""
pkcs15-init --store-private-key file.pfx --format pkcs12 --auth-id 02  --pin "00000003"

in the firefox settings (actually iceweasel, but that shouldn't matter) I registered the security device (/usr/lib/i386-linux-gnu/opensc-pkcs11.so).

everything looks fine: firefox sees the token, asks for the PIN, sees the certificates on the token, offers the right certificate when the site is opened...
but it doesn't open the site and says:

Secure Connection Failed

An error occurred during a connection to xxxxxxxx.

A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred.

(Error code: sec_error_pkcs11_general_error)

The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

the certificate is correct (if I import the same one into the software security device, everything works).


if I understand it correctly, pkcs15-tool -D says everything is fine, the key and the certificate are in place:

Using reader with a card: Aktiv Rutoken ECP 00 00
PKCS#15 Card [Rutoken ECP]:
        Version        : 0
        Serial number  : 000000002B0F7860
        Manufacturer ID: Aktiv Co.
        Last update    : 20120810220039Z
        Flags          : EID compliant

PIN [Security Officer PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x99], case-sensitive, unblock-disabled, initialized, soPin
        Length         : min_len:8, max_len:32, stored_len:32
        Pad char       : 0x00
        Reference      : 1
        Type           : ascii-numeric

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 02
        Flags          : [0x19], case-sensitive, unblock-disabled, initialized
        Length         : min_len:4, max_len:32, stored_len:32
        Pad char       : 0x00
        Reference      : 2
        Type           : ascii-numeric

Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x22E], decrypt, sign, signRecover, unwrap, nonRepudiation
        Access Flags   : [0x0]
        ModLength      : 1024
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : 3f001000100060020001
        Auth ID        : 02
        ID             : 651e1227cdfe73414aeb136965878079fca9541a
        GUID           : {651e1227-cdfe-7341-4aeb-136965878079}

X.509 Certificate [/C=RU/L=Moscow/O=xxxx/OU=IT/CN=xxxxxx/emailAddress=support@xxxxx]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : 3f0050000300
        ID             : 651e1227cdfe73414aeb136965878079fca9541a
        GUID           : {651e1227-cdfe-7341-4aeb-136965878079}
        Encoded serial : 02 0A 275C8B65000000000330

I also tried importing the certificate not via pkcs15-init but with firefox itself; same result (although the pkcs15-tool -D output differs slightly, in particular a public key appears).


I have absolutely no idea where to dig next :(

Re: linux, firefox, rutoken ECP

first I tried the distribution's opensc (0.12.2), then a self-built one; pkcs15-crypt never worked.

here is the "tail" of the output with "-vvvvvv":

0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: 0 (Success)
PIN code correct.
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:190:sc_pkcs15_compute_signature: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:191:sc_pkcs15_compute_signature: security operation flags 0x0
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:273:sc_pkcs15_compute_signature: supported algorithm flags 0x80000011, private key usage 0x2E
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:273:sc_get_encoding_flags: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:277:sc_get_encoding_flags: iFlags 0x0, card capabilities 0x80000011
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:306:sc_get_encoding_flags: pad flags 0x0, secure algorithm flags 0x1
0xf73256c0 03:24:35.178 [pkcs15-crypt] padding.c:307:sc_get_encoding_flags: returning with: 0 (Success)
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:324:sc_pkcs15_compute_signature: DEE flags:0x00000000 alg_info->flags:0x80000011 pad:0x00000000 sec:0x00000001
0xf73256c0 03:24:35.178 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] pkcs15-sec.c:42:select_key_file: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] card.c:571:sc_select_file: called; type=2, path=3f001000100060020003
0xf73256c0 03:24:35.178 [pkcs15-crypt] apdu.c:525:sc_transmit_apdu: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.178 [pkcs15-crypt] reader-pcsc.c:243:pcsc_transmit: reader 'Aktiv Rutoken ECP 00 00'
0xf73256c0 03:24:35.178 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [   13 bytes] =====================================
00 A4 08 00 08 10 00 10 00 60 02 00 03 .........`...
======================================================================
0xf73256c0 03:24:35.178 [pkcs15-crypt] reader-pcsc.c:176:pcsc_internal_transmit: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] iso7816.c:480:iso7816_select_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] card-rtecp.c:268:rtecp_select_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:597:sc_select_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] pkcs15-sec.c:68:select_key_file: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] sec.c:66:sc_set_security_env: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:525:sc_transmit_apdu: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:243:pcsc_transmit: reader 'Aktiv Rutoken ECP 00 00'
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [   12 bytes] =====================================
00 22 41 B6 07 81 02 00 03 84 01 03 ."A.........
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:176:pcsc_internal_transmit: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] sec.c:70:sc_set_security_env: returning with: 0 (Success)
0xf73256c0 03:24:35.180 [pkcs15-crypt] sec.c:52:sc_compute_signature: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:525:sc_transmit_apdu: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] card.c:292:sc_lock: called
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:243:pcsc_transmit: reader 'Aktiv Rutoken ECP 00 00'
0xf73256c0 03:24:35.180 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [  134 bytes] =====================================
00 2A 9E 9A 80 00 00 00 00 00 00 00 00 00 00 00 .*..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00                               ......
======================================================================
0xf73256c0 03:24:35.180 [pkcs15-crypt] reader-pcsc.c:176:pcsc_internal_transmit: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
69 89 i.
======================================================================
0xf73256c0 03:24:35.181 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] iso7816.c:106:iso7816_check_sw: Unknown SWs; SW1=69, SW2=89
0xf73256c0 03:24:35.181 [pkcs15-crypt] card-rtecp.c:400:rtecp_cipher: returning with: -1200 (Card command failed)
0xf73256c0 03:24:35.181 [pkcs15-crypt] card-rtecp.c:423:rtecp_compute_signature: returning with: -1200 (Card command failed)
0xf73256c0 03:24:35.181 [pkcs15-crypt] sec.c:56:sc_compute_signature: returning with: -1200 (Card command failed)
0xf73256c0 03:24:35.181 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] pkcs15-sec.c:380:sc_pkcs15_compute_signature: sc_compute_signature() failed: -1200 (Card command failed)
Compute signature failed: Card command failed
0xf73256c0 03:24:35.181 [pkcs15-crypt] pkcs15.c:969:sc_pkcs15_unbind: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] pkcs15-pin.c:596:sc_pkcs15_pincache_clear: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] card.c:330:sc_unlock: called
0xf73256c0 03:24:35.181 [pkcs15-crypt] reader-pcsc.c:548:pcsc_unlock: called
0xf73256c0 03:24:35.187 [pkcs15-crypt] card.c:242:sc_disconnect_card: called
0xf73256c0 03:24:35.187 [pkcs15-crypt] reader-pcsc.c:498:pcsc_disconnect: called
0xf73256c0 03:24:35.188 [pkcs15-crypt] card.c:258:sc_disconnect_card: returning with: 0 (Success)
0xf73256c0 03:24:35.188 [pkcs15-crypt] ctx.c:737:sc_release_context: called
0xf73256c0 03:24:35.188 [pkcs15-crypt] reader-pcsc.c:736:pcsc_finish: called
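To make traces like the one above easier to read, here is an added Python helper (not part of OpenSC and not the poster's code) that pulls each command/response APDU pair out of the "-vvvvvv" hex dumps and decodes the status word of every exchange. The embedded trace is a constructed, abridged copy of the one above with the PSO payload shortened; instruction names follow ISO 7816-4/-8.

```python
import re
# Constructed, abridged copy of the trace in the post above (PSO payload shortened).
SAMPLE_TRACE = """\
Outgoing APDU data [   13 bytes] =====================================
00 A4 08 00 08 10 00 10 00 60 02 00 03 .........`...
======================================================================
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
Outgoing APDU data [   21 bytes] =====================================
00 2A 9E 9A 80 00 00 00 00 00 00 00 00 00 00 00 .*..............
00 00 00 00 00                                  .....
======================================================================
Incoming APDU data [    2 bytes] =====================================
69 89 i.
======================================================================
"""
HEADER = re.compile(r"^(Outgoing|Incoming) APDU data \[\s*(\d+) bytes\]")
INS_NAMES = {0xA4: "SELECT FILE", 0x22: "MANAGE SECURITY ENVIRONMENT", 0x2A: "PERFORM SECURITY OPERATION"}
def parse_apdu_log(text):
    """Return (command, response) byte pairs from an OpenSC -vvvvvv hex-dump trace."""
    pairs, command, pending = [], None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                    # dump header: direction and byte count
            pending = [m.group(1), int(m.group(2)), bytearray()]
        elif pending and not line.startswith("====="):
            direction, expected, buf = pending
            remaining = min(16, expected - len(buf))  # hex tokens on this line; the rest is the ASCII column
            buf.extend(int(tok, 16) for tok in line.split()[:remaining])
            if len(buf) == expected and direction == "Outgoing":
                command, pending = bytes(buf), None
            elif len(buf) == expected:
                pairs.append((command, bytes(buf)))
                pending = None
    return pairs

def diagnose(pairs):
    """For each exchange: (instruction name, command length, SW1SW2, verdict)."""
    report = []
    for cmd, resp in pairs:
        sw = (resp[-2] << 8) | resp[-1]          # status word = last two response bytes
        name = INS_NAMES.get(cmd[1], "INS %02X" % cmd[1])
        if cmd[1:4] == b"\x2a\x9e\x9a":          # PSO with P1P2 = 9E 9A: compute signature
            name += " / COMPUTE DIGITAL SIGNATURE"
        verdict = "OK" if sw == 0x9000 else "error"
        if sw >> 8 == 0x69:                      # ISO 7816-4: SW1 69 = command not allowed
            verdict += ", command not allowed (SW2 meaning is card-specific)"
        report.append((name, len(cmd), sw, verdict))
    return report
```

Run against the full trace above, it shows SELECT FILE and MANAGE SECURITY ENVIRONMENT answered with 90 00 and only the 134-byte PSO command answered with 69 89, which is the exchange OpenSC reports as "Card command failed".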

Re: linux, firefox, rutoken ECP

found the answer:
http://www.opensc-project.org/pipermail … 16673.html

ran "pkcs15-init --auth-id 02 --finalize" and everything started working.