Hello, it works fine when you specify the "sign" method. If you leave it with the default (auto) OpenSC tricks your code into thinking that it supports SignRecover and it fails.

OpenSC says that the private key supports SignRecover (CKA_SIGN_RECOVER) when you ask it (see function pkcs15_prkey_get_attribute in http://www.opensc.org/opensc/file/releases/opensc-0.9.6/src/pkcs11/framework-pkcs15.c), but the problem is that OpenSC itself doesn't implement the functions C_SignRecover and C_SignRecoverInit. The problem is clearly in the OpenSC PKCS#11 implementation, but with the option --pkcs11-sign-mode you have included we can work around it!

I agree to drop support for OpenSC. The PKCS#11 approach works well with OpenSC and it will broaden the support for other PKCS#11-aware smartcards/libraries.

One suggestion. I have noticed that if you don't give the argument --askpass to OpenVPN it will not start (it doesn't have the PIN for the smartcard), giving a rather confusing message: "Cannot set PKCS#11 parameters 7-CKR_ARGUMENTS_BAD". Can the code check whether there's a PIN specified by the user before calling pkcs11_openSession and give a message like "You need to specify a PIN to access the smartcard."?

Iván Casado Ruiz
SADIEL, S.A.

-----Original Message-----
From: openvpn-devel-ad...@lists.sourceforge.net [mailto:openvpn-devel-ad...@lists.sourceforge.net] On behalf of Alon Bar-Lev
Sent: Monday, 12 September 2005 22:40
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] openvpn - support PKCS#11 smartcards

Hello,

C. Ruiz, Ivan wrote:
> > I only changed C_SignRecover to C_Sign and C_SignRecoverInit to C_SignInit
> > (pkcs11.c) and it worked for me with OpenSC. Can you test if it's OK for you with this minor
> > change?

Hmmm... It should be SignRecover... strange they don't support it...
Anyway, please check the new patch...
I've added a new argument:
--pkcs11-sign-mode mode
auto (default) - try to find out which to use.
recover - use sign recover.
sign - use sign.
Please tell me if the default works.

> > Apart from this I've tested that I can specify certs both by label and by id
> <- OK!

I am very glad!!!

> > Not been able to test under Windows as I don't have the compiler for this
> > platform.
> I hope someone will check it out...

So... Can we drop the request for OpenSC support and focus on PKCS#11?

Best Regards,
Alon Bar-Lev.
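The thread describes two defensive checks a PKCS#11 client needs: in "auto" mode, not trusting the CKA_SIGN_RECOVER attribute by itself (OpenSC advertises it but does not implement C_SignRecover), and verifying that a PIN is present before opening the session so the user sees a clear message instead of CKR_ARGUMENTS_BAD. The C program below is an added example, not OpenVPN's pkcs11.c or OpenSC code; it models a loaded PKCS#11 module with a constructed `struct sim_module` and a simulated `sim_sign_recover_init` instead of a real library, and the functions `choose_sign_mode` and `check_pin_before_session` are hypothetical names. The CKR_* values are the ones defined by PKCS#11 v2.x.

```c
#include <stdio.h>

/* Return codes as defined by PKCS#11 v2.x; only the three used here. */
#define CKR_OK                     0x00UL
#define CKR_ARGUMENTS_BAD          0x07UL
#define CKR_FUNCTION_NOT_SUPPORTED 0x54UL

/* The three values of the --pkcs11-sign-mode option discussed in the thread. */
enum sign_mode { SIGN_MODE_AUTO, SIGN_MODE_RECOVER, SIGN_MODE_SIGN };

/* Constructed stand-in for a loaded PKCS#11 module: what the private key's
 * CKA_SIGN_RECOVER attribute advertises versus what the module implements. */
struct sim_module {
    const char *name;
    int cka_sign_recover;   /* value the module returns for CKA_SIGN_RECOVER */
    int has_sign_recover;   /* whether C_SignRecoverInit/C_SignRecover really work */
};

/* Simulated C_SignRecoverInit: an honest module returns CKR_OK, a module that
 * only advertises the capability returns CKR_FUNCTION_NOT_SUPPORTED. */
static unsigned long sim_sign_recover_init(const struct sim_module *m)
{
    return m->has_sign_recover ? CKR_OK : CKR_FUNCTION_NOT_SUPPORTED;
}

/* Resolve the mode actually used for signing (hypothetical helper). In "auto"
 * the attribute alone is not trusted: the module must also accept a
 * C_SignRecoverInit call, otherwise plain C_Sign is used. Explicit modes are
 * honoured as given. */
enum sign_mode choose_sign_mode(const struct sim_module *m, enum sign_mode requested)
{
    if (requested != SIGN_MODE_AUTO)
        return requested;
    if (m->cka_sign_recover && sim_sign_recover_init(m) == CKR_OK)
        return SIGN_MODE_RECOVER;
    return SIGN_MODE_SIGN;
}

/* Guard to run before opening the PKCS#11 session (hypothetical helper): a
 * missing or empty PIN is reported in plain words instead of surfacing later
 * as CKR_ARGUMENTS_BAD from the session-open call. Returns NULL when fine. */
const char *check_pin_before_session(const char *pin)
{
    if (pin == NULL || pin[0] == '\0')
        return "You need to specify a PIN to access the smartcard.";
    return NULL;
}

int main(void)
{
    /* Constructed sample modules: the first mimics the OpenSC behaviour
     * described in the thread (advertises SignRecover, does not implement it). */
    const struct sim_module opensc_like = { "opensc-like", 1, 0 };
    const struct sim_module honest      = { "honest",      1, 1 };
    const struct sim_module sign_only   = { "sign-only",   0, 0 };
    const struct sim_module *mods[] = { &opensc_like, &honest, &sign_only };
    static const char *names[] = { "auto", "recover", "sign" };
    const char *err;
    size_t i;

    for (i = 0; i < sizeof mods / sizeof mods[0]; i++)
        printf("%-12s auto -> %s\n", mods[i]->name,
               names[choose_sign_mode(mods[i], SIGN_MODE_AUTO)]);

    err = check_pin_before_session("");
    printf("empty PIN: %s\n", err ? err : "ok");
    return 0;
}
```

With a real module the `sim_sign_recover_init` call would be the module's `C_SignRecoverInit` on the private key handle; the point is that a CKR_FUNCTION_NOT_SUPPORTED result there, not the attribute value, is what should drive the fallback to `C_Sign`.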