Closed Anabel-Dev closed 4 years ago
A private key must be paired with a certificate public object for pkcs11-helper to locate. The initialization should be done by standard pkcs11 tools ahead.
Thank you for your suggestion. There are so many tools to initialize the pkcs11 such as p11-kit, p11tool, openvpn. Can you please suggest a standard pkcs11 tool for us?
We are using pkcs11-tool and we got a token state of uninitialized, as depicted below:
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state: uninitialized
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -I
Cryptoki version 2.40
Manufacturer Microchip Technology Inc v
Library Cryptoauthlib PKCS11 Interface (ver 3.2)
Using slot 0 with a present token (0x0)
Are we going the correct way? If not, please share your point of view.
Use pkcs11-tool and make sure you have a private key and a matching certificate with the same cka_id. Please use materials available to reach this.
Thank you for your suggestion. Actually, we are new to this pkcs11-tool. We are still facing some issues in token initialization, and it also requires use PIN for --keypairgen. We already downloaded the opensc git from the link mentioned below: https://github.com/OpenSC/OpenSC and followed the steps.
Still, it does not initialize the token:
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state: uninitialized
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -t -l
Using slot 0 with a present token (0x0)
Logging in to "0123EE".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_CANT_LOCK (0xa)
Aborting.
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so --slot-index 0 --test
Using slot with index 0 (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom(buf1,0) failed: CKR_ARGUMENTS_BAD (0x7)
Digests: not implemented
Signatures: not logged in, skipping signature tests
Verify: not logged in, skipping verify tests
Key unwrap: not a R/W session, skipping key unwrap tests
Decryption: not logged in, skipping decryption tests
1 errors
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so --test-hotplug -v
Testing card detection using C_GetSlotList()
Please press return to continue, x to exit:
Available slots:
Slot 0 (0x0): 0_3_0
  manufacturer: Microchip Technology Inc
  hardware ver: 0.2
  firmware ver: 255.255
  flags: token present, hardware slot
  token label : 0123EE
  token manufacturer : Microchip Technology Inc
  token model : ATECC608A
  token flags : rng, login required
  hardware version : 0.2
  firmware version : 255.255
  serial num : xxxxxxxxxxxx
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent()
Please press return to continue, x to exit: x
Using slot 0 with a present token (0x0)
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so --init-token --label device
Using slot 0 with a present token (0x0)
Please enter the new SO PIN:
Please enter the new SO PIN (again):
Segmentation fault
How can we label the device? Is that our choice or is there some specific name for it?
Can you please explain the procedure to generate a private key as well as a certificate with the same CKA_ID for us, or suggest a link to follow? Thanks in advance.
Hello, We are still stuck in the token initialization. Could you please help us with this?
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state: uninitialized
On Wed, 4 Mar 2020 at 9:52 Anabel-Dev notifications@github.com wrote:
Hello, We are still stuck in the token initialization. Could you please help us with this?
$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state: uninitialized
Please contact provider vendor.
Hello, now we are able to initialize the token. But we still don't know how to generate a matching certificate with the same cka_id using the private key. Can you help us with this one thing?
Are you aware that this is not commercial support?
Yes I'm aware. Thank you for your support so far.
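The pairing requirement discussed above (pkcs11-helper finds a private key only through a certificate object with the same CKA_ID) can be checked from a token's object listing. The script below is an added example, not part of this thread or of pkcs11-helper; it assumes the listing layout printed by OpenSC's `pkcs11-tool --list-objects`, and the function names and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: list CKA_IDs of private keys that have no certificate
# object with the same ID. Reads text in the layout of
# `pkcs11-tool --list-objects` (assumed: an "<Type> Object; ..." header
# followed by indented "ID: <hex>" lines). Keys with an empty ID are ignored.
unpaired_key_ids() {
    awk '
        /^Private Key Object/ { kind = "key";  next }
        /^Certificate Object/ { kind = "cert"; next }
        /^[A-Za-z]/           { kind = "";     next }  # any other header line
        $1 == "ID:" && $2 != "" && kind != "" {
            id = tolower($2)
            if (kind == "key") keys[id] = 1; else certs[id] = 1
        }
        END { for (id in keys) if (!(id in certs)) print id }
    ' | sort
}

# Run against a real token. $1 is the PKCS#11 module path; --login is used
# because private key objects are normally listed only after login.
check_token() {
    pkcs11-tool --module "$1" --login --list-objects | unpaired_key_ids
}

# Constructed sample listing: key 01 has a certificate, key 02 only a public key.
sample_listing() {
    cat <<'EOF'
Private Key Object; EC
  label:      device
  ID:         01
  Usage:      sign, derive
Certificate Object; type = X.509 cert
  label:      device
  subject:    DN: CN=example-device
  ID:         01
Private Key Object; EC
  label:      spare
  ID:         02
  Usage:      sign, derive
Public Key Object; EC  EC_POINT 256 bits
  label:      spare
  ID:         02
  Usage:      verify
EOF
}

sample_listing | unpaired_key_ids   # prints 02
```

An empty result means every private key with an ID has a certificate object carrying the same ID.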
Hello, currently we are trying to encrypt a folder using ecryptfs via pkcs11-helper (a public key stored in ATECC608A). We are able to communicate with the cryptochip through pkcs11 (using p11tool). While running ecryptfs-manager we didn't get any PKCS#11 serialized object id; it just returns to the main menu, as depicted below:
$ ecryptfs-manager
eCryptfs key management menu
Make selection: 2
Select key type to use for newly created files:
1) pkcs11-helper
2) passphrase
3) openssl
Selection: 1
Returning to main menu
eCryptfs key management menu
Make selection: 4
We configured the ~/.ecryptfsrc.pkcs11 file as:
pkcs11-log-level=5
pkcs11-provider,name=cryptoauthlib,library=/usr/lib/libcryptoauth.so
Can anyone please explain or share comments on what we are doing wrong?