From: Douglas E E. <dee...@gm...> - 2015-07-07 12:59:08
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
What would help to see if the problem is in the Java side, OpenSC, or
the vendor's PKCS#11 implementation, would be a PKCS#11 trace.<br>
<br>
Look at how to use PKCS#11 SPY:<br>
<br>
<a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy">https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy</a><br>
<br>
See if you can use it in place of the <span
style="font-family:monospace,monospace">opensc-pkcs11.so</span> to trace
the <span style="font-family:monospace,monospace">opensc-pkcs11.so</span>.<br>
Then try it with the vendor's <span
style="font-family:monospace,monospace">libASEP11.so</span>
by setting:<br>
<code>export PKCS11SPY=/lib64/libASEP11.so</code><br>
<br>
If using opensc-pkcs11.so, an OpenSC debug output would also
help; it's on the same web page as above.<br>
<br>
Look at the queries and what attributes are requested and what
certificates are returned. <br>
NOTE that the PIN may be in the output, as well as the certificates.
You may want to edit the output before posting it. <br>
<br>
PKCS#11 does not provide for a NON-REPUDIATION attribute, but X509
and PKCS#15 do. <br>
<br>
Also see OpenSC src/pkcs11/pkcs11-opensc.h<br>
which provides for a PKCS#11 "vendor-specific attribute". But this
may not be implemented for your card.<br>
Your card vendor may have its own "vendor-specific attribute" that
is different. <br>
One should avoid using "vendor-specific attributes". <br>
<br>
Most applications would request all the certificates, and then parse
the certificate to get the KeyUsage flags. <br>
<br>
<div class="moz-cite-prefix">On 7/7/2015 5:55 AM, Andrea Dell'Anna
wrote:<br>
</div>
<blockquote
cite="mid:CAM...@ma..."
type="cite">
<div dir="ltr">
<div>
<div>Good morning everyone.<br>
<br>
</div>
<div>I'm writing my first message here so I hope it's the
right place to do it.<br>
I'm a Java developer writing a program for Ubuntu and I need
to access my Athena smartcard pkcs11 features using the <span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>
driver.<br>
<br>
</div>
<div>There are two x509 certs in the smartcard:<br>
-One is for "non-repudiation" key usage (digital signature)
<br>
</div>
<div>-the other one is for "Critical" "Signing" "Key
Encipherment" (web authentication and encryption)<br>
</div>
<br>
The <span style="font-family:monospace,monospace">sun.security.pkcs11.SunPKCS11</span>
provider is loaded with no problem using the <span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>
driver.<br>
</div>
<div>When I load the pkcs11 keystore and I list all the aliases,
my code is able to see <b><u>JUST</u></b> the alias with
"Critical" "Signing" "Key Encipherment" (web authentication
and encryption) x509 cert, <u><b>NOT THE NON-REPUDIATION
ONE!!</b></u><br>
<br>
</div>
<div>If I load the pkcs11 keystore using Athena's proprietary
<span class="">smartcard driver (<span
style="font-family:monospace,monospace">/lib64/libASEP11.so</span>),
my code is able to load <b><u>all my smartcard keystore
aliases</u></b>.<br>
<br>
</span></div>
<div><span class="">I tried with some other smartcard produced
by different vendors (Incard and Siemens). I'm always able
to load the </span><span
style="font-family:monospace,monospace">sun.security.pkcs11.SunPKCS11</span>
provider<span class=""> using </span><span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>.
<br>
But I'm able to see the non-repudiation x509 cert <u>only
using the proprietary smartcard driver</u>. Why?<br>
</div>
<div><span class=""><br>
Why am I not able to load the "non-repudiation" key usage
x509 cert using </span><span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>?</div>
</div>
</blockquote>
<br>
<blockquote
cite="mid:CAM...@ma..."
type="cite">
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Opensc-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="200">--
Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a>
</pre>
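<p>An added example (not from this thread, nor OpenSC's or Athena's code) of the approach the reply describes: enumerate every certificate the SunPKCS11 keystore exposes and decode each one's X.509 KeyUsage bits, including nonRepudiation, instead of relying on a vendor-specific PKCS#11 attribute. It assumes Java 9+ (<code>Provider.configure</code>), an OpenSC module at <code>/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so</code>, and the PIN given as the first command-line argument; those are assumptions, not values from the thread.</p>

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/* Added example; not code from the OpenSC project or from the mailing list thread. */
public class KeyUsageDump {
    // Inline SunPKCS11 configuration: the "--" prefix makes configure() treat the string
    // as the config body rather than a file path (Java 9+). The module path is an assumption.
    // To capture the PKCS#11 trace suggested in the thread, point "library" at OpenSC's
    // pkcs11-spy module instead and set PKCS11SPY in the environment to the module under test.
    static final String CONFIG =
        "--name=OpenSC\nlibrary=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so\n";

    // Bit positions of the X.509 KeyUsage BIT STRING (RFC 5280), in the order
    // X509Certificate.getKeyUsage() returns them; index 1 is nonRepudiation.
    static final String[] KEY_USAGE_NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"};

    // Render the set KeyUsage bits as a comma-separated list of names.
    static String describeKeyUsage(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();          // null when the extension is absent
        if (ku == null) return "(no KeyUsage extension)";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < ku.length && i < KEY_USAGE_NAMES.length; i++)
            if (ku[i]) sb.append(sb.length() == 0 ? "" : ", ").append(KEY_USAGE_NAMES[i]);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Provider p = Security.getProvider("SunPKCS11").configure(CONFIG);
        Security.addProvider(p);
        char[] pin = args.length > 0 ? args[0].toCharArray() : null;  // PIN from argv (assumption)
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        // Walk every alias the provider exposes and classify each certificate by its KeyUsage.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            System.out.println(alias + ": " + x.getSubjectX500Principal()
                + " -> " + describeKeyUsage(x));
        }
    }
}
```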
</body>
</html>