Menu
▾
▴
Re: [Opensc-devel] x509 cert aliases loading problems using opensc-pkcs11.so
|
From: Andrea Dell'A. <ad...@li...> - 2015-07-07 16:22:58
|
Hi, thank you for your reply! I logged both results with pkcs11-spy for the same inputset on the same java program. It simply seems that opensc driver retrieves just one cert. Instead Athena proprietary driver retrieves both certs on the smartcard. Here's the attachments for both driver logs and my testing java program. On Tue, Jul 7, 2015 at 2:52 PM, Douglas E Engert <dee...@gm...> wrote: > What wold help to see if the problem in in the Java side, opensc, or the > vendors pkcs11 implementation, would be a PKCS#11 trace. > > Look at how to use PKCS#11 SPY: > > https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy > > See if you can use it in place of the opensc-pkcs11.so to trace the opensc-pkcs11.so. > > Then try it with the vendor's libASEP11.so by setting: > export PKCS11SPY=/lib64/libASEP11.so > > If using opensc-pkcs11.so, an OpenSC debug output would also help, its on > the same web page as above. > > Look at the queries and what attributes are requested and what > certificates are returned. > > NOTE: that the PIN may be in the output, as well as the certificates. You > may want to edit the output before posting it. > > PKCS#11 does not provide for a NON-REPUDATION attribute, but X509 and > PKCS#15 do. > > Also see OpenSC src/pkcs11/pkcs11-opensc.h > which provides for a PKCS#11 "vendor-specific attribute". But this may > not be implemented for your card. > Your card vendor may have its own "vendor-specific attribute" that is > different. > One should avoid using "vendor-specific attributes" > > Most applications would request all the certificates, and then parse the > certificate to get the KeyUsage flags. > > > > On 7/7/2015 5:55 AM, Andrea Dell'Anna wrote: > > Goodmorning everyone. > > I'm writing my first message here so I hope it's the right place to do > it. > I'm a java developer writing a program for Ubuntu and I need to access to > my Athena smartcard pkcs11 features using opensc-pkcs11.so driver. > > There are two x509 certs into the smartcard: > -One is for "non-repudiation" key usage (digital signature) > -the other one is for "Critical" "Signing" "Key Encipherment" (web > authentication and encryption) > > The sun.security.pkcs11.SunPKCS11 provider is loaded with no problem > using the opensc-pkcs11.so driver. > When I load the pkcs11 keystore and I list all the aliases, my code is > able to see *JUST* the alias with "Critical" "Signing" "Key Encipherment" > (web authentication and encryption) x509 cert, *NOT THE NON-REPUDIATION > ONE!!* > > If I load the pksc11 keystore using the Athena's smartcard Proprietary > driver (/lib64/libASEP11.so), my code is able to load *all my smartcard > keystore aliases*. > > I tried with some other smartcard produced by different vendors (Incard > and Siemens). I'm always able to load the sun.security.pkcs11.SunPKCS11 > provider using opensc-pkcs11.so. > But I'm able to see the non-repudiation x509 cert *only using the > proprietary smartcard driver*. Why? > > Why I'm not able to load the "non-repudiation" key usage x509 cert using > opensc-pkcs11.so? > > > > ------------------------------------------------------------------------------ > Don't Limit Your Business. Reach for the Cloud. > GigeNET's Cloud Solutions provide you with the tools and support that > you need to offload your IT needs and focus on growing your business. > Configured For All Businesses. Start Your Cloud Today.https://www.gigenetcloud.com/ > > > > _______________________________________________ > Opensc-devel mailing lis...@li...://lists.sourceforge.net/lists/listinfo/opensc-devel > > > -- > > Douglas E. Engert <DEE...@gm...> <DEE...@gm...> > > > > ------------------------------------------------------------------------------ > Don't Limit Your Business. Reach for the Cloud. > GigeNET's Cloud Solutions provide you with the tools and support that > you need to offload your IT needs and focus on growing your business. > Configured For All Businesses. Start Your Cloud Today. > https://www.gigenetcloud.com/ > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > |
