From: Douglas E E. <dee...@gm...> - 2015-07-08 01:47:50
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Is this an Italian CNS card?<br>
<br>
Can you run the OpenSC commands:<br>
pkcs11-tool -O to see what it is doing? <br>
<br>
adding -v -v -v -v -v -v -v would also help. <br>
<br>
It could be the OpenSC implementation for the CNS applet on your
card is not complete, or the OpenSC card driver is for a previous
version of the applet/card. <br>
Either you or someone with a similar card would need to submit a
patch to OpenSC. <br>
<br>
<div class="moz-cite-prefix">On 7/7/2015 10:52 AM, Andrea Dell'Anna
wrote:<br>
</div>
<blockquote
cite="mid:CAM...@ma..."
type="cite">
<div dir="ltr">
<div>
<div>Hi, thank you for your reply!<br>
<br>
</div>
I logged both results with pkcs11-spy for the same input set on
the same java program. <br>
It simply seems that the opensc driver retrieves just one cert.<br>
Instead the Athena proprietary driver retrieves both certs on the
smartcard. <br>
<br>
</div>
Here are the attachments for both driver logs and my testing java
program.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Jul 7, 2015 at 2:52 PM, Douglas
E Engert <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dee...@gm..." target="_blank">dee...@gm...</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> What would help to see
if the problem is in the Java side, opensc, or the vendor's
pkcs11 implementation, would be a PKCS#11 trace.<br>
<br>
Look at how to use PKCS#11 SPY:<br>
<br>
<a moz-do-not-send="true"
href="https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy"
target="_blank">https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy</a><br>
<br>
See if you can use it in place of the <span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>
to trace the <span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>.<br>
Then try it with the vendor's <span
style="font-family:monospace,monospace">libASEP11.so</span>
by setting:<br>
<code>export PKCS11SPY=/lib64/libASEP11.so</code><br>
<br>
If using opensc-pkcs11.so, an OpenSC debug output
would also help; it's on the same web page as above.<br>
<br>
Look at the queries and what attributes are requested
and what certificates are returned. <br>
NOTE: that the PIN may be in the output, as well as the
certificates. You may want to edit the output before
posting it. <br>
<br>
PKCS#11 does not provide for a NON-REPUDIATION attribute,
but X509 and PKCS#15 do. <br>
<br>
Also see OpenSC src/pkcs11/pkcs11-opensc.h<br>
which provides for a PKCS#11 "vendor-specific
attribute". But this may not be implemented for your card.<br>
Your card vendor may have its own "vendor-specific
attribute" that is different. <br>
One should avoid using "vendor-specific attributes". <br>
<br>
Most applications would request all the certificates, and
then parse the certificate to get the KeyUsage flags. <br>
<div>
<div class="h5"> <br>
<br>
<br>
<div>On 7/7/2015 5:55 AM, Andrea Dell'Anna wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Good morning everyone.<br>
<br>
</div>
<div>I'm writing my first message here so I hope
it's the right place to do it.<br>
I'm a java developer writing a program for
Ubuntu and I need to access my Athena
smartcard pkcs11 features using the <span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>
driver.<br>
<br>
</div>
<div>There are two x509 certs into the
smartcard:<br>
-One is for "non-repudiation" key usage
(digital signature) <br>
</div>
<div>-the other one is for "Critical" "Signing"
"Key Encipherment" (web authentication and
encryption)<br>
</div>
<br>
The <span
style="font-family:monospace,monospace">sun.security.pkcs11.SunPKCS11</span>
provider is loaded with no problem using the <span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>
driver.<br>
</div>
<div>When I load the pkcs11 keystore and I list
all the aliases, my code is able to see <b><u>JUST</u></b>
the alias with "Critical" "Signing" "Key
Encipherment" (web authentication and
encryption) x509 cert, <u><b>NOT THE
NON-REPUDIATION ONE!!</b></u><br>
<br>
</div>
<div>If I load the pkcs11 keystore using the
Athena smartcard <span>proprietary driver (<span
style="font-family:monospace,monospace">/lib64/libASEP11.so</span>),
my code is able to load <b><u>all my
smartcard keystore aliases</u></b>.<br>
<br>
</span></div>
<div><span>I tried with some other smartcards
produced by different vendors (Incard and
Siemens). I'm always able to load the </span><span
style="font-family:monospace,monospace">sun.security.pkcs11.SunPKCS11</span>
provider<span> using </span><span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>.
<br>
But I'm able to see the non-repudiation x509
cert <u>only using the proprietary smartcard
driver</u>. Why?<br>
</div>
<div><span><br>
Why am I not able to load the "non-repudiation"
key usage x509 cert using </span><span
style="font-family:monospace,monospace">opensc-pkcs11.so</span>?</div>
</div>
</blockquote>
<br>
</div>
</div>
<blockquote type="cite">
<fieldset></fieldset>
<br>
<pre>_______________________________________________
Opensc-devel mailing list
<a moz-do-not-send="true" href="mailto:Ope...@li..." target="_blank">Ope...@li...</a>
<a moz-do-not-send="true" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel" target="_blank">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a><span class="HOEnZb"><font color="#888888">
</font></span></pre>
<span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
<span class="HOEnZb"><font color="#888888"> <br>
<pre cols="200">--
Douglas E. Engert <a moz-do-not-send="true" href="mailto:DEE...@gm..." target="_blank"><DEE...@gm...></a>
</pre>
</font></span></div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="200">--
Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a>
</pre>
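As an added illustration of the advice in this thread (request all certificates through the PKCS#11 keystore, then read KeyUsage from the X.509 certificate itself, since PKCS#11 has no non-repudiation attribute), here is example Java code written for this page; it is not code from the thread, from OpenSC or from the card vendor. The module path, the provider configuration string and the PIN argument are assumptions, and the scan also reports whether each alias carries a private key, so a certificate a module never returns is visibly absent rather than mis-flagged.

```java
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;

// Added example, not code from the thread: request every certificate from the
// PKCS#11 keystore and decode its X.509 KeyUsage extension in Java, since
// PKCS#11 itself has no non-repudiation attribute to query.
public class Pkcs11KeyUsageScan {
    // Bit positions of X509Certificate.getKeyUsage(), per RFC 5280 section 4.2.1.3
    private static final String[] KEY_USAGE = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };
    private static final String KEY_USAGE_OID = "2.5.29.15";

    // Names of the set KeyUsage bits; empty when the extension is absent
    static List<String> keyUsageNames(X509Certificate cert) {
        List<String> names = new ArrayList<>();
        boolean[] bits = cert.getKeyUsage();          // null when no KeyUsage extension
        if (bits == null) return names;
        for (int i = 0; i < bits.length && i < KEY_USAGE.length; i++) {
            if (bits[i]) names.add(KEY_USAGE[i]);
        }
        return names;
    }
    // True when KeyUsage is marked critical, as on the "Critical" cert in the thread
    static boolean keyUsageIsCritical(X509Certificate cert) {
        Set<String> crit = cert.getCriticalExtensionOIDs();
        return crit != null && crit.contains(KEY_USAGE_OID);
    }
    public static void main(String[] args) throws Exception {
        // Module path, provider name and PIN handling are assumptions for this example;
        // pass the vendor's libASEP11.so as args[0] to compare what each module exposes.
        String module = args.length > 0 ? args[0] : "/usr/lib64/opensc-pkcs11.so";
        char[] pin = args.length > 1 ? args[1].toCharArray() : null;
        String config = "--name = scan\nlibrary = " + module + "\n";
        // Java 9+ inline configuration; Java 8 used new SunPKCS11(InputStream) instead
        Provider p = Security.getProvider("SunPKCS11").configure(config);
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);                           // null PIN: no login, public objects only
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue;               // alias without a certificate
            System.out.printf("%s: keyUsage=%s critical=%b hasPrivateKey=%b%n",
                alias, keyUsageNames(cert), keyUsageIsCritical(cert), ks.isKeyEntry(alias));
        }
    }
}
```

Running it once against opensc-pkcs11.so and once against the vendor module shows directly which aliases each module returns and which of them carries the nonRepudiation bit.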
</body>
</html>