      From: Andrea Dell'A. <ad...@li...> - 2015-07-07 11:25:05
Good morning everyone. I'm writing my first message here so I hope it's the right place to do it.

I'm a Java developer writing a program for Ubuntu and I need to access my Athena smartcard pkcs11 features using the opensc-pkcs11.so driver.

There are two x509 certs in the smartcard:
- One is for "non-repudiation" key usage (digital signature)
- The other one is for "Critical" "Signing" "Key Encipherment" (web authentication and encryption)

The sun.security.pkcs11.SunPKCS11 provider is loaded with no problem using the opensc-pkcs11.so driver. When I load the pkcs11 keystore and I list all the aliases, my code is able to see *JUST* the alias with the "Critical" "Signing" "Key Encipherment" (web authentication and encryption) x509 cert, *NOT THE NON-REPUDIATION ONE!!*

If I load the pkcs11 keystore using the Athena smartcard's proprietary driver (/lib64/libASEP11.so), my code is able to load *all my smartcard keystore aliases*.

I tried with some other smartcards produced by different vendors (Incard and Siemens). I'm always able to load the sun.security.pkcs11.SunPKCS11 provider using opensc-pkcs11.so, but I'm able to see the non-repudiation x509 cert *only using the proprietary smartcard driver*. Why?

Why am I not able to load the "non-repudiation" key usage x509 cert using opensc-pkcs11.so?
      From: Douglas E E. <dee...@gm...> - 2015-07-07 12:59:08
<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    What would help to see if the problem is in the Java side, opensc, or
    the vendor's pkcs11 implementation would be a PKCS#11 trace.<br>
    <br>
    Look at how to use PKCS#11 SPY:<br>
    <br>
    <a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy">https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy</a><br>
    <br>
    See if you can use it in place of the <span
      style="font-family:monospace,monospace">opensc-pkcs11.so</span> to trace
    the <span style="font-family:monospace,monospace">opensc-pkcs11.so</span>.<br>
    Then try it with the vendor's <span
      style="font-family:monospace,monospace">libASEP11.so</span> by setting:<br>
    <code>export PKCS11SPY=/lib64/libASEP11.so</code><br>
    <br>
    If using opensc-pkcs11.so, an OpenSC debug output would also
    help; it's on the same web page as above.<br>
    <br>
    Look at the queries and what attributes are requested and what
    certificates are returned.<br>
    <br>
    NOTE that the PIN may be in the output, as well as the certificates.
    You may want to edit the output before posting it.<br>
    <br>
    PKCS#11 does not provide for a NON-REPUDIATION attribute, but X509
    and PKCS#15 do.<br>
    <br>
    Also see OpenSC <span
      style="font-family:monospace,monospace">src/pkcs11/pkcs11-opensc.h</span>,<br>
    which provides for a PKCS#11 "vendor-specific attribute". But this
    may not be implemented for your card.<br>
    Your card vendor may have its own "vendor-specific attribute" that
    is different.<br>
    One should avoid using "vendor-specific attributes".<br>
    <br>
    Most applications would request all the certificates, and then parse
    the certificate to get the KeyUsage flags.<br>
    <br>
    <br>
    <br>
    <blockquote
cite="mid:CAM...@ma..."
      type="cite">
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Opensc-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="200">-- 
 Douglas E. Engert  <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a>
 
</pre>
  </body>
</html>
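As an added illustration of the last point in the reply above (request all the certificates, then read their KeyUsage flags), here is a Java program that is not part of the thread: it loads SunPKCS11 with a given module, lists every keystore alias and labels each certificate by its KeyUsage bits, so the same run against opensc-pkcs11.so and /lib64/libASEP11.so shows which driver exposes the non-repudiation certificate. The class name, the default module path and the Java 8 SunPKCS11 constructor are assumptions (on Java 9+ use Security.getProvider("SunPKCS11").configure(path)).

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

public class NonRepudiationCertFinder {
    // RFC 5280 KeyUsage bit positions as returned by X509Certificate.getKeyUsage()
    private static final int DIGITAL_SIGNATURE = 0;
    private static final int NON_REPUDIATION = 1;   // also called contentCommitment
    private static final int KEY_ENCIPHERMENT = 2;
    private static final String KEY_USAGE_OID = "2.5.29.15";

    /** Loads a SunPKCS11 provider for the given PKCS#11 module (Java 8 constructor). */
    static Provider loadPkcs11Provider(String name, String modulePath) {
        // To trace the module as suggested in the thread, point "library" at
        // pkcs11-spy.so and set PKCS11SPY=<real module path> in the environment.
        String config = "name = " + name + "\nlibrary = " + modulePath + "\n";
        InputStream in = new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8));
        Provider p = new sun.security.pkcs11.SunPKCS11(in);
        Security.addProvider(p);
        return p;
    }

    /** Describes a certificate's KeyUsage with the labels used in the original post. */
    static String describeKeyUsage(X509Certificate cert) {
        boolean[] ku = cert.getKeyUsage();          // null if the extension is absent
        if (ku == null) return "no KeyUsage extension";
        StringBuilder sb = new StringBuilder();
        if (cert.getCriticalExtensionOIDs() != null
                && cert.getCriticalExtensionOIDs().contains(KEY_USAGE_OID)) sb.append("Critical ");
        if (ku[DIGITAL_SIGNATURE]) sb.append("Signing ");
        if (ku[NON_REPUDIATION]) sb.append("NonRepudiation ");
        if (ku[KEY_ENCIPHERMENT]) sb.append("KeyEncipherment ");
        return sb.toString().trim();
    }

    /** Walks every alias on the token and records the KeyUsage of its certificate. */
    static Map<String, String> classifyAliases(KeyStore ks) throws Exception {
        Map<String, String> result = new LinkedHashMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) result.put(alias, describeKeyUsage((X509Certificate) c));
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Module path is an assumption; pass /lib64/libASEP11.so to compare with the vendor driver.
        String module = args.length > 0 ? args[0] : "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so";
        Provider p = loadPkcs11Provider("OpenSC", module);
        char[] pin = System.console().readPassword("PIN: ");  // never hard-code or log the PIN
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        Arrays.fill(pin, '\0');
        Map<String, String> found = classifyAliases(ks);
        found.forEach((alias, usage) -> System.out.println(alias + ": " + usage));
        if (found.values().stream().noneMatch(u -> u.contains("NonRepudiation")))
            System.out.println("No non-repudiation certificate visible through " + module);
    }
}
```

Run it once per module and compare the alias lists; a certificate that appears only under the vendor module points at the PKCS#11 layer (OpenSC's card driver or object enumeration) rather than at the Java code.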
      From: Andrea Dell'A. <ad...@li...> - 2015-07-07 16:22:58
      
Hi, thank you for your reply!

I logged both results with pkcs11-spy for the same input set on the same Java program. It simply seems that the opensc driver retrieves just one cert. Instead, the Athena proprietary driver retrieves both certs on the smartcard.

Here are the attachments for both driver logs and my testing Java program.
      From: Douglas E E. <dee...@gm...> - 2015-07-08 01:47:50
<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Is this an Italian CNS card?<br>
    <br>
    Can you run the OpenSC command<br>
    <code>pkcs11-tool -O</code> to see what it is doing?<br>
    <br>
    Adding <code>-v -v -v -v -v -v -v</code> would also help.<br>
    <br>
    It could be the OpenSC implementation for the CNS applet on your
    card is not complete, or the OpenSC card driver is for a previous
    version of the applet/card.<br>
    Either you or someone with a similar card would need to submit a
    patch to OpenSC.<br>
    <br>
    <pre class="moz-signature" cols="200">-- 
 Douglas E. Engert  <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a>
 
</pre>
  </body>
</html>