Italian CNS smartcard - Digital Signing Certificate not listed

Shaun Schutte (TIS innovation park)
Hi all,

Our Italian CNS card can accommodate two certificates, one for authentication and one for digital signatures. The certificate for authentication can be read using OpenSC and logging into the local eGov website works fine.
However, the second certificate that gets used for digital signing does not work and unfortunately we don't have a lot of information about the card or the cert since it is all proprietary (I would like to avoid getting into that discussion now). So while OpenSC does not see the second cert, the Siemens CardOS API Viewer does.

I have attached the log file, set to level 9 and can provide the following information in addition to the certificate that cannot be read:

Signature Algorithm:    sh256RSA
Issuer                           Actalis Qualified Certificatio....
CKA_LABEL                   CNS DS01 X.509 Certificate
CKA_CERTIFICATE_TYPE  X.509 Public Key Certificate

Anyone here have any similar issues? Pretty stumped on what could be the reason why OpenSC cannot list the cert.

--
shaun

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

debug.log (233K) Download Attachment

Re: Italian CNS smartcard - Digital Signing Certificate not listed

Roberto Resoli-2
On 21/07/2014 15:04, Shaun Schutte wrote:
> Hi all,
>
> Our Italian CNS card can accommodate two certificates, one for
> authentication and one for digital signatures. The certificate for
> authentication can be read using OpenSC and logging into the local eGov
> website works fine.

Yes, opensc library is known to work well with CNS certificates.

> However the second certificate that gets used for digital signing does
> not work and unfortunately we don't have a lot of information about the
> card or the cert since it is all proprietary (I would like to avoid
> getting into that discussion now). So while OpenSC does not see the
> second cert, the Siemens CardOS API Viewer does.

Unfortunately, Italian signature filesystems for CNS (and of course any
other type of card) are not regulated.
It is a known Italian habit to lock signature functions with Secure
Messaging, using static 3DES keys for that. It's impossible to do
signature related functions without knowing the key.

In the past Emanuele Pucciarelli (who is the author of the CNS driver)
provided a preliminary implementation of SM for CNS cards, but AFAIK this
is no longer maintained, since the present lock-in situation prevents any
real use for that.

Best Regards,
Rob
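
An added illustration of the Secure Messaging point in the reply above (not code from either poster or from OpenSC): a triage of command/response APDU pairs, such as those copied out of a debug log, that flags commands sent without Secure Messaging and refused with an ISO 7816-4 access-related status word. The trace, file identifiers and function names are constructed for the example; 6982 can also mean that a PIN was not presented, so a flagged command is a hint rather than proof.

```python
# Added example: the trace below is constructed, not taken from debug.log.
SW_MEANING = {
    0x9000: "ok",
    0x6982: "security status not satisfied",
    0x6987: "expected SM data objects missing",
    0x6988: "SM data objects incorrect",
    0x6A82: "file not found",
}
ACCESS_REFUSED = {0x6982, 0x6987, 0x6988}

def sm_mode(cla):
    """Decode the SM bits (b4, b3) of a first interindustry CLA (0x00-0x0F)."""
    if cla & 0xF0:
        return "unknown"  # other CLA ranges are not decoded in this example
    modes = ("none", "proprietary", "sm-no-header-auth", "sm-header-auth")
    return modes[(cla >> 2) & 0x03]

def classify(cmd_hex, rsp_hex):
    """Summarise one exchange: instruction, SM mode, status word, verdict."""
    cmd, rsp = bytes.fromhex(cmd_hex), bytes.fromhex(rsp_hex)
    if len(cmd) < 4 or len(rsp) < 2:
        raise ValueError("truncated APDU")
    sw = int.from_bytes(rsp[-2:], "big")  # SW1 SW2 are the last two bytes
    mode = sm_mode(cmd[0])
    return {
        "ins": cmd[1],
        "sm": mode,
        "sw": sw,
        "meaning": SW_MEANING.get(sw, "other"),
        # Plain command refused on access grounds: SM is probably required.
        "sm_locked": mode == "none" and sw in ACCESS_REFUSED,
    }

def locked_commands(trace):
    """Return the commands the card refused because no SM was applied."""
    return [cmd for cmd, rsp in trace if classify(cmd, rsp)["sm_locked"]]

TRACE = [  # constructed sample exchanges (command, response)
    ("00A4000C023F00", "9000"),        # SELECT MF
    ("00B0000004", "308203A19000"),    # READ BINARY, authentication cert
    ("00A4020C022000", "9000"),        # SELECT a signature EF (made-up id)
    ("00B0000000", "6987"),            # READ BINARY refused: SM objects missing
    ("002A9E9A03AABBCC00", "6982"),    # PSO: COMPUTE DIGITAL SIGNATURE refused
]

if __name__ == "__main__":
    for cmd in locked_commands(TRACE):
        print(cmd, "->", classify(cmd, dict(TRACE)[cmd])["meaning"])
```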
