x509 cert aliases loading problems using opensc-pkcs11.so


x509 cert aliases loading problems using opensc-pkcs11.so

Andrea Dell'Anna
Good morning everyone.

I'm writing my first message here, so I hope it's the right place to do it.
I'm a Java developer writing a program for Ubuntu, and I need to access my Athena smartcard's PKCS#11 features using the opensc-pkcs11.so driver.

There are two x509 certs on the smartcard:
- One is for "non-repudiation" key usage (digital signature)
- The other one is for "Critical" "Signing" "Key Encipherment" (web authentication and encryption)

The sun.security.pkcs11.SunPKCS11 provider loads with no problem using the opensc-pkcs11.so driver.
When I load the PKCS#11 keystore and list all the aliases, my code is able to see JUST the alias with the "Critical" "Signing" "Key Encipherment" (web authentication and encryption) x509 cert, NOT THE NON-REPUDIATION ONE!!

If I load the PKCS#11 keystore using the Athena smartcard's proprietary driver (/lib64/libASEP11.so), my code is able to load all my smartcard keystore aliases.

I tried with some other smartcards produced by different vendors (Incard and Siemens). I'm always able to load the sun.security.pkcs11.SunPKCS11 provider using opensc-pkcs11.so.
But I'm able to see the non-repudiation x509 cert only when using the proprietary smartcard driver. Why?

Why am I not able to load the "non-repudiation" key usage x509 cert using opensc-pkcs11.so?

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: x509 cert aliases loading problems using opensc-pkcs11.so

Douglas E Engert
What would help to see if the problem is in the Java side, OpenSC, or the vendor's PKCS#11 implementation would be a PKCS#11 trace.

Look at how to use PKCS#11 Spy:

https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy

See if you can use it in place of opensc-pkcs11.so to trace opensc-pkcs11.so.
Then try it with the vendor's libASEP11.so by setting:

export PKCS11SPY=/lib64/libASEP11.so

If using opensc-pkcs11.so, OpenSC debug output would also help; it's on the same web page as above.

Look at the queries, what attributes are requested and what certificates are returned.

NOTE: the PIN may be in the output, as well as the certificates. You may want to edit the output before posting it.

PKCS#11 does not provide for a NON-REPUDIATION attribute, but X.509 and PKCS#15 do.

Also see OpenSC src/pkcs11/pkcs11-opensc.h, which provides for a PKCS#11 "vendor-specific attribute". But this may not be implemented for your card.
Your card vendor may have its own "vendor-specific attribute" that is different.
One should avoid using "vendor-specific attributes".

Most applications would request all the certificates, and then parse the certificate to get the KeyUsage flags.



On 7/7/2015 5:55 AM, Andrea Dell'Anna wrote:

-- 

 Douglas E. Engert  [hidden email]
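The approach Douglas recommends above, request every certificate from the token and read the KeyUsage bits out of the X.509 extension instead of relying on any PKCS#11 or vendor-specific attribute, written out in Java as an added example. This is not code from the thread and not Andrea's PKCS11GetAlias.java. It assumes the Java 8 era sun.security.pkcs11.SunPKCS11 constructor that takes a config stream, a module path passed as the only program argument, and that the PIN is typed at the console; the class and method names (ListCertKeyUsage, loadProvider, describeKeyUsage, keyUsageIsCritical) are mine.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

/**
 * Lists every certificate a PKCS#11 module exposes through the SunPKCS11 KeyStore and
 * reports the X.509 KeyUsage bits of each one, so the "non-repudiation" certificate is
 * recognised by parsing the certificate rather than by a PKCS#11 attribute.
 *
 * Assumptions (hypothetical, not from the thread): Java 8 style SunPKCS11 constructor
 * taking a config stream; module path in args[0]; user PIN read from the console.
 */
public class ListCertKeyUsage {

    // Bit order of the boolean[] returned by X509Certificate.getKeyUsage() (RFC 5280 KeyUsage).
    private static final String[] KEY_USAGE_NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };
    private static final String KEY_USAGE_OID = "2.5.29.15";

    /** Registers a SunPKCS11 provider for the module at modulePath (e.g. opensc-pkcs11.so,
     *  libASEP11.so, or pkcs11-spy.so with PKCS11SPY pointing at the module to trace). */
    static Provider loadProvider(String name, String modulePath) throws Exception {
        String config = "name = " + name + "\n" + "library = " + modulePath + "\n";
        // sun.security.pkcs11.SunPKCS11(InputStream) is the Java 8 constructor; on Java 9+ use
        // Security.getProvider("SunPKCS11").configure("--" + config) instead.
        Provider p = new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8)));
        Security.addProvider(p);
        return p;
    }

    /** Names of the KeyUsage bits that are set; empty if the certificate has no KeyUsage extension. */
    static List<String> describeKeyUsage(X509Certificate cert) {
        List<String> set = new ArrayList<>();
        boolean[] ku = cert.getKeyUsage();
        if (ku == null) return set;
        for (int i = 0; i < ku.length && i < KEY_USAGE_NAMES.length; i++) {
            if (ku[i]) set.add(KEY_USAGE_NAMES[i]);
        }
        return set;
    }

    /** True when the KeyUsage extension is flagged critical (the "Critical" in Andrea's description). */
    static boolean keyUsageIsCritical(X509Certificate cert) {
        Set<String> critical = cert.getCriticalExtensionOIDs();
        return critical != null && critical.contains(KEY_USAGE_OID);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from a terminal): java ListCertKeyUsage <pkcs11-module.so>");
            System.exit(2);
        }
        Provider p = loadProvider("SmartCard", args[0]);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        // PIN is read from the console so it never lands in argv or shell history.
        char[] pin = System.console().readPassword("User PIN: ");
        ks.load(null, pin);                 // null stream: the token itself is the store
        java.util.Arrays.fill(pin, '\0');   // wipe the PIN once the login has happened

        int count = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            count++;
            System.out.printf("alias: %s%n  subject:    %s%n  keyUsage:   %s%s%n  privateKey: %s%n",
                    alias, x.getSubjectX500Principal(), describeKeyUsage(x),
                    keyUsageIsCritical(x) ? " (critical)" : "",
                    ks.isKeyEntry(alias) ? "paired on token" : "not paired");
        }
        System.out.printf("%d X.509 certificate(s) visible through %s%n", count, args[0]);
    }
}
```

Run it once with the module path set to opensc-pkcs11.so and once with /lib64/libASEP11.so (or with pkcs11-spy.so and PKCS11SPY pointing at either, per the wiki page linked above) and compare the two listings against the C_FindObjects results in the spy trace. Keep in mind that the Java KeyStore view is narrower than the raw PKCS#11 object list: SunPKCS11 pairs certificate objects with private key objects by CKA_ID and, to my knowledge, exposes an unpaired certificate only when the module flags it as trusted. So if the trace shows the module returning both certificate objects but Java lists only one alias, the gap is in that pairing; if the module itself returns only one certificate object, as Andrea's logs later show for OpenSC, the gap is in the module or card driver.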
 


Re: x509 cert aliases loading problems using opensc-pkcs11.so

Andrea Dell'Anna
Hi, thank you for your reply!

I logged both results with pkcs11-spy for the same input set on the same Java program.
It simply seems that the OpenSC driver retrieves just one cert.
Instead, the Athena proprietary driver retrieves both certs on the smartcard.

Here are the attachments for both driver logs and my testing Java program.

On Tue, Jul 7, 2015 at 2:52 PM, Douglas E Engert <[hidden email]> wrote:

Attachments: libasep11.log (42K), opensc.log (23K), PKCS11GetAlias.java (2K)

Re: x509 cert aliases loading problems using opensc-pkcs11.so

Douglas E Engert
Is this an Italian CNS card?

Can you run the OpenSC command:

pkcs11-tool -O

to see what it is doing? Adding -v -v -v -v -v -v -v would also help.

It could be that the OpenSC implementation for the CNS applet on your card is not complete, or the OpenSC card driver is for a previous version of the applet/card.
Either you or someone with a similar card would need to submit a patch to OpenSC.

On 7/7/2015 10:52 AM, Andrea Dell'Anna wrote:



-- 

 Douglas E. Engert  [hidden email]
 
