On 01/07/2014 09:32 AM, Hans-Christoph Steiner wrote:
>
> NdK wrote:
>> On 07/01/2014 04:01, Hans-Christoph Steiner wrote:
>>
>>> Does anyone know if there is any chance of using an OpenPGP smart card for
>>> Java? I know that GnuPG doesn't support PKCS#11, but I was wondering if
>>> things work the other way around: Java using the OpenPGP card. It would be
>>> super useful to be able to use the same smartcard for both Android APK
>>> signing and OpenPGP signing.
>> IIRC there is an OpenSC "driver" for OpenPGP cards, that makes 'em
>> accessible through PKCS#11.
>>
>> https://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg06206.html
>>
>> Seems it's quite old... Maybe if you want to take over development...
>>
>> BYtE,
>> Diego.
>
> opensc's support for the OpenPGP card has improved quite a bit in 0.13, it
> seems. There is now full write support and a specific 'openpgp-tool' even:
> https://www.opensc-project.org/opensc/wiki/OpenPGP
>
> I don't need write support at all, I just want to get keytool to use the
> OpenPGP card as a PKCS11 keystore. It seems that things are close: Java can
> use NSS as a provider of PKCS11. I guess the question is whether opensc is
> making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
> fully understand.
>
> Once I figure this out, my plan is to integrate my work into the relevant
> Debian packages, and then promote the use of the OpenPGP card for Android APK
> signing keys.
>
> .hc
So now I have it to the point where I can see the certificate on the OpenPGP
card with keytool, but I can't get jarsigner to use it. Do I have to mark the
key on the card as a signing key somehow? Is it just not possible to have the
PKCS#11 certificate part of the OpenPGP card be used as a signing key?

Here are the debug transcripts of my keytool and jarsigner commands:

$ keytool -v -keystore NONE -storetype PKCS11 -providerName SunPKCS11-OpenSC -list
Enter keystore password:

Keystore type: PKCS11
Keystore provider: SunPKCS11-OpenSC

Your keystore contains 1 entry

Alias name: Cardholder certificate
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: O=Internet Widgits Pty Ltd, L=Brooklny, ST=New York, C=US
Issuer: O=Internet Widgits Pty Ltd, L=Brooklny, ST=New York, C=US
Serial number: d76589b02e0f422a
Valid from: Mon Jan 06 20:09:06 EST 2014 until: Wed Feb 05 20:09:06 EST 2014
Certificate fingerprints:
	 MD5:  75:CB:92:5C:F8:4B:F3:0D:54:59:48:D5:4D:8A:08:5B
	 SHA1: 57:C1:4B:12:26:55:66:0E:94:5A:D1:53:46:C0:76:6E:D5:3F:08:91
	 SHA256: F6:EC:49:9A:AB:04:1A:E0:EE:89:E2:D1:21:8D:79:42:7F:B5:5F:2E:B2:F7:10:53:38:CD:85:20:92:78:69:9F
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 85 1F 1B 01 09 3D 12 E2 88 17 0C 91 50 5F 88 1E  .....=......P_..
0010: D3 C1 1B D0                                      ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 85 1F 1B 01 09 3D 12 E2 88 17 0C 91 50 5F 88 1E  .....=......P_..
0010: D3 C1 1B D0                                      ....
]
]


*******************************************
*******************************************


$ export OPENSC_DEBUG=2
$ jarsigner -verbose -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /etc/java-7-openjdk/security/opensc.cfg libs/commons-io-2.2.jar "Cardholder certificate" -J-Djava.security.debug=sunpkcs11
SunPKCS11 loading /etc/java-7-openjdk/security/opensc.cfg
sunpkcs11: Initializing PKCS#11 library /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Information for provider SunPKCS11-OpenSC
Library info:
  cryptokiVersion: 2.20
  manufacturerID: OpenSC (www.opensc-project.org)
  flags: 0
  libraryDescription: Smart card PKCS#11 API
  libraryVersion: 0.00
All slots: -1, 1, 2
Slots with tokens: 1, 2
Slot info for slot 2:
  slotDescription: Gemalto GemPC Key 00 00
  manufacturerID: OpenSC (www.opensc-project.org)
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 2:
  label: OpenPGP card (User PIN)
  manufacturerID: ZeitControl
  model: PKCS#15 emulated
  serialNumber: 0005000014f9
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: 0
  ulMaxPinLen: 32
  ulMinPinLen: 6
  ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
  ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
  hardwareVersion: 0.00
  firmwareVersion: 0.00
  utcTime:
Mechanism CKM_SHA_1:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA256:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA384:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA512:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_MD5:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_RIPEMD160:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism Unknown 0x0000000000001210:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_RSA_X_509:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10753 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY
Mechanism CKM_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10753 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA1_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA256_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_MD5_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_RIPEMD160_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_RSA_PKCS_KEY_PAIR_GEN:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 65536 = CKF_GENERATE_KEY_PAIR
Enter Passphrase for keystore:
sunpkcs11: login operation not required for token - ignoring login request
jarsigner: Certificate chain not found for: Cardholder certificate.  Cardholder certificate must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
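An added diagnostic, not part of this thread, that opens the same SunPKCS11/OpenSC keystore from Java and reports, per alias, the three things jarsigner's error message demands: that the alias is a key entry, that getKey returns a PrivateKey handle, and that a certificate chain is attached. It assumes the config path from the jarsigner command above, takes the user PIN as its first argument, and uses the Java 7/8 SunPKCS11 constructor; the class and method names are my own.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.util.Collections;

public class Pkcs11EntryCheck {

    // Report what the keystore exposes for one alias: the same three
    // properties jarsigner checks (key entry, private key, certificate chain).
    static String describe(KeyStore ks, String alias, char[] pin) throws Exception {
        StringBuilder sb = new StringBuilder("alias \"" + alias + "\":\n");
        sb.append("  key entry:    ").append(ks.isKeyEntry(alias)).append('\n');
        Certificate[] chain = ks.getCertificateChain(alias);
        sb.append("  chain length: ").append(chain == null ? "none" : chain.length).append('\n');
        Key k = null;
        try {
            // For a PKCS#11 keystore this is a handle to the on-card object,
            // not key material; it is only usable while the token is present.
            k = ks.getKey(alias, pin);
        } catch (Exception e) {
            sb.append("  getKey failed: ").append(e).append('\n');
        }
        sb.append("  private key:  ")
          .append(k instanceof PrivateKey ? k.getAlgorithm() : "none").append('\n');
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Assumed config path (taken from the jarsigner command in the thread);
        // the user PIN comes from the first argument so it never sits in source.
        String cfg = args.length > 1 ? args[1] : "/etc/java-7-openjdk/security/opensc.cfg";
        char[] pin = args.length > 0 ? args[0].toCharArray() : null;

        // Java 7/8 style: the SunPKCS11 constructor takes the config file path.
        Provider p = new sun.security.pkcs11.SunPKCS11(cfg);
        Security.addProvider(p);

        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // the PIN is what satisfies CKF_LOGIN_REQUIRED

        for (String alias : Collections.list(ks.aliases())) {
            System.out.print(describe(ks, alias, pin));
        }
    }
}
```

A chain without a private key in this report is exactly the state jarsigner rejects; SunPKCS11 pairs a certificate object with a private key object by matching their CKA_ID, so an unmatched pair shows up here as a chain with "private key: none".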