Well, I'm replying to myself, but I have some more information. Until and unless I load the muscle card applet, and format it, pkcs15-tool (which I believe is part of opensc) says the card is not supported. So musclecard appears to create a pkcs15 space that opensc can play in.
I was using the opensc pkcs11 module to do all of this. Switching over to the musclelib pkcs11 module, it says that the card is empty. So clearly the pkcs11/pkcs15 (whichever) space that is created as a side effect of loading the applet is permissive (despite the attributes on the keys denying it) about allowing private keys to leave the card. Shocking.

However, if I use the PKCS11 JCE provider configured to use the muscle pkcs11 module:

    jarsigner -storetype pkcs12 -keystore file.p12 foo.jar signer

works (this is just a control - file.p12 is a code signing certificate and private key as a PKCS12 file).

    keytool -importkeystore -srckeystore signer.p12 -srcstoretype pkcs12 -destkeystore NONE -deststoretype pkcs11

works:

    Entry for alias signer successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

    keytool -storetype pkcs11 -keystore NONE -list -v

works. Shows me all of the right cert details and that there's a private key to go along with it.

    jarsigner -storetype pkcs11 -keystore NONE foo.jar signer

fails with:

    jarsigner error: java.security.ProviderException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_TYPE_INVALID

Now, signing jars with a smart card isn't what I set out to do, but I figure if I can sign jars with the JCE, that means that openssl ought to be able to use the pkcs11 functionality in the same way to set up SSL connections. Not there yet.

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle

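The keytool/jarsigner flow in the post, driven programmatically through the SunPKCS11 provider so the listing step and the signing step can be separated, is shown below as an added example (not code from the original post or from the MUSCLE project); the library path, the PIN passed as the first argument, and the "signer" alias from the post are assumptions.

```java
// Added example: configure SunPKCS11 against the muscle pkcs11 module, list
// the token's entries, then sign with the card-resident key so that a
// CKR_ATTRIBUTE_TYPE_INVALID failure can be pinned to the signing step.
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class MusclePkcs11Check {
    public static void main(String[] args) throws Exception {
        // Inline SunPKCS11 config (Java 9+ form, leading "--"); the library
        // path is an assumption and must match where the module is installed.
        String cfg = "--name = muscle\nlibrary = /usr/lib/libmusclepkcs11.so\n";
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);

        char[] pin = args[0].toCharArray(); // assumption: token PIN as argv[0]
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);

        // Step 1: the equivalent of "keytool -storetype pkcs11 -list -v".
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s key=%b subject=%s%n", alias, ks.isKeyEntry(alias),
                    c == null ? "-" : c.getSubjectX500Principal());
        }

        // Step 2: the equivalent of "jarsigner -storetype pkcs11". If step 1
        // worked but this throws ProviderException, the token's key attributes
        // are the problem, not the keystore view of the card.
        PrivateKey k = (PrivateKey) ks.getKey("signer", pin);
        // Heuristic check: a PKCS11 private key whose encoding is non-null is
        // being handed to the host, i.e. the key is not staying on the card.
        System.out.println("key material exposed to host: " + (k.getEncoded() != null));

        Signature s = Signature.getInstance("SHA256withRSA", p);
        s.initSign(k);
        s.update("test".getBytes("UTF-8"));
        byte[] sig = s.sign();
        System.out.println("signature length: " + sig.length);
    }
}
```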