using an OpenPGP card with Java (keytool and jarsigner)

Hans-Christoph Steiner hans at guardianproject.info
Tue Jan 7 22:37:05 CET 2014



On 01/07/2014 09:32 AM, Hans-Christoph Steiner wrote:
> 
> NdK wrote:
>> Il 07/01/2014 04:01, Hans-Christoph Steiner ha scritto:
>>
>>> Does anyone know if there is any chance of using an OpenPGP smart card for
>>> Java?  I know that GnuPG doesn't support PKCS#11, but I was wondering if
>>> things work the other way around: Java using the OpenPGP card.  It would be
>>> super useful to be able to use the same smartcard for both Android APK signing
>>> and OpenPGP signing.
>> IIRC there is an OpenSC "driver" for OpenPGP cards, that makes 'em
>> accessible throught PKCS#11.
>>
>> https://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg06206.html
>>
>> Seems it's quite old... Maybe if you want to take over development...
>>
>> BYtE,
>>  Diego.
> 
> opensc's support for the OpenPGP card has improved quite a bit in 0.13, it
> seems.  There is now full write support and a specific 'openpgp-tool' even:
> https://www.opensc-project.org/opensc/wiki/OpenPGP
> 
> I don't need write support at all, I just want to get keytool to use the
> OpenPGP card as a PKCS11 keystore.  It seems that things are close: Java can
> use NSS as a provider of PKCS11.  I guess the question is whether opensc is
> making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
> fully understand.
> 
> Once I figure this out, my plan is to integrate my work into the relevant
> Debian packages, and then promote the use of the OpenPGP card for Android APK
> signing keys.
> 
> .hc

So now I have it to the point where I can see the certificate on the OpenPGP
card with keytool, but I can't get jarsigner to use it.  Do I have to mark the
key on the card as a signing key somehow?  Is it just not possible to have the
PKCS#11 certificate part of the OpenPGP card be used as a signing key?

Here are the debug transcripts of my keytool and jarsigner commands:


$ keytool -v -keystore NONE -storetype PKCS11 -providerName SunPKCS11-OpenSC -list
Enter keystore password:

Keystore type: PKCS11
Keystore provider: SunPKCS11-OpenSC

Your keystore contains 1 entry

Alias name: Cardholder certificate
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: O=Internet Widgits Pty Ltd, L=Brooklny, ST=New York, C=US
Issuer: O=Internet Widgits Pty Ltd, L=Brooklny, ST=New York, C=US
Serial number: d76589b02e0f422a
Valid from: Mon Jan 06 20:09:06 EST 2014 until: Wed Feb 05 20:09:06 EST 2014
Certificate fingerprints:
	 MD5:  75:CB:92:5C:F8:4B:F3:0D:54:59:48:D5:4D:8A:08:5B
	 SHA1: 57:C1:4B:12:26:55:66:0E:94:5A:D1:53:46:C0:76:6E:D5:3F:08:91
	 SHA256: F6:EC:49:9A:AB:04:1A:E0:EE:89:E2:D1:21:8D:79:42:7F:B5:5F:2E:B2:F7:10:53:38:CD:85:20:92:78:69:9F
	 Signature algorithm name: SHA1withRSA
	 Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 85 1F 1B 01 09 3D 12 E2   88 17 0C 91 50 5F 88 1E  .....=......P_..
0010: D3 C1 1B D0                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 85 1F 1B 01 09 3D 12 E2   88 17 0C 91 50 5F 88 1E  .....=......P_..
0010: D3 C1 1B D0                                        ....
]
]



*******************************************
*******************************************



$ export OPENSC_DEBUG=2
$ jarsigner -verbose -keystore NONE -storetype PKCS11 \
    -providerClass sun.security.pkcs11.SunPKCS11 \
    -providerArg /etc/java-7-openjdk/security/opensc.cfg \
    libs/commons-io-2.2.jar "Cardholder certificate" \
    -J-Djava.security.debug=sunpkcs11
SunPKCS11 loading /etc/java-7-openjdk/security/opensc.cfg
sunpkcs11: Initializing PKCS#11 library /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Information for provider SunPKCS11-OpenSC
Library info:
  cryptokiVersion: 2.20
  manufacturerID: OpenSC (www.opensc-project.org)
  flags: 0
  libraryDescription: Smart card PKCS#11 API
  libraryVersion: 0.00
All slots: -1, 1, 2
Slots with tokens: 1, 2
Slot info for slot 2:
  slotDescription: Gemalto GemPC Key 00 00

  manufacturerID: OpenSC (www.opensc-project.org)
  flags: CKF_TOKEN_PRESENT | CKF_REMOVABLE_DEVICE | CKF_HW_SLOT
  hardwareVersion: 0.00
  firmwareVersion: 0.00
Token info for token in slot 2:
  label: OpenPGP card (User PIN)
  manufacturerID: ZeitControl
  model: PKCS#15 emulated
  serialNumber: 0005000014f9
  flags: CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED
  ulMaxSessionCount: CK_EFFECTIVELY_INFINITE
  ulSessionCount: 0
  ulMaxRwSessionCount: CK_EFFECTIVELY_INFINITE
  ulRwSessionCount: 0
  ulMaxPinLen: 32
  ulMinPinLen: 6
  ulTotalPublicMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePublicMemory: CK_UNAVAILABLE_INFORMATION
  ulTotalPrivateMemory: CK_UNAVAILABLE_INFORMATION
  ulFreePrivateMemory: CK_UNAVAILABLE_INFORMATION
  hardwareVersion: 0.00
  firmwareVersion: 0.00
  utcTime:
Mechanism CKM_SHA_1:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA256:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA384:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_SHA512:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_MD5:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_RIPEMD160:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism Unknown 0x0000000000001210:
  ulMinKeySize: 0
  ulMaxKeySize: 0
  flags: 1024 = CKF_DIGEST
Mechanism CKM_RSA_X_509:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10753 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY
Mechanism CKM_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10753 = CKF_HW | CKF_DECRYPT | CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA1_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_SHA256_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_MD5_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_RIPEMD160_RSA_PKCS:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 10240 = CKF_SIGN | CKF_VERIFY
Mechanism CKM_RSA_PKCS_KEY_PAIR_GEN:
  ulMinKeySize: 2048
  ulMaxKeySize: 3072
  flags: 65536 = CKF_GENERATE_KEY_PAIR
Enter Passphrase for keystore:
sunpkcs11: login operation not required for token - ignoring login request
jarsigner: Certificate chain not found for: Cardholder certificate.
Cardholder certificate must reference a valid KeyStore key entry containing a
private key and corresponding public key certificate chain.





-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
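The following is an added diagnostic, not code from the post or from OpenSC/OpenJDK. It loads the same SunPKCS11 config that jarsigner gets through -providerArg, walks the PKCS#11 keystore the way jarsigner does (isKeyEntry plus getCertificateChain, which is the pair of calls behind "Certificate chain not found for: <alias>"), and then signs and verifies a test message through the token so that "keytool can list the entry" and "the private key object is actually usable for signing" can be told apart. Assumptions not stated in the post: Java 9 or later for Provider.configure() (on Java 7/8 use new sun.security.pkcs11.SunPKCS11(cfg) instead), a cfg file containing at least the name and library values visible in the post's debug output, and the user PIN passed as the second argument. Run with: javac Pkcs11Probe.java && java Pkcs11Probe /etc/java-7-openjdk/security/opensc.cfg <PIN>

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Collections;

/*
 * Added example, not code from the original post.
 *
 * Assumed cfg contents (values taken from the post's debug output):
 *     name = OpenSC
 *     library = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
 * The post's log lists tokens in slots 1 and 2 and the "(User PIN)" token in
 * slot 2; SunPKCS11 defaults to slotListIndex 0, so check which token it
 * picked and add  slot = 2  (or slotListIndex) if it is the wrong one.
 */
public class Pkcs11Probe {

    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0]
                : "/etc/java-7-openjdk/security/opensc.cfg";   // path from the post
        char[] pin = args.length > 1 ? args[1].toCharArray() : null;

        // Java 9+: configure the stock SunPKCS11 provider from the cfg file.
        // Java 7/8: Provider p = new sun.security.pkcs11.SunPKCS11(cfg);
        Provider p = Security.getProvider("SunPKCS11").configure(cfg);
        Security.addProvider(p);
        System.out.println("provider: " + p.getName());

        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);   // performs C_Login with the PIN when one is given

        for (String alias : Collections.list(ks.aliases())) {
            boolean keyEntry = ks.isKeyEntry(alias);
            Certificate[] chain = ks.getCertificateChain(alias);
            int len = chain == null ? 0 : chain.length;
            System.out.printf("%s: keyEntry=%b chainLength=%d%n", alias, keyEntry, len);

            // jarsigner raises "Certificate chain not found for: <alias>" when
            // getCertificateChain() returns null or an empty array for the
            // alias it was given, so this is the condition to get past first.
            if (!keyEntry || len == 0) {
                continue;
            }

            // Sign on the token, verify with the certificate's public key:
            // proves the private key object is usable and matches the cert.
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            byte[] msg = "probe".getBytes(StandardCharsets.UTF_8);

            Signature signer = Signature.getInstance("SHA256withRSA", p);
            signer.initSign(key);
            signer.update(msg);
            byte[] sig = signer.sign();

            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(chain[0].getPublicKey());
            verifier.update(msg);
            System.out.printf("  SHA256withRSA via token: %d-byte signature, verifies=%b%n",
                    sig.length, verifier.verify(sig));
        }
    }
}
```

SHA256withRSA is chosen because the post's mechanism list shows CKM_SHA256_RSA_PKCS with CKF_SIGN; if the loop prints the alias with chainLength=0, the problem is in how the PKCS#11 module exposes the certificate and key objects, not in jarsigner, and if signing fails after the chain check passes, the problem is in the key object or the login state.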