using an OpenPGP card with Java (keytool and jarsigner)
Hans-Christoph Steiner
hans at guardianproject.info
Wed Jan 8 16:26:12 CET 2014
On 01/08/2014 07:02 AM, Werner Koch wrote:
> On Tue, 7 Jan 2014 15:32, hans at guardianproject.info said:
>
>> OpenPGP card as a PKCS11 keystore. It seems that things are close: Java can
>> use NSS as a provider of PKCS11. I guess the question is whether opensc is
>> making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
>
> Scute also provides a pkcs#11 interface to NSS. Thus you should be
> able to use it also with Java.
I haven't tried scute, but it seems that opensc v0.13 provides a PKCS#11
interface to the OpenPGP card. I am able to get keytool to report the
certificate in key position #3, but the question I have now is that given that
key #3 is for authentication, is there some restriction in the OpenPGP card
that would prevent the certificate/key combo in position #3 from being used
for signing?
I did read about using opensc with an OpenPGP card to provide S/MIME services.
What I read there is that in order to use the certificate/key combo in
position #3 for decrypting emails, the key in position #2 (decryption) must
match the key in position number #3. Is there a similar restriction for signing?
I forget if I mentioned this, but the grand goal is to have a single hardware
security module that can sign the Android APK using jarsigner, then make an
OpenPGP signature on the APK, then optionally provide authentication for
scp'ing the resulting files to the release server.
.hc
--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
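An added example, not code from this thread: the check a practitioner would want before pointing jarsigner at the card. It loads OpenSC's PKCS#11 module through SunPKCS11, lists each key slot with its certificate and KeyUsage bits, and then tries to produce and verify a signature with that slot's key, which is exactly the operation jarsigner will ask the card for. Assumptions: the module path /usr/lib/opensc-pkcs11.so, the Java 7/8 SunPKCS11 constructor, and the PIN given as the first argument or read from the console.

```java
import java.io.File;
import java.io.FileWriter;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class CardSignCheck {
    // SunPKCS11 config for OpenSC's module; the library path is an assumption, adjust for your system
    static final String PKCS11_CFG = "name = OpenSC\nlibrary = /usr/lib/opensc-pkcs11.so\n";

    public static void main(String[] args) throws Exception {
        char[] pin = args.length > 0 ? args[0].toCharArray() : System.console().readPassword("User PIN: ");
        File cfg = File.createTempFile("opensc", ".cfg");
        try (FileWriter w = new FileWriter(cfg)) { w.write(PKCS11_CFG); }

        // Java 7/8 style; Java 9+ uses Security.getProvider("SunPKCS11").configure(path) instead
        Provider p11 = new sun.security.pkcs11.SunPKCS11(cfg.getPath());
        Security.addProvider(p11);

        KeyStore ks = KeyStore.getInstance("PKCS11", p11);
        ks.load(null, pin); // logs in to the card; private keys never leave it

        byte[] probe = "constructed test input".getBytes("UTF-8"); // constructed sample data
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null || !ks.isKeyEntry(alias)) continue;
            boolean[] ku = cert.getKeyUsage(); // null when the cert has no KeyUsage extension
            System.out.println(alias + ": " + cert.getSubjectX500Principal().getName()
                + " digitalSignature=" + (ku != null && ku[0]));
            // Empirical check: will the card sign with this slot's key, and does the
            // certificate's public key verify the result? jarsigner needs both to hold.
            try {
                PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
                Signature s = Signature.getInstance("SHA256withRSA", p11);
                s.initSign(key);
                s.update(probe);
                byte[] sig = s.sign();
                Signature v = Signature.getInstance("SHA256withRSA");
                v.initVerify(cert.getPublicKey());
                v.update(probe);
                System.out.println("  signs and verifies with card key: " + v.verify(sig));
            } catch (Exception ex) {
                System.out.println("  signing failed: " + ex.getMessage());
            }
        }
    }
}
```

The same config file works for keytool and jarsigner with -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg <cfg>, so an alias that signs and verifies here is the one to hand to jarsigner.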