using an OpenPGP card with Java (keytool and jarsigner)

Hans-Christoph Steiner hans at
Wed Jan 8 16:26:12 CET 2014

On 01/08/2014 07:02 AM, Werner Koch wrote:
> On Tue,  7 Jan 2014 15:32, hans at said:
>> OpenPGP card as a PKCS11 keystore.  It seems that things are close: Java can
>> use NSS as a provider of PKCS11.  I guess the question is whether opensc is
>> making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
> Scute also provides an pkcs#11 interface to NSS.  Thus you should be
> able to use it also with Java.

I haven't tried scute, but it seems that opensc v0.13 provides a PKCS#11
interface to the OpenPGP card.  I am able to get keytool to report the
certificate in key position #3, but the question I have now is that given that
key #3 is for authentication, is there some restriction in the OpenPGP card
that would prevent the certificate/key combo in position #3 from being used
for signing?

I did read about using opensc with an OpenPGP card to provide S/MIME services.
 What I read there is that in order to use the certificate/key combo in
position #3 for decrypting emails, the key in position #2 (decryption) must
match the key in position number #3.  Is there a similar restriction for signing?

I forget if I mentioned this, but the grand goal is to have a single hardware
security module that can sign the Android APK using jarsigner, then make a
OpenPGP signature on the APK, then optionally provide authentication for
scp'ing the resulting files to the release server.


PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

More information about the Gnupg-users mailing list