using an OpenPGP card with Java (keytool and jarsigner)

Stefan Xenon stefanxe at
Tue Jan 21 19:25:37 CET 2014

Am 08.01.2014 16:26, schrieb Hans-Christoph Steiner:
> On 01/08/2014 07:02 AM, Werner Koch wrote:
>> On Tue,  7 Jan 2014 15:32, hans at said:
>>> OpenPGP card as a PKCS11 keystore.  It seems that things are close: Java can
>>> use NSS as a provider of PKCS11.  I guess the question is whether opensc is
>>> making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
>> Scute also provides an pkcs#11 interface to NSS.  Thus you should be
>> able to use it also with Java.
> I haven't tried scute, but it seems that opensc v0.13 provides a PKCS#11
> interface to the OpenPGP card.  I am able to get keytool to report the
> certificate in key position #3, but the question I have now is that given that
> key #3 is for authentication, is there some restriction in the OpenPGP card
> that would prevent the certificate/key combo in position #3 from being used
> for signing?
> I did read about using opensc with an OpenPGP card to provide S/MIME services.
>  What I read there is that in order to use the certificate/key combo in
> position #3 for decrypting emails, the key in position #2 (decryption) must
> match the key in position number #3.  Is there a similar restriction for signing?

There is no restriction for Signing Key (first slot in OpenPGP card).

For me Scute never worked successfully. I would recommend using OpenSC
instead which is maintained actively.

Best regards,

> I forget if I mentioned this, but the grand goal is to have a single hardware
> security module that can sign the Android APK using jarsigner, then make a
> OpenPGP signature on the APK, then optionally provide authentication for
> scp'ing the resulting files to the release server.
> .hc

More information about the Gnupg-users mailing list