using an OpenPGP card with Java (keytool and jarsigner)
stefanxe at gmx.net
Tue Jan 21 19:25:37 CET 2014
On 08.01.2014 16:26, Hans-Christoph Steiner wrote:
> On 01/08/2014 07:02 AM, Werner Koch wrote:
>> On Tue, 7 Jan 2014 15:32, hans at guardianproject.info said:
>>> OpenPGP card as a PKCS11 keystore. It seems that things are close: Java can
>>> use NSS as a provider of PKCS11. I guess the question is whether opensc is
>>> making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
>> Scute also provides a PKCS#11 interface to NSS. Thus you should be
>> able to use it with Java as well.
> I haven't tried scute, but it seems that opensc v0.13 provides a PKCS#11
> interface to the OpenPGP card. I am able to get keytool to report the
> certificate in key position #3, but the question I have now is that given that
> key #3 is for authentication, is there some restriction in the OpenPGP card
> that would prevent the certificate/key combo in position #3 from being used
> for signing?
> I did read about using opensc with an OpenPGP card to provide S/MIME services.
> What I read there is that in order to use the certificate/key combo in
> position #3 for decrypting emails, the key in position #2 (decryption) must
> match the key in position number #3. Is there a similar restriction for signing?
There is no restriction for the Signing Key (first slot in the OpenPGP card).
For me Scute never worked successfully. I would recommend using OpenSC
instead, which is actively maintained.
> I forget if I mentioned this, but the grand goal is to have a single hardware
> security module that can sign the Android APK using jarsigner, then make a
> OpenPGP signature on the APK, then optionally provide authentication for
> scp'ing the resulting files to the release server.
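The setup discussed in this thread (OpenSC's PKCS#11 module as the keystore behind keytool and jarsigner), as an added example that is not part of the original mail or of the OpenSC or GnuPG projects. The module path, the config file name, the APK name and the key alias "Signature key" (the label OpenSC is assumed to give the OpenPGP signature key in slot 1) are assumptions to adjust for your machine; the block is a dry run by default and only executes the JDK tools when RUN=1 is set.

```shell
#!/bin/sh
# Added example: point Java's SunPKCS11 provider at OpenSC's PKCS#11 module so
# keytool/jarsigner can use the keys on an OpenPGP card. Paths, file names and
# the alias label are illustrative assumptions, not values from the thread.
set -eu

PKCS11_LIB="${PKCS11_LIB:-/usr/lib/opensc-pkcs11.so}"   # assumed path; distro-specific
CFG="${CFG:-$(mktemp)}"                                   # SunPKCS11 config file
RUN="${RUN:-0}"                                           # 1 = really invoke keytool/jarsigner

# SunPKCS11 config: one provider instance per token slot. OpenSC presents the
# OpenPGP card as a single slot, so slotListIndex 0 is normally the right one.
write_pkcs11_cfg() {   # $1 = output path, $2 = PKCS#11 library path
    cat > "$1" <<EOF
name = OpenSC-OpenPGP
library = $2
slotListIndex = 0
EOF
}

# Arguments shared by keytool and jarsigner: the keystore is the token itself,
# hence -keystore NONE and -storetype PKCS11. The card PIN acts as the store
# password; leave it to the interactive prompt instead of passing -storepass.
# (JDK 9+ also accepts "-addprovider SunPKCS11 -providerArg <cfg>".)
pkcs11_store_args() {
    printf '%s' "-keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg $CFG"
}

# Lists what the card exposes. The alias column is what jarsigner must be given;
# with OpenSC the OpenPGP keys are assumed to be labelled "Signature key",
# "Encryption key" and "Authentication key" (slots 1, 2 and 3).
list_cmd() {
    printf '%s' "keytool -list $(pkcs11_store_args)"
}

# Signs a JAR/APK with the named card key. SHA256withRSA assumes an RSA key,
# which is what OpenPGP cards of that era carried.
sign_cmd() {   # $1 = jar/apk path, $2 = alias
    printf '%s' "jarsigner $(pkcs11_store_args) -sigalg SHA256withRSA -digestalg SHA-256 '$1' '$2'"
}

# Executes the command only when explicitly asked and the module is readable;
# otherwise prints it, so the script can be reviewed on a machine without a reader.
run_or_show() {   # $1 = command string
    if [ "$RUN" = 1 ] && command -v keytool >/dev/null 2>&1 && [ -r "$PKCS11_LIB" ]; then
        eval "$1"
    else
        echo "would run: $1"
    fi
}

write_pkcs11_cfg "$CFG" "$PKCS11_LIB"
run_or_show "$(list_cmd)"
run_or_show "$(sign_cmd 'app-release-unsigned.apk' 'Signature key')"
```

Run the listing step first: if the signature key does not appear in keytool's output, the card or the module is not exposing slot 1, and jarsigner will fail on the alias rather than on anything cryptographic.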