Openssl signing with smartcard does not find certificate


Openssl signing with smartcard does not find certificate

Georg Lohrer-6
Hi,

I'm just experimenting with a new TCOS-card from signtrust.de (a German
PKI-vendor).

The card is accessible via pkcs15-tool and pkcs11-tool from opensc.

With openssl I can use the engine_pkcs11 dynamic engine with simply:

$ openssl
> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so  -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD  -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so -pre VERBOSE
> req -engine pkcs11 -new -key id_01 -keyform engine -out req.pem -text -x509 -subj "/CN=Georg Lohrer"

to get a self-signed certificate.
The card-pin will be requested correctly, so the communication between
engine_pkcs11.so and the GemPC Twin reader runs successfully.

Now, I want to sign a text using the certificates on the SmartCard. Therefore
I thought of something like:

$ openssl
> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so  -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD  -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so -pre VERBOSE
> smime -sign -engine pkcs11 -in email.txt -out signed.email.txt -signer 0:1 -keyform engine -outform DER

but only get:

engine "pkcs11" set.
Error opening signer certificate 0:1
22432:error:02001002:system library:fopen:No such file or
directory:bss_file.c:349:fopen('0:1','r')
22432:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:351:
unable to load certificate
error in smime

I have had a look into the source code of openssl-0.9.8a/apps and the
engine_pkcs11.so-sources to see the general API of the dynamic-engines. And I
detected that there is a function called pkcs11_load_key() being called from
the 'req' command with the engine option. So, the key will be found, but not
the certificate for signing.

Is there a way to let the 'smime' command know that it should not use a file
'0:1' ('-signer' option), but use something out of the engine?
Or do I have to extract the certificate from the SmartCard to use it?

I thought that I want to send the md5sum (sha1sum) of a text to the SmartCard
for signing automatically, but perhaps I might be wrong with this thinking. I
always get into trouble with all these libs and responsibilities. Maybe I am
totally wrong with openssl at this point and I have to use different tools.

Do you have any idea or a proper way of using SmartCards for signing
documents with openssl?

Ciao, Georg




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Openssl signing with smartcard does not find certificate

Dr. Stephen Henson
On Sat, Feb 18, 2006, Georg Lohrer wrote:

> Is there a way to let the 'smime' command know that it should not use a file
> '0:1' ('-signer' option), but use something out of the engine.
> Or do I have to extract the certificate from the SmartCard to use it?
>

Yes currently you have to extract the certificate into a file to use it. There
is no equivalent function in the ENGINE at present to extract the certificate.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Openssl signing with smartcard does not find certificate

Kyle Hamilton
Hmmm.  This might more properly belong on the -dev list, but would
there be a way to add that functionality without breaking the current
ABI?  e.g., test for the existence of a symbol in the library, and if
present add it to the engine structure, else leave that function
pointer at NULL?  I know that can be done by GetProcAddress under
Win32, but I'm not sure how to do it with dlopen() etc.

-Kyle H


Re: Openssl signing with smartcard does not find certificate

Georg Lohrer-6
In reply to this post by Dr. Stephen Henson
Hi Steve,
   
On Sa, 18 Feb 2006, Dr. Stephen Henson wrote:

> On Sat, Feb 18, 2006, Georg Lohrer wrote:
>
[snipped]
> >
> > Is there a way to let the 'smime' command know that it should not use a file
> > '0:1' ('-signer' option), but use something out of the engine.
> > Or do I have to extract the certificate from the SmartCard to use it?
> >
>
> Yes currently you have to extract the certificate into a file to use it. There
> is no equivalent function in the ENGINE at present to extract the certificate.
>

Thank you for answering.

The signtrust.de-SmartCard is issued by a so-called "accredited
certification service vendor" (directly translated from German) and is
prepared under absolutely strong conditions. signtrust.de assures the
authentication of the card-holder and offers a way of validation.
Documents signed with the certificates from this vendor are treated as
valid for legal affairs (there is a special signature-law).
Therefore extracting something from this card and storing it at a non-safe
place is not feasible. There is at least a class-2 pinpad-reader necessary to
prevent transfer of pin-codes to the card.

I have to look for another way to get my mail-signatures with this
SmartCard :-(

Ciao, Georg


Re: Openssl signing with smartcard does not find certificate

Kyle Hamilton
Extracting certificates for validation purposes is not possible?  You
don't need to extract the private key to use it for signing.

-Kyle H


Re: Openssl signing with smartcard does not find certificate

Georg Lohrer-6
Hi Kyle,
   
On So, 19 Feb 2006, Kyle Hamilton wrote:

> Extracting certificates for validation purposes is not possible?  You
> don't need to extract the private key to use it for signing.

Ah, of course you could get the certificate out of the card and store it on
another medium.
Perhaps I might be wrong, but does using this certificate not break any
security issues? Do I have to have the SmartCard available in case
of using this certificate? Or will anybody holding this certificate be able
to sign documents pretending to be myself?

I am a little bit puzzled, because I already do not have the big picture with
these SSL-affairs.

Ciao, Georg


Re: Openssl signing with smartcard does not find certificate

Kyle Hamilton
How these things work is by a process called "Asymmetric
cryptography", or "public/private key cryptography".  Your smartcard
has both a public and a private key stored on it.  The private key
will never leave the card, but the public key is embedded in the
certificate, and that is what makes it possible to create a digital
signature.

Only the private key on the card can generate a signature that can be
verified with your public key, in your certificate.  As well, the only
way that the signature generated by the private key on your card can
be verified is if someone has your certificate.  Thus, letting people
have your certificate is actually necessary for the system to work.
That's why it can be extracted, and stored on insecure media -- you
have to be able to give it to others for them to verify your
signature.

-Kyle H


Re: Openssl signing with smartcard does not find certificate

Georg Lohrer-6
Hi Kyle,
   
On So, 19 Feb 2006, Kyle Hamilton wrote:

> How these things work is by a process called "Asymmetric
> cryptography", or "public/private key cryptography".  Your smartcard
> has both a public and a private key stored on it.  The private key
> will never leave the card, but the public key is embedded in the
> certificate, and that is what makes it possible to create a digital
> signature.
>
> Only the private key on the card can generate a signature that can be
> verified with your public key, in your certificate.  As well, the only
> way that the signature generated by the private key on your card can
> be verified is if someone has your certificate.  Thus, letting people
> have your certificate is actually necessary for the system to work.
> That's why it can be extracted, and stored on insecure media -- you
> have to be able to give it to others for them to verify your
> signature.

thank you for your explanation. Now the fog begins to vanish.

Asymmetric cryptography is well known but not the way it will be done with
SmartCard, or better with my SmartCard.
I was disturbed, because signtrust.de has to offer an official public
verification access to gain access to everybody for validating my signed
documents. Due to this official way I did not think that there of course
must be a public key within a certificate on the card.

To go one step ahead: I get the following output about the contents of my
SmartCard:

georg@gkar:~/projects/openssl/$ pkcs15-tool --list-certificates
X.509 Certificate [SignTrust Signatur Zertifikat]
        Flags    : 2
        Authority: no
        Path     : 8000df01c000
        ID       : 01

X.509 Certificate [SignTrust Authentifizierungs Zertifikat]
        Flags    : 2
        Authority: no
        Path     : 800082008220
        ID       : 02

X.509 Certificate [SignTrust Verschlüsselungs Zertifikat]
        Flags    : 2
        Authority: no
        Path     : 800083008320
        ID       : 03

georg@gkar:~/projects/openssl/$ pkcs15-tool --list-keys
Private RSA Key [Signatur Schlüssel]
        Com. Flags  : 1
        Usage       : [0x204], sign, nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 128
        Native      : yes
        Path        : 8000df015331
        Auth ID     : 01
        ID          : 01

Private RSA Key [Authentifzierungs Schlüssel]
        Com. Flags  : 1
        Usage       : [0x7], encrypt, decrypt, sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 128
        Native      : yes
        Path        : 800082008210
        Auth ID     : 02
        ID          : 02

Private RSA Key [Verschlüsselungs Schlüssel]
        Com. Flags  : 1
        Usage       : [0x7], encrypt, decrypt, sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 128
        Native      : yes
        Path        : 800083008310
        Auth ID     : 03
        ID          : 03

Unfortunately I cannot get the contents of a certificate with:

> pkcs15-tool --read-certificate 01 | openssl x509 -text -noout

because the certificates contain postal address information and there seems
to be a rather old problem with ASN.1 decoding. So I do not know what this
certificate contains.
Am I right that these certificates should probably contain my public-key and
additional information?

And if that is right, how should the actions between my mail-user-agent,
the certificate and the SmartCard within the pinpad-reader look? Maybe you know
some accessible HOWTO-SmartCard-for-Beginners information?
I have scrutinized lots of documents, but meanwhile I do not see the
wood for the trees.

Ciao, Georg

Re: Openssl signing with smartcard does not find certificate

Dr. Stephen Henson
On Sun, Feb 19, 2006, Georg Lohrer wrote:

> Hi Kyle,
>    
> On So, 19 Feb 2006, Kyle Hamilton wrote:
>
> Asymetric cryptography is well known but not the way it will be done with
> SmartCard, or better with my SmartCard.

If it has a public, private key pair it will use asymmetric encryption...

> I was disturbed, because signtrust.de has to offer an official public
> verification access to gain access to everybody for validating my signed
> documents. Due to this official way I do not thought that there of course
> must be a public key within a certificate on the card.
>

The certificate is often sent in the clear using various protocols. The
"signed documents" in various standard formats will often contain it.

>
> Unfortunately I cannot get the contents of a certificate with:
>
> > pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
>
> because the certificates contain postal address informations and there seems
> to be a rather old problem with ASN-1 decoding. So I do not know what this
> certificate contains.
> Am I right, that these certificates should probably contain my public-key and
> additional information?
>

Try the -inform DER option to that command. If you are extracting a
certificate from a PKCS#15 compliant card then you should be able to read it
with OpenSSL.

If you still can't access it then either post or send me the output of that
"pkcs15-tool" command. As I said before the certificate is considered public
information so there's no security issues involved with doing this.

> And if that is right, how should be the actions between my mail-user-agent,
> the certificate and the SmartCard within the pinpad-reader? Maybe you know
> some accessible HOWTO-SmartCard-for-Beginners information?
> I have scrutinized through lots of documents, but meanwhile I do not see the
> wood for the trees.
>

There isn't a general Smartcard howto because vendors do things in different
ways.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Openssl signing with smartcard does not find certificate

Kyle Hamilton
In reply to this post by Georg Lohrer-6
On 2/19/06, Georg Lohrer <[hidden email]> wrote:

> Hi Kyle,
>
> thank you for your explanation. Now the fog begins to vanish.
>
> Asymetric cryptography is well known but not the way it will be done with
> SmartCard, or better with my SmartCard.
> I was disturbed, because signtrust.de has to offer an official public
> verification access to gain access to everybody for validating my signed
> documents. Due to this official way I do not thought that there of course
> must be a public key within a certificate on the card.

From what I can see, it's Deutsche Post that's running the Signtrust
program.  (Interesting... they own DHL, the parcel shipment company
that fairly-recently started operations in the US.)

I'll also mention that according to the web site, I could download
your certificate directly from them.  (Which I just did... that is, if
your certificate ID number is 33754, and the serial number is... 1?)
Now... I'm looking at this, and I'm utterly confused as to what they
expect us to do with it.

(BTW, Steve: I've got a small gripe about the asn1parse utility -- if
you use -strparse or -offset, it will start its count from 0 after the
offset you specify.  The downside is, you can't just use that info
directly to do another asn1parse drilldown, you have to add the
current offset to the offset that is reported for the object inside
the string.)

I haven't got the faintest clue WHAT format they're using -- for the
downloaded certificate, I'm seeing what appears to be an OCSP
response.

The best thing to do would be something like:

pkcs15-tool --read-certificate 01 > cert01.der
pkcs15-tool --read-certificate 02 > cert02.der
pkcs15-tool --read-certificate 03 > cert03.der

and then send those three files to me as attachments directly.  Once I
have those files, I can figure out (by abusing asn1parse) how to
extract the actual certificates from what you have in there.  If
OpenSSL doesn't have the capability of handling them, I have other
ASN.1 tools to parse them with.

I do have to inform you that I am located in the United States, where
the laws on protection of personal information are not as strict as
the EU.  However, I will not use these certificates for any other
purpose than to determine how they've been formatted in your card, and
once I have that, I will delete your personal information from my
system.  [trying to comply with the EU's privacy law... I don't know
if I have to say that, or if it's just commercial entities, but I
REALLY don't want to take the chance.]  By sending me those
certificates, you consent to the handling of your information where I
am located.

(BTW, you have three certificates and three keys stored in your smart
card.  Key 01 is your "I'm signing a contract" key, keys 02 and 03 are
"I'm logging onto a website or encrypting or decrypting or signing
email that I send" keys.)

1024 bits for a non-repudiation certificate?  I'm fairly paranoid and
don't use anything fewer than 2048; however, there's a peer-to-peer
chat system I use, called WASTE, that defaults to generating 1536-bit
RSA keys.  1024 is fairly close to being able to be factored through
the general number field sieve algorithm.

> > pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
>
> because the certificates contain postal address informations and there seems
> to be a rather old problem with ASN-1 decoding. So I do not know what this
> certificate contains.

I can figure it out.  The certificates DO contain your public key, as
well as your legal identity, the identity of the signer of the
certificates, and the signature of that signer to create a valid
certificate.

> Am I right, that these certificates should probably contain my public-key and
> additional information?
>
> And if that is right, how should be the actions between my mail-user-agent,
> the certificate and the SmartCard within the pinpad-reader? Maybe you know
> some accessible HOWTO-SmartCard-for-Beginners information?
> I have scrutinized through lots of documents, but meanwhile I do not see the
> wood for the trees.

I haven't figured this part out yet, because of the weird ASN.1
wrapping of the certificates... but if you help me by sending me the
certificates you can extract, I will figure it out and probably write
the HOWTO for it.  (I'll also share this with the Mozilla
dev-tech-crypto team, so they can get it into Thunderbird.)

(Ideally, your MUA has S/MIME signing capability built-in.  It needs a
valid certificate for it, though, which means that it needs to be able
to extract what it considers a certificate to be from what you've
actually got.)

-Kyle H
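Kyle's gripe about `asn1parse` and the postal address problem Georg hit are two sides of the same drill-down exercise. The script below is an added example, not code from the thread or from OpenSSL. The DER it parses is constructed for this example (an assumption, not Georg's certificate): an X.500 Name with a commonName and a postalAddress attribute, where postalAddress is a SEQUENCE OF strings rather than a single string, the attribute the thread identifies as the parse problem. It then makes the offset arithmetic explicit: `-strparse N` restarts its offset column at 0 inside the object at N, so an absolute offset is N plus that object's header length plus the reported value, and the script cross-checks the result with `-offset`.

```shell
#!/bin/sh
# Added example, not from the thread. The DER below is constructed for this
# example (an assumption): an X.500 Name holding a commonName and a
# postalAddress attribute. postalAddress is a SEQUENCE OF strings, not a
# single DirectoryString, which is what older parsers have to tolerate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString "Georg" } },
#            SET { SEQUENCE { OID postalAddress,
#                             SEQUENCE { PrintableString "Bonn" } } } }
printf '%s\n' 'MCExDjAMBgNVBAMTBUdlb3JnMQ8wDQYDVQQQMAYTBEJvbm4=' \
    | openssl base64 -d > "$WORK/name.der"

# Whole-file dump: the first column is the absolute byte offset of each object.
full_dump() {
    openssl asn1parse -inform DER -in "$WORK/name.der"
}

# Absolute offset of the first dump line matching a pattern, e.g. ':Bonn'.
find_offset() {
    full_dump | grep -- "$1" | head -n 1 | sed 's/^ *\([0-9]*\):.*/\1/'
}

# Header length (hl=...) of the object that starts at absolute offset $1.
header_len_at() {
    full_dump | sed -n "s/^ *$1:d=[0-9]* *hl=\([0-9]*\).*/\1/p"
}

# -strparse N parses the contents of the object at N and restarts the offset
# column at 0 there. Returns what it reports for the first inner object.
strparse_first_offset() {
    openssl asn1parse -inform DER -in "$WORK/name.der" -strparse "$1" \
        | head -n 1 | sed 's/^ *\([0-9]*\):.*/\1/'
}

# The correction Kyle describes, made explicit:
#   absolute = N + hl(N) + offset reported by -strparse N
absolute_offset() {
    echo $(( $1 + $(header_len_at "$1") + $2 ))
}

# Cross-check: parsing from that absolute offset must land on the same object.
object_at() {
    openssl asn1parse -inform DER -in "$WORK/name.der" -offset "$1" -length "$2" \
        | head -n 1
}

full_dump
# 27 is the offset of the postalAddress value SEQUENCE in the dump above.
inner=$(strparse_first_offset 27)
abs=$(absolute_offset 27 "$inner")
echo "string inside postalAddress: reported $inner, absolute $abs"
object_at "$abs" 6
```

Run as-is it prints the full dump, then reports that `-strparse 27` sees the inner string at offset 0 while its absolute position is 29, and finally confirms that `-offset 29` parses the same PRINTABLESTRING. The same arithmetic applies when drilling into a real certificate: note the `hl` of the object you descend into and add it together with the `-strparse` argument to every offset reported underneath.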

Re: Openssl signing with smartcard does not find certificate

Georg Lohrer-6
In reply to this post by Dr. Stephen Henson
Hi Stephen,
   
thank you for coming back on my questions.
   
On So, 19 Feb 2006, Dr. Stephen Henson wrote:

> On Sun, Feb 19, 2006, Georg Lohrer wrote:
>
> >
> > Unfortunately I cannot get the contents of a certificate with:
> >
> > > pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
> >
> > because the certificates contain postal address informations and there seems
> > to be a rather old problem with ASN-1 decoding. So I do not know what this
> > certificate contains.
> > Am I right, that these certificates should probably contain my public-key and
> > additional information?
> >
>
> Try the -inform DER option to that command. If you are extracting a
> certificate from a PKCS#15 compliant card then you should be able to read it
> with OpenSSL.

This will only give me:

georg@gkar:~/projects/openssl$ pkcs15-tool -r 01 | openssl x509 -noout -text -inform DER
unable to load certificate
16987:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
16987:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509

>
> If you still can't access it then either post or send me the output of that
> "pkc15-tool" command. As I said before the certificate is considered public
> information so there's no security issues involved with doing this.

I have just sent an email to Kyle giving him the certificates for
scrutinizing. So I'm very excited seeing any output.

Ciao, Georg

Re: Openssl signing with smartcard does not find certificate

Dr. Stephen Henson
On Sun, Feb 19, 2006, Georg Lohrer wrote:

>
> I have just sent an email to Kyle giving him the certificates for
> scrutinizing. So I'm very excited seeing any output.
>

Your initial suspicion was correct about postal address. When OpenSSL is
patched to tolerate it, it will parse the certificate just fine.

The next OpenSSL 0.9.8 and 0.9.9-dev snapshots will include the fix.
Alternatively you can get it here:

http://cvs.openssl.org/chngview?cn=14988

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Openssl signing with smartcard does not find certificate

Kyle Hamilton
In reply to this post by Georg Lohrer-6
Georg,

would you mind if I forwarded the certificates to Dr. Henson?  (I
believe he's in the UK, which has stricter privacy laws. ;) )

-Kyle

On 2/19/06, Georg Lohrer <[hidden email]> wrote:

> Hi Stephen,
>
> thank you for coming back on my questions.
>
> On So, 19 Feb 2006, Dr. Stephen Henson wrote:
>
> > On Sun, Feb 19, 2006, Georg Lohrer wrote:
> >
> > >
> > > Unfortunately I cannot get the contents of a certificate with:
> > >
> > > > pkcs15-tool --read-certificate 01 | openssl x509 -text -noout
> > >
> > > because the certificates contain postal address informations and there seems
> > > to be a rather old problem with ASN-1 decoding. So I do not know what this
> > > certificate contains.
> > > Am I right, that these certificates should probably contain my public-key and
> > > additional information?
> > >
> >
> > Try the -inform DER option to that command. If you are extracting a
> > certificate from a PKCS#15 compliant card then you should be able to read it
> > with OpenSSL.
>
> This will only give me:
>
> georg@gkar:~/projects/openssl$ pkcs15-tool -r 01 | openssl x509 -noout -text -inform DER
> unable to load certificate
> 16987:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1282:
> 16987:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509
>
> >
> > If you still can't access it then either post or send me the output of that
> > "pkcs15-tool" command. As I said before the certificate is considered public
> > information so there's no security issues involved with doing this.
>
> I have just sent an email to Kyle giving him the certificates for
> scrutinizing. So I'm very excited seeing any output.
>
> Ciao, Georg

Re: Openssl signing with smartcard does not find certificate

Georg Lohrer-6
In reply to this post by Dr. Stephen Henson
Hi Stephen,
   
On So, 19 Feb 2006, Dr. Stephen Henson wrote:

> On Sun, Feb 19, 2006, Georg Lohrer wrote:
>
> >
> > I have just sent an email to Kyle giving him the certificates for
> > scrutinizing. So I'm very excited seeing any output.
> >
>
> Your initial suspicion was correct about the postal address. When OpenSSL is
> patched to tolerate it, it will parse the certificate just fine.

Great.

>
> The next OpenSSL 0.9.8 and 0.9.9-dev snapshots will include the fix.
> Alternatively you can get it here:
>
> http://cvs.openssl.org/chngview?cn=14988

I will just stress your CVS-Server :-)

Thank you for your help. Sunday morning, isn't it? Very amazing.

Ciao, Georg

Re: Openssl signing with smartcard does not find certificate

Dr. Stephen Henson
In reply to this post by Kyle Hamilton
On Sun, Feb 19, 2006, Kyle Hamilton wrote:

> Georg,
>
> would you mind if I forwarded the certificates to Dr. Henson?  (I
> believe he's in the UK, which has stricter privacy laws. ;) )
>

No need. I pulled the certificate out of that OCSP response and I've applied a
fix to OpenSSL to tolerate it now.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Openssl signing with smartcard does not find certificate

Kyle Hamilton
Okay. :)

Anyway, the files that I got were perfectly fine PEM.  It was having
trouble with the postal address, but asn1parse was able to handle them
fine.

Now, to try to import them into Firefox and see if they can be
handled... and it looks like they can't.  Time to head over to the
dev-tech-crypto list and see what's going on.

(I'm going to build a PEM chain of all of the Deutsche Post
certificates.  They put them all in one huge zip file, independent of
each other. :P )

-Kyle H

On 2/19/06, Dr. Stephen Henson <[hidden email]> wrote:

> On Sun, Feb 19, 2006, Kyle Hamilton wrote:
>
> > Georg,
> >
> > would you mind if I forwarded the certificates to Dr. Henson?  (I
> > believe he's in the UK, which has stricter privacy laws. ;) )
> >
>
> No need. I pulled the certificate out of that OCSP response and I've applied a
> fix to OpenSSL to tolerate it now.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Funding needed! Details on homepage.
> Homepage: http://www.drh-consultancy.demon.co.uk
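What Stephen's "tolerate the postal address" fix and Kyle's observation that asn1parse copes while x509 does not amount to, as an added example that is not code from this thread or from OpenSSL: a small DER walker for an X.509 Name. The X.520 postalAddress attribute (OID 2.5.4.16) is a SEQUENCE OF DirectoryString, not a single DirectoryString, so a Name decoder that insists on one DirectoryString per attribute value stops at that entry with a "wrong tag" error, while a flat tag/length walk (what asn1parse does) never interprets the value and has no trouble. That this is exactly the failure mode Georg hit is an assumption consistent with the error shown above, not something the thread states; the sample Name, the street address in it and the strict/tolerant switch are constructed for this example.

```python
"""Added example (not from the thread or OpenSSL): why a postalAddress attribute
breaks a strict X.509 Name decoder but not a generic TLV dump.
The sample Name and its address lines are constructed for this example."""

# Universal ASN.1 tag numbers used below
TAG_OID, TAG_PRINTABLE, TAG_SEQUENCE, TAG_SET = 0x06, 0x13, 0x30, 0x31
# DirectoryString CHOICE (Teletex, Printable, Universal, UTF8, BMP) plus IA5String
DIRECTORY_STRING_TAGS = {0x14, 0x13, 0x1C, 0x0C, 0x1E, 0x16}

OID_COUNTRY = "2.5.4.6"          # X.520 countryName
OID_COMMON_NAME = "2.5.4.3"      # X.520 commonName
OID_POSTAL_ADDRESS = "2.5.4.16"  # X.520 postalAddress: SEQUENCE OF DirectoryString


# --- DER encoding helpers (only used to build the constructed sample) ----------
def der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # continuation bit on every octet but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def printable(s):
    return tlv(TAG_PRINTABLE, s.encode("ascii"))


def rdn(dotted, value_tlv):
    """RelativeDistinguishedName: SET { SEQUENCE { type OID, value ANY } }."""
    return tlv(TAG_SET, tlv(TAG_SEQUENCE, encode_oid(dotted) + value_tlv))


# Constructed subject: C=DE, a two-line postalAddress, CN=Georg Lohrer
SAMPLE_NAME = tlv(TAG_SEQUENCE,
    rdn(OID_COUNTRY, printable("DE"))
    + rdn(OID_POSTAL_ADDRESS, tlv(TAG_SEQUENCE,
          printable("Musterstrasse 1") + printable("12345 Musterstadt")))
    + rdn(OID_COMMON_NAME, printable("Georg Lohrer")))


# --- DER decoding --------------------------------------------------------------
def read_tlv(buf, pos):
    """Return (tag, value_bytes, position_after) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_directory_string(tag, value):
    if tag == 0x1E:
        return value.decode("utf-16-be")  # BMPString
    if tag == 0x1C:
        return value.decode("utf-32-be")  # UniversalString
    if tag == 0x14:
        return value.decode("latin-1")    # TeletexString, approximated
    return value.decode("utf-8")          # Printable/IA5/UTF8String


def parse_name(der, strict):
    """Decode a Name to [(oid, value), ...]. strict=True models a decoder that
    accepts only a single DirectoryString per value; strict=False also accepts
    the postalAddress SEQUENCE and returns its lines as a list."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("Name: wrong tag")
    result = []
    for rdn_tag, rdn_body in children(body):
        if rdn_tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName: wrong tag")
        for atv_tag, atv_body in children(rdn_body):
            if atv_tag != TAG_SEQUENCE:
                raise ValueError("AttributeTypeAndValue: wrong tag")
            (type_tag, type_val), (val_tag, val_body) = list(children(atv_body))
            if type_tag != TAG_OID:
                raise ValueError("AttributeType: wrong tag")
            attr = decode_oid(type_val)
            if val_tag in DIRECTORY_STRING_TAGS:
                value = decode_directory_string(val_tag, val_body)
            elif val_tag == TAG_SEQUENCE and not strict:
                value = [decode_directory_string(t, v) for t, v in children(val_body)]
            else:
                raise ValueError(f"AttributeValue for {attr}: wrong tag 0x{val_tag:02x}")
            result.append((attr, value))
    return result


def strict_rejects(der):
    """True if the strict decoder fails on this Name with a 'wrong tag' error."""
    try:
        parse_name(der, strict=True)
        return False
    except ValueError as exc:
        return "wrong tag" in str(exc)


def tlv_dump(der, depth=0):
    """Flat tag/length listing in the spirit of 'openssl asn1parse': values are
    never interpreted, so the postalAddress SEQUENCE is just another node."""
    lines = []
    for tag, value in children(der):
        lines.append(f"{'  ' * depth}tag=0x{tag:02x} len={len(value)}")
        if tag & 0x20:                   # constructed type: recurse
            lines.extend(tlv_dump(value, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(tlv_dump(SAMPLE_NAME)))
    print("tolerant:", parse_name(SAMPLE_NAME, strict=False))
    print("strict rejects:", strict_rejects(SAMPLE_NAME))
```

Running it prints the full tag tree from `tlv_dump`, the three decoded attributes from the tolerant parser, and `strict rejects: True` from the strict one; the point for triage is that a certificate which dies in `openssl x509` but walks cleanly in `openssl asn1parse` is usually a syntax the higher-level decoder does not accept rather than a corrupted blob.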

Re: Openssl signing with smartcard does not find certificate

Kyle Hamilton
Incidentally: I have no idea what the concept of "serial number" that
Deutsche Post is using, but those aren't serial number 1 or 2, no
matter what the website OCSP responder says.  I don't speak or read
German, which makes it difficult for me to read the CPS they've got,
especially as regards the extensions they put in or how they define
'serial number'.  (And of course, they don't have an English
translation.)

Also: Does the OpenSSL project have an OID assigned to it?  If not,
would it like one?

{iso(1) identified-organization(3) dod(6) internet(1) private(4)
enterprise(1) open-source(22232)} -- I'm the one it's assigned to and
the registration authority for it.

-Kyle H

On 2/19/06, Kyle Hamilton <[hidden email]> wrote:

> Okay. :)
>
> Anyway, the files that I got were perfectly fine PEM.  It was having
> trouble with the postal address, but asn1parse was able to handle them
> fine.
>
> Now, to try to import them into Firefox and see if they can be
> handled... and it looks like they can't.  Time to head over to the
> dev-tech-crypto list and see what's going on.
>
> (I'm going to build a PEM chain of all of the Deutsche Post
> certificates.  They put them all in one huge zip file, independent of
> each other. :P )
>
> -Kyle H
>
> On 2/19/06, Dr. Stephen Henson <[hidden email]> wrote:
> > On Sun, Feb 19, 2006, Kyle Hamilton wrote:
> >
> > > Georg,
> > >
> > > would you mind if I forwarded the certificates to Dr. Henson?  (I
> > > believe he's in the UK, which has stricter privacy laws. ;) )
> > >
> >
> > No need. I pulled the certificate out of that OCSP response and I've applied a
> > fix to OpenSSL to tolerate it now.
> >
> > Steve.
> > --
> > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> > OpenSSL project core developer and freelance consultant.
> > Funding needed! Details on homepage.
> > Homepage: http://www.drh-consultancy.demon.co.uk

Re: Openssl signing with smartcard does not find certificate

Georg Lohrer-6
On So, 19 Feb 2006, Kyle Hamilton wrote:

> Incidentally: I have no idea what the concept of "serial number" that
> Deutsche Post is using, but those aren't serial number 1 or 2, no
> matter what the website OCSP responder says.  I don't speak or read
> German, which makes it difficult for me to read the CPS they've got,
> especially as regards the extensions they put in or how they define
> 'serial number'.  (And of course, they don't have an English
> translation.)

There is an English website, too.
http://www.deutschepost.de/dpag?skin=hi&check=yes&lang=de_EN&xmlFile=49490

I will be able to translate.

Where did you find the CPS? I only get these "Principles of digital
signatures" (a link at the URL given above).
There is a special PDF brochure given by starting the registration wizard.
This document seems to be at least something like a Certification Practice
Statement describing the organizational and judicial environment of
signtrust.de services.
But there seem to be no technical details of the certification entries used
inside this document.
If you want further details I will contact the official signtrust line
to get these.

ciao, Georg