Can't see the signing certificate on Italian CNS #2782
Comments
I assume that the signing certificate will be on another slot (under a different PIN). Please, try
I have a similar issue:
Output using the proprietary bit4id module for reference:
Notice the presence of the certificate with label "DS User Certificate3".
I'm available for further clarification.
I'm not sure it is a CNS because it is an infocamere camere even though there is written "Carta Nazionale dei Servizi" (CNS)
I only see one slot:
Ordinarily signing cert and keys on Italian cards are not available for FLOSS pkcs11 implementations because they are protected with Secure Messaging, with a static symmetric key embedded in proprietary pkcs11 implementations.
https://gist.github.com/amreo/33c9584125a2e521be6e2fbc23bb8d52
The trace from pkcs15-tool doesn't reveal anything out of the ordinary, so it is likely the problem with the deliberately hidden certificate/key. pkcs11 libraries are not a good way to hide secrets; they are easily reverse engineered. For example, we have some magic key that was hidden in the official eoi middleware. Maybe someone dedicated will do the same for itacns... I would expect that there are not many entities putting DS objects onto the card, so it would not be unrealistic to add support for all of them in OpenSC at some point. If you want to start digging, maybe you can produce a PC/SC trace of the "official" pkcs11 module to at least locate the missing files on the card.
PC/SC trace of opensc (captured using pcsc-spy)
PC/SC trace of bit4id, the official proprietary middleware
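One way to compare two such traces, as an added example that is not part of the thread or of OpenSC: it lists which files each trace SELECTs and counts commands whose CLA byte signals ISO 7816-4 secure messaging. The input format (one short-length command APDU in hex per entry), the file IDs and both sample traces are constructed assumptions, not data from the attached traces.

```python
"""Diff SELECT targets between two command-APDU traces (ISO 7816-4, short length only)."""

SELECT_KIND = {0x00: "fid", 0x01: "child-df", 0x02: "ef",
               0x04: "aid", 0x08: "path-mf", 0x09: "path-df"}

def parse_apdu(hex_str):
    """Split a short-length command APDU into (CLA, INS, P1, P2, data)."""
    raw = bytes.fromhex(hex_str)          # fromhex ignores spaces
    if len(raw) < 4:
        raise ValueError("command APDU shorter than its 4-byte header")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 5:                      # case 3/4: Lc followed by data
        lc = raw[4]
        data = raw[5:5 + lc]
        if len(data) != lc:
            raise ValueError("Lc does not match the data field length")
    return cla, ins, p1, p2, data

def uses_secure_messaging(cla):
    """First interindustry class: bits 4-3 of CLA are non-zero under SM."""
    return (cla & 0xE0) == 0x00 and (cla & 0x0C) != 0

def summarize(trace):
    """Return (plaintext SELECT targets, number of SM-protected commands)."""
    targets, sm_commands = set(), 0
    for line in trace:
        cla, ins, p1, _p2, data = parse_apdu(line)
        sm = uses_secure_messaging(cla)
        sm_commands += sm
        # Under SM the data field is a BER-TLV wrapper, not a readable file ID.
        if ins == 0xA4 and not sm:
            kind = SELECT_KIND.get(p1, "p1=%02X" % p1)
            targets.add(f"{kind}:{data.hex().upper()}")
    return targets, sm_commands

def only_in_second(first, second):
    """Targets selected in the second trace but never in the first."""
    return sorted(summarize(second)[0] - summarize(first)[0])

# Constructed sample traces (file IDs AA00/AA01/BB00 are made up).
FLOSS_TRACE = ["00 A4 00 00 02 3F 00", "00 A4 00 00 02 AA 00",
               "00 A4 02 00 02 AA 01", "00 B0 00 00 00"]
VENDOR_TRACE = FLOSS_TRACE + [
    "00 A4 00 00 02 BB 00",
    "0C A4 02 00 0B 87 09 01 11 22 33 44 55 66 77 88 00",
    "0C B0 00 00 0D 97 01 00 8E 08 01 02 03 04 05 06 07 08 00"]

if __name__ == "__main__":
    print("only in vendor trace:", only_in_second(FLOSS_TRACE, VENDOR_TRACE))
    print("SM commands in vendor trace:", summarize(VENDOR_TRACE)[1])
```

A non-zero secure-messaging count in the vendor trace combined with no new plaintext targets would point at the Secure Messaging protection mentioned earlier in the thread rather than at a file OpenSC simply does not look for.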
FWIW: Let me know if someone got hold of a copy of the secure messaging key; in this case we have a reason to finally implement SM in GnuPG and also support that Italian QeS card in Okular.
Problem Description
I have an Italian CNS, with an authentication certificate and a signing certificate.
The lector managing software, Firefox and OS X's keychain show me that the card has two certificates: one for logins, and one for signing. I've successfully used both.
When inspecting the card contents with
pkcs11-tool --list-objects
or
pkcs15-tool -D
I can see an RSA keypair, the authentication certificate (which I can export) and data fields, but not the signing certificate. Am I missing the tool/option to see it?
Version number
OpenSC-0.23.0, rev: 5497519, commit-time: 2022-11-29 09:34:43 +0100
Operating system
OS X 10.11.6
Card type
Athena
Reader
Bit4id miniLector