Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Show smartcard token's labels and certs' key usage #101

Open
bburky opened this issue Jan 28, 2022 · 2 comments
Open

Show smartcard token's labels and certs' key usage #101

bburky opened this issue Jan 28, 2022 · 2 comments

Comments

@bburky
Copy link

bburky commented Jan 28, 2022

Please consider exposing the label such as "Certificate For Digital Signature" and the key usage ("Digital Signature" and "Non Repudiation"). My PIV token has multiple certificates on it, one of which for the purpose of making signatures. One certificate has the usage of "Key Encipherment" and is inappropriate to use for any signing operations. I cannot currently distinguish between my certificates using the output of smimesign --list-keys.

It may also make sense to filter out any keys that do not have the "Digital Signature" key usage. (This isn't enough alone, 3 of my 4 keys have this usage.) This setting could be optional.

  1. Add a Usages: section to the --list-keys output. This information is available in the .KeyUsage .ExtKeyUsage properties of the ident.Certificate().

  2. Add the "label" of each certificate on the token to the output. This information is not available in the certificate itself, it will need to be added to the platform specific certstore code. On macOS it is available in the labl attribute of the identity (test with the command line comand:security export-smartcard -t identities).

As a workaround, I'm currently using pkcs11-tool to list the certificates with labels, then matching it's certificate serial to the output of smimesign --list-keys:

$ pkcs11-tool --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    [REDACTED]
  ID:         01
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    [REDACTED]
  ID:         02
Certificate Object; type = X.509 cert
  label:      Certificate for Key Management
  subject:    [REDACTED]
  ID:         03
Certificate Object; type = X.509 cert
  label:      Certificate for Card Authentication
  subject:    [REDACTED]
  ID:         04
# Pick a key's ID based on it's label. Then get it's serial:
$ pkcs11-tool --read-object --type cert --id 02 | openssl x509 -inform DER  -noout -serial
Using slot 0 with a present token (0x0)
serial=12345678
# Match the desired serial to an smimesign key ID:
$ smimesign --list-keys
@bburky
Copy link
Author

bburky commented Jan 28, 2022

I see #61 was closed. I agree that it isn't required to prevent the user from using inappropriate certs based on usage, but I would suggest making this information available so users can manually select the correct one.

@googetlostearth
Copy link

[email protected]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bburky @googetlostearth