graphene
Help wanted: how to get cert Subject/Issuer (Yubikey)
I'm struggling with Yubikey 4 PIV slots, and trying to find a specific slot's Subject/Issuer value.
Trying some code like this:
const graphene = require('graphene-pk11');
// pkcs11.load("./lib/libykcs11.dylib");
const mod = graphene.Module.load('./lib/libykcs11.dylib', 'test17'); // Yubico PKCS#11 module (ykcs11)
mod.initialize();
const session = mod.getSlots(0).open(); // first slot = the YubiKey
session.login('776655'); // PIV user PIN
// look up the PUBLIC_KEY objects, then read .subject (CKA_SUBJECT) from one of them
const fetchedCerts = session.find({ class: graphene.ObjectClass.PUBLIC_KEY });
const cert = fetchedCerts.items(1).toType(); // get slot 9c/Digital Signature
// console.log(`======= certificate: `, cert)
console.log(`======= Object.getOwnPropertyNames(certificate): `, Object.getOwnPropertyNames(cert));
console.log(`======= certificate.lib: `, cert.lib);
console.log(`======= certificate.handle: `, cert.handle);
console.log(`======= certificate.handle.toString('hex'): `, cert.handle.toString('hex'));
console.log(`======= certificate.id.toString('hex'): `, cert.id.toString('hex'));
console.log(`======= certificate.label: `, cert.label);
console.log(`======= certificate.subject: `, cert.subject); // this is the call that throws below
// console.log(`======= certificate.value: `, cert.value)
mod.finalize();
but I got:
► iMac@pkcs11$ node test17.js
======= Object.getOwnPropertyNames(certificate): [ 'lib', 'handle', 'session' ]
======= certificate.lib: PKCS11 {}
======= certificate.handle: <Buffer 59 00 00 00 00 00 00 00>
======= certificate.handle.toString('hex'): 5900000000000000
======= certificate.id.toString('hex'): 02
======= certificate.label: Public key for Digital Signature
/Users/esa/devel/nodejs/pkcs11/node_modules/graphene-pk11/build/object.js:59
tmpl = this.lib.C_GetAttributeValue(this.session.handle, this.handle, tmpl);
^
Error: CKR_ATTRIBUTE_TYPE_INVALID:18
at Error (native) C_GetAttributeValue:436
Yubikey's own tool gets the information:
► iMac@pkcs11$ yubico-piv-tool -a status
CHUID: 3019d4e739da739ced39ce739d836858210842108421384210c3f534103b75ffeac32529144aa56f3fbe31d518350832303330303130313e00fe00
CCC: f015a000000116ff029742fba7ce8f92eebca1c15293b7f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
Algorithm: RSA2048
Subject DN: [email protected], OU=db1,db2,db3, O=vaka.fi
Issuer DN: [email protected], OU=db1,db2,db3, O=vaka.fi
Fingerprint: 3727fe8ebb203427967fe7dcef154c86a6a304e2e19c2f72ab7624db56b650c2
Not Before: Dec 4 14:59:24 2017 GMT
Not After: Dec 8 14:59:24 2020 GMT
Slot 9c:
Algorithm: RSA2048
Subject DN: [email protected], OU=db1,db2,db3, O=vaka.fi
Issuer DN: [email protected], OU=db1,db2,db3, O=vaka.fi
Fingerprint: aeb931abcb2673850a75d532763806f3b5e5929a0cc9ad40871eda1f2202237b
Not Before: Dec 4 15:00:03 2017 GMT
Not After: Dec 8 15:00:03 2020 GMT
Slot 9d:
Algorithm: RSA2048
Subject DN: [email protected] , OU=db1,db2 O=vaka.fi , L=6946198
Issuer DN: [email protected] , OU=db1,db2 O=vaka.fi , L=6946198
Fingerprint: cedbf86b94c4bf212b1dec819fce8cc74089e27371c8adaba6e84c135ff56a4c
Not Before: Jan 16 17:44:02 2018 GMT
Not After: Jan 16 17:44:02 2020 GMT
PIN tries left: 3
and I'm trying to get the Subject DN (or Issuer DN) string to show information to the end user.
Is there a way to get it via PKCS#11 (graphene-pk11)? Any code sample or workaround?
Yubico PKCS#11 doesn't support the CKA_SUBJECT attribute:
https://github.com/Yubico/yubico-piv-tool/blob/127227fe4c705db9173254c20eb3fcb5085d13c6/ykcs11/objects.c#L538
You can use pkijs to parse the X509 certificate and get its name.
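The workaround above, as an added example that is not part of the issue or of graphene-pk11: instead of asking the token for CKA_SUBJECT, read the certificate object's DER (CKA_VALUE) and walk it yourself to the issuer and subject Names. The graphene call in the header comment (`ObjectClass.CERTIFICATE`, `.value`) is assumed and is not run here; the sample certificate is constructed in code with placeholder key and signature bits, and its DN values are made up.

```javascript
// Added example (not graphene-pk11's own code): extract Subject/Issuer DN from a certificate's DER bytes
// with a minimal DER walker, the way one would after reading the certificate object's CKA_VALUE
// (in graphene, assumed: session.find({ class: graphene.ObjectClass.CERTIFICATE }).items(0).toType().value).
const tlv = (tag, ...parts) => {                  // DER TLV encoder (used only to build the sample)
  const body = Buffer.concat(parts), n = body.length;
  const len = n < 128 ? [n] : n < 256 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
};
const oidEnc = (s) => {                           // dotted OID -> content octets
  const a = s.split('.').map(Number), out = [a[0] * 40 + a[1]];
  for (let v of a.slice(2)) { const b = [v & 0x7f]; while ((v >>= 7) > 0) b.unshift(0x80 | (v & 0x7f)); out.push(...b); }
  return Buffer.from(out);
};
const readTlv = (b, off) => {                     // DER TLV reader -> {tag, start, end}; end is the next sibling's offset
  let len = b[off + 1], p = off + 2;
  if (len & 0x80) { const k = len & 0x7f; len = 0; for (let i = 0; i < k; i++) len = (len << 8) | b[p++]; }
  return { tag: b[off], start: p, end: p + len };
};
const oidDec = (b) => {                           // content octets -> dotted OID
  const out = [Math.floor(b[0] / 40), b[0] % 40]; let n = 0;
  for (const x of b.subarray(1)) { n = (n << 7) | (x & 0x7f); if (!(x & 0x80)) { out.push(n); n = 0; } }
  return out.join('.');
};
const OIDS = { '2.5.4.3': 'CN', '2.5.4.7': 'L', '2.5.4.10': 'O', '2.5.4.11': 'OU', '1.2.840.113549.1.9.1': 'emailAddress' };
function nameToString(b, t) {                     // Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }
  const parts = [];
  for (let p = t.start; p < t.end; ) {
    const set = readTlv(b, p), seq = readTlv(b, set.start), oid = readTlv(b, seq.start), val = readTlv(b, oid.end);
    const k = oidDec(b.subarray(oid.start, oid.end));
    parts.push(`${OIDS[k] ?? k}=${b.toString('utf8', val.start, val.end)}`);
    p = set.end;
  }
  return parts.join(', ');
}
function certNames(der) {                         // Certificate -> tbsCertificate -> issuer / subject Names
  const tbs = readTlv(der, readTlv(der, 0).start);
  let p = tbs.start;
  const t = readTlv(der, p); if (t.tag === 0xa0) p = t.end;   // optional [0] EXPLICIT version
  p = readTlv(der, readTlv(der, p).end).end;      // skip serialNumber, then signature AlgorithmIdentifier
  const issuer = readTlv(der, p), validity = readTlv(der, issuer.end), subject = readTlv(der, validity.end);
  return { issuer: nameToString(der, issuer), subject: nameToString(der, subject) };
}
// Constructed sample certificate: structurally valid DER, placeholder key/signature bits, made-up DN values
const rdn = (oid, tag, v) => tlv(0x31, tlv(0x30, tlv(0x06, oidEnc(oid)), tlv(tag, Buffer.from(v))));
const NAME = tlv(0x30, rdn('1.2.840.113549.1.9.1', 0x16, 'user@example.invalid'), rdn('2.5.4.11', 0x0c, 'db1'), rdn('2.5.4.10', 0x0c, 'vaka.fi'));
const ALG = tlv(0x30, tlv(0x06, oidEnc('1.2.840.113549.1.1.11')));         // sha256WithRSAEncryption
const SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0xa0, tlv(0x02, Buffer.from([2]))), tlv(0x02, Buffer.from([1])), ALG, NAME,
  tlv(0x30, tlv(0x17, Buffer.from('171204145924Z')), tlv(0x17, Buffer.from('201208145924Z'))), NAME,
  tlv(0x30, tlv(0x30, tlv(0x06, oidEnc('1.2.840.113549.1.1.1')), tlv(0x05)), tlv(0x03, Buffer.from([0])))), ALG, tlv(0x03, Buffer.from([0])));
console.log(certNames(SAMPLE_DER));
```

The OIDS table only covers the attribute types seen in the yubico-piv-tool output; anything else is printed as its dotted OID, and on a real token only `certNames(...)` is needed since the DER already comes from the card.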
Thank you! That's what I suspected. I'll try with pkijs.
Have you seen node-webcrypto-p11? It's based on graphene-pk11 and implements the WebCrypto interface.
@microshine OK, I'll take a look 👍
@microshine I had some luck using node-webcrypto-p11, so I guess I can use it to get CKA_SUBJECT info into my app. Thanks for the advice.
Can I use graphene and node-webcrypto-p11 simultaneously in my Electron app? Are there likely to be any side effects with sessions etc.?