smimesign icon indicating copy to clipboard operation
smimesign copied to clipboard

Published 20 hours ago verified publisher icon github

Show smartcard token's labels and certs' key usage

Open bburky opened this issue 3 years ago • 2 comments

Please consider exposing the label such as "Certificate For Digital Signature" and the key usage ("Digital Signature" and "Non Repudiation"). My PIV token has multiple certificates on it, one of which for the purpose of making signatures. One certificate has the usage of "Key Encipherment" and is inappropriate to use for any signing operations. I cannot currently distinguish between my certificates using the output of smimesign --list-keys.

It may also make sense to filter out any keys that do not have the "Digital Signature" key usage. (This isn't enough alone, 3 of my 4 keys have this usage.) This setting could be optional.

  1. Add a Usages: section to the --list-keys output. This information is available in the .KeyUsage .ExtKeyUsage properties of the ident.Certificate().

  2. Add the "label" of each certificate on the token to the output. This information is not available in the certificate itself, it will need to be added to the platform specific certstore code. On macOS it is available in the labl attribute of the identity (test with the command line comand:security export-smartcard -t identities).

As a workaround, I'm currently using pkcs11-tool to list the certificates with labels, then matching it's certificate serial to the output of smimesign --list-keys:

$ pkcs11-tool --list-objects --type cert
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    [REDACTED]
  ID:         01
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    [REDACTED]
  ID:         02
Certificate Object; type = X.509 cert
  label:      Certificate for Key Management
  subject:    [REDACTED]
  ID:         03
Certificate Object; type = X.509 cert
  label:      Certificate for Card Authentication
  subject:    [REDACTED]
  ID:         04
# Pick a key's ID based on it's label. Then get it's serial:
$ pkcs11-tool --read-object --type cert --id 02 | openssl x509 -inform DER  -noout -serial
Using slot 0 with a present token (0x0)
serial=12345678
# Match the desired serial to an smimesign key ID:
$ smimesign --list-keys

bburky avatar Jan 28 '22 20:01 bburky

I see #61 was closed. I agree that it isn't required to prevent the user from using inappropriate certs based on usage, but I would suggest making this information available so users can manually select the correct one.

bburky avatar Jan 28 '22 20:01 bburky

[email protected]

googetlostearth avatar Jan 29 '22 11:01 googetlostearth