rust-cryptoki

CKA_PUBLIC_KEY_INFO getting TypeInvalid

Open hcldan opened this issue 1 year ago • 8 comments

I hope you can give me a pointer. I'm using a smartcard that has some certs on it for smime.

I can use the ActivClient smartcard tool on windows to poke around at the details, and I've been using this library fairly successfully pointing to their driver so far... until this.

I can see when I inspect the certs in the ActivClient program that they have a SubjectKeyIdentifier.

When I try to get the attribute from any of the objects returned, it always says TypeInvalid... Is this a driver problem? Am I misunderstanding something here?

hcldan, May 18 '23 19:05

Hmm... the DLL says it's for pkcs11 2.20... I guess that attribute isn't in that spec.

hcldan, May 18 '23 19:05

I'm not sure if you can query these attributes directly. IIUC you need to first get the X.509 certificate object from the card (for example using this object class: https://docs.rs/cryptoki/latest/cryptoki/object/struct.ObjectClass.html#associatedconstant.CERTIFICATE) and then parse the X.509 cert to get the field you want (the last part is outside of this library's scope).

Does it answer your question or am I completely wrong? :sweat_smile:

wiktor-k, May 19 '23 09:05

@wiktor-k That's interesting. I am going to try to go that route, as my options are rather limited.

FWIW, it looks like in pkcs11 2.40 those attributes are defined and should work. But I found the driver I have only supports pkcs11 2.20 (which does not define those attributes).

hcldan, May 19 '23 13:05

~@wiktor-k I have the object_handle for the cert... how do I get the bytes?~ Edit: never mind, I found it.

hcldan, May 19 '23 14:05

I think you used Attribute::Value right? (In general it's good to paste your solution for the next person that has the same problem :sweat_smile: )

wiktor-k, May 22 '23 06:05
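The route suggested in this thread for a driver that returns TypeInvalid (read the certificate's DER through Attribute::Value, then parse it outside the library) is shown here for the SubjectKeyIdentifier extension. This is an added example, not code from the thread or from rust-cryptoki; it uses only the standard library, the names `tlv`, `expect`, `subject_key_identifier` and `SAMPLE` are hypothetical, and the sample bytes are a constructed skeleton rather than a real certificate.

```rust
// Added example (not rust-cryptoki code): find subjectKeyIdentifier, OID 2.5.29.14, in cert DER.
const OID_SKI: &[u8] = &[0x55, 0x1d, 0x0e];
/// Read one DER TLV and return (tag, content, remainder); None on truncated or odd lengths.
fn tlv(input: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let (&tag, rest) = input.split_first()?;
    let (&first, mut rest) = rest.split_first()?;
    let mut len = first as usize;
    if first >= 0x80 { // long form: low 7 bits give the number of length bytes
        let n = len & 0x7f;
        if n == 0 || n > 4 || rest.len() < n { return None; }
        len = rest[..n].iter().fold(0usize, |acc, &b| (acc << 8) | b as usize);
        rest = &rest[n..];
    }
    if rest.len() < len { return None; }
    Some((tag, &rest[..len], &rest[len..]))
}

/// Like `tlv`, but succeeds only when the tag matches; returns (content, remainder).
fn expect(tag: u8, input: &[u8]) -> Option<(&[u8], &[u8])> {
    let (t, content, rest) = tlv(input)?;
    if t == tag { Some((content, rest)) } else { None }
}

pub fn subject_key_identifier(cert_der: &[u8]) -> Option<Vec<u8>> {
    let (mut tbs, _) = expect(0x30, expect(0x30, cert_der)?.0)?; // Certificate -> TBSCertificate
    let exts = loop { // skip version, serial, names and key up to the [3] EXPLICIT wrapper
        let (tag, content, rest) = tlv(tbs)?;
        if tag == 0xa3 { break content; }
        tbs = rest;
    };
    let mut list = expect(0x30, exts)?.0; // SEQUENCE OF Extension
    while !list.is_empty() {
        let (ext, rest) = expect(0x30, list)?;
        list = rest;
        let (oid, mut body) = expect(0x06, ext)?;
        if oid != OID_SKI { continue; }
        if let Some((0x01, _, after)) = tlv(body) { body = after; } // optional `critical` flag
        // extnValue is an OCTET STRING wrapping KeyIdentifier, itself an OCTET STRING
        return Some(expect(0x04, expect(0x04, body)?.0)?.0.to_vec());
    }
    None
}
// Constructed skeleton, not a real certificate: empty names and key, then two extensions.
const SAMPLE: &[u8] = &[
    0x30, 0x3a, 0x30, 0x33, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x00, 0x30, 0x00,
    0x30, 0x00, 0x30, 0x00, 0x30, 0x00, 0xa3, 0x1f, 0x30, 0x1d, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,
    0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
    0x06, 0x04, 0x04, 0xde, 0xad, 0xbe, 0xef, 0x30, 0x00, 0x03, 0x01, 0x00,
];
fn main() { println!("{:02x?}", subject_key_identifier(SAMPLE)); }
```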

@wiktor-k Yes, I was actually hoping to wrap things up with my task and contribute a few examples.

Is that something that would be welcome? Is there a good place to put them?

hcldan, May 22 '23 14:05

Yep, most certainly! I was just today casually browsing documentation and the lack of doctests saddens me 😔

I think adding examples to functions would be the best. Just in case you need inspiration see our "sister" repo: https://docs.rs/tss-esapi/latest/tss_esapi/struct.Context.html#method.ecdh_z_gen

You can file a PR and then we can iteratively improve what you have there 😊

wiktor-k, May 22 '23 15:05

@wiktor-k Sent a PR. I'm not sure the doctests will work well seeing as you need a library to init the card.

hcldan, May 22 '23 17:05