On 01/08/2014 07:02 AM, Werner Koch wrote:
> On Tue, 7 Jan 2014 15:32, h...@guardianproject.info said:
>
>> OpenPGP card as a PKCS11 keystore. It seems that things are close: Java can
>> use NSS as a provider of PKCS11. I guess the question is whether opensc is
>> making a PKCS#11 interface to the OpenPGP card, that's the bit that I don't
>
> Scute also provides a pkcs#11 interface to NSS. Thus you should be
> able to use it also with Java.

I haven't tried scute, but it seems that opensc v0.13 provides a PKCS#11 interface to the OpenPGP card. I am able to get keytool to report the certificate in key position #3, but the question I have now is that given that key #3 is for authentication, is there some restriction in the OpenPGP card that would prevent the certificate/key combo in position #3 from being used for signing?

I did read about using opensc with an OpenPGP card to provide S/MIME services. What I read there is that in order to use the certificate/key combo in position #3 for decrypting emails, the key in position #2 (decryption) must match the key in position number #3. Is there a similar restriction for signing?

I forget if I mentioned this, but the grand goal is to have a single hardware security module that can sign the Android APK using jarsigner, then make an OpenPGP signature on the APK, then optionally provide authentication for scp'ing the resulting files to the release server.

.hc

--
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81