AF-VCD / Mrs-SMIME

MIT License

Any library which supports S/MIME (digitally signing using private key present on CACPIV card) on linux env #6

Open skrati opened 1 year ago

skrati commented 1 year ago

Hi,

I am new to smart card programming. We are using a CAC/PIV card for authentication on an MFP. Can someone please suggest which library can be used for S/MIME operations on an MFP? The private key cannot be taken out of the card, so there should be some interface which digitally signs (S/MIME) the email using the private key inside the card.

I know the openssl command below can be used for signing:

openssl smime -sign -in encrypted_email.txt -out signed_email.txt -signer sender_cert.pem -inkey sender_key.pem

But we cannot take the private key out of the card, so I am looking for a third-party lib which can support this.

I am not able to find anything on the internet. I tried reading about OpenSC and the 90meter lib, but no such information is given.

Thank you

ckhordiasma commented 1 year ago

What does MFP stand for?


skrati commented 1 year ago

Multi Functional Printers. Sorry, I missed mentioning that.

ckhordiasma commented 1 year ago

It’s going to be very printer specific. Do you have some kind of remote ssh access into the printer or something? What printer and what OS?


skrati commented 1 year ago

We do have remote ssh access into the printer, and Linux is the OS. Actually, we have already implemented CAC/PIV card reader functionality using 90meter (middleware) and a PKCS#11 module. Now we want to implement S/MIME. On the internet it's written that PKCS#11 provides support for smart cards, but nothing is written about S/MIME functionality.

ckhordiasma commented 1 year ago

OpenSSL also has S/MIME encrypt and decrypt functionality, and you can combine that with a pkcs11 module. I have a write-up I did a while back that goes over what I did to get it to work on Ubuntu. https://xoid.net/2019/07/22/smartcard-with-opensc-and-openssl.html

skrati commented 1 year ago

Thank you for sharing the information. I read it and wanted to ask: since there are multiple certificates on the card, and for signing we want to use only the digital signature certificate, how will we get to know that certificate's ID? In your link it's mentioned: "Luckily, the smartcard only had three keys, and after some guesswork, I determined that I needed to use the 3rd key. This is what I put into the -inkey parameter."

ckhordiasma commented 1 year ago

Yeah, I think you can use the pkcs11-tool command line tool to output all the certificates on the smart card, and then use sed/grep/awk to help you figure out which one you should be using. Sorry, I don’t know the specifics though.

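One way to replace the guesswork about which certificate to sign with, as an added example that is not from either commenter or from the Mrs-SMIME project: list the certificate objects with pkcs11-tool, export each one, and keep the IDs whose X.509 extensions mark them as usable for signed e-mail. It assumes OpenSC's pkcs11-tool and openssl are installed, that `MODULE` (a placeholder path) points at the middleware's PKCS#11 library, and that the listing carries one `ID:` line per object; the extension rule is a selection heuristic.

```shell
#!/bin/sh
# Added example: pick the S/MIME signing certificate on a PKCS#11 token by its
# X.509 extensions instead of guessing the key number.
# Assumption: MODULE is a placeholder for the middleware's PKCS#11 library.
MODULE="${MODULE:-/path/to/pkcs11-module.so}"

# Reads `openssl x509 -noout -text` output on stdin. Succeeds only if Key Usage
# lists Digital Signature and, when an Extended Key Usage extension exists, it
# allows E-mail Protection. A selection heuristic, not a policy check.
is_smime_signing_cert() {
    awk '
        /X509v3 Key Usage:/          { want = "ku";  next }
        /X509v3 Extended Key Usage:/ { want = "eku"; has_eku = 1; next }
        want == "ku"  && /Digital Signature/ { ku = 1 }
        want == "eku" && /E-mail Protection|Any Extended Key Usage/ { eku = 1 }
        { want = "" }   # extension values sit on the line after the header
        END { exit !(ku && (eku || !has_eku)) }
    '
}

# Prints the ID of each certificate object on the token that passes the check.
# Assumption: pkcs11-tool lists every object with an "ID:  <hex>" line.
find_signing_ids() {
    tmp=$(mktemp) || return 1
    pkcs11-tool --module "$MODULE" --list-objects --type cert |
        awk '$1 == "ID:" { print $2 }' | sort -u |
    while read -r id; do
        # Export the certificate as DER, then classify its extensions.
        pkcs11-tool --module "$MODULE" --read-object --type cert \
            --id "$id" --output-file "$tmp" >/dev/null 2>&1 &&
        openssl x509 -inform DER -in "$tmp" -noout -text |
            is_smime_signing_cert && echo "$id"
    done
    rm -f "$tmp"
}

# Touch a real token only when asked: sh this-script --scan
if [ "${1:-}" = "--scan" ]; then find_signing_ids; fi
```

If the libp11 `pkcs11` engine for OpenSSL is installed (an assumption; the thread does not name it), a printed ID such as the constructed value `02` can be passed to `openssl smime -sign` with `-engine pkcs11 -keyform engine -inkey "pkcs11:id=%02;type=private"`, so the signature is computed on the card and the private key never leaves it.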