Nitrokey / nitrokey-start-firmware

A mirror of Gnuk's 1.0.x and 1.2.x branches.

Cannot import x509 certificate #10

Open szszszsz opened 6 years ago

szszszsz commented 6 years ago

Importing an x509 certificate results in an error. It is mentioned that GNUK accepts certificates only in binary format, but it is not specified which one. DER format was not working. Perhaps the test file itself was invalid - to check.

Example conversion command using openssl x509:

openssl x509 -in input.der -inform DER -out output.pem -outform PEM

Firmware: RTM.6 / GNUK 1.2.10 (latest GNUK). Source: https://support.nitrokey.com/t/failed-to-write-x509-cert-to-nitrokey-start/1127

jans23 commented 6 years ago

For the OpenPGP Card, an X.509 certificate is just a blob and you could store any type of data instead. I guess it is the same for Gnuk. The most common root cause is that the certificate is too large for the available space.

szszszsz commented 6 years ago

I see. Tested sizes were from 1600 to 2300 bytes. Perhaps smaller would do.

alex-nitrokey commented 6 years ago

btw: related to this OpenSC issue

alex-nitrokey commented 6 years ago

How did you test the import? OpenSC seems to work again now. Please see the OpenSC issue.

szszszsz commented 5 years ago

To retest

alex-nitrokey commented 5 years ago

What exactly? Importing certs is working fine in OpenSC now. The gnuk_put_binary script seems to be broken.

szszszsz commented 5 years ago

I mean to reproduce the original issue from the forum, as far as possible. If you have confirmed it works earlier, then it could be closed.

szszszsz commented 5 years ago

Is it the same story as with https://support.nitrokey.com/t/unable-to-store-signed-certificate-on-nitrokey-start/971 ?

alex-nitrokey commented 5 years ago

It is indeed still not working for GnuPG. But I have no idea if it ever did in the first place. As far as I know, the firmware of the Start is a bit special regarding the import of certs, thus the import script (that is currently broken) and special handling in OpenSC for Gnuk (which works fine for OpenSC 0.19).

I think this is not an issue of the firmware. Therefore, I would close this issue here. We could ask on gnuk-users to make sure that this is not fixable in GnuPG. As NIIBE is a maintainer of GnuPG I would be surprised if he would not have thought about implementing it if feasible.