
Help wanted: how to get cert Subject/Issuer (Yubikey) #93

Open
netmiller opened this issue Jan 17, 2018 · 6 comments

Comments

@netmiller

I'm struggling with Yubikey 4 PIV slots, and trying to find specific slot Subject/Issuer value.

Trying some code like this:

```javascript
const graphene = require('graphene-pk11');

// pkcs11.load("./lib/libykcs11.dylib");
const mod = graphene.Module.load('./lib/libykcs11.dylib', 'test17');

mod.initialize();

const session = mod.getSlots(0).open();
session.login('776655');

// note: this enumerates public-key objects, not certificate objects
const fetchedCerts = session.find({ class: graphene.ObjectClass.PUBLIC_KEY });
const cert = fetchedCerts.items(1).toType();    // get slot 9c/Digital Signature

// console.log(`======= certificate: `, cert)
console.log(`======= Object.getOwnPropertyNames(certificate): `, Object.getOwnPropertyNames(cert));
console.log(`======= certificate.lib: `, cert.lib);
console.log(`======= certificate.handle: `, cert.handle);
console.log(`======= certificate.handle.toString('hex'): `, cert.handle.toString('hex'));
console.log(`======= certificate.id.toString('hex'): `, cert.id.toString('hex'));
console.log(`======= certificate.label: `, cert.label);
console.log(`======= certificate.subject: `, cert.subject);   // reads CKA_SUBJECT from the token
// console.log(`======= certificate.value: `, cert.value)

mod.finalize();
```

but I got:

```text
► iMac@pkcs11$ node test17.js
======= Object.getOwnPropertyNames(certificate):  [ 'lib', 'handle', 'session' ]
======= certificate.lib:  PKCS11 {}
======= certificate.handle:  <Buffer 59 00 00 00 00 00 00 00>
======= certificate.handle.toString('hex'):  5900000000000000
======= certificate.id.toString('hex'):  02
======= certificate.label:  Public key for Digital Signature
/Users/esa/devel/nodejs/pkcs11/node_modules/graphene-pk11/build/object.js:59
        tmpl = this.lib.C_GetAttributeValue(this.session.handle, this.handle, tmpl);
                        ^

Error: CKR_ATTRIBUTE_TYPE_INVALID:18
    at Error (native) C_GetAttributeValue:436
```

Yubikey's own tool gets the information:

```text
► iMac@pkcs11$ yubico-piv-tool -a status
CHUID:	3019d4e739da739ced39ce739d836858210842108421384210c3f534103b75ffeac32529144aa56f3fbe31d518350832303330303130313e00fe00
CCC:	f015a000000116ff029742fba7ce8f92eebca1c15293b7f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
	Algorithm:	RSA2048
	Subject DN:	[email protected], OU=db1,db2,db3, O=vaka.fi
	Issuer DN:	[email protected], OU=db1,db2,db3, O=vaka.fi
	Fingerprint:	3727fe8ebb203427967fe7dcef154c86a6a304e2e19c2f72ab7624db56b650c2
	Not Before:	Dec  4 14:59:24 2017 GMT
	Not After:	Dec  8 14:59:24 2020 GMT
Slot 9c:
	Algorithm:	RSA2048
	Subject DN:	[email protected], OU=db1,db2,db3, O=vaka.fi
	Issuer DN:	[email protected], OU=db1,db2,db3, O=vaka.fi
	Fingerprint:	aeb931abcb2673850a75d532763806f3b5e5929a0cc9ad40871eda1f2202237b
	Not Before:	Dec  4 15:00:03 2017 GMT
	Not After:	Dec  8 15:00:03 2020 GMT
Slot 9d:
	Algorithm:	RSA2048
	Subject DN:	[email protected] , OU=db1,db2 O=vaka.fi , L=6946198
	Issuer DN:	[email protected] , OU=db1,db2 O=vaka.fi , L=6946198
	Fingerprint:	cedbf86b94c4bf212b1dec819fce8cc74089e27371c8adaba6e84c135ff56a4c
	Not Before:	Jan 16 17:44:02 2018 GMT
	Not After:	Jan 16 17:44:02 2020 GMT
PIN tries left:	3
```

and I'm trying to get the Subject DN (or Issuer DN) string to show the information to the end user.

Is there a way to get it via PKCS#11 (graphene-pk11)? Any code sample or workaround?

@microshine
Contributor

Yubico PKCS#11 doesn't support the CKA_SUBJECT attribute:
https://github.com/Yubico/yubico-piv-tool/blob/127227fe4c705db9173254c20eb3fcb5085d13c6/ykcs11/objects.c#L538

You can use pkijs to parse the X.509 certificate and get its name.
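The workaround described above, as an added example that is not part of the issue, of graphene-pk11 or of pkijs: since the token will not answer a `CKA_SUBJECT` query, enumerate the token's `CERTIFICATE` objects (the issue's script enumerates `PUBLIC_KEY` objects instead), read each one's `CKA_VALUE` (the DER-encoded certificate, exposed by graphene as `value`), and pull Subject and Issuer out of the X.509 structure. To keep the example runnable offline it walks the DER itself with a small bounds-checked TLV reader rather than calling pkijs; it covers general `Name` parsing (any number of RDNs and attribute types), not just the issue's e-mail/OU/O case. The graphene calls `session.find`, `items`, `toType`, `label` and `value` are taken from the issue and assumed, not verified here; the sample certificate at the bottom is constructed by a tiny DER encoder and its key and signature are placeholders.

```javascript
// Added example, not code from the issue, graphene-pk11 or pkijs: ykcs11 does
// not implement CKA_SUBJECT, so read the certificate object's CKA_VALUE (the DER
// certificate) and walk the X.509 structure to recover Subject and Issuer.

// Minimal DER TLV reader. Bounds-checked, since the bytes come from a token.
function readTlv(buf, off) {
  const tag = buf[off];
  let len = buf[off + 1], p = off + 2;
  if (len & 0x80) {                       // long-form length
    const n = len & 0x7f;
    len = 0;
    for (let i = 0; i < n; i++) len = (len << 8) | buf[p++];
  }
  if (p + len > buf.length) throw new RangeError('truncated DER element');
  return { tag, start: p, end: p + len, next: p + len };
}

// OBJECT IDENTIFIER content octets -> dotted notation.
function decodeOid(bytes) {
  const out = [Math.floor(bytes[0] / 40), bytes[0] % 40];
  for (let i = 1, v = 0; i < bytes.length; i++) {
    v = (v << 7) | (bytes[i] & 0x7f);
    if (!(bytes[i] & 0x80)) { out.push(v); v = 0; }
  }
  return out.join('.');
}

const ATTR_NAMES = { '2.5.4.3': 'CN', '2.5.4.6': 'C', '2.5.4.7': 'L', '2.5.4.8': 'ST',
  '2.5.4.10': 'O', '2.5.4.11': 'OU', '1.2.840.113549.1.9.1': 'emailAddress' };

// Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }  ->  "O=..., CN=..."
function parseName(buf, name) {
  const parts = [];
  for (let p = name.start; p < name.end;) {
    const set = readTlv(buf, p);
    for (let q = set.start; q < set.end;) {
      const atv = readTlv(buf, q), type = readTlv(buf, atv.start);
      const value = readTlv(buf, type.next);
      const oid = decodeOid(buf.subarray(type.start, type.end));
      parts.push(`${ATTR_NAMES[oid] || oid}=${buf.toString('utf8', value.start, value.end)}`);
      q = atv.next;
    }
    p = set.next;
  }
  return parts.join(', ');
}

// Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
// TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, ... }
function certificateNames(der) {
  const cert = readTlv(der, 0), tbs = readTlv(der, cert.start);
  let serial = readTlv(der, tbs.start);
  if (serial.tag === 0xa0) serial = readTlv(der, serial.next);   // skip [0] version
  const sigAlg = readTlv(der, serial.next), issuer = readTlv(der, sigAlg.next);
  const validity = readTlv(der, issuer.next), subject = readTlv(der, validity.next);
  return { issuer: parseName(der, issuer), subject: parseName(der, subject) };
}

// With graphene-pk11 (find/items/toType/label/value as used in the issue; the
// API is assumed, not verified here): enumerate CERTIFICATE objects, not keys.
function namesFromSession(session, graphene) {
  const certs = session.find({ class: graphene.ObjectClass.CERTIFICATE }), out = [];
  for (let i = 0; i < certs.length; i++) {
    const c = certs.items(i).toType();                 // X509Certificate
    out.push({ label: c.label, ...certificateNames(c.value) });
  }
  return out;
}

// Constructed sample: a tiny DER encoder builds a fake certificate so the parser
// can be exercised offline (the key and signature are placeholder bit strings).
function tlv(tag, ...kids) {
  const body = Buffer.concat(kids.map((k) => (Buffer.isBuffer(k) ? k : Buffer.from(k))));
  const n = body.length, len = n < 128 ? [n] : n < 256 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}
function oidBytes(dotted) {
  const a = dotted.split('.').map(Number), out = [40 * a[0] + a[1]];
  for (const n of a.slice(2)) {
    const chunk = [];
    for (let v = n; ; v >>= 7) { chunk.unshift(v & 0x7f); if (v < 128) break; }
    for (let i = 0; i < chunk.length - 1; i++) chunk[i] |= 0x80;
    out.push(...chunk);
  }
  return Buffer.from(out);
}
const rdn = (o, s) => tlv(0x31, tlv(0x30, tlv(0x06, oidBytes(o)), tlv(0x0c, s)));
const sampleName = tlv(0x30, rdn('2.5.4.10', 'Example Org'), rdn('2.5.4.11', 'IT'), rdn('2.5.4.3', 'Alice'));
const sha256Rsa = tlv(0x30, tlv(0x06, oidBytes('1.2.840.113549.1.1.11')));
const sampleCert = tlv(0x30,
  tlv(0x30,
    tlv(0xa0, tlv(0x02, [2])), tlv(0x02, [1]), sha256Rsa,      // version v3, serial, sigAlg
    sampleName,                                                // issuer
    tlv(0x30, tlv(0x17, '180101000000Z'), tlv(0x17, '200101000000Z')),
    sampleName,                                                // subject
    tlv(0x30, tlv(0x30, tlv(0x06, oidBytes('1.2.840.113549.1.1.1'))), tlv(0x03, [0]))),
  sha256Rsa, tlv(0x03, [0]));

console.log(certificateNames(sampleCert));   // { issuer: 'O=Example Org, OU=IT, CN=Alice', subject: ... }
```

On a real token you would call `namesFromSession(session, graphene)` after `session.login(...)` and show the returned `subject` strings to the user. The order of the RDNs follows the certificate's DER order, which may differ from the order `yubico-piv-tool` prints; and because the bytes come from an external device, `readTlv` refuses any element whose declared length runs past the buffer instead of reading out of bounds.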

@netmiller
Author

Thank you! That's what I suspected. I'll try with pkijs.

@microshine
Contributor

microshine commented Jan 17, 2018

One more example

Have you seen node-webcrypto-p11? It's based on graphene-pk11 and implements WebCrypto interface.

@netmiller
Author

@microshine OK, I'll take a look 👍

@netmiller
Author

@microshine I had some luck using node-webcrypto-p11, so I guess I can use it to get the CKA_SUBJECT info into my app. Thanks for the advice.

Can I use graphene and node-webcrypto-p11 simultaneously in my Electron app? Are there likely to be any side effects with sessions etc.?

@microshine
Contributor

microshine commented Jan 17, 2018

Yes, you can.

Here is the webcrypto-local application, which supports multiple PKCS#11 libraries.
Here you can see the code for how I use node-webcrypto-p11 and graphene-pk11.
