read cert from smart card

Mithat Bozkurt mithatbozkurt at gmail.com
Thu Feb 25 04:45:07 PST 2016 

pkcs11-tool run successfully.

mithat at adige:~$ openssl x509 -inform DER -in nescert.der -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 65032255735509265 (0xe70a7df60eb111)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TR, L=Gebze - Kocaeli, O=T\xC3\xBCrkiye Bilimsel ve
Teknolojik Ara\xC5\x9Ft\xC4\xB1rma Kurumu - T\xC3\x9CB\xC4\xB0TAK,
OU=B\xC4\xB0LGEM, CN=Kamu Elektronik Sertifika Hizmet
Sa\xC4\x9Flay\xC4\xB1c\xC4\xB1s\xC4\xB1 - S\xC3\xBCr\xC3\xBCm 5
        Validity
            Not Before: Jun 25 14:01:22 2014 GMT
            Not After : Jun 16 14:44:33 2017 GMT
        Subject: C=TR/serialNumber=62917107586, CN=M\xC4\xB0THAT BOZKURT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:8b:c2:0c:79:2c:72:ff:63:29:1a:d0:46:36:20:
                    6f:17:db:6e:b2:55:8d:4c:7e:4b:2c:4a:cc:99:5f:
                    53:a0:c2:60:8b:1a:c9:24:bc:97:72:af:bd:56:e9:
                    eb:79:68:7f:dc:45:6b:45:8f:a4:34:f5:fa:f5:2a:
                    40:10:d9:7e:7f:a1:b0:74:ef:6a:a8:e7:9c:0a:e7:
                    f3:21:24:1d:33:30:b3:e6:37:ae:51:8e:b4:bc:b1:
                    43:8e:ce:44:72:a7:c8:ad:be:3a:89:66:97:c1:0b:
                    34:76:f3:2d:88:fc:8c:5f:b3:f2:8e:7e:a0:34:95:
                    29:4f:96:e3:8d:02:26:00:18:8c:ab:c5:a7:80:a3:
                    5a:cd:7a:fa:41:ce:e3:9c:32:34:31:cc:f5:b0:d8:
                    25:54:97:7e:1d:57:68:79:43:48:a9:76:34:ac:09:
                    95:bd:38:99:53:c6:de:78:63:99:ac:4c:42:e5:1f:
                    f8:52:52:08:5e:14:e3:fc:74:d8:d1:a1:69:5e:d4:
                    33:25:92:fa:10:36:5f:d6:bc:2f:0a:61:5d:88:0a:
                    0c:73:6b:c7:18:d7:ca:0f:8b:b2:89:35:37:dd:be:
                    4a:a6:02:95:4a:8d:28:42:2e:4e:00:1a:7a:21:b7:
                    26:22:ef:c5:c6:8f:bc:a0:ea:2c:3e:54:aa:d0:57:
                    b8:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:

keyid:BB:75:CF:AC:66:56:08:88:3C:5E:B1:77:5C:25:38:07:6C:C6:EA:C0

            X509v3 Subject Key Identifier:
                F8:24:FF:DB:CE:2B:AD:B7:73:8C:8F:77:82:2D:2F:CA:CC:B7:AD:A4
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Certificate Policies:
                Policy: 2.16.792.1.2.1.1.5.7.1.1
                  CPS: http://www.kamusm.gov.tr/BilgiDeposu/KSM_NES_SUE
                  User Notice:
                    Explicit Text:

            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://depo.kamusm.gov.tr/nes/NESIL.v5.crl

            Authority Information Access:
                CA Issuers - URI:http://depo.kamusm.gov.tr/nes/neshs.v5.crt
                OCSP - URI:http://ocsp5.kamusm.gov.tr/

            qcStatements:
                0z0......F..0n..`...=...N..._Bu sertifika, 5070
say..l.. Elektronik ..mza Kanununa g..re nitelikli elektronik
sertifikad..r.
    Signature Algorithm: sha256WithRSAEncryption
         b2:48:c4:20:2f:22:11:16:4a:e9:fa:51:9b:4c:5e:b1:a1:05:
         fa:dc:c9:7a:fa:75:bf:f7:06:0f:9b:e7:33:39:06:48:a3:3d:
         fe:92:f5:e1:49:e8:fb:6d:cc:08:1b:64:06:52:f0:95:1e:54:
         cb:db:4c:30:e6:5f:1b:b7:dd:bd:7c:ef:cc:35:f7:d3:10:b3:
         c8:37:8c:22:77:0e:bc:c8:20:15:f8:35:b2:57:d1:1c:89:08:
         dd:2a:63:bc:c8:da:7d:fa:1b:3c:4d:9e:3c:16:95:88:37:fa:
         3f:27:e8:8a:8f:b2:97:a7:82:2f:10:02:ab:64:3f:c1:54:1a:
         d1:c8:76:36:1d:a4:7e:15:b9:7f:ab:bf:bd:74:af:ec:19:4a:
         73:f1:24:4d:06:6f:7a:b5:48:bf:10:65:30:ce:48:42:8f:82:
         af:7e:a2:02:ee:b4:33:60:77:f6:4b:a9:f4:e0:f6:e5:ae:ba:
         4b:4b:ed:a5:7f:1f:45:cd:e2:4c:92:7a:52:16:97:df:66:e1:
         94:b2:57:19:a5:94:de:38:d0:b5:e7:3d:fe:85:c1:ad:90:b0:
         83:b0:9f:4d:de:17:07:52:80:96:11:34:60:e5:f3:17:92:5e:
         33:a1:50:cf:a1:a0:74:58:86:a4:bb:40:a6:81:8a:ba:38:17:
         3b:fd:36:11



2016-02-25 14:00 GMT+02:00 David Woodhouse <dwmw2 at infradead.org>:
> On Thu, 2016-02-25 at 13:39 +0200, Mithat Bozkurt wrote:
>>
>> BTW I am getting e-mail with subject is " Your message to p11-glue
>> awaits moderator approval" from p11-glue.
>
> It might be one of those horrid lists which require you to subscribe
> before you post to it.
>
> Or maybe it just hates you for top-posting. :)
>
>> Do I remove the p11-glue from recipients or remain same?
>
> Let's drop it. I think the interesting part for now is in p11tool
> (which is part of GnuTLS and hence Nikos' problem) rather than p11-kit
> itself.
>
> Try extracting your cert with OpenSC's pkcs11-tool instead:
>
>   pkcs11-tool -module /usr/lib/libakisp11.so -l -a 62917107586NES0 -y cert -r -o nescert.der
>   openssl x509 -inform DER -in nescert.der -noout -text
>
>
> When that doesn't work, install the pkcs11-spy module (which on Fedora
> would be /usr/lib64/pkcs11/pkcs11-spy.so). Then:
>
>  export PKCS11SPY=/usr/lib/libakisp11.so
>
> and repeat the p11tool/pkcs11-tool invocations to extract the cert, but
> using pkcs11-spy.so as the provider instead of (directly) using the
> akis module. Show the full output of those commands.
>
> --
> dwmw2
>

More information about the openconnect-devel mailing list