-
Notifications
You must be signed in to change notification settings - Fork 133
-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Show smartcard token's labels and certs' key usage #101
Comments
I see #61 was closed. I agree that it isn't required to prevent the user from using inappropriate certs based on usage, but I would suggest making this information available so users can manually select the correct one. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please consider exposing the label such as "Certificate For Digital Signature" and the key usage ("Digital Signature" and "Non Repudiation"). My PIV token has multiple certificates on it, one of which for the purpose of making signatures. One certificate has the usage of "Key Encipherment" and is inappropriate to use for any signing operations. I cannot currently distinguish between my certificates using the output of
smimesign --list-keys
.It may also make sense to filter out any keys that do not have the "Digital Signature" key usage. (This isn't enough alone, 3 of my 4 keys have this usage.) This setting could be optional.
Add a
Usages:
section to the--list-keys
output. This information is available in the.KeyUsage
.ExtKeyUsage
properties of theident.Certificate()
.Add the "label" of each certificate on the token to the output. This information is not available in the certificate itself, it will need to be added to the platform specific
certstore
code. On macOS it is available in thelabl
attribute of the identity (test with the command line comand:security export-smartcard -t identities
).As a workaround, I'm currently using
pkcs11-tool
to list the certificates with labels, then matching it's certificate serial to the output ofsmimesign --list-keys
:The text was updated successfully, but these errors were encountered: