[Nitrokey HSM] What are C.DevAut and C.DICA?

Hello again

I’ve compiled and have played with libsc-hsm-pkcs11.so.
When I try to list-object:
pkcs11-tool --module /usr/local/lib/libsc-hsm-pkcs11.so --login --pin XYZXYZ -O
I can see:

Using slot 0 with a present token (0x1)
Certificate Object; type = unknown cert type
label: C.DevAut
Certificate Object; type = unknown cert type
label: C.DICA

I can download it, but I cannot parse it as certificate with openssl.
But inside I can see OID:
1.3.6.1.4.1.24991.3.1.1
{iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) 24991}

0.4.0.127.0.7.2.2.2.2.3
{itu-t(0) identified-organization(4) etsi(0) reserved(127) etsi-identified-organization(0) bsi-de(7) protocols(2) smartcards(2) 2 2 3}
With Smart Card Shell I don’t see those certs.

Initialization doesn’t remove those certs.

  1. What are C.DevAut and C.DICA?
  2. What format of certs has been used?
  3. How can I show those certs?

C.DevAut is the Device Authentication certificate used for P2P authentication and key attestation.

C.DICA is the Device Issuer Certification Authority’s certificate that was used to produce the HSM.

There is also a C.SRCA for the Scheme Root Certification Authority that certifies production facilities. The C.SRCA is placed as trust-anchor in applications (e.g. in OpenSC).

All certificates are Card Verifiable Certificates as defined in BSI TR-03110.

In the Smart Card Shell the certificates are displayed in the shell window:

SmartCard-HSM Version 3.4 on JCOP 3          Free memory 50604 byte
Issuer : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDICC0400001     CED=22. Oktober 2015 CXD=21. Oktober 2023 
Device : CVC id-SC-HSM Device CAR=DEDICC0400001 CHR=DECC040100200000 CED=19. August 2020 CXD=21. Oktober 2023
1 Like

Thank you sc-hsm. You are very helpful.

Can I delete C.DevAut or C.DICA?
What negative impact (if any) should I expect?
If deleted, can I restore or recover those certs? (e.g. during HSM2 initialization)?

Is there any tool to display BSI TR-03110 certs in detail? Something like openssl x509 -in cert.pem -text?

No, you can’t delete C.DevAut and C.DICA. They are stored in a read/only EF in the HSM.

There is a simple CVC-Explorer available for the Smart Card Shell.

1 Like
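
Why openssl cannot read these objects and what they contain, as an added example (not code from the thread's participants or from the SmartCard-HSM project): a Card Verifiable Certificate is a BER-TLV structure using the TR-03110 tags, not X.509, so a small TLV walker is enough to show CAR, CHR, CED, CXD and the embedded OIDs. The sample is constructed from the values in the "Device" line and the OIDs in the question; where the two OIDs sit (public key and holder authorization template) is an assumption, and the signature is dummy bytes that are not verified.

```python
from datetime import date

def read_tlv(buf, pos):
    """Read one BER-TLV at pos; return (tag, constructed, value, next_pos)."""
    start, pos = pos, pos + 1
    while buf[start] & 0x1F == 0x1F and (pos == start + 1 or buf[pos - 1] & 0x80):
        pos += 1                             # multi-byte tag such as 7F21 or 5F37
    tag, length, pos = int.from_bytes(buf[start:pos], "big"), buf[pos], pos + 1
    if length & 0x80:                        # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of data")
    return tag, bool(buf[start] & 0x20), buf[pos:pos + length], pos + length

def decode_oid(v):                           # DER OID content bytes -> dotted notation
    arcs, n = [], 0
    for b in v:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(map(str, (*head, *arcs[1:])))

def parse_cvc(buf, out=None):
    """Walk the TLV tree; collect CAR, CHR, CED, CXD (tags per BSI TR-03110) and all OIDs."""
    out, pos = ({"OIDs": []} if out is None else out), 0
    while pos < len(buf):
        tag, constructed, val, pos = read_tlv(buf, pos)
        if tag == 0x06:
            out["OIDs"].append(decode_oid(val))
        elif tag in (0x42, 0x5F20):          # authority / holder reference
            out["CAR" if tag == 0x42 else "CHR"] = val.decode("latin-1")
        elif tag in (0x5F25, 0x5F24):        # effective / expiration date: YYMMDD, one digit per byte
            if len(val) != 6 or max(val) > 9:
                raise ValueError("bad CVC date")
            y, m, d = (10 * val[i] + val[i + 1] for i in (0, 2, 4))
            out["CED" if tag == 0x5F25 else "CXD"] = date(2000 + y, m, d)
        elif constructed:
            parse_cvc(val, out)
    return out

# Constructed sample (short lengths only): references and dates from the "Device" line, dummy signature
def tlv(tag, *parts):
    return bytes.fromhex(tag) + bytes([sum(map(len, parts))]) + b"".join(parts)
SAMPLE = tlv("7F21", tlv("7F4E", tlv("5F29", b"\0"), tlv("42", b"DEDICC0400001"),
    tlv("7F49", tlv("06", bytes.fromhex("04007F00070202020203"))), tlv("5F20", b"DECC040100200000"),
    tlv("7F4C", tlv("06", bytes.fromhex("2B0601040181C31F030101"))),
    tlv("5F25", bytes([2, 0, 0, 8, 1, 9])), tlv("5F24", bytes([2, 3, 1, 0, 2, 1]))), tlv("5F37", bytes(8)))
print(parse_cvc(SAMPLE))
```

To try it on a real object, pass the bytes read from the token to `parse_cvc`; trusting the result still requires checking the signature chain up to the C.SRCA trust anchor, which this sketch does not do.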