
Gemalto IDPrime 940 no longer lists private key after renewal #3201

@ignisf

Description


Problem Description

I am using a qualified e-signature from Borica's B-Trust service https://www.b-trust.bg/en/electronic-signatures/qualified-certificates . Initially the smart card and the e-signature worked flawlessly with OpenSC and without any proprietary PKCS#11 libraries. The certificate on the card expired and I went through the issuer's online renewal process. After the renewal the token is not usable with OpenSC, only with the proprietary PKCS#11 module shipped with Borica's helper software. The private key is listed neither by pkcs11-tool nor by pkcs15-tool. It is only visible when using the proprietary IDPrime PKCS#11 shared library.

Proposed Resolution

N/A

My assumption is that the employees at the office use different software to provision the smart cards, which sets them up in an OpenSC-compatible manner. The at-home renewal process, though, goes through a proprietary IDPrime PKCS#11 module, which results in a card that is unusable with OpenSC.

Steps to reproduce

TBD, as this might be reproducible by using the proprietary libIDPrimePKCS11.so library to renew a certificate. However, the current steps to reproduce are:

  1. Acquire a qualified certificate from https://www.b-trust.bg/en/electronic-signatures/qualified-certificates
  2. Request a renewal upon approach of expiration date via https://store.borica.bg/en/qualified-signature-renewal.
  3. Renew via https://store.borica.bg/en/qualified-signature-renewal which calls out to a proprietary Java-based signing helper https://www.b-trust.bg/attachments/BtrustPrivateFile/24/docs/B-TrustBISS.tar . This ships and uses an old version of libIDPrimePKCS11.so.
  4. Observe that OpenSC no longer sees the private key on the card.

Logs

https://gist.github.com/ignisf/2d537ab82585bc9a2d505b42e6246fbc
https://gist.github.com/ignisf/888e1ee109c388d533e8cb1d5fe7d539

With proprietary IDPrime PKCS11 module:
https://gist.github.com/ignisf/b2347f19e12650dfbd58d86a2d9680fb
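The symptom in step 4 is easiest to pin down by diffing what the two PKCS#11 modules enumerate for the same card: if OpenSC returns a certificate whose ID has no matching private key object while the vendor module does return that key, the private key exists on the card but is not described in a structure OpenSC can read. The script below is an added example, not code from the issue reporter or from the OpenSC project. It parses the plain-text object listing of `pkcs11-tool --list-objects --login` (the header-plus-indented-attribute layout assumed here) and reports certificate IDs that lack a private key. The two dumps embedded in it are constructed for the example and are not taken from the gists above; `libIDPrimePKCS11.so` is simply the second module one would point `--module` at.

```python
"""Compare PKCS#11 object listings from two modules for the same card.

Added example: parses the text printed by `pkcs11-tool --list-objects --login`
and finds certificates that have no private key object with the same ID.
"""
import re
from typing import Dict, List, Set

# Object block header, e.g. "Private Key Object; RSA" or
# "Certificate Object; type = X.509 cert" (assumed pkcs11-tool layout).
_OBJ_HEADER = re.compile(r"^(Private Key|Public Key|Certificate|Data) Object;")
# Indented attribute line, e.g. "  ID:         01". Non-greedy so that
# "subject:    DN: C=BG, ..." splits at the first colon.
_ATTR = re.compile(r"^\s+(\w[\w ]*?):\s*(.*)$")

# Constructed sample: the card as seen through the OpenSC module. A
# certificate and public key with ID 01 are present, the private key is not.
OPENSC_DUMP = """\
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: C=BG, O=Example Org, CN=Example Signer
  ID:         01
Public Key Object; RSA 2048 bits
  label:      Public Key
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
"""

# Constructed sample: the same card through a vendor module (hypothetical
# output modelled on libIDPrimePKCS11.so), which also lists the private key.
VENDOR_DUMP = """\
Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      Private Key
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: C=BG, O=Example Org, CN=Example Signer
  ID:         01
Public Key Object; RSA 2048 bits
  label:      Public Key
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
"""


def parse_list_objects(text: str) -> List[Dict[str, str]]:
    """Turn pkcs11-tool output into a list of {class, label, id, ...} dicts."""
    objects: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        header = _OBJ_HEADER.match(line)
        if header:
            current = {"class": header.group(1)}
            objects.append(current)
            continue
        if not current:
            continue  # slot banner and other non-object lines
        attr = _ATTR.match(line)
        if attr:
            current[attr.group(1).lower()] = attr.group(2).strip()
    return objects


def ids_of(objects: List[Dict[str, str]], cls: str) -> Set[str]:
    """Set of object IDs (hex strings as printed) for one object class."""
    return {o["id"] for o in objects if o["class"] == cls and "id" in o}


def orphaned_certificates(objects: List[Dict[str, str]]) -> List[str]:
    """Certificate IDs with no private key object sharing the same ID."""
    return sorted(ids_of(objects, "Certificate") - ids_of(objects, "Private Key"))


def missing_private_keys(reference_text: str, opensc_text: str) -> List[str]:
    """Private key IDs listed by the reference module but not by OpenSC."""
    ref_keys = ids_of(parse_list_objects(reference_text), "Private Key")
    opensc_keys = ids_of(parse_list_objects(opensc_text), "Private Key")
    return sorted(ref_keys - opensc_keys)


if __name__ == "__main__":
    # With real hardware, feed in the output of e.g.
    #   pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-objects --login
    #   pkcs11-tool --module /path/to/libIDPrimePKCS11.so --list-objects --login
    print("certs without key (OpenSC):", orphaned_certificates(parse_list_objects(OPENSC_DUMP)))
    print("keys only the vendor module shows:", missing_private_keys(VENDOR_DUMP, OPENSC_DUMP))
```

One caveat when collecting the real listings: private key objects are normally private PKCS#11 objects, so both modules must be run with `--login` (and the user PIN), otherwise an empty private key list proves nothing. A certificate ID that shows up as orphaned only in the OpenSC listing, while the vendor module shows a private key under that ID, is the signature of a key the card holds but OpenSC cannot find in its PKCS#15 view.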
