How to sign using certificates on a smartcard, and verify using the root ca used to create this certificate ?

[nipil]

What is not working as expected?

I am trying out Notation, and everything is working great using test certificates.

Now i want to switch to a smartcard (or any similar harware).

Are smartcard (or other protocols for hardware based key/cert holders) supported by Notation ?

• if not

  • is it planned in any roadmap?
  • if yes, when could i hope to use it ?

• if yes, could you point to some documentation on

  • how to use a smartcard/token with notation ?
  • how and where to import the ca chain which issued the certs on the smartcard ?

Thanks in avance for your help.

What did you expect to happen?

I want to switch to using a smart card (usb dongle with certificates on it) to sign container images.

How can we reproduce it?

I did not find how hardware based certificates in Notation

Describe your environment

My smartcard is working great for browser and vpn authentication, on a windows OS.

What is the version of your Notation CLI or Notation Library?

1.3.2

[FeynmanZhou]

Hi @nipil , thanks for your request. I think signing using certs on smartcard is not supported in Notation. Can you clarify more on the smartcard? This may need to develop a new plugin to support. You can also extend it by developing your own plugin.

[nipil]

Can you clarify more on the smartcard?

The device i have is a USB token i plug into my windows machine
I can automatically use it for browser-based identification using client-certificate from it
And to authenticate when using vpn using a client certificate on it.

It appears under the device manager

• USBCCID Smartcard Reader (WUDF)
• class "SmartCardReader"
• service WUDFRd

The loaded drivers linked to this device are :

• scfilter.sys
• wudfusbcciddriver.dll
• winusb.sys
• wudfrd.sys

Not that it matters i guess, but :

• vendor id 0x0529
• product id is 0x0620
• revision 1

Device driver page : https://support.globalsign.com/ssl/ssl-certificates-installation/safenet-drivers

[nipil]

Under linux (debian 12) it presents itself in dmesg as :

[2649590.910292] usb 1-2: new full-speed USB device number 16 using xhci_hcd
[2649591.060176] usb 1-2: New USB device found, idVendor=0529, idProduct=0620, bcdDevice= 0.01
[2649591.060190] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[2649591.060197] usb 1-2: Product: Token JC
[2649591.060202] usb 1-2: Manufacturer: SafeNet

And in lsusb gives the following

Bus 001 Device 016: ID 0529:0620 Aladdin Knowledge Systems Token JC

Additionnal information about this device and linux drivers : https://cyrille.giquello.fr/informatique/safenet_etoken_5110

PS: i do not use this token under linux, and i do not intend to : i just provide this information for completeness.