Where Is The Trust Chain? [python] Asn1crypto And Pkcs11 Aladdin Usb Etoken

I have this code working fine. I am signing with an USB eToken. But after copying and pasting the PEM output of this code in the https://lapo.it/asn1js/ the trust chain is not show

Solution 1:

You have constructed and signed one individual X.509 certificate and then output it in PEM format. A chain of trust is multiple certificates, commonly provided as a list of PEM-encoded certificates starting from the leaf.

Thus you need to output the signing certificate as well. In X.509 there are two pieces of information: your public certificate (including public key) signed by the issuer and the private key you have used on your token.

PKCS#11 devices can store X.509 certificates so there's a good chance the signed X.509 object for this certificate is on your token and you can retrieve it with Session.get_objects.

# Retrieve first certificate object from the HSMcert = next(session.get_objects({Attribute.CLASS: ObjectClass.CERTIFICATE}))
# Retrieve the DER-encoded value of the certificateder_bytes = cert[Attribute.VALUE]
# Convert to PEM encodingpem_bytes = pem.armor('CERTIFICATE', der_bytes)

This example is from Exporting Certificates.

If you have multiple certificates on your token you can include additional search parameters including the certificate type, issuer, etc. The docs contain more information on the parameters for certificate objects. The PKCS#11 spec contains further information still.

Alternatively, if you have the X.509 certificate in some other form you can simply append it. It does not need to be stored in the HSM.