[probably a bug] ECDSA (NIST P-384)/SHA384-signed certificates are not recognized on Windows 10 #42
Description
Description of the problem: If the HSM token hosts both RSA and ECDSA certificates (the latter based on NIST P-384 curve and signed by SHA-384), only the RSA-based ones are detected by Windows.
Note: It is not clear what causes the problem. Consider this issue primarily as a request for comment.
Expected result: ECDSA certificates to be accessible as Windows Digital IDs
Is reproducible: Yes, always (three fresh Windows 10 Pro and one Windows 10 Enterprise installations are currently being examined)
Environment: Freshly installed Windows 10 Pro/Enterprise with all security updates applied; OpenSC 0.24, shm-middleware-x64-2.12, SHA-384 and SHA-512 support is added to the Registry.
Other symptoms: Mozilla Firefox and Thunderbird are capable of displaying all certificates installed in the token (both RSA and ECDSA-based) and operating with them, provided the correct PKCS#11 module is configured with the NSS (either sc-hsm-pkcs11.dll or opensc-pkcs11.dll). Google Chrome, Brave, and Microsoft Edge can operate only with the RSA-based certificates hosted by the token. Adobe Acrobat can operate with the RSA-based certificates natively (no custom PKCS#11 provider is configured). If PKCS#11 provider is loaded in Adobe Acrobat (either sc-hsm-pkcs11.dll or opensc-pkcs11.dll), the ECDSA-based certificates become visible in the list with DigitalIDs, but due to the limitation of Adobe Acrobat and its well-know lack of cryptography support, those ECDSA certificates cannot be used for signing through any PKCS#11 provider (correct me if I am wrong). FoxitReader cannot utilize ECDSA certificates at all (regardless of the provider).
Logs and tests: (see the attached file - output generated by The Microsoft Smart Card Resource Manager) It misses to show two ECDSA-based certificates installed inside the token and shows information only about the RSA-based certificates stored there.
log_windows_ecdsa_sha384_issues.log