Re: Smartcard cert used for encrypt\decrypt

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Boyd Ako
> Sent: Wednesday, January 30, 2019 18:08

> Does anybody know how to use the smartcard to encrypt and decrypt files?

This may depend somewhat on the type of smartcard. While PKCS#11 is a standard, there are all sorts of differences in implementations.

> I was able to encrypt a file using the cert on the smartcard. However, I couldn't decrypt it.
> I think it's mainly because I don't know how to get the Private Key on the token to decrypt
> it. I've tried `pkcs11-tool -l --id 0002 -r --type privkey` but I get a "sorry, reading
> private keys not (yet) supported" message.

You're Doing It Wrong.

The point of hardware cryptographic devices is that *secrets stay on them*. You're not supposed to get private keys off the device, except for special and rare use cases such as cloning a device for redundancy.

If you want to do this with OpenSSL, you need to use the OpenSSL PKCS#11 engine. In most OpenSSL builds I've seen, the PKCS#11 engine isn't linked into the openssl executable, so you use the "dynamic" engine to load it. And the PKCS#11 engine will need a suitable driver.

This gets quite complicated, and I don't have time to dig up all my notes, and I've never tried your use case anyway. (I used HSMs for code signing.) But here's an example of using a NitroKey HSM to generate a CSR, using the openssl utility and PKCS#11 engine on Windows:

C:\> openssl
OpenSSL> engine -t dynamic -pre SO_PATH:\path\to\pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:\path\to\opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:\path\to\pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:\path\to\opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key 0:10 -keyform engine -out csr.pem -text -days 1095
engine "pkcs11" set.
No private keys found.
Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): 6-digit PIN
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: you can change any of these or hit Enter for the defaults
State or Province Name (full name) [XX]:
Locality Name (eg, city) [Some City]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) [Whatever]:
Common Name (eg. YOUR name) [Me]:
Email Address [foo@xxxxxxx]:
OpenSSL>

Here pkcs11.dll is the OpenSSL PKCS#11 engine in dynamic-load module form. If your OpenSSL installation doesn't have it, you'll have to build it. opensc-pkcs11.dll is the PKCS#11 driver from the OpenSC open-source smartcard interface project. OpenSC has a configuration file which needs to be set up to match your particular hardware.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
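
Added example (not part of the original message, and not OpenSSL or OpenSC project code): one way to decrypt a file with a key that never leaves the token, using `openssl cms` through the PKCS#11 engine. Assumptions: the function names and the `KEY_SOURCE` switch are made up for this sketch, the file is wrapped as CMS (the thread does not say how it was encrypted), the token holds an RSA key allowed to decrypt, and the pkcs11 engine with its MODULE_PATH is already configured in openssl.cnf so that `-engine pkcs11` resolves.

```shell
#!/bin/sh
# Added example. encrypt_for_cert, decrypt_with_key and KEY_SOURCE are
# hypothetical names chosen for this sketch.

# Encrypt a file to the public key in a PEM certificate. Only the certificate
# is needed, which is why encryption works without touching the private key.
# usage: encrypt_for_cert CERT PLAINTEXT CIPHERTEXT
encrypt_for_cert() {
    openssl cms -encrypt -aes-256-cbc -binary -outform DER \
        -in "$2" -out "$3" "$1"
}

# Decrypt a CMS file.
# KEY_SOURCE=engine (default): KEY is a key reference on the token, for
#   example the slot:id form "0:10" used in the session above. The RSA
#   operation that unwraps the per-file AES key runs on the card; the private
#   key is never read out, only the unwrapped AES key returns to the host.
# KEY_SOURCE=file: KEY is a PEM private key file, a software key for dry runs
#   on a machine without the hardware.
# usage: decrypt_with_key CERT KEY CIPHERTEXT PLAINTEXT
decrypt_with_key() {
    if [ "${KEY_SOURCE:-engine}" = engine ]; then
        openssl cms -decrypt -inform DER \
            -engine pkcs11 -keyform engine -inkey "$2" \
            -recip "$1" -in "$3" -out "$4"
    else
        openssl cms -decrypt -inform DER \
            -inkey "$2" -recip "$1" -in "$3" -out "$4"
    fi
}

# With a token attached (prompts for the user PIN):
#   encrypt_for_cert card-cert.pem secret.txt secret.cms
#   decrypt_with_key card-cert.pem 0:10 secret.cms secret.out
```

The certificate passed as CERT must be the one matching the on-token key, exported from the card beforehand; certificates are public and can be read off the token freely.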


