> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Boyd Ako
> Sent: Wednesday, January 30, 2019 18:08

> Does anybody know how to use the smartcard to encrypt and decrypt files?

This may depend somewhat on the type of smartcard. While PKCS#11 is a standard, there are all sorts of differences in implementations.

> I was able to encrypt a file using the cert on the smartcard. However, I couldn't decrypt it.
> I think it's mainly because I don't know how to get the Private Key on the token to decrypt
> it. I've tried `pkcs11-tool -l --id 0002 -r --type privkey` but I get a "sorry, reading
> private keys not (yet) supported" message.

You're Doing It Wrong. The point of hardware cryptographic devices is that *secrets stay on them*. You're not supposed to get private keys off the device, except for special and rare use cases such as cloning a device for redundancy.

If you want to do this with OpenSSL, you need to use the OpenSSL PKCS#11 engine. In most OpenSSL builds I've seen, the PKCS#11 engine isn't linked into the openssl executable, so you use the "dynamic" engine to load it. And the PKCS#11 engine will need a suitable driver.

This gets quite complicated, and I don't have time to dig up all my notes, and I've never tried your use case anyway. (I used HSMs for code signing.) But here's an example of using a NitroKey HSM to generate a CSR, using the openssl utility and PKCS#11 engine on Windows:

C:\> openssl
OpenSSL> engine -t dynamic -pre SO_PATH:\path\to\pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:\path\to\opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:\path\to\pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:\path\to\opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key 0:10 -keyform engine -out csr.pem -text -days 1095
engine "pkcs11" set.
No private keys found.
Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): 6-digit PIN
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: you can change any of these or hit Enter for the defaults
State or Province Name (full name) [XX]:
Locality Name (eg, city) [Some City]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) [Whatever]:
Common Name (eg. YOUR name) [Me]:
Email Address [foo@xxxxxxx]:
OpenSSL>

Here pkcs11.dll is the OpenSSL PKCS#11 engine in dynamic-load module form. If your OpenSSL installation doesn't have it, you'll have to build it. opensc-pkcs11.dll is the PKCS#11 driver from the OpenSC open-source smartcard interface project. OpenSC has a configuration file which needs to be set up to match your particular hardware.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
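The post stops at CSR generation, but the original question was file encryption and decryption with a key that stays on the token. The script below is an added example, not code from the post or from OpenSC or OpenSSL: it does envelope encryption (a random AES key protects the file, and only that key is RSA-wrapped under the certificate), so the one operation that needs the private key, unwrapping the session key, is the only step that has to go through the pkcs11 engine. It assumes the `openssl` command line tool is on PATH, that the engine is loadable under the name `pkcs11` (via openssl.cnf or the dynamic-engine commands shown above), that `0:10` is your key reference as in the post, and that the certificate was exported from the token beforehand (for example with `pkcs11-tool -r --type cert --id <id> -o cert.der` followed by `openssl x509 -inform DER -in cert.der -out cert.pem`). Whether the token and driver accept RSA-OAEP is also an assumption; if the unwrap is rejected, drop both `-pkeyopt rsa_padding_mode:oaep` options to fall back to the default PKCS#1 v1.5 padding. By default the script generates a throwaway software key so the round trip can be run offline.

```sh
#!/bin/sh
# Added example, not code from the openssl-users post. Envelope encryption of a
# file under a certificate, with decryption whose RSA unwrap step can run on a
# smartcard through the OpenSSL pkcs11 engine, so the private key never leaves
# the token. The self-test at the bottom uses a throwaway software key instead.
set -eu

# Encrypt FILE for the holder of CERT (PEM certificate, e.g. exported from the
# token). A random 256-bit value protects the payload (AES-256-CBC, PBKDF2 key
# derivation) and is itself wrapped under the certificate's RSA public key with
# OAEP. Output: OUTDIR/payload.enc and OUTDIR/session.key.enc.
envelope_encrypt() {
  file=$1; cert=$2; outdir=$3
  openssl rand -hex 32 > "$outdir/session.key"
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$file" -out "$outdir/payload.enc" \
      -pass file:"$outdir/session.key"
  openssl pkeyutl -encrypt -certin -inkey "$cert" -pkeyopt rsa_padding_mode:oaep \
      -in "$outdir/session.key" -out "$outdir/session.key.enc"
  rm -f "$outdir/session.key"        # only the wrapped copy is kept on disk
}

# Decrypt what envelope_encrypt produced. Everything after OUTFILE is handed to
# pkeyutl as the private-key selection, so one function serves both cases:
#   software key: envelope_decrypt DIR out.txt -inkey key.pem
#   token key:    envelope_decrypt DIR out.txt -engine pkcs11 -keyform engine -inkey 0:10
# (0:10 is the slot:id reference from the post; your engine build may expect a
# pkcs11: URI instead. The engine prompts for the token PIN during the unwrap.)
envelope_decrypt() {
  dir=$1; outfile=$2; shift 2
  openssl pkeyutl -decrypt "$@" -pkeyopt rsa_padding_mode:oaep \
      -in "$dir/session.key.enc" -out "$dir/session.key"
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$dir/payload.enc" -out "$outfile" \
      -pass file:"$dir/session.key"
  rm -f "$dir/session.key"
}

# Offline round trip with a constructed plaintext and a software RSA key.
# Returns 0 when the recovered file matches the original. To exercise a real
# token, replace the -inkey argument of the decrypt call with the engine form
# shown above.
selftest() {
  tmp=$(mktemp -d)
  printf 'constructed sample plaintext\n' > "$tmp/plain.txt"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$tmp/key.pem" 2>/dev/null
  openssl req -new -x509 -key "$tmp/key.pem" -subj "/CN=constructed test" \
      -days 1 -out "$tmp/cert.pem" 2>/dev/null
  envelope_encrypt "$tmp/plain.txt" "$tmp/cert.pem" "$tmp"
  envelope_decrypt "$tmp" "$tmp/recovered.txt" -inkey "$tmp/key.pem"
  if cmp -s "$tmp/plain.txt" "$tmp/recovered.txt"; then status=0; else status=1; fi
  rm -rf "$tmp"
  return $status
}

selftest && echo "software round trip OK"
```

The split matters operationally as well as cryptographically: RSA cannot encrypt a file of arbitrary size, and routing every byte through a smartcard would be slow, so the token only ever sees the wrapped session key. Losing the token (or its PIN) means losing access to every file wrapped under that certificate, which is the point the post makes about keys not leaving the device, so plan key backup at the HSM level rather than by exporting the key.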