Key format of pkcs11-tool --read-object --type pubkey


Key format of pkcs11-tool --read-object --type pubkey

Johannes Rath

Hi all,

I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:

pkcs15-tool --read-public-key keyid -o publickey.pem

openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt

But when I use pkcs11-tool the exported key is kind of weird. I am using:

pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key

I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.

Any ideas?

Thanks in advance

Johannes

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Key format of pkcs11-tool --read-object --type pubkey

Douglas E Engert
What version of OpenSC are you using?

0.13.0 will output an RSA pubkey, i.e. a sequence of modulus and exponent. Not very useful.

openssl asn1parse -i -inform DER -in publickey.key
     0:d=0  hl=4 l= 266 cons: SEQUENCE
     4:d=1  hl=4 l= 257 prim:  INTEGER
   265:d=1  hl=2 l=   3 prim:  INTEGER           :010001

Later versions, including 0.16.0, will output an SPKI, which OpenSSL can use as a pubkey:

pkcs11-tool --read-object --type pubkey --id 01  -o publickey.der
openssl asn1parse -i -inform DER -in publickey.der -dump
     0:d=0  hl=4 l= 290 cons: SEQUENCE
     4:d=1  hl=2 l=  13 cons:  SEQUENCE
     6:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
    17:d=2  hl=2 l=   0 prim:   NULL
    19:d=1  hl=4 l= 271 prim:  BIT STRING
       0000 - 00 30 82 01 0a 02 82 01-01 00 d1 c5 d7 f3 8c 91   .0..............
       0010 - 34 a4 11 6d 04 0d fe 10-66 af 8b 44 a3 be 66 09   4..m....f..D..f.
       0020 - c6 86 a2 4f 23 e4 47 90-6e 33 42 1b fe dc 9d b1   ...O#.G.n3B.....
       0030 - 6c 23 12 30 6e 63 ba 34-8b 57 a8 1d 1c c2 41 fe   l#.0nc.4.W....A.
       0040 - 98 13 c0 a0 2e 34 39 03-d6 03 15 bc 78 82 89 d4   .....49.....x...
       0050 - 4b fa 2e c1 6b 19 d1 cd-8f b6 73 cd 90 47 1f 83   K...k.....s..G..
       0060 - 01 cf cc ee 92 e8 a5 11-9e 6f ea 76 f9 e4 bc 9c   .........o.v....
       0070 - 5f 01 20 c6 06 b6 d1 ec-00 3d 46 06 f4 99 89 d4   _. ......=F.....
       0080 - d9 3d de 6c 6a c6 f0 79-44 92 19 da 90 63 d3 19   .=.lj..yD....c..
       0090 - e9 3a cb 5d bc b6 ad 9f-d7 80 bf 6c 94 cb cc 0a   .:.].......l....
       00a0 - e5 42 26 3e 17 72 f2 83-c0 a2 a8 bd af e0 a6 65   .B&>.r.........e
       00b0 - 30 04 ca 4d 5c b3 df 34-9f d8 7f 10 66 6f 13 1b   0..M\..4....fo..
       00c0 - 3f de 3c 7d 43 3d 7c 42-37 46 95 e9 b9 fb 73 b6   ?.<}C=|B7F....s.
       00d0 - 55 ca 83 f5 98 38 a1 77-85 04 c1 1b 82 b9 4e bf   U....8.w......N.
       00e0 - 5f 24 7e a3 d9 5f 8e 50-a7 c0 28 c6 95 ed 16 20   _$~.._.P..(....
       00f0 - 0f 3b 1c 90 c7 3f f2 59-92 45 8f 01 00 22 2b 5f   .;...?.Y.E..."+_
       0100 - 6b 6a 12 d5 26 9a ea 61-dc c1 02 03 01 00 01      kj..&..a.......


On 3/24/2016 10:57 AM, Johannes Rath wrote:


--

  Douglas E. Engert  <[hidden email]>



Re: Key format of pkcs11-tool --read-object --type pubkey

Douglas E Engert
In reply to this post by Johannes Rath
Another option if you cannot use a newer version of pkcs11-tool.
If the card has a matching certificate, use pkcs11-tool to read the certificate,
then use:
openssl rsautl -certin

On 3/24/2016 10:57 AM, Johannes Rath wrote:


--

  Douglas E. Engert  <[hidden email]>



Re: Key format of pkcs11-tool --read-object --type pubkey

Johannes Rath
In reply to this post by Douglas E Engert
I am using OpenSC 0.15.0, but on Windows ;)

Looks like that version still uses the old format.

C:\Users\Demo\workspace>opensc-tool -i
OpenSC 0.15.0 [Microsoft 1600]
Enabled features:pcsc openssl zlib

C:\Users\Demo\workspace>pkcs11-tool --read-object --type pubkey --id 45 -o publickey_45_2.key
Using slot 1 with a present token (0x1)

C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey_45_2.key -dump
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :989FE2E678F264B80772816B3BCC064B
2C441E681DC8AD31ED686772EF7B9606FD1D72D16EFD2325BBB64AC318F518C806B91883339460AC
11E842B2D1FFC14058B0DB40EB5E08FB88C14FE9AF1B67464E39D0A050ED14DB6452CDF53AE87B35
BF09A09BD9F42DACC0ED36DA837240EC6466056AFEA22DC50C9D762F064924ED43826978802EF7A6
F81D7803CBB0B9C79B018A27B562BBF08E58424199880EC5147FC3E2E87EF6724C42BC6899DBF05F
2B3925C6F03D301ED0FB7FDB33A9E47CBD479EE57C462EAF78B5641C8F392273815839D070357F22
2AEA20D7AD6B8350A80FC3011B3478E1D4CCBAC1855C3910A9AC8287DACE818D0722488BE38B183F

  265:d=1  hl=2 l=   3 prim: INTEGER           :010001


Re: Key format of pkcs11-tool --read-object --type pubkey

Johannes Rath
The latest build definitely looks better:

C:\Users\Demo\workspace>opensc-tool -i
OpenSC 0.16.0rc1 [Microsoft 1800]
Enabled features:pcsc openssl zlib

C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey.der -dump
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING
      0000 - 00 30 82 01 0a 02 82 01-01 00 99 c9 eb 66 11 84   .0...........f..
      0010 - 89 08 a0 22 9d 1d cf 94-44 b8 e3 99 6c f9 7c c7   ..."....D...l.|.
      0020 - a7 bb 52 d5 1b 3d 57 01-20 9d ec 96 99 7f ab 14   ..R..=W. .......
      0030 - c0 18 06 07 89 9f d0 fa-5e 75 f1 2a 97 49 5b 44   ........^u.*.I[D
      0040 - bb 34 96 1e a0 af 11 79-20 2c 82 61 71 c3 cd 98   .4.....y ,.aq...
      0050 - 75 1e e1 6a dd 3e f2 e9-34 c5 66 cf 10 3d 3d f4   u..j.>..4.f..==.
      0060 - 60 a6 19 07 46 f6 b4 10-a2 5a 5f d7 40 b9 18 2d   `...F....Z_.@..-
      0070 - 9b 06 c2 18 0d 28 25 6c-ed d7 c9 92 5b d5 3a 36   .....(%l....[.:6
      0080 - 84 58 8a b6 7c 8c 1c d1-cd a2 7a 7f cf 87 c0 23   .X..|.....z....#
      0090 - 8c fe 84 39 1f 13 23 86-b6 d1 f7 5a 1e e6 b2 8f   ...9..#....Z....
      00a0 - 70 27 cb 60 f9 be 41 b4-d2 30 18 87 15 19 bd 42   p'.`..A..0.....B
      00b0 - 28 22 77 8c 2e 0c 2d 7d-91 dc 27 bc 15 5a 4f 1b   ("w...-}..'..ZO.
      00c0 - de 66 96 37 f7 10 4a 94-3c 8a ef e0 fe 33 2e f9   .f.7..J.<....3..
      00d0 - fe 3e 0a 1b 64 5d dc 54-a4 19 33 38 82 7e cb b4   .>..d].T..38.~..
      00e0 - af f7 82 65 71 75 d3 b5-1c b2 a3 f1 81 6f 74 3a   ...equ.......ot:
      00f0 - bb 0a 9d 56 d8 ea 4b 3c-e4 02 01 ae cc 95 90 ac   ...V..K<........
      0100 - 60 4d 69 9e ef 79 7c 55-bc 87 02 03 01 00 01      `Mi..y|U.......


Re: Key format of pkcs11-tool --read-object --type pubkey

Douglas E Engert
The term public key is ambiguous.

When there was only RSA, it was simple, modulus and exponent.
With EC there are the point and the parameters or namedcurve.
Other algorithms have different parameters too.
Then to tell them apart you need key type.

PKCS#11 presents the key type and the caller can request the attributes based on the key type.

pkcs11-tool was meant to be a test tool, and until EC was added pkcs11-tool
only worked with RSA.

OpenSSL may have evolved over the years, some apps may assume the type,
but later apps tend to take an EVP_KEY which includes a key type.

The SPKI from a certificate is the ASN.1 encoding for a EVP_KEY.


Have you tried reading the certificate? The rsautl says it can use a certificate in place of
a public key.


On 3/29/2016 2:33 AM, Johannes Rath wrote:

--

  Douglas E. Engert  <[hidden email]>
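The two encodings discussed in this thread (the bare PKCS#1 RSAPublicKey SEQUENCE of modulus and exponent that OpenSC 0.13.0/0.15.0 writes, and the SubjectPublicKeyInfo with the rsaEncryption AlgorithmIdentifier that 0.16.0 writes), as an added example that is not from the thread or from OpenSC: a small Python script that tells the two formats apart and wraps a bare RSAPublicKey into an SPKI so OpenSSL accepts it with -pubin. The 64-bit sample modulus is constructed for the demo only, and all function names are the example's own.

```python
# Added example (not from the thread): distinguish a raw PKCS#1 RSAPublicKey
# from a SubjectPublicKeyInfo (SPKI) and wrap the former so OpenSSL accepts it.
from __future__ import annotations

# id-rsaEncryption 1.2.840.113549.1.1.1 and the 13-byte AlgorithmIdentifier
# SEQUENCE { OID, NULL } that the thread's asn1parse output shows.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
ALGORITHM_IDENTIFIER = bytes.fromhex("300d") + RSA_ENCRYPTION_OID + b"\x05\x00"


def _encode_length(n: int) -> bytes:
    """DER definite-form length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F          # e.g. "30 82 01 0a" -> 2 length bytes, 266
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def parse_rsa_public_key(der: bytes) -> tuple[int, int]:
    """Parse RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t1, n, p = _read_tlv(seq, 0)
    t2, e, p = _read_tlv(seq, p)
    if (t1, t2) != (0x02, 0x02) or p != len(seq):
        raise ValueError("SEQUENCE is not {INTEGER, INTEGER}")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def detect_format(der: bytes) -> str:
    """SPKI starts with an AlgorithmIdentifier SEQUENCE; RSAPublicKey with an INTEGER."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30 or not seq:
        raise ValueError("not a DER SEQUENCE")
    if seq[0] == 0x30:
        return "SubjectPublicKeyInfo"
    if seq[0] == 0x02:
        return "RSAPublicKey"
    raise ValueError(f"unexpected inner tag 0x{seq[0]:02x}")


def rsa_public_key_to_spki(der: bytes) -> bytes:
    """Wrap RSAPublicKey in SPKI { AlgorithmIdentifier(rsaEncryption), BIT STRING }.
    Input is validated first so garbage is rejected instead of wrapped; SPKI input
    is returned unchanged."""
    if detect_format(der) == "SubjectPublicKeyInfo":
        return der
    parse_rsa_public_key(der)                    # raises on a malformed key
    bit_string = _tlv(0x03, b"\x00" + der)       # leading 0x00 = zero unused bits
    return _tlv(0x30, ALGORITHM_IDENTIFIER + bit_string)


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """Build a PKCS#1 RSAPublicKey from integers (used to construct the sample)."""
    def integer(v: int) -> bytes:
        # +8 instead of +7 keeps a leading 0x00 when the top bit is set (positive INTEGER)
        return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    return _tlv(0x30, integer(n) + integer(e))


# Constructed sample: a tiny, insecure, demo-only 64-bit modulus with e = 65537,
# standing in for the 2048-bit key that pkcs11-tool 0.15.0 exports bare.
SAMPLE_RSA_PUBLIC_KEY = encode_rsa_public_key(0xD1C5D7F38C9134A4, 65537)

if __name__ == "__main__":
    spki = rsa_public_key_to_spki(SAMPLE_RSA_PUBLIC_KEY)
    print(detect_format(SAMPLE_RSA_PUBLIC_KEY), "->", detect_format(spki))
    print(spki.hex())
```

The same conversion with the OpenSSL command line is `openssl rsa -RSAPublicKey_in -inform DER -in publickey.key -pubout -out publickey.pem`, after which the PEM works with `rsautl -pubin` as in the original post.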
