encrypt / decrypt


encrypt / decrypt

J.Witvliet
Hi all,

I've been trying to make more use of our smartcards, but I think I am missing the point somehow.
What I would like to do is:
a) encrypt some data, by means of one of my private keys on my smartcard
someone else should be able to decrypt it with the public key on my certificate.

b) let someone else encrypt some data, by means of my public key on my certificate.
I should be able to decrypt it with one of my private keys on my smartcard.

I speak in plural about keys/certificates, because we have different pairs for authentication/non-repudiation/etc.

So first I load the engine:
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so  -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libaetpkss.so.3.0
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/libaetpkss.so.3.0
Loaded: (pkcs11) pkcs11 engine
OpenSSL>

And next I try to encrypt something:
OpenSSL>
OpenSSL> enc -base64 -in /root/data.txt -out file.txt.enc -engine pkcs11
engine "pkcs11" set.
OpenSSL>

OpenSSL> enc -d -aes-256-cbc -a -in file.txt.enc -engine pkcs11
engine "pkcs11" set.
enter aes-256-cbc decryption password:
error in enc
OpenSSL>


I presume I'll have to specify which private key (and PIN) to use, although "-k 41" or "-k 43" does not work either, and neither does "-key id_43".
Am I missing something, or is this just not possible?

Hans


This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: encrypt / decrypt

Douglas E. Engert


On 8/22/2012 9:50 AM, [hidden email] wrote:

> I presume I'll have to specify which private key (and PIN) to use, although "-k 41" or "-k 43" does not work either, and neither does "-key id_43".
> Am I missing something, or is this just not possible?

Yes, you are missing something. Because asymmetric key encryption like RSA is
slow and the amount of data that can be encrypted is limited, what is usually
done is to encrypt the data with a symmetric key, like AES, then encrypt the AES
key using the RSA public key. The encrypted data and the encrypted key are then
sent, and the process is reversed using the RSA private key.

This packaging of the message is usually done with something like S/MIME or CMS;
OpenSSL can do both (CMS in newer versions only).


--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



Re: encrypt / decrypt

J.Witvliet
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Douglas E. Engert
Sent: Wednesday, August 22, 2012 5:12 PM
To: [hidden email]

No, the aspect of using a symmetric key didn't slip my mind.
That works very well when encrypting large amounts of data...
But when the symmetric key is large (compared to the data), then the overhead does not justify the means. (I think)
And you have to transfer the encrypted key as well as the encrypted data.

Hw


Re: encrypt / decrypt

J.Witvliet

Or actually, if you mean that I took the wrong tool from the gigantic openssl toolbox...
When looking at the openssl manpage I see:
 `openssl smime -sign -in text.plain -text -out text.encr -signer mycert.pem -inkey mykey.pem -certfile mycerts.pem`
So how should I point to the keys and crt on the smartcard?

Hw



Re: encrypt / decrypt

Douglas E. Engert


On 8/22/2012 10:51 AM, [hidden email] wrote:

>> And next I try to encrypt something:
>> OpenSSL>
>> OpenSSL> enc -base64 -in /root/data.txt -out file.txt.enc -engine pkcs11
>> engine "pkcs11" set.
>> OpenSSL>
>>

openssl enc only works with symmetric keys. You could write
your own program to use openssl to use RSA.


> No, the aspect of using a symmetric key didn't slip my mind.
> That works very well when encrypting large amounts of data...
> But when the symmetric key is large (compared to the data), then the overhead does not justify the means. (I think)
> And you have to transfer the encrypted key as well as the encrypted data.
>

How short are these messages?

Using PKCS#11 CKM_RSA_X_509, the size of the message must be less than the size of
the modulus, and if using some padded version, between 11 bytes less and maybe half
the size of the modulus.

Using RSA directly on a previously sent message will produce the same encrypted
output, which could be subject to examination or replay.

S/MIME and CMS avoid many of these security issues and others.

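As an added example (not code from this thread, and nothing that engine_pkcs11 or the AET library provides), here is pure-Python textbook RSA that shows the two points Douglas makes above and in his first reply: how much fits into one RSA operation for each PKCS#11 mechanism, and why raw CKM_RSA_X_509 on a repeated message repeats its ciphertext while PKCS#1 v1.5 wrapping of a fresh symmetric key does not. Python is used because it runs offline without a card; the demo key, its fixed seed and the 32-byte sample key are constructed here, and a real deployment does this through CMS/S/MIME with the card's key, as the thread recommends.

```python
import random
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin test; good enough for a throwaway demo key."""
    if n < 2 or any(n % p == 0 for p in _SMALL_PRIMES):
        return n in _SMALL_PRIMES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_demo_key(bits: int = 1024, seed: int = 2012) -> tuple:
    """Return (n, e, d). Seeded so the demo is reproducible (constructed demo
    key); a real key comes from a CSPRNG or, as in the thread, never leaves the card."""
    rng = random.Random(seed)
    e = 65537

    def prime(b: int) -> int:
        while True:  # force the top bit (so n has the intended size) and oddness
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def max_plaintext_bytes(k: int, mechanism: str) -> int:
    """Largest plaintext one RSA operation carries for a k-byte modulus (PKCS#1 figures)."""
    return {
        "raw": k,                       # CKM_RSA_X_509: no padding, value must stay below n
        "pkcs1v15": k - 11,             # CKM_RSA_PKCS: 3 fixed bytes + at least 8 random
        "oaep-sha1": k - 2 * 20 - 2,    # CKM_RSA_PKCS_OAEP with SHA-1
        "oaep-sha256": k - 2 * 32 - 2,  # OAEP with SHA-256: about half of a 1024-bit n
    }[mechanism]

def rsa_raw_encrypt(n: int, e: int, msg: bytes) -> bytes:
    """Textbook RSA (CKM_RSA_X_509): deterministic, so a repeated message yields
    the same ciphertext; that is the examination/replay problem raised above."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(msg, "big")
    if len(msg) > k or m >= n:
        raise ValueError(f"{len(msg)} bytes do not fit one raw RSA block of {k} bytes")
    return pow(m, e, n).to_bytes(k, "big")

def rsa_pkcs1v15_encrypt(n: int, e: int, msg: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 (CKM_RSA_PKCS): random non-zero padding, so each ciphertext
    differs. This is the key-transport step CMS/S/MIME uses to wrap a fresh AES key."""
    k = (n.bit_length() + 7) // 8
    if len(msg) > max_plaintext_bytes(k, "pkcs1v15"):
        raise ValueError(f"{len(msg)} bytes exceed the {k - 11}-byte PKCS#1 v1.5 limit")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - len(msg) - 3))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")

def rsa_pkcs1v15_decrypt(n: int, d: int, ct: bytes) -> bytes:
    """Private-key operation plus unpadding. Production code must not reveal
    why unpadding failed (padding-oracle risk); this demo simply raises."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[2:]:
        raise ValueError("decryption error")
    return em[em.index(b"\x00", 2) + 1:]
```

With a 1024-bit demo key, a 1 KB message (the upper end of the sizes Hans mentions) is rejected outright, a 32-byte AES key fits under every mechanism, and only the padded mechanism gives a fresh ciphertext on each wrap.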

Re: encrypt / decrypt

J.Witvliet
See below...

-----Original Message-----
From: Douglas E. Engert [mailto:[hidden email]]
Sent: Wednesday, August 22, 2012 6:27 PM
To: Witvliet, J, CDC/IV/DCOPS/I&S/HIN
Cc: [hidden email]
Subject: Re: [opensc-devel] encrypt / decrypt

Ok Douglas,

Regarding sizes, they vary between 32B and 1KB.

Had a look at openssl smime.
Encryption seems to be no problem:
OpenSSL> smime -encrypt -in /root/data.txt -out  /root/data.enc  hwit-43.pem


But (returning to the original subject) how to specify the private key on the card?
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so  -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/libaetpkss.so.3.0
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/libaetpkss.so.3.0
Loaded: (pkcs11) pkcs11 engine
OpenSSL>

OpenSSL> smime -decrypt -in /root/data.enc -out /root/data.dec -engine  pkcs11 -keyform  ENGINE
error in smime
No recipient certificate or key specified
[Understandable...]


OpenSSL> smime -decrypt -in /root/data.enc -out /root/data.dec -engine  pkcs11 -keyform  ENGINE -inkey 43
engine "pkcs11" set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load signing key file from engine 2771:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load signing key file
error in smime

while  pkcs11-tool -O ... shows
...
Private Key Object; RSA
  label:      Vertrouwelijkheid
  ID:         43
  Usage:      decrypt, unwrap
...

Even though I specified to use the pkcs11 engine, it still seems to look for a key file.
Same if I specify: "-inkey id_43"

Hans



Re: encrypt / decrypt

Douglas E. Engert


On 8/23/2012 5:21 AM, [hidden email] wrote:

> OpenSSL> smime -decrypt -in /root/data.enc -out /root/data.dec -engine  pkcs11 -keyform  ENGINE -inkey 43
> engine "pkcs11" set.
> Invalid slot number: 0
> PKCS11_get_private_key returned NULL
> cannot load signing key file from engine 2771:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
> unable to load signing key file
> error in smime
>
> while  pkcs11-tool -O ... shows
> ...
> Private Key Object; RSA
>    label:      Vertrouwelijkheid
>    ID:         43
>    Usage:      decrypt, unwrap
> ...
>
> Even though I specified to use the pkcs11 engine, it still seems to look for a key file.
> Same if I specify: "-inkey id_43"


This sounds like a slot issue, and you may need to try -inkey slot_1-id_43

You may also want to try using the OpenSC pkcs11-spy to print out the PKCS#11 calls,
since you are using your own /usr/lib/libaetpkss.so.3.0 and it may be handling the slot
differently than opensc-pkcs11.so does.

Something like:

OPENSC_PATH=/usr/lib

# point the engine at pkcs11-spy, which logs every PKCS#11 call to
# PKCS11SPY_OUTPUT and forwards it to the real module named in PKCS11SPY
MODULE=$OPENSC_PATH/pkcs11-spy.so
PKCS11SPY=/usr/lib/libaetpkss.so.3.0
export PKCS11SPY
PKCS11SPY_OUTPUT=/tmp/pkcs11.spy.log
export PKCS11SPY_OUTPUT

openssl << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_PATH/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD  -pre MODULE_PATH:$MODULE

smime -decrypt -in /root/data.enc -out /root/data.dec -engine  pkcs11 -keyform  ENGINE -inkey slot_1-id_43

EOT
