pkcs11-tool-lite - stripped down version of pkcs11-tool
Is it possible to have a stripped-down and slimmed version of
pkcs11-tool (or a similar, maybe new) program which does just one
thing: read the contents of a data object (given by either
application-id or application-label) on a smartcard (enter PIN if the
data object was previously stored with --auth-id option) and display it
on the console? I do not need this new program (modified pkcs11-tool or
otherwise) to do anything else, i.e. sign data, store keys, do hashing
etc - just to read a specified data object, display that data on the
console and finish.
The reason I am asking for this is simple: I am currently designing a
module to be included in the initrd/initramfs which needs to read a data
object token from a smartcard and use this data to unlock/open root (/).
If I use the current pkcs11-tool/pkcs15-tool I need to have at least 5
other packages installed and satisfy another dozen or so other
dependencies (and have openct and possibly pcscd daemons running!),
which, to me, is a big overkill. Besides, initrd/initramfs run a very
limited kernel system and I am not sure I would be able to satisfy all
the dependencies in order to make it work, hence I need a 'lite'
version of a tool which is designed to do just the reading and
displaying of the specified data object and that's it.
Re: [opensc-devel] pkcs11-tool-lite - stripped down version of pkcs11-tool
> you could use something like this:
> pkcs15-crypt --key 3b8d4e --input cipher.bin --decipher -R
> The only requirement is libpcsclite. Everything else could be turned
> off. Correct?
You've lost me!
I already have the data object stored on my smartcard and I need a
stripped-down pkcs11-tool/other program to just read its contents and do
nothing else. I do not want to use any crypt/decrypt/decipher etc
operations - just plain read (and login if the data object has been
stored with the private flag on). That's all.
I already use libpcsclite, but there are other dependencies on (mainly)
openct as well as the pcsc-lite libraries you mention (libdbus-1.so.3,
libhal.so.1 are two of those).
> If you don't want a running pcscd, you could try to get libpcsclite to
> access the usb stack directly. In other words, build a wrapper around
> libccid with an api compatible with libpcsclite. Not an easy task, I
I have two different tokens and neither of them works without the pcscd
daemon running (which itself depends on openct also running, and so on...).
> Is it possible to have a stripped-down and slimmed version of
> pkcs11-tool (or a similar, maybe new) program which does just one
> thing: read the contents of a data object (given by either
> application-id or application-label) on a smartcard (enter PIN if the
> data object was previously stored with --auth-id option) and display it
> on the console? I do not need this new program (modified pkcs11-tool or
> otherwise) to do anything else, i.e. sign data, store keys, do hashing
> etc - just to read a specified data object, display that data on the
> console and finish.
> Is this possible?
I didn't think it was physically possible to read the actual key out of
a token or smartcard, otherwise it would be easy to duplicate them.
Instead, the smartcard has to participate in the key exchange signing.
Now, of course, I could be misunderstanding your requirements here.
Re: pkcs11-tool-lite - stripped down version of pkcs11-tool
> I didn't think it was physically possible to read the actual key out of
> a token or smartcard, otherwise it would be easy to duplicate them.
> Instead, the smartcard has to participate in the key exchange signing.
> Now, of course, I could be misunderstanding your requirements here.
You are indeed. I want to read a data object, not a private key.
Data objects, like certificates/public keys, can be read out of the
smartcard without any problem. Another advantage of data tokens is that
they can be either 'public', in which case no login to the smartcard is
necessary to retrieve the raw data, or they can be marked as
'private', in which case in order to retrieve (read) the data token the
correct smartcard PIN has to be specified.
The current set of programs - pkcs11-tool, pkcs15-tool, pkcs15-init etc
- require a large number of (deep-level) dependencies to run. That, in
normal circumstances, is not a problem as these are easily
supplied/installed from the desktop machine on which these tools are
installed and run.
The problem is that the system which runs initrd/initramfs is
'bare-bones' - very basic - so, I think, most of these dependencies
won't be easy to satisfy (I haven't yet been able to test 'forcing' the
above tools to work in such a restricted environment - will do that over
the weekend as this is my Plan B if everything else fails), hence my
initial post to see if the source code of the above tools can be
(easily) modified/stripped to allow me to just run the 'read' function
with the hope that I won't need so many dependencies in order to run it.
There is another possibility that there might be another tool which just
does 'read' from a smartcard, but I do not know if that is the case.
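The read that the first post asks for, and the public/private distinction the last reply explains, as an added shell example (not code from the thread or from OpenSC): it drives pkcs11-tool's --read-object on a data object selected by application label or application id, and adds --login with a PIN only when the object was stored as private. The module path, the DRY_RUN switch and the sample label/id values are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread: read one data object off a smartcard
# with pkcs11-tool and emit its raw value on stdout (e.g. for the initramfs
# root-unlock step). The module path below is an assumption.
MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"

# read_data_object SELECTOR VALUE [PIN]
#   SELECTOR  "label" (match on application label) or "id" (application id)
#   VALUE     the label text or the id the object was stored with
#   PIN       user PIN; pass it only when the object was stored as private,
#             so a public object is read without any login at all
# With DRY_RUN=1 (a switch added here) the argument list is printed one
# per line instead of running the tool, so the logic can be checked
# without a reader attached.
read_data_object() {
    sel=$1; val=$2; pin=$3
    set -- --module "$MODULE" --read-object --type data
    case "$sel" in
        label) set -- "$@" --application-label "$val" ;;
        id)    set -- "$@" --application-id "$val" ;;
        *) echo "read_data_object: selector must be label or id" >&2; return 2 ;;
    esac
    # Private objects need a logged-in session; public ones must not prompt.
    if [ -n "$pin" ]; then
        set -- "$@" --login --pin "$pin"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    pkcs11-tool "$@"
}

# Usage from an initramfs hook (assumed names), e.g.:
#   read_data_object label luks-key "$PIN" > /run/unlock-key
```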