using engine_pkcs11.so and generating keys

using engine_pkcs11.so and generating keys

Cornelius Kölbel
Hello List,

In all the examples, when generating a key pair and a certificate request on the token, it is done in two steps:
1. generating the private key using pkcs15-init
2. generating the request using openssl

There is this cool openssl-engine included in opensc that makes it possible to load pkcs11-modules.

I must admit, I loaded a closed source pkcs11-module into openssl.

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libetpkcs11.so

Is there any way to generate the private key using openssl and the engine? When I do genrsa -engine pkcs11, all output goes to the filesystem.

Regards
Cornelius





_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: using engine_pkcs11.so and generating keys

Nils Larsch
Cornelius Kölbel wrote:

> Hello List,
>
> in all the examples, when generating a key pair and a certificate
> request on the token, it is done in two steps:
> 1. generating the private key using pkcs15-init
> 2. generating the request using openssl
>
> There is this cool openssl-engine included in opensc, that makes it
> possible to load pkcs11-modules.
>
> I must admit, I loaded a closed source pkcs11-module into openssl.
>
> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so
> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
> MODULE_PATH:/usr/local/lib/libetpkcs11.so
>
> Is there any way to generate the private key using openssl and the
> engine? When I do genrsa -engine pkcs11 every output goes to the
> filesystem.

afaik that's currently not possible (and actually it's not
even a really good idea anyway as you cannot specify key
attributes with openssl at the moment).
You might try to use pkcs11-tool.

Cheers,
Nils

Re: using engine_pkcs11.so and generating keys

Cornelius Kölbel
Hm, that's true.
I cannot specify key attributes :(

OK, I managed to generate the keys by
pkcs11-tool --module /usr/local/lib/libetpkcs11.so -k -l

But how would I specify, e.g., the key length this way?
I only get 768 bit keys but I'd like to get 1024 bit.
I couldn't make out anything from the manpage.

regards
Cornelius

Nils Larsch wrote:

> Cornelius Kölbel wrote:
>
>> Hello List,
>>
>> in all the examples, when generating a key pair and a certificate
>> request on the token, it is done in two steps:
>> 1. generating the private key using pkcs15-init
>> 2. generating the request using openssl
>>
>> There is this cool openssl-engine included in opensc, that makes it
>> possible to load pkcs11-modules.
>>
>> I must admit, I loaded a closed source pkcs11-module into openssl.
>>
>> OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so
>> -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
>> MODULE_PATH:/usr/local/lib/libetpkcs11.so
>>
>> Is there any way to generate the private key using openssl and the
>> engine? When I do genrsa -engine pkcs11 every output goes to the
>> filesystem.
>
>
> afaik that's currently not possible (and actually it's not
> even a really good idea anyway as you cannot specify key
> attributes with openssl at the moment).
> You might try to use pkcs11-tool.
>
> Cheers,
> Nils


Re: using engine_pkcs11.so and generating keys

Nils Larsch
Cornelius Kölbel wrote:
> Hm, that's true.
> I can not specify key attributes :(
>
> OK, I managed to generate the keys by
> pkcs11-tool --module /usr/local/lib/libetpkcs11.so -k -l
>
> But how would I specify i.e. the key length this way?
> I only get 768 bit keys but I'd like to get 1024 bit.
> I couldn't make out anything from the manpage.

Oops, looking at the code it looks like the key size is
fixed to 768 ... not so good. So it looks like you
need to fix pkcs11-tool.c (perhaps you should create
a bug report at [1]). Sorry for that.

Cheers,
Nils

[1] http://www.opensc.org/opensc/newticket

Re: using engine_pkcs11.so and generating keys

Andreas Jellinghaus
Hi Cornelius,

I guess in theory it would be possible.

But at the time the engines were written, opensc could
not generate keys via the pkcs#11 interface - you had
to use the command line tool. These days you can do that
(but I didn't test it so far), so we could extend
the engine to pass key creation via pkcs#11, too.

At least if openssl supports that, I guess it does.
But as Nils already mentioned, you won't be able to pass
certain flags such as the usage bits, as a normal file
based key creation doesn't know about that.

Regards, Andreas

Re: using engine_pkcs11.so and generating keys

Cornelius Kölbel
Hi Andreas,

As it is also possible to use modules with the pkcs11-tool, I managed to
create the keys.
I must admit, it seems to be more interesting to improve the pkcs11-tool
than to add key creating to the openssl-engine.

Regards
Cornelius


Andreas Jellinghaus wrote:

>Hi Cornelius,
>
>I guess in theory it would be possible.
>
>But at the time the engines were written, opensc could
>not generate keys via the pkcs#11 initerface - you had
>to use the command line tool. These days you can do that
>(but I didn't test it so far), so we could extend
>the engine to pass key creation via pkcs#11, too.
>
>At least if openssl supports that, I guess it does.
>But as Nils already mentioned, you won't be able to pass
>certain flags such as the usage bits, as a normal file
>based key creation doesn't know about that.
>
>Regards, Andreas
>  
>



Re: using engine_pkcs11.so and generating keys

Nils Larsch
Cornelius Kölbel wrote:
> Hi Andreas,
>
> as it is also possible to use modules with the pkcs11-tool, i managed to
> create the keys.
> I must admit, it seems to be more interesting to improve the pkcs11-tool
> than to add key creating to the openssl-engine.

Could you please test the attached patch?

Cheers,
Nils

Index: src/tools/pkcs11-tool.c
===================================================================
--- src/tools/pkcs11-tool.c (Revision 2605)
+++ src/tools/pkcs11-tool.c (Arbeitskopie)
@@ -49,6 +49,7 @@
  OPT_INIT_TOKEN,
  OPT_INIT_PIN,
  OPT_ATTR_FROM,
+ OPT_KEY_TYPE
 };
 
 const struct option options[] = {
@@ -68,6 +69,7 @@
  { "init-pin", 0, 0, OPT_INIT_PIN },
  { "change-pin", 0, 0, 'c' },
  { "keypairgen", 0, 0, 'k' },
+ { "key-type", 1, 0, OPT_KEY_TYPE },
  { "write-object", 1, 0, 'w' },
  { "read-object", 0, 0, 'r' },
  { "application-id", 1, 0, OPT_APPLICATION_ID },
@@ -105,6 +107,7 @@
  "Initialize the User PIN (use with --pin)",
  "Change your User PIN",
  "Key pair generation",
+ "Specify the type and length of the key to create, for example rsa:1024",
  "Write an object (key, cert) to the card",
  "Get object's CKA_VALUE attribute (use with --type)",
  "Specify the application id of the data object (use with --type data)",
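Review bot: the help string added in this hunk, "Specify the type and length of the key to create, for example rsa:1024", does not say that rsa is the only type the option accepts, although gen_keypair() rejects every other prefix with fatal("Unknown key type"). State the restriction and the default in the help text, for example "Specify the type and length of the key to create (only RSA is supported, default rsa:768), for example rsa:1024", so a user does not try ec or dsa and get an opaque failure.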
@@ -142,7 +145,8 @@
 static char * opt_object_label = NULL;
 static char * opt_pin = NULL;
 static char * opt_so_pin = NULL;
-static char * opt_application_id = NULL;
+static char * opt_application_id = NULL;
+static char * opt_key_type = NULL;
 
 static void *module = NULL;
 static CK_FUNCTION_LIST_PTR p11 = NULL;
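Review bot: the `-static char * opt_application_id = NULL;` / `+static char * opt_application_id = NULL;` pair in this hunk is a whitespace-only change to an unrelated line (the hunk header shows 7 lines becoming 8, so only the new variable is real). Drop that pair so the hunk adds only `static char * opt_key_type = NULL;` and the diff stays easy to review and to backport.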
@@ -202,7 +206,7 @@
  CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
 static void hash_data(CK_SLOT_ID, CK_SESSION_HANDLE);
 static int gen_keypair(CK_SLOT_ID, CK_SESSION_HANDLE,
- CK_OBJECT_HANDLE *, CK_OBJECT_HANDLE *);
+ CK_OBJECT_HANDLE *, CK_OBJECT_HANDLE *, const char *);
 static int write_object(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
 static int read_object(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
 static void set_id_attr(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
@@ -413,6 +417,9 @@
  do_init_pin = 1;
  action_count++;
  break ;
+ case OPT_KEY_TYPE:
+ opt_key_type = optarg;
+ break;
  default:
  print_usage_and_die();
  }
@@ -543,7 +550,7 @@
 
  if (do_gen_keypair) {
  CK_OBJECT_HANDLE hPublicKey, hPrivateKey;
- gen_keypair(opt_slot, session, &hPublicKey, &hPrivateKey);
+ gen_keypair(opt_slot, session, &hPublicKey, &hPrivateKey, opt_key_type);
  }
 
  if (do_write_object) {
@@ -997,7 +1004,7 @@
 
 int
 gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
- CK_OBJECT_HANDLE *hPublicKey, CK_OBJECT_HANDLE *hPrivateKey)
+ CK_OBJECT_HANDLE *hPublicKey, CK_OBJECT_HANDLE *hPrivateKey, const char *type)
 {
  CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
  CK_ULONG modulusBits = 768;
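Review bot: `CK_ULONG modulusBits = 768;` keeps 768 as the size used whenever --key-type is absent, which is exactly the key length the thread started out complaining about; the built-in test further down even announces "Generating a 1024 bit RSA key pair". Consider raising the default to 1024 in the same patch, since callers who never pass the new option will otherwise keep getting the weaker key without noticing.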
@@ -1026,6 +1033,22 @@
  int n_privkey_attr = 7;
  CK_RV rv;
 
+ if (type != NULL) {
+ if (strncmp(type, "RSA:", strlen("RSA:")) == 0 ||
+    strncmp(type, "rsa:", strlen("rsa:")) == 0) {
+ CK_ULONG    key_length;
+ const char *size = type + strlen("RSA:");
+
+ if (size == NULL)
+ fatal("Unknown key type %s", type);
+ key_length = (unsigned long)atol(size);
+ if (key_length != 0)
+ modulusBits = key_length;
+ } else {
+ fatal("Unknown key type %s", type);
+ }
+ }
+
  if (opt_object_label != NULL) {
  FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_LABEL,
  opt_object_label, strlen(opt_object_label));
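Review bot: the `if (size == NULL)` check in this hunk can never fire, because `type + strlen("RSA:")` is a valid non-null pointer whenever the preceding strncmp() matched; what needs checking is an empty or non-numeric size string. As written, atol() returns 0 for "rsa:" and "rsa:abc", and `if (key_length != 0)` then silently keeps the 768-bit default, so a typo in the argument yields a weaker key than requested without any error; "rsa:-1024" is worse, since the cast to unsigned long produces a huge modulus size that is handed straight to the token. Parse with strtoul() and an end pointer, reject a leading sign or a non-empty remainder, and call fatal() on a bad value instead of falling back. It would also be worth comparing the result with ulMinKeySize/ulMaxKeySize from C_GetMechanismInfo() for CKM_RSA_PKCS_KEY_PAIR_GEN so the tool reports an unsupported size rather than an unexplained CKR error from the module. Minor: "Rsa:1024" is rejected while "RSA:" and "rsa:" are accepted; a single strncasecmp() covers all spellings.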
@@ -2977,7 +3000,7 @@
 
  printf("\n*** Generating a 1024 bit RSA key pair ***\n");
 
- if (!gen_keypair(slot, session, &pub_key, &priv_key))
+ if (!gen_keypair(slot, session, &pub_key, &priv_key, opt_key_type))
  return;
 
  tmp = getID(session, priv_key, (CK_ULONG *) &opt_object_id_len);
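Review bot: the unchanged `printf("\n*** Generating a 1024 bit RSA key pair ***\n");` in this hunk is now misleading, since gen_keypair() receives opt_key_type and creates whatever size the user passed, or 768 bits when the option is absent. Either print the size actually used or pass a fixed "rsa:1024" here so the self-test generates what it announces.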

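Added example, not code from the OpenSC project or from anyone in this thread: a stricter parser for the rsa:<bits> argument that the --key-type option in the patch above takes, written so that the two failure modes the thread runs into (a key size that is silently fixed at 768, and a size string that is ignored when it does not parse) become explicit errors rather than a weaker key. The enum and function names, the 1024-bit default, and the caller-supplied min/max bounds (which a real tool would read from C_GetMechanismInfo()'s ulMinKeySize/ulMaxKeySize for CKM_RSA_PKCS_KEY_PAIR_GEN) are assumptions of this example; the input list in main() is constructed so the function can be exercised without a token.

```c
/*
 * Added example (not OpenSC code): strict parsing of "rsa:<bits>" for a
 * --key-type style option.  strtoul() with an end-pointer check replaces
 * atol(), so "rsa:", "rsa:abc", "rsa:-1024" and "rsa:1024x" are rejected
 * instead of silently falling back to a default size.  min_bits/max_bits
 * stand in for CK_MECHANISM_INFO.ulMinKeySize/ulMaxKeySize (assumption:
 * the caller fetched them with C_GetMechanismInfo for the target slot).
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

#define DEFAULT_RSA_BITS 1024UL /* assumption: 1024 instead of the thread's 768 */

enum keytype_status {
    KT_OK = 0,
    KT_UNKNOWN_TYPE,  /* prefix is not "rsa:" in any letter case */
    KT_BAD_NUMBER,    /* empty, non-numeric, signed, or trailing junk */
    KT_OUT_OF_RANGE   /* outside [min_bits, max_bits] */
};

/*
 * Parse "rsa:<bits>" into *bits.  A NULL or empty type selects
 * DEFAULT_RSA_BITS, mirroring a tool run without --key-type; the default
 * is still checked against the mechanism bounds.
 */
enum keytype_status parse_rsa_key_type(const char *type,
                                       unsigned long min_bits,
                                       unsigned long max_bits,
                                       unsigned long *bits)
{
    const char *size;
    char *end;
    unsigned long val;

    if (type == NULL || *type == '\0') {
        *bits = DEFAULT_RSA_BITS;
        return (*bits >= min_bits && *bits <= max_bits) ? KT_OK : KT_OUT_OF_RANGE;
    }

    if (strncasecmp(type, "rsa:", 4) != 0)
        return KT_UNKNOWN_TYPE;

    size = type + 4;

    /* strtoul() would accept leading whitespace and a sign; refuse both. */
    if (!isdigit((unsigned char)*size))
        return KT_BAD_NUMBER;

    errno = 0;
    val = strtoul(size, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return KT_BAD_NUMBER;

    if (val < min_bits || val > max_bits)
        return KT_OUT_OF_RANGE;

    *bits = val;
    return KT_OK;
}

int main(void)
{
    /* Constructed mechanism limits; a real tool would read them from
     * C_GetMechanismInfo() for CKM_RSA_PKCS_KEY_PAIR_GEN. */
    const unsigned long min_bits = 512, max_bits = 4096;
    const char *inputs[] = { NULL, "rsa:1024", "RSA:2048", "rsa:", "rsa:abc",
                             "rsa:-1024", "rsa:1024x", "rsa:256", "dsa:1024" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        unsigned long bits = 0;
        enum keytype_status st =
            parse_rsa_key_type(inputs[i], min_bits, max_bits, &bits);
        printf("%-10s -> status %d, bits %lu\n",
               inputs[i] ? inputs[i] : "(null)", (int)st, bits);
    }
    return 0;
}
```

Build and run with `cc -Wall -o keytype keytype.c && ./keytype`. The point of returning a status instead of calling fatal() inside the parser is that the caller decides how to report the error, and the function itself can be unit-tested against every malformed spelling a user is likely to type.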

Re: using engine_pkcs11.so and generating keys

Cornelius Kölbel
Hello Nils,

I checked out the latest opensc, applied the patch and compiled it on my
FC4.

It looks good! It works for different key sizes.

Kind regards
Cornelius

--snip--
[root@schnuck trunk]# src/tools/pkcs11-tool --module
/usr/local/lib/libetpkcs11.so -k --key-type rsa:1024 -l --id 45 --label NEW
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      NEW
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
  label:      NEW
  ID:         45
  Usage:      encrypt, verify, wrap
[root@schnuck trunk]# src/tools/pkcs11-tool --module
/usr/local/lib/libetpkcs11.so -k --key-type rsa:768 -l --id 46 --label NEW
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      NEW
  ID:         46
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 768 bits
  label:      NEW
  ID:         46
  Usage:      encrypt, verify, wrap
[root@schnuck trunk]# src/tools/pkcs11-tool --module
/usr/local/lib/libetpkcs11.so -k --key-type rsa:512 -l --id 47 --label NEW
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      NEW
  ID:         47
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 512 bits
  label:      NEW
  ID:         47
  Usage:      encrypt, verify, wrap

--snip--



Nils Larsch wrote:

> Cornelius Kölbel wrote:
>
>> Hi Andreas,
>>
>> as it is also possible to use modules with the pkcs11-tool, i managed
>> to create the keys.
>> I must admit, it seems to be more interesting to improve the
>> pkcs11-tool than to add key creating to the openssl-engine.
>
>
> could you please test the attached patch
>
> Cheers,
> Nils
>
>------------------------------------------------------------------------
>
>Index: src/tools/pkcs11-tool.c
>===================================================================
>--- src/tools/pkcs11-tool.c (Revision 2605)
>+++ src/tools/pkcs11-tool.c (Arbeitskopie)
>@@ -49,6 +49,7 @@
> OPT_INIT_TOKEN,
> OPT_INIT_PIN,
> OPT_ATTR_FROM,
>+ OPT_KEY_TYPE
> };
>
> const struct option options[] = {
>@@ -68,6 +69,7 @@
> { "init-pin", 0, 0, OPT_INIT_PIN },
> { "change-pin", 0, 0, 'c' },
> { "keypairgen", 0, 0, 'k' },
>+ { "key-type", 1, 0, OPT_KEY_TYPE },
> { "write-object", 1, 0, 'w' },
> { "read-object", 0, 0, 'r' },
> { "application-id", 1, 0, OPT_APPLICATION_ID },
>@@ -105,6 +107,7 @@
> "Initialize the User PIN (use with --pin)",
> "Change your User PIN",
> "Key pair generation",
>+ "Specify the type and length of the key to create, for example rsa:1024",
> "Write an object (key, cert) to the card",
> "Get object's CKA_VALUE attribute (use with --type)",
> "Specify the application id of the data object (use with --type data)",
>@@ -142,7 +145,8 @@
> static char * opt_object_label = NULL;
> static char * opt_pin = NULL;
> static char * opt_so_pin = NULL;
>-static char * opt_application_id = NULL;
>+static char * opt_application_id = NULL;
>+static char * opt_key_type = NULL;
>
> static void *module = NULL;
> static CK_FUNCTION_LIST_PTR p11 = NULL;
>@@ -202,7 +206,7 @@
> CK_SESSION_HANDLE, CK_OBJECT_HANDLE);
> static void hash_data(CK_SLOT_ID, CK_SESSION_HANDLE);
> static int gen_keypair(CK_SLOT_ID, CK_SESSION_HANDLE,
>- CK_OBJECT_HANDLE *, CK_OBJECT_HANDLE *);
>+ CK_OBJECT_HANDLE *, CK_OBJECT_HANDLE *, const char *);
> static int write_object(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
> static int read_object(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
> static void set_id_attr(CK_SLOT_ID slot, CK_SESSION_HANDLE session);
>@@ -413,6 +417,9 @@
> do_init_pin = 1;
> action_count++;
> break ;
>+ case OPT_KEY_TYPE:
>+ opt_key_type = optarg;
>+ break;
> default:
> print_usage_and_die();
> }
>@@ -543,7 +550,7 @@
>
> if (do_gen_keypair) {
> CK_OBJECT_HANDLE hPublicKey, hPrivateKey;
>- gen_keypair(opt_slot, session, &hPublicKey, &hPrivateKey);
>+ gen_keypair(opt_slot, session, &hPublicKey, &hPrivateKey, opt_key_type);
> }
>
> if (do_write_object) {
>@@ -997,7 +1004,7 @@
>
> int
> gen_keypair(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
>- CK_OBJECT_HANDLE *hPublicKey, CK_OBJECT_HANDLE *hPrivateKey)
>+ CK_OBJECT_HANDLE *hPublicKey, CK_OBJECT_HANDLE *hPrivateKey, const char *type)
> {
> CK_MECHANISM mechanism = {CKM_RSA_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
> CK_ULONG modulusBits = 768;
>@@ -1026,6 +1033,22 @@
> int n_privkey_attr = 7;
> CK_RV rv;
>
>+ if (type != NULL) {
>+ if (strncmp(type, "RSA:", strlen("RSA:")) == 0 ||
>+    strncmp(type, "rsa:", strlen("rsa:")) == 0) {
>+ CK_ULONG    key_length;
>+ const char *size = type + strlen("RSA:");
>+
>+ if (size == NULL)
>+ fatal("Unknown key type %s", type);
>+ key_length = (unsigned long)atol(size);
>+ if (key_length != 0)
>+ modulusBits = key_length;
>+ } else {
>+ fatal("Unknown key type %s", type);
>+ }
>+ }
>+
> if (opt_object_label != NULL) {
> FILL_ATTR(publicKeyTemplate[n_pubkey_attr], CKA_LABEL,
> opt_object_label, strlen(opt_object_label));
>@@ -2977,7 +3000,7 @@
>
> printf("\n*** Generating a 1024 bit RSA key pair ***\n");
>
>- if (!gen_keypair(slot, session, &pub_key, &priv_key))
>+ if (!gen_keypair(slot, session, &pub_key, &priv_key, opt_key_type))
> return;
>
> tmp = getID(session, priv_key, (CK_ULONG *) &opt_object_id_len);
>  
>


Re: using engine_pkcs11.so and generating keys

Nils Larsch
Cornelius Kölbel wrote:
> Hello Nils,
>
> I checked out the latest opensc, applied the patch and compiled it on my
> FC4.
>
> It looks good! It works for different key sizes.

Thanks for testing. Any objections from the other developers against
committing this patch to the trunk?

Cheers,
Nils

Re: using engine_pkcs11.so and generating keys

Nils Larsch
Nils Larsch wrote:

> Cornelius Kölbel wrote:
>
>> Hello Nils,
>>
>> I checked out the latest opensc, applied the patch and compiled it on
>> my FC4.
>>
>> It looks good! It works for different key sizes.
>
>
> thanks for testing. Any objections from the other developers against
> committing this patch in the trunk ?

OK, committed.

Nils