What I want to do is store my SSL server keys on a smart card so that if
someone roots the box they can't have them - the worst they could do is
continue to use them for nefarious ends, but they'd have to use them in place.
I want to do this on FreeBSD.
To that end, I think I have most of the pieces necessary - I have a JCOP 41 72K
card, a reader, and have loaded the muscle applet onto the card.
One thing that concerns me is this:
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:/usr/lib/opensc-pkcs11.so>>
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
[ available ]
OpenSSL> rsa -engine pkcs11 -inform engine -in id_45 -text
engine "pkcs11" set.
PKCS#11 token PIN:
Modulus (1024 bit):
(blah blah blah)
Exponent: 65537 (0x10001)
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
(blah blah blah)
-----END RSA PRIVATE KEY-----
WTF? I thought the whole point was that you weren't supposed to be able to get
your mits on the private key! Being able to get the key out makes the whole
exercise moot - it's no better than unix filesystem permissions.
I did:
pkcs15-init -EC --no-so-pin
pkcs15-init --store-pin -auth-id 01 --label "user"
pkcs15-init --generate-key rsa/1024 --auth-id 01
and then ran the openssl commands above.
What am I doing wrong?
_______________________________________________
Muscle mailing list
Muscle@lists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
