On 4/6/2011 8:16 AM, Viktor TARASOV wrote:
> Hello Douglas,
>
> Do you know if the card PIV-II from Oberthur (PIV 2.3.2) supports the elliptic curves?

Yes. The card is based on the ID-ONE V7 with PIV Applet Version 2.3.2. I have some of their demo cards with preloaded RSA and EC certs/keys and some blank cards. I can generate EC keys and load EC certs onto these cards. NIST 800-73-3 calls for the support of two EC curves: NID_X9_62_prime256v1 and NID_secp384r1.

> Can it be used with the actual OpenSC PKCS#11?

ECDSA is in OpenSC 0.12.0. http://www.opensc-project.org/opensc/ticket/295
See the attached test script, which uses pkcs11-tool to sign a file and tests the signature with OpenSSL. ECDH has not been added yet, as the PKCS#11 side gets complicated because a derived symmetric key needs to be returned in a PKCS#11 session object, which would require all the support routines to handle this. I have started on adding this code, but have gotten sidetracked with other projects.

> with OpenSC minidriver?

I never added any extra code to the minidriver, as I had no applications that would use EC.

It works with Thunderbird; mods to Thunderbird are required. (This e-mail is being signed by a test card with ECDSA.) I can dig up any mods or test scripts if you are interested.

> Kind wishes,
> Viktor.
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
#!/bin/sh -x
#
# Test that the card is producing a valid signature
# by having OpenSSL verify the result.
#
# Assume card slot 9C is EC 384, and the card has a cert.
#
# Note that an ECDSA signature can change each time.

F="$1"
if [ "X$F" = "X" ] ; then
    echo "filename missing"
    exit 1
fi

PATH=/opt/smartcard/bin:$PATH

# On Solaris with one reader, it's slot 1.
# On Ubuntu with Cherry KB, Cherry is slot 1, Gemplus is slot 5.
# pkcs11-tool does not put out a message for the pin-pad.
OPTS="--slot 1 --module /opt/smartcard/lib/opensc-pkcs11.so"
#OPTS="--slot 5 --module /opt/smartcard/lib/opensc-pkcs11.so"

# Hash the data using OpenSSL:
openssl dgst -sha256 -binary -out "/tmp/$F.sha256.binary" < "$F"

# Use the card to sign the hash (CKM_ECDSA signs the hash as given;
# no further hashing happens on the card):
pkcs11-tool $OPTS -l -s -m ECDSA -i "/tmp/$F.sha256.binary" \
    -o "/tmp/$F.sha256.signature"

# Get the 9C cert off the card (object id 2):
pkcs11-tool $OPTS -r -d 2 -y cert -o /tmp/cert.9C.der

# Get the pubkey out of the cert:
openssl x509 -pubkey -in /tmp/cert.9C.der -inform DER \
    -noout > /tmp/pubkey.9C.pem

# Use OpenSSL to verify the signature against the pubkey.
# The Ubuntu OpenSSL 0.9.8 version does not verify ECDSA;
# need to use 1.0.0.
PATH=/afs/anl.gov/appl/OpenSSL-1.0.0a/d-i386_linux/bin:$PATH
openssl dgst -verify /tmp/pubkey.9C.pem \
    -signature "/tmp/$F.sha256.signature" \
    -sha256 < "$F"
_______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
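A caveat worth knowing when reproducing the test script's last step: PKCS#11 defines the CKM_ECDSA signature as the raw concatenation r || s, each half left-padded to the byte length of the curve order (32 bytes for prime256v1, 48 for secp384r1), whereas "openssl dgst -verify" reads an ECDSA signature as the DER SEQUENCE { INTEGER r, INTEGER s }. If the signature file written by pkcs11-tool is in the raw layout, OpenSSL will reject a perfectly good signature. The following Python is an added example, not code from the post or from the OpenSC project; it converts between the two layouts in both directions and checks the conversion on constructed sample values (they are not a real signature). The curve-size table and sample bytes are the example's own assumptions.

```python
# Added example (not from the mailing-list post or from OpenSC): convert an
# ECDSA signature between the raw "r || s" layout that PKCS#11 CKM_ECDSA
# produces (each half left-padded to the byte length of the curve order) and
# the DER SEQUENCE { INTEGER r, INTEGER s } layout that "openssl dgst -verify"
# reads. Order sizes for the two PIV curves named in the thread.

ORDER_BYTES = {"prime256v1": 32, "secp384r1": 48}


def _encode_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(raw):
    """Minimal positive DER INTEGER: drop leading zeros, keep the sign bit clear."""
    value = raw.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:
        value = b"\x00" + value
    return b"\x02" + _encode_len(len(value)) + value


def rs_to_der(sig, order_bytes):
    """PKCS#11 raw r||s -> DER SEQUENCE, the form openssl dgst -verify expects."""
    if len(sig) != 2 * order_bytes:
        raise ValueError("expected %d bytes, got %d" % (2 * order_bytes, len(sig)))
    body = _der_integer(sig[:order_bytes]) + _der_integer(sig[order_bytes:])
    return b"\x30" + _encode_len(len(body)) + body


def _read_tlv(buf, pos, tag):
    """Return (value, next_pos) for the TLV at buf[pos], checking the tag."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("bad tag or truncated input at offset %d" % pos)
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 2 or pos + n > len(buf):
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length


def der_to_rs(der, order_bytes):
    """DER SEQUENCE -> PKCS#11 raw r||s, each half padded to order_bytes."""
    body, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_tlv(body, 0, 0x02)
    s, pos = _read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected content after s")
    out = b""
    for v in (r, s):
        v = v.lstrip(b"\x00")
        if len(v) > order_bytes:
            raise ValueError("integer wider than the curve order")
        out += v.rjust(order_bytes, b"\x00")
    return out


# Constructed sample values (not a real signature): r has its top bit set, so
# the DER form needs a leading 0x00; s has leading zero bytes, which DER drops.
SAMPLE_R = b"\x80" + b"\x11" * 31
SAMPLE_S = b"\x00\x00" + b"\x22" * 30


def roundtrip(r, s, order_bytes):
    """Encode r||s to DER and decode it again; returns (der, recovered_rs)."""
    der = rs_to_der(r + s, order_bytes)
    return der, der_to_rs(der, order_bytes)


if __name__ == "__main__":
    der, rs = roundtrip(SAMPLE_R, SAMPLE_S, ORDER_BYTES["prime256v1"])
    print("DER length:", len(der), "roundtrip ok:", rs == SAMPLE_R + SAMPLE_S)
```

In the script's flow, the converted file would take the place of /tmp/$F.sha256.signature on the "openssl dgst -verify" line. Newer pkcs11-tool releases can write the DER form themselves with --signature-format openssl, so check what your version emits (the file length tells you: exactly 64 or 96 bytes means raw r||s) before assuming a verification failure is the card's fault.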
