2011/4/13 Douglas E. Engert <deeng...@anl.gov>

>
> On 4/13/2011 2:03 PM, Martin Paljak wrote:
> > Hello,
> > On Apr 13, 2011, at 20:44 , Felipe Blauth wrote:
> >
> >> Hello to all,
> >>
> >> Simple question:
> >> Is it possible, using openssl, to unwrap a key wrapped inside a Smart
> >> Card with the C_Wrap function?
>
> It's not that simple.
> Is the key to be unwrapped on the card, or do you have the wrapped key of
> the card
> and it has to be unwrapped a private key on the card?
>
I just wanted to make a simple protocol to import a private key to a card
in a secure way (the application runs in a secure container).
I was thinking about 2 ways:

1) The card generates a key pair.
2) The card exports the public key generated in 1 to the application (I think
this can be done with C_GetAttributeValue and openssl).
3) The application generates another key pair and wraps its private key with the
public key it got from the card (this part I don't know if it is possible).
4) The card unwraps, with the private key generated in 1, and obtains the
private key generated by the application.

or

1) The application generates a key pair.
2) The card imports the public key generated by the application.
3) The card generates a secret key (i.e., DES3).
4) The card wraps the secret key with the public key obtained from the
application.
5) The application unwraps the secret key with the private key generated in 1.
6) The application now wraps its private key with the secret key.
7) The card unwraps the application's private key with the secret key.


> > The format of C_Wrap is described in the PKCS#11 specification. Yes, you
> > could use OpenSSL, but note that OpenSC does not support C_Wrap (or unwrap).
> >
>
> If the wrapped key was wrapped by an RSA public key, the Mozilla NSS, for
> example, can fall back to using C_Decrypt in place of C_Unwrap. The data
> returned is the bits of the key, and not a PKCS#11 session object.
>
> This could be related to:
>
> http://www.opensc-project.org/opensc/ticket/325
>
> > Martin
> > _______________________________________________
> > opensc-devel mailing list
> > opensc-devel@lists.opensc-project.org
> > http://www.opensc-project.org/mailman/listinfo/opensc-devel
> >
>
> --
>
>  Douglas E. Engert  <deeng...@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444

--
Felipe
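The second protocol above, carried out end to end with nothing but the OpenSSL command line. This is an added example, not code from the thread or from OpenSC. The card side is simulated in software here, because (as Martin notes) OpenSC does not implement C_WrapKey/C_UnwrapKey; on a real token steps 3, 4 and 7 would be C_GenerateKey, C_WrapKey and C_UnwrapKey (or the C_Decrypt fallback Douglas describes, which returns raw key bytes rather than a key object). Assumptions made for the example: AES-256-CBC as the secret key in place of the thread's DES3, RSA-OAEP with SHA-256 for the asymmetric wrap, and a separate RSA key pair (`import_key`) as the private key the application wants on the card, distinct from the transport key pair of step 1. All file names and function names are invented for the demo.

```shell
#!/bin/sh
# Added example: Felipe's second protocol with the OpenSSL CLI.
# "card_*" functions stand in for the token; "app_*" functions are the
# application running in its secure container.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# raw key bytes -> hex string, the form "openssl enc -K" expects
hexdump_key() { od -An -tx1 "$1" | tr -d ' \n'; }

# Step 1: the application generates its RSA transport key pair.
# Step 2: only the public half is handed to the card.
app_generate_transport_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/app_transport.pem" 2>/dev/null
    openssl pkey -in "$work/app_transport.pem" -pubout \
        -out "$work/app_transport_pub.pem"
}

# Steps 3 and 4 (card side): generate the secret key (AES-256 here, DES3 in
# the thread) and wrap it with the application's public key (RSA-OAEP/SHA-256).
# Only the wrapped blob leaves the "card".
card_generate_and_wrap_kek() {
    openssl rand -out "$work/card_kek.bin" 32
    openssl pkeyutl -encrypt -pubin -inkey "$work/app_transport_pub.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$work/card_kek.bin" -out "$work/kek.wrapped"
}

# Step 5 (application side): recover the secret key with the transport
# private key. This is a plain RSA decrypt, i.e. the same operation as the
# C_Decrypt-instead-of-C_Unwrap fallback: the result is raw key bytes.
app_unwrap_kek() {
    openssl pkeyutl -decrypt -inkey "$work/app_transport.pem" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 \
        -in "$work/kek.wrapped" -out "$work/app_kek.bin"
}

# Step 6 (application side): wrap the private key to be imported
# (PKCS#8 DER) under the recovered secret key.
app_wrap_private_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$work/import_key.pem" 2>/dev/null
    openssl pkcs8 -topk8 -nocrypt -in "$work/import_key.pem" \
        -outform DER -out "$work/import_key.der"
    openssl rand -hex 16 > "$work/iv.hex"
    openssl enc -aes-256-cbc -K "$(hexdump_key "$work/app_kek.bin")" \
        -iv "$(cat "$work/iv.hex")" \
        -in "$work/import_key.der" -out "$work/import_key.wrapped"
}

# Step 7 (card side): unwrap with the secret key the card generated in step 3.
card_unwrap_private_key() {
    openssl enc -d -aes-256-cbc -K "$(hexdump_key "$work/card_kek.bin")" \
        -iv "$(cat "$work/iv.hex")" \
        -in "$work/import_key.wrapped" -out "$work/card_import_key.der"
}

# Runs all seven steps; succeeds only if the key the "card" ends up with is
# byte-for-byte the key the application wrapped and parses as a private key.
run_protocol() {
    app_generate_transport_key
    card_generate_and_wrap_kek
    app_unwrap_kek
    app_wrap_private_key
    card_unwrap_private_key
    cmp -s "$work/import_key.der" "$work/card_import_key.der" &&
        openssl pkey -inform DER -in "$work/card_import_key.der" -noout
}

run_protocol && echo "card received the application's private key intact"
```

Two things the script makes visible that the step list does not: step 5 is an ordinary RSA decrypt, so the secret key is exposed as plaintext bytes to the application (acceptable only because the application is trusted, per the "secure container" assumption), and nothing in the exchange authenticates the public keys. Whoever can substitute the application's public key in step 2 receives the secret key, and whoever can substitute the card's public key in the first protocol receives the application's private key, so a real deployment needs the public keys bound to the parties (a card certificate, or an attestation of the card-generated key). The AES-CBC wrap used here also carries no integrity check; an AEAD mode or RFC 3394 key wrap would be the better choice, and DES3 as in the original step 3 should be avoided for new designs.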
