On 4/14/2011 5:52 AM, Martin Paljak wrote:
>
> On Apr 13, 2011, at 23:44 , Douglas E. Engert wrote:
>
>>
>>
>> On 4/13/2011 2:03 PM, Martin Paljak wrote:
>>> Hello,
>>> On Apr 13, 2011, at 20:44 , Felipe Blauth wrote:
>>>
>>>> Hello to all,
>>>>
>>>> Simple question:
>>>> Is it possible, using openssl, to unwrap a key wrapped inside a Smart Card
>>>> with C_Wrap function?
>>
>> It's not that simple.
>> Is the key to be unwrapped on the card, or do you have the wrapped key of the card
>> and it has to be unwrapped by a private key on the card?
>>
>>> The format of C_Wrap is described in PKCS#11 specification. Yes, you could
>>> use OpenSSL but note that OpenSC does not support C_Wrap (or unwrap)
>>>
>>
>> If the wrapped key was wrapped by an RSA public key, the Mozilla NSS for example
>> can fall back to using C_Decrypt in place of C_Unwrap. The data returned is
>> the bits of the key, and not a PKCS#11 session object.
>
> But that's the expected behavior. As OpenSC is supposed to be a gateway for
> *in-hardware* operations, if the outcome from the card is plaintext key
> material, the application should use the plaintext key for whatever it deems
> necessary. That's why Wrap/Unwrap is not implemented.
>

C_DeriveKey has the same issue; they both return a key object.

> If the Unwrap resulted in a native object (meaning the key would not leave
> the hardware) C_Unwrap could (and should) be used (and first implemented)
>

I had started looking at these issues as EC keys cannot encrypt, but they can derive.

For an un-wrapped non-native key the card returns the key to the card driver, and the driver needs to make the key available as a PKCS#11 key object with CK_TOKEN=false, i.e. a "session object". Since OpenSC is not supporting software crypto, the only operation on this session key object would be to get the CKA_VALUE and CKA_VALUE_LEN, so some external application could extract it.

I have started mods so the PIV card could be used with C_DeriveKey, using CKM_ECDH1_COFACTOR_DERIVE, with CKD_NULL. I have part of this, but have been sidetracked with other projects. The implementation of a pkcs15-skey.c to add all the supporting routines would be the next step.

> Unfortunately there's no standard for this that I know of.

I think it's there in PKCS#11 and PKCS#15 with CK_TOKEN=false.

>
>
> Martin
>

-- 
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
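The behaviour Douglas describes (C_Decrypt standing in for C_Unwrap, the recovered key bits exposed only as a transient session object with CKA_TOKEN=false, and no software crypto offered on it) is modelled below as an added illustration. It is not code from OpenSC, NSS or any PKCS#11 library; the token, session and "wrapping" are constructed for the demo, and a repeating XOR with the card's secret stands in for RSA wrapping. The attribute, object-class and return-code constants are the real PKCS#11 values.

```python
"""Constructed model of the C_Decrypt-as-C_Unwrap fallback: the module lacks
C_UnwrapKey, so the middleware decrypts the wrapped blob and exposes the key
bits as a session object whose only permitted use is reading CKA_VALUE."""
import itertools

# Real PKCS#11 values: attribute types, object class, return codes.
CKA_CLASS, CKA_TOKEN, CKA_VALUE, CKA_VALUE_LEN = 0x000, 0x001, 0x011, 0x161
CKO_SECRET_KEY = 0x4
CKR_FUNCTION_NOT_SUPPORTED, CKR_OBJECT_HANDLE_INVALID = 0x54, 0x82


class Pkcs11Error(Exception):
    def __init__(self, rv):
        super().__init__(f"CKR 0x{rv:02X}")
        self.rv = rv


def toy_wrap(key_material: bytes, card_secret: bytes) -> bytes:
    """Placeholder for wrapping under the card's RSA public key: a repeating
    XOR with the card secret. Constructed for this demo; it is NOT RSA."""
    return bytes(b ^ card_secret[i % len(card_secret)] for i, b in enumerate(key_material))


class ToyToken:
    """Constructed stand-in for an OpenSC-like module: the private secret never
    leaves this object, C_Decrypt works, C_UnwrapKey is not implemented."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret

    def C_UnwrapKey(self, wrapped: bytes) -> int:
        raise Pkcs11Error(CKR_FUNCTION_NOT_SUPPORTED)

    def C_Decrypt(self, ciphertext: bytes) -> bytes:
        return toy_wrap(ciphertext, self._secret)  # XOR is its own inverse


class Session:
    """Middleware-side session owning transient (CKA_TOKEN=false) objects."""

    def __init__(self, token: ToyToken):
        self.token = token
        self._objects = {}
        self._handles = itertools.count(1)

    def unwrap_key(self, wrapped: bytes) -> int:
        """Try C_UnwrapKey; on CKR_FUNCTION_NOT_SUPPORTED fall back to
        C_Decrypt and hold the plaintext bits in a session object."""
        try:
            return self.token.C_UnwrapKey(wrapped)
        except Pkcs11Error as err:
            if err.rv != CKR_FUNCTION_NOT_SUPPORTED:
                raise
        value = self.token.C_Decrypt(wrapped)
        handle = next(self._handles)
        self._objects[handle] = {
            CKA_CLASS: CKO_SECRET_KEY,
            CKA_TOKEN: False,  # session object: never persisted on the card
            CKA_VALUE: value,
            CKA_VALUE_LEN: len(value),
        }
        return handle

    def get_attribute(self, handle: int, attr: int):
        if handle not in self._objects:
            raise Pkcs11Error(CKR_OBJECT_HANDLE_INVALID)
        return self._objects[handle][attr]

    def encrypt_init(self, handle: int) -> None:
        """No software crypto: the application may only read the value out."""
        if handle not in self._objects:
            raise Pkcs11Error(CKR_OBJECT_HANDLE_INVALID)
        raise Pkcs11Error(CKR_FUNCTION_NOT_SUPPORTED)

    def close(self) -> None:
        self._objects.clear()  # session objects vanish with the session


def demo() -> dict:
    """Wrap a constructed 16-byte key, unwrap via the fallback, and report
    what an application can and cannot do with the resulting object."""
    card_secret = bytes(range(0x10, 0x30))  # constructed; lives "on the card"
    session_key = b"\x00\x11\x22\x33\x44\x55\x66\x77" * 2
    sess = Session(ToyToken(card_secret))
    h = sess.unwrap_key(toy_wrap(session_key, card_secret))
    report = {
        "is_token_object": sess.get_attribute(h, CKA_TOKEN),
        "value_matches": sess.get_attribute(h, CKA_VALUE) == session_key,
        "value_len": sess.get_attribute(h, CKA_VALUE_LEN),
    }
    try:
        sess.encrypt_init(h)
    except Pkcs11Error as err:
        report["crypto_rv"] = err.rv
    sess.close()
    try:
        sess.get_attribute(h, CKA_VALUE)
    except Pkcs11Error as err:
        report["after_close_rv"] = err.rv
    return report


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the one in the thread: once the key material has left the hardware, the middleware's job is only to hand it over (CKA_VALUE, CKA_VALUE_LEN), not to run software crypto on it, and the object is gone when the session closes.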