Hi Alon,

On Nov 10, 2011, at 8:24 AM, Alon Bar-Lev wrote:

> Hello,
> 
> You can't.
> pkcs11-helper targets developers who want to use smartcards without
> overhead of the actual card management.
> Well behaved smartcards should not allow export of private key.

But it seems that pk12util can accomplish this task:
https://developer.mozilla.org/en/NSS_reference/NSS_tools_:_pk12util

> 
> Why do you need the private key anyway?

My current code (based on OpenSSL) is for grid computing usage. We use 
file-based EEC credentials (cert.pem, key.pem) to generate a proxy certificate, 
and then use the proxy certificate to communicate with peer ends.
Now we need to switch to pkcs11 for the storage of the EEC credential, 
instead of file-based storage, because pkcs11 provides a higher level of 
security.

The reason I need to retrieve the private key is that I need the X509 
certificate and the private key to generate the proxy certificate.

I see a piece of code here:
http://codesearch.google.com/#RnTPnPMDu28/staticopenvpn/openvpn/pkcs11.c&ct=rc&cd=1&q=SSL_CTX_use_pkcs11&exact_package=git://github.com/spokn/lib.git&l=606

/**********/
        if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL) {
                msg (M_WARN, "PKCS#11: Unable get rsa object");
                goto cleanup;
        }

        if ((x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL) {
                msg (M_WARN, "PKCS#11: Unable get certificate object");
                goto cleanup;
        }

        if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx, rsa)) {
                msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
                goto cleanup;
        }

        if (!SSL_CTX_use_certificate (ssl_ctx, x509)) {
                msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
                goto cleanup;
        }
/**********/
From the above code, I concluded that it is possible to retrieve the private 
key. Maybe this piece of code will not work.

Thanks for your kind help.

Best Regards,
Weizhong Qiang


> 
> Alon.
> 
> On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang <weizhongqi...@gmail.com> 
> wrote:
>> Hi all,
>> I tried to use the pkcs11-helper API to retrieve the X509 certificate and 
>> private key from the NSS softtoken, with version 1.09 of pkcs11-helper.
>> I can get the X509 object, but the returned RSA object only includes the 
>> public key, rather than the private key.
>> I paste the code below.
>> Could anyone give me some hint about how to get the private key?
>> 
>> Thanks a lot,
>> Weizhong Qiang
>> 
>> 
>> 
>>    pkcs11h_certificate_id_list_t issuers;
>>    pkcs11h_certificate_id_list_t certs;
>>    pkcs11h_certificate_id_t find = NULL;
>>    CK_RV rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE, NULL,
>>                 PKCS11H_PROMPT_MASK_ALLOW_ALL, &issuers, &certs);
>>    if(rv != CKR_OK || certs == NULL) {
>>      PKCS11UtilLogger.msg(ERROR, "Cannot enumerate certificates: %s", pkcs11h_getMessage(rv));
>>      return false;
>>    }
>>    PKCS11UtilLogger.msg(INFO, "Succeed to enumerate certificate");
>> 
>>    int i = 0;
>>    for(pkcs11h_certificate_id_list_t cert = certs; cert != NULL; cert = cert->next) {
>>      std::string label = cert->certificate_id->displayName;
>>      i++;
>>      PKCS11UtilLogger.msg(INFO, "The name of the %d certificate is %s \n", i, label.c_str());
>>      if(certname == label) {
>>        pkcs11h_certificate_duplicateCertificateId(&find, cert->certificate_id);
>>        //TODO: probably it is needed to deal with the case that multiple
>>        //certificates with the same name exist.
>>        break;
>>      }
>>    }
>> 
>>    pkcs11h_certificate_freeCertificateIdList(issuers);
>>    pkcs11h_certificate_freeCertificateIdList(certs);
>> 
>>    if(find == NULL) {
>>      PKCS11UtilLogger.msg(ERROR, "Could not find certificate with the name %s", certname.c_str());
>>      return false;
>>    }
>> 
>>    pkcs11h_certificate_t certificate;
>>    rv = pkcs11h_certificate_create(find, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
>>                                    PKCS11H_PIN_CACHE_INFINITE, &certificate);
>>    pkcs11h_certificate_freeCertificateId(find); // not needed after create, whether it succeeded or not
>>    if(rv != CKR_OK) {
>>      PKCS11UtilLogger.msg(ERROR, "Can not read certificate: %s", pkcs11h_getMessage(rv));
>>      return false;
>>    }
>> 
>>    pkcs11h_openssl_session_t openssl_session = NULL;
>>    if((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL) {
>>      PKCS11UtilLogger.msg(ERROR, "Cannot initialize openssl session to retrieve X509 and RSA");
>>      pkcs11h_certificate_freeCertificate(certificate);
>>      return false; // do not fall through and use a NULL session
>>    }
>>    certificate = NULL; // the certificate object will be released by openssl_session
>> 
>>    X509* x509_local = pkcs11h_openssl_session_getX509(openssl_session);
>>    if(!x509_local) {
>>      PKCS11UtilLogger.msg(ERROR, "Cannot get X509 object");
>>      pkcs11h_openssl_freeSession(openssl_session);
>>      return false;
>>    }
>>    // The RSA object carries only the public modulus and exponent; private-key
>>    // operations are dispatched to the token through the RSA_METHOD it is bound to.
>>    RSA* rsa_local = pkcs11h_openssl_session_getRSA(openssl_session);
>>    if(!rsa_local) {
>>      PKCS11UtilLogger.msg(ERROR, "Cannot get RSA object");
>>      X509_free(x509_local);
>>      pkcs11h_openssl_freeSession(openssl_session);
>>      return false;
>>    }
>> 
>>    PKCS11UtilLogger.msg(INFO, "Succeed to get X509 and RSA");
>>    *x509 = x509_local;
>>    *rsa = rsa_local;
>>    pkcs11h_openssl_freeSession(openssl_session); // the RSA object keeps its own reference to the session
>>    return true;
>> 
>> 
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>> 
