Take a look at: http://www.metacentrum.cz/en/about/devel/pkcs11.html and
https://lists.strongswan.org/pipermail/users/2007-July/001900.html

The basic idea is that you don't extract a private key, but you ask the NSS
softtoken to sign a request for you.

HTH,
JJK

weizhong qiang wrote:
> hi Alon,
>
> On Nov 10, 2011, at 8:24 AM, Alon Bar-Lev wrote:
>
>> Hello,
>>
>> You can't.
>> pkcs11-helper targets developers who want to use smartcards without the
>> overhead of the actual card management.
>> Well-behaved smartcards should not allow export of the private key.
>
> But it seems that pk12util can accomplish this task.
> https://developer.mozilla.org/en/NSS_reference/NSS_tools_:_pk12util
>
>> Why do you need the private key anyway?
>
> My current code (based on openssl) is for grid computing usage. We use a
> file-based EEC credential (cert.pem, key.pem) to generate a proxy
> certificate, and then use the proxy certificate to communicate with
> peer ends.
> Now we need to switch to pkcs11 for the storage of the EEC credential,
> instead of the file-based storage, because pkcs11 provides a higher
> level of security.
>
> The reason I need to retrieve the private key is that I need the X509 and
> the private key for generating the proxy certificate.
>
> I see some piece of code here:
> http://codesearch.google.com/#RnTPnPMDu28/staticopenvpn/openvpn/pkcs11.c&ct=rc&cd=1&q=SSL_CTX_use_pkcs11&exact_package=git://github.com/spokn/lib.git&l=606
>
> /**********/
> if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL) {
>     msg (M_WARN, "PKCS#11: Unable get rsa object");
>     goto cleanup;
> }
>
> if ((x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL) {
>     msg (M_WARN, "PKCS#11: Unable get certificate object");
>     goto cleanup;
> }
>
> if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx, rsa)) {
>     msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
>     goto cleanup;
> }
>
> if (!SSL_CTX_use_certificate (ssl_ctx, x509)) {
>     msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
>     goto cleanup;
> }
> /**********/
>
> From the above code, I concluded that it is possible to retrieve the
> private key. Maybe this piece of code will not work.
> Thanks for your kind help.
> Best Regards,
> Weizhong Qiang
>
>> Alon.
>>
>> On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang <weizhongqi...@gmail.com> wrote:
>>> hi all,
>>> I tried to use the pkcs11-helper API to retrieve the X509 and private key
>>> from the NSS softtoken, with the 1.09 version of pkcs11-helper.
>>> I can get the X509 object, but the returned RSA object only includes the
>>> public key, rather than the private key.
>>> I paste the code as the following.
>>> Could anyone give me some hint about how to get the private key?
>>>
>>> Thanks a lot,
>>> Weizhong Qiang
>>>
>>> pkcs11h_certificate_id_list_t issuers;
>>> pkcs11h_certificate_id_list_t certs;
>>> pkcs11h_certificate_id_t find = NULL;
>>> CK_RV rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE, NULL,
>>>                                                    PKCS11H_PROMPT_MASK_ALLOW_ALL,
>>>                                                    &issuers, &certs);
>>> if(rv != CKR_OK || certs == NULL) {
>>>     PKCS11UtilLogger.msg(ERROR, "Cannot enumerate certificates: %s",
>>>                          pkcs11h_getMessage(rv));
>>>     return false;
>>> }
>>> PKCS11UtilLogger.msg(INFO, "Succeed to enumerate certificate");
>>>
>>> // Walk the enumerated certificates and pick the one whose label matches certname.
>>> int i = 0;
>>> for(pkcs11h_certificate_id_list_t cert = certs; cert != NULL; cert = cert->next) {
>>>     std::string label = cert->certificate_id->displayName;
>>>     i++;
>>>     PKCS11UtilLogger.msg(INFO, "The name of the %d certificate is %s\n",
>>>                          i, label.c_str());
>>>     if(certname == label) {
>>>         pkcs11h_certificate_duplicateCertificateId(&find, cert->certificate_id);
>>>         //TODO: probably it is needed to deal with the case that
>>>         //multiple certificates with the same name exist.
>>>         break;
>>>     }
>>> }
>>>
>>> pkcs11h_certificate_freeCertificateIdList(issuers);
>>> pkcs11h_certificate_freeCertificateIdList(certs);
>>>
>>> if(find == NULL) {
>>>     PKCS11UtilLogger.msg(ERROR, "Could not find certificate with the name %s",
>>>                          certname.c_str());
>>>     return false;
>>> }
>>>
>>> pkcs11h_certificate_t certificate;
>>> rv = pkcs11h_certificate_create(find, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
>>>                                 PKCS11H_PIN_CACHE_INFINITE, &certificate);
>>> if(rv != CKR_OK) {
>>>     PKCS11UtilLogger.msg(ERROR, "Can not read certificate: %s",
>>>                          pkcs11h_getMessage(rv));
>>>     pkcs11h_certificate_freeCertificateId(find);
>>>     return false;
>>> }
>>> pkcs11h_certificate_freeCertificateId(find);
>>>
>>> pkcs11h_openssl_session_t openssl_session = NULL;
>>> if((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL) {
>>>     PKCS11UtilLogger.msg(ERROR,
>>>                          "Cannot initialize openssl session to retrieve X509 and RSA");
>>>     pkcs11h_certificate_freeCertificate(certificate);
>>>     return false;   // do not continue with a NULL session
>>> }
>>> certificate = NULL; // the certificate object will be released by openssl_session
>>>
>>> // Both lookups must succeed; an error in either one makes the call fail.
>>> bool ret = true;
>>> X509* x509_local = pkcs11h_openssl_session_getX509(openssl_session);
>>> if(!x509_local) { PKCS11UtilLogger.msg(ERROR, "Cannot get X509 object"); ret = false; }
>>> RSA* rsa_local = pkcs11h_openssl_session_getRSA(openssl_session);
>>> if(!rsa_local) { PKCS11UtilLogger.msg(ERROR, "Cannot get RSA object"); ret = false; }
>>>
>>> if(ret) PKCS11UtilLogger.msg(INFO, "Succeed to get X509 and RSA");
>>> *x509 = x509_local;
>>> *rsa = rsa_local;
>>> pkcs11h_openssl_freeSession(openssl_session);
>>> return ret;
>>>
>>> _______________________________________________
>>> opensc-devel mailing list
>>> opensc-devel@lists.opensc-project.org
>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
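The point JJK and Alon make is that the RSA object pkcs11-helper hands back is not defective: it carries only the public components, and its private operations are routed through an OpenSSL RSA_METHOD back into the token, so signing a proxy certificate works without the EEC private key ever leaving the softtoken. The following is an added, self-contained model of that delegation pattern, written for this thread and not code from pkcs11-helper, NSS or the poster. `SoftToken`, `TokenBackedRSA` and `issue_proxy_certificate` are hypothetical names; the key is a constructed toy (two Mersenne primes, unpadded RSA on a truncated SHA-256) and is not a usable RSA implementation.

```python
"""Toy model of token-delegated signing, as used to mint a proxy certificate.

The private exponent lives only inside SoftToken (standing in for the NSS
softtoken behind PKCS#11). The application receives a TokenBackedRSA object
that carries the public components plus a signing hook, which is the shape
of the RSA object pkcs11-helper returns. Parameters are constructed for
illustration: two Mersenne primes, no PKCS#1 padding, not secure RSA.
"""
import hashlib

# Constructed toy key: M89 * M107 gives a ~196-bit modulus (NOT for real use).
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # modular inverse, Python 3.8+


def _digest_int(tbs: bytes) -> int:
    """SHA-256 of the to-be-signed bytes, truncated to 192 bits so it fits
    below the toy modulus (a real token would apply PKCS#1 v1.5 padding)."""
    return int.from_bytes(hashlib.sha256(tbs).digest()[:24], "big")


class SoftToken:
    """Stands in for the PKCS#11 token: performs C_Sign-style private
    operations on request and never exports the private exponent."""

    def __init__(self) -> None:
        self._d = _D            # private; no accessor returns it
        self.n, self.e = _N, _E

    def public_key(self) -> tuple:
        return (self.n, self.e)

    def sign_digest(self, digest: int) -> int:
        if not 0 <= digest < self.n:
            raise ValueError("digest does not fit the modulus")
        return pow(digest, self._d, self.n)


class TokenBackedRSA:
    """Models pkcs11h_openssl_session_getRSA(): public n and e only, with the
    private operation routed back to the token (like an OpenSSL RSA_METHOD)."""

    def __init__(self, token: SoftToken) -> None:
        self.n, self.e = token.public_key()
        self._priv_op = token.sign_digest   # a hook into the token, not key material

    def sign(self, tbs: bytes) -> int:
        return self._priv_op(_digest_int(tbs))


def verify(public_key: tuple, tbs: bytes, signature: int) -> bool:
    """Anyone holding the EEC public key can check the proxy's signature."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(tbs)


def issue_proxy_certificate(eec_key: TokenBackedRSA, proxy_subject: str,
                            proxy_public_modulus: int) -> dict:
    """Build a minimal 'proxy certificate': the EEC key on the token signs the
    proxy's subject and public key, so the EEC private key never leaves it."""
    tbs = f"subject={proxy_subject};proxy_n={proxy_public_modulus}".encode()
    return {"tbs": tbs, "signature": eec_key.sign(tbs)}


def exposes_private_exponent(key: TokenBackedRSA) -> bool:
    """True if any integer attribute of the application-side key equals d."""
    return any(v == _D for v in vars(key).values() if isinstance(v, int))


def proxy_roundtrip() -> bool:
    """End to end: mint a proxy cert through the token, verify with the EEC
    public key, and confirm the application-side object holds no d."""
    token = SoftToken()
    eec_key = TokenBackedRSA(token)
    proxy_n = ((1 << 61) - 1) * ((1 << 31) - 1)   # constructed proxy key modulus
    cert = issue_proxy_certificate(eec_key, "CN=user/CN=proxy", proxy_n)
    ok = verify(token.public_key(), cert["tbs"], cert["signature"])
    tampered = verify(token.public_key(), cert["tbs"] + b"!", cert["signature"])
    return ok and not tampered and not exposes_private_exponent(eec_key)


if __name__ == "__main__":
    print("proxy certificate signed via token:", proxy_roundtrip())
```

In the real stack the `_priv_op` hook is the RSA_METHOD pkcs11-helper installs, and `X509_sign()` on the proxy certificate calls into it exactly the way `issue_proxy_certificate` does here; what the code needs is the handle to that object and the X509 of the EEC, not the key bytes. Exporting the key through `pk12util` would only work if the token marks it extractable, which is the property a hardware token is chosen to deny.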