Changing the subject name:
Re: [opensc-devel] how can I retrieve private key by using pkcs11-helper api?
As the discussion has changed...


On 11/11/2011 9:22 AM, weizhong qiang wrote:
> Hi Douglas,
>
> Thanks a lot for your kind help.
>
> On Nov 10, 2011, at 5:12 PM, Douglas E. Engert wrote:
>>
>> NSS and OpenSSL are both top level APIs for crypto. NSS can call PKCS#11
>> easily. OpenSSL can call PKCS#11 via the engine_pkcs11. So either could
>> be used if the original EEC and its key are on a smartcard and used to sign
>> a proxy certificate. i.e. you never get the key off the card.
>
> OK, I see. Since my current code is based on OpenSSL, maybe I should choose
> openssl with engine_pkcs11 enabled.

You also had said you wanted to use NSS's softoken. The NSS softoken is
part of NSS, and is a PKCS#11 implementation, but not used much as a
standalone PKCS#11 module, but rather internally from NSS.

% pkcs11-tool --module ./libsoftokn3.so -L
error: PKCS11 function C_Initialize failed: rv = CKR_ARGUMENTS_BAD (0x7)

This fails because OpenSC passes in a NULL CK_C_INITIALIZE_ARGS.
(Maybe OpenSC should add this feature?)

https://developer.mozilla.org/en/PKCS11_Module_Specs

lists what the softoken C_Initialize(CK_C_INITIALIZE_ARGS) is expecting
and nss-3.12.10/mozilla/security/nss/lib/softoken/pkcs11.c appears to
require CKF_OS_LOCKING_OK and the pReserved field to be a
CK_CHAR_PTR *LibraryParameters.

See comments in nss-3.12.10/mozilla/security/nss/lib/util/pkcs11t.h
about the pReserved field.

So you could continue to use OpenSSL, or look at writing an NSS based
grid-proxy-init.
The trick would be to get the Grid libs to call the NSS API to generate proxy keys
and cert requests, and have NSS sign the requests, thus creating
the proxy certificate.

NSS can call "Security Devices", which are PKCS#11 modules, including
OpenSC's, so this would also work nicely with smart cards,
and P12 could be used to export and import proxies for use
with existing OpenSSL code.

Or you could use the OpenSSL engine code.

>
>>
>> The proxy certificate and key can be created by either, but both will store
>> the proxy key in different formats. NSS wants to store in a database.
>> The question is how to export/import the proxy certificate between
>> applications that use the other: NSS vs OpenSSL.  As Alan pointed out
>> pk12 may be the way to transfer the proxy cert and key between the two.
>>
>> But the security concern still comes down to protecting the proxy key
>> without requiring user intervention when using the proxy. I am not sure
>> if NSS gives you any more security.
>
>
> Thanks and Best Regards,
>
> Weizhong Qiang
>


-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
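The C_Initialize failure discussed above, as an added example that is not part of the thread: it builds the CK_C_INITIALIZE_ARGS that NSS's softoken wants (CKF_OS_LOCKING_OK set, pReserved carrying a pointer to the LibraryParameters string) and models the entry check that turns a NULL argument into CKR_ARGUMENTS_BAD. The PKCS#11 types are a hand-written subset of pkcs11t.h so it compiles without the real header, the config directory is a placeholder, and the check function is a model of the behaviour described in the mail, not softoken's own code.

```c
/* Added example: NSS-style CK_C_INITIALIZE_ARGS and a model of softoken's
 * argument check. Minimal hand-written subset of pkcs11t.h; with a real
 * PKCS#11 header, drop these typedefs and pass &args to the C_Initialize
 * obtained from the module's C_GetFunctionList(). */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_FLAGS;
typedef CK_ULONG CK_RV;
typedef void *CK_VOID_PTR;
typedef unsigned char *CK_CHAR_PTR;

#define CKF_OS_LOCKING_OK 0x00000002UL
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL

/* Standard layout: four mutex callbacks, flags, pReserved. NSS reads
 * pReserved as "CK_CHAR_PTR *LibraryParameters" (see NSS's pkcs11t.h). */
typedef struct CK_C_INITIALIZE_ARGS {
    CK_VOID_PTR CreateMutex, DestroyMutex, LockMutex, UnlockMutex;
    CK_FLAGS    flags;
    CK_VOID_PTR pReserved;
} CK_C_INITIALIZE_ARGS;

/* Constructed config string in the PKCS11_Module_Specs format; the
 * configdir path is a placeholder, not a real database location. */
static CK_CHAR_PTR softoken_params = (CK_CHAR_PTR)
    "configdir='/path/to/nssdb' certPrefix='' keyPrefix='' "
    "secmod='secmod.db' flags=readOnly";

/* Fill args the way NSS wants: no custom mutex callbacks, OS locking
 * allowed, and the LibraryParameters pointer handed over via pReserved. */
void softoken_init_args(CK_C_INITIALIZE_ARGS *a)
{
    memset(a, 0, sizeof *a);
    a->flags = CKF_OS_LOCKING_OK;
    a->pReserved = (CK_VOID_PTR)&softoken_params;   /* CK_CHAR_PTR * */
}

/* Model of the check described in the mail: NULL args (what pkcs11-tool
 * passed), missing CKF_OS_LOCKING_OK, or no LibraryParameters all fail. */
CK_RV softoken_check_init_args(const CK_C_INITIALIZE_ARGS *a)
{
    if (a == NULL || !(a->flags & CKF_OS_LOCKING_OK)) return CKR_ARGUMENTS_BAD;
    CK_CHAR_PTR *params = (CK_CHAR_PTR *)a->pReserved;
    if (params == NULL || *params == NULL) return CKR_ARGUMENTS_BAD;
    return CKR_OK;
}

/* Build the NSS-style args and run the check on them. */
CK_RV softoken_selfcheck(void)
{
    CK_C_INITIALIZE_ARGS args;
    softoken_init_args(&args);
    return softoken_check_init_args(&args);
}

int main(void)
{
    printf("NULL args      -> rv = 0x%lx\n", softoken_check_init_args(NULL));
    printf("NSS-style args -> rv = 0x%lx\n", softoken_selfcheck());
    return 0;
}
```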