-----Original Message----- From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of j.witvl...@mindef.nl Sent: Wednesday, August 22, 2012 5:51 PM To: deeng...@anl.gov; opensc-devel@lists.opensc-project.org Subject: Re: [opensc-devel] encrypt / decrypt
-----Original Message----- From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas E. Engert Sent: Wednesday, August 22, 2012 5:12 PM To: opensc-devel@lists.opensc-project.org Subject: Re: [opensc-devel] encrypt / decrypt On 8/22/2012 9:50 AM, j.witvl...@mindef.nl wrote: > Hi all, > > I've been trying to make more use of our smartcards, but I think I am missing > the point some how. > What I would like to do is: > a) encrypt some data, by means of one of my private keys on my smartcard > someone else should be able to decrypt it with the public key on my > certificate. > > b) let someone else encrypt some data, by means of my public key on my > certificate. > I should be able to decrypt it with one of my private keys on my smartcard. > > I speak in plural about keys/certificates, cause we have different pairs for > authentication/non-repodiation/etc > > So first I load the engine: > OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre > ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre > MODULE_PATH:/usr/lib/libaetpkss.so.3.0 > (dynamic) Dynamic engine loading support > [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so > [Success]: ID:pkcs11 > [Success]: LIST_ADD:1 > [Success]: LOAD > [Success]: MODULE_PATH:/usr/lib/libaetpkss.so.3.0 > Loaded: (pkcs11) pkcs11 engine > OpenSSL> > > And next I try to encrypt something: > OpenSSL> > OpenSSL> enc -base64 -in /root/data.txt -out file.txt.enc -engine pkcs11 > engine "pkcs11" set. > OpenSSL> > > OpenSSL> enc -d -aes-256-cbc -a -in file.txt.enc -engine pkcs11 > engine "pkcs11" set. > enter aes-256-cbc decryption password: > error in enc > OpenSSL> > > > I presume, I'll have to specify which private-key (and PIN), although "-k 41" > or "-k 43" does not work either, neither does "-key id_43" > Am I missing something, or is this just not possible? Yes you are missing something. Because asymmetric key encryption like RSA is slow and the amount of data that can be encrypted is limited, what is usually done is to encrypt the data in a symmetric key, like AES, then encrypt the AES key using the RSA public key. the encrypted data and the encrypted key are then sent, and the process is reversed using the RSA private key. This packaging of the message is usually done with something like smime or CMS Openssl can do both. (CMS in newer versions only) -----Original Message----- Or actually, if you mean that I took the wrong tool from the gigantic openssl-toolbox... When looking at openssl-manpage I see... `openssl smime -sign -in text.plain -text -out text.encr -signer mycert.pem -inkey mykey.pem -certfile mycerts.pemĀ“ So how should I point to the keys and crt on the smartcard? Hw ______________________________________________________________________ Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
