On 8/23/2012 5:21 AM, j.witvl...@mindef.nl wrote: > See below... > > -----Original Message----- > From: Douglas E. Engert [mailto:deeng...@anl.gov] > Sent: Wednesday, August 22, 2012 6:27 PM > To: Witvliet, J, CDC/IV/DCOPS/I&S/HIN > Cc: opensc-devel@lists.opensc-project.org > Subject: Re: [opensc-devel] encrypt / decrypt > > [SNIP] > >> -----Original Message----- >> >> No, the aspect of using a symmetric key didn't slip my mind. >> That very well when encrypting large amount of data... >> But when the symmetric key is large (compared to the data), then the >> overhead does not justify the means. (I think) >> And you have to transfer the encrypted key as well as the encrypted data. >> > > How short are these messages? > > Using PKCS#11 CKM_RSA_X_509, the size of the message must be less then the > size of > the modulus and if using some padded version between 11 bytes less and maybe > half > the size of the modulus. > > Using RSA directly of a previously sent message will produce the same > encrypted > output which could be subject examination or re-play. > > Smime and CMS avoid many of these security issues and others. > -----Original Message----- > > > Ok Douglas, > > Regarding sizes, they vary between 32B and 1KB. > > Had a look at openssl smime.. > Encryption seems no problem: > OpenSSL> smime -encrypt -in /root/data.txt -out /root/data.enc hwit-43.pem > > > But (returning to the original subject) how to specify the private key on the > card? > OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre > ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre > MODULE_PATH:/usr/lib/libaetpkss.so.3.0 > (dynamic) Dynamic engine loading support > [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so > [Success]: ID:pkcs11 > [Success]: LIST_ADD:1 > [Success]: LOAD > [Success]: MODULE_PATH:/usr/lib/libaetpkss.so.3.0 > Loaded: (pkcs11) pkcs11 engine > OpenSSL> > > OpenSSL> smime -decrypt -in /root/data.enc -out /root/data.dec -engine > pkcs11 -keyform ENGINE > error in smime > No recipient certificate or key specified > [Understandable...] > > > OpenSSL> smime -decrypt -in /root/data.enc -out /root/data.dec -engine > pkcs11 -keyform ENGINE -inkey 43 > engine "pkcs11" set. > Invalid slot number: 0 > PKCS11_get_private_key returned NULL > cannot load signing key file from engine 2771:error:26096080:engine > routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: > unable to load signing key file > error in smime > > while pkcs11-tool -O ... shows > ... > Private Key Object; RSA > label: Vertrouwelijkheid > ID: 43 > Usage: decrypt, unwrap > ... > > Even though I specified to use the pkcs-engine, it still seems to look for a > file for the key. > Same if I specify: "-inkey id_43"
This sounds like a slot issue, and you may need to try -inkey slot_1-id_43 You may also want to try using the OpenSC pkcs11-spy to print out the PKCS#11 calls, since you are using your own /usr/lib/libaetpkss.so.3.0 and it may be handling the slot differently the opensc-pkccs11.so does. Something like : OPENSC_PATH=/usr/lib MODULE=$OPENSC_PATH/pkcs11-spy.so PKCS11SPY=/usr/lib/libaetpkss.so.3.0 export PKCS11SPY PKCS11SPY_OUTPUT=/tmp/pkcs11.spy.log export PKCS11SPY_OUTPUT openssl << EOT engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE smime -decrypt -in /root/data.enc -out /root/data.dec -engine pkcs11 -keyform ENGINE -inkey slot_1-id_43 EOT > > Hans > > > ______________________________________________________________________ > Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet > de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt > u verzocht dat aan de afzender te melden en het bericht te verwijderen. De > Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die > verband houdt met risico's verbonden aan het elektronisch verzenden van > berichten. > > This message may contain information that is not intended for you. If you are > not the addressee or if this message was sent to you by mistake, you are > requested to inform the sender and delete the message. The State accepts no > liability for damage of any kind resulting from the risks inherent in the > electronic transmission of messages. > > -- Douglas E. Engert <deeng...@anl.gov> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel