Dear Anthony, I have to admit, that I never tried this with openssl engine. I will give it a shot tomorrow.
As for the internally generated CSR: This is actually a CSR using the format defined in TR-03110 Part 3, chapter C.2 [1]. This format can be used directly in PKIs for Extended Access Control, which are commonly used to protect access to biometric data on passports. To use this format for X.509 PKIs, the RA would need to understand the CSR format and extract the public key. In the current version of OpenSC, the CSR is not exposed at the interface, as PKCS#11 does not provide a mechanism to handle device generated certificate signing requests. In a later version we will try to make the CSR available as a session based data object. The suggested way in the meantime is to generate the key pair, extract the public key and generate a CSR externally, signing it with the private key on the device. Andreas [1] https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03110/TR-03110_v2.1_P3pdf.pdf Am 11.11.2012 03:24, schrieb Anthony Foiani: > Greetings. > > I'm working with a CardContact HSM, and would like to generate a > keypair on the token, then get a certificate based on that key. > > I'm using CardContact's branch of OpenSC > (https://github.com/CardContact/OpenSC rev a4c3d4ec2436) and openssl > 1.0.1c; I'm currently experimenting on an up-to-date Fedora 17 x86-64 > box, but am hoping to deploy portions of this toolchain onto an > embedded platform (linux ppc32). > > Just in case, I updated to the latest releases of libp11 (0.2.8) and > engine_pkcs11 (0.1.8). > > I can successfully generate the keypair and extract the public key at > the same time: > > $ d=/usr/local/opensc > $ tool="$d/bin/pkcs11-tool --module $d/lib/opensc-pkcs11.so" > > $ $tool --login --pin 648219 \ > --keypairgen --key-type rsa:2048 --id 10 \ > --read-object --id 10 --type pubkey --output-file pub.spki > Using slot 1 with a present token (0x1) > Key pair generated: > Private Key Object; RSA > label: Private Key > ID: 10 > Usage: decrypt, sign, unwrap > Public Key Object; RSA 2048 bits > label: Private Key > ID: 10 > Usage: encrypt, verify, wrap > > $ ls -al pub.spki > -rw-rw-r--. 1 tony tony 270 Nov 9 22:20 pub.spki > > $ hexdump -C pub.spki > 00000000 30 82 01 0a 02 82 01 01 00 95 42 87 7a 04 82 ab > |0.........B.z...| > 00000010 89 7f b2 07 9f 25 e3 c2 47 e7 0a 53 2e 8c a9 0b > |.....%..G..S....| > ... > 000000f0 71 a7 17 18 f6 69 99 eb 5d d1 cb 18 33 60 29 c0 > |q....i..]...3`).| > 00000100 c5 22 28 5b 31 7d 3e 6d 99 02 03 01 00 01 |."([1}>m......| > > However, I haven't managed to find the right incantation to force > openssl to use the (available) public key, but to sign with the > private key on the token. I think I finally got the engine configured > correctly: > > openssl_conf = openssl_def > > [openssl_def] > engines = engine_section > > [engine_section] > pkcs11 = pkcs11_section > > [pkcs11_section] > engine_id = pkcs11 > dynamic_path = /usr/local/lib/engines/engine_pkcs11.so > MODULE_PATH = /usr/local/lib/opensc-pkcs11.so > init = 0 > > But when I try to do the signing operation, it looks like openssl is > trying to read the private key off the token, instead of asking the > token to sign on the token: > > LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib/engines \ > /usr/local/bin/openssl req -verbose \ > -config ./token.conf -engine pkcs11 \ > -key slot_1-id_10 -keyform engine -out foo.req > Using configuration from ./token.conf > engine "pkcs11" set. > PKCS#11 token PIN: 648219 > > PKCS11_get_private_key returned NULL > cannot load Private Key from engine > 140416681797312:error:80028012:PKCS11 > library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53: > 140416681797312:error:26096080:engine > routines:ENGINE_load_private_key:failed loading private > key:eng_pkey.c:126: > unable to load Private Key > > On the wiki for the HSM > (http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair), > there is a curious phrase: > > The SmartCard-HSM does not permanently store public keys, but > generates the required PKCS#11 public key object from > certificates stored on the device. As newly generated key pairs > don't have a certificate initially, the public key is extracted > from the card generated certificate signing request instead and > made available for the duration of the session. To save the > generated public key in Subject Public Key Information format > as per RF3280 use the following command > > If I'm reading that correctly, then it seems that the HSM is creating > a CSR internally -- but I don't see any way to retrieve that CSR (let > alone specify the typical certificate properties like email address, > DN, CN, etc.) > > There's the "moz-test" flag to the pkcs11-tool, which invokes > test_kpgen_certwrite; this seems very close to what I'm trying to do > -- but it's not exposed very clearly through the options (if at all). > > For the moment, I guess I'll just generate keys, CSRs, and certs in > software, and use the HSM just for storage. I would love to figure > out what I'm doing wrong, though. > > Best regards, > Anthony Foiani -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
