Hi Anthony,

I've tried myself to get it working with openssl and engine-pkcs11.

Apparently engine-pkcs11 only implements functions to read certificates
and use keys for signing. There is no support to generate keys via
openssl using the -newkey option.

Because of that, you cannot - within the same session - generate a key
pair and sign the CSR with that private key. If the key already has a
certificate, then it works because opensc extracts the public key object
from the certificate.

There are two options to fix this:

a) Add support for key generation to engine-pkcs11 or
b) Store newly generated public keys in the SmartCard-HSM between sessions

Option a) seems difficult to me, as I don't know the openssl code well
enough. Option b) sacrifices a security principle of the SmartCard-HSM:
No untrusted information path.

Providing the plain public key in a (untrusted) PKCS#11 session is
already a trade-off, but maybe we also need a way to make the
unprotected public key available between sessions.

In the meantime I would suggest to use XCA or the simple CA setup from
the support scripts (demo/x509/issuecert.js).

Andreas



On 11.11.2012 23:50, Anthony Foiani wrote:
> Nikos --
>
> Thanks for the quick reply!
>
> On Sun, Nov 11, 2012 at 12:42 PM, Nikos Mavrogiannopoulos
> <n.mavrogiannopou...@gmail.com> wrote:
>
>> Your question was on openssl,
> Apologies if it was off-topic; it got to the point where I couldn't
> tell which component was complaining.
>
> Also, my initial goal is to use the token to authenticate data from an
> embedded instrument; as such, I figured that was more in the opensc
> world than openssl.
>
> (Eventually I'd like to use the token to provide that instrument with
> a server-side HTTPS certificate as well, which would of course get me
> back to openssl or similar tool.  But that's further down the path.)
>
>> but just in case someone is interested.
>> If you have any recent version of gnutls you could simply do that by
>> using the PKCS #11 URLs of the objects. That is:
>>
>> certtool --generate-request --outfile req.pem --load-privkey
>> "pkcs11:yyy" --load-pubkey "pkcs11:xxx"
>>
>> should generate a request from the objects based on a smart card. The
>> pkcs11: URLs are obtained using the "p11tool --list-all --login" command.
> Nice -- thank you for the pointer!
>
> Unfortunately, I don't think this can work with a keypair generated on
> the CC-HSM.
>
> First, the public key is only available during the same session that
> generates the pair; it disappears after the session disappears.  One
> can capture the public key at generation time using the instructions
> provided by CardContact here:
>
> http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair
>
> This does work, but it leaves me with a public key in SPKI format, and
> I'm too ignorant to figure out how to turn that into something that
> OpenSSL can work with.
>
> Second, the private key is not extractable, so the certtool won't be
> able to load it from the card.  (Unless "--load-privkey" actually
> means "use this privkey, but it's really just a reference to doing it
> on the token itself.")
>
> So far as I know, what I would really like the openssl "req" tool to do is:
>
> 1. Read the public key from a given file on the regular OS filesystem
> [somehow dealing with the SPKI->whatever format issue];
>
> 2. Prompt me for the X.509 request parameters;
>
> 3. Construct the X.509 certificate request;
>
> 4. Sign that request on the CC-HSM token using the private key on the card;
>
> 5. Output the signed CSR onto the regular OS filesystem.
>
> But I have not yet figured out the correct incantation for that.
>
> Best regards,
> Anthony Foiani
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
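On the SPKI question raised in the quoted message (step 1 of the wish list): the SubjectPublicKeyInfo the card hands back is exactly the structure OpenSSL's `PUBLIC KEY` PEM carries in base64, so nothing beyond the PEM armour is needed to read it with OpenSSL. The following is an added Python example, not code from this thread or from OpenSC/CardContact: it encodes a constructed RSA SubjectPublicKeyInfo, parses it back with the checks a consumer should make, and emits the PEM; the modulus is a made-up constant, not a key from any token.

```python
import base64
import textwrap

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
def der_len(n):  # DER length octets: short form below 0x80, long form otherwise
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_int(v):  # one spare byte so a set top bit is never read as a negative INTEGER
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_rsa_spki(n, e):
    """Encode (n, e) as a DER SubjectPublicKeyInfo (RFC 5280), the layout a token exports."""
    alg_id = tlv(0x30, tlv(0x06, RSA_OID) + b"\x05\x00")     # AlgorithmIdentifier + NULL params
    rsa_pub = tlv(0x30, der_int(n) + der_int(e))             # RSAPublicKey (RFC 3279)
    return tlv(0x30, alg_id + tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING with 0 unused bits

def read_tlv(buf, pos):  # returns (tag, body, position just after this element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets that follow
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_spki(der):
    """Check the SPKI wrapper is a single rsaEncryption key and return (n, e)."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, alg, pos = read_tlv(body, 0)
    if read_tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_pub, _ = read_tlv(bits, 1)
    _, n_bytes, pos = read_tlv(rsa_pub, 0)
    _, e_bytes, _ = read_tlv(rsa_pub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def spki_to_pem(der):
    """OpenSSL's 'PUBLIC KEY' PEM is just the SPKI DER in base64, 64 characters per line."""
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{b64}\n-----END PUBLIC KEY-----\n"

SAMPLE_N, SAMPLE_E = (1 << 1023) | 0x1234567, 65537  # constructed: made-up modulus, NOT a real key
SAMPLE_DER = build_rsa_spki(SAMPLE_N, SAMPLE_E)
```

OpenSSL itself performs the same conversion with `openssl pkey -pubin -inform DER -in pub.der -out pub.pem` (file names assumed).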
