OpenSC has a test suite that does very similar things: create a key,
take some content, hash it, sign the hash, verify it.
Or take some content, encrypt/decrypt it, and verify the result is OK.
Check that code; most of it will be very similar to
what you have, except for the smart card specific parts.

http://www.opensc-project.org/opensc/browser/OpenSC/src/tests/regression/init0009

Regards, Andreas

2012/12/4 Markus Wernig <liste...@wernig.net>:
> Hi all
>
> I have a rather basic question on which libraries/APIs to use for
> implementing the following in eg. a C or Java program.
> The basic idea is:
> init:
> - create 256bit key for AES-256
> - create RSA keypair on token (no x.509)
> - encrypt aes-key with pubkey of rsa-pair, delete cleartext version
> loop:
> - when needed, decrypt aes-key with private rsa key, load to memory
> - perform symmetric en-/decryption with key in memory
>
> Mainly the question is: Since the cryptographic functions on the token
> (which could also be a network HSM) appear to be carried out by the
> pkcs#15 driver, do I need the cryptoki API and pkcs#11 at all?
>
> Thanks in advance for any pointer.
>
> Here's the shellcode that should be "translated" into a compiled program:
>
> echo "Generate AES Key"
> secret=`head -c64 /dev/urandom`
> openssl enc -aes-256-cbc -k "$secret" -P -md sha1 > aes.key
> echo "Generate keypair on pkcs#15 storage"
> pkcs15-init -G rsa/4096 -i 45 -a 01 -u sign,decrypt --pin XXX:YYY
> pkcs15-tool --read-public-key 45 -o rsa.pub
> echo "Encrypt AES Key"
> openssl rsautl -pubin -inkey rsa.pub -encrypt -in aes.key -out aes.key.c
> echo "Remove AES Key"
> for i in `seq 0 7`
> do
> size=`stat aes.key | grep Size | awk {'print $2'}`
> head -c $size /dev/urandom > aes.key
> sync
> sync
> sleep 1
> done
> rm aes.key
> sync
> echo "Decrypt AES Key to memory (depending on shell)"
> eval `pkcs15-crypt -c --pkcs1 -i aes.key.c | tr -d " "`
> echo "Encrypt data"
> openssl enc -K $key -iv $iv -S $salt -in data.file -out data.file.crypt -aes256
> echo "Decrypt data"
> openssl enc -d -K $key -iv $iv -in data.file.crypt -out data.file.decrypt -aes256
> echo "Clear memory"
> unset key iv salt
>
> kind regards & thanks
>
> Markus
>
> PS: The above shellcode is based on
> http://www.gooze.eu/howto/smartcard-quickstarter-guide/signing-crypting-and-verifying
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
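The init/loop flow from the quoted script, as an added example that is not part of the original thread: the AES-256 key is piped straight into the RSA encryption, so no cleartext key file has to be overwritten, and the unwrapped key is read as hex instead of being passed through `eval`. Assumptions: a software RSA key (2048-bit, constructed here) stands in for the key pair on the token, and `wrap_roundtrip` and the file names in the work directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. ASSUMPTION: a software RSA key stands in
# for the key pair on the token; with a card, the unwrap step would be the
# quoted script's `pkcs15-crypt -c --pkcs1 -i aes.key.c` instead of pkeyutl.

# wrap_roundtrip WORKDIR (hypothetical helper): returns 0 if the constructed
# sample data survives wrap -> unwrap -> encrypt -> decrypt.
wrap_roundtrip() {
    dir=$1
    # init: stand-in for `pkcs15-init -G` and `pkcs15-tool --read-public-key`
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/rsa.key" 2>/dev/null || return 1
    openssl pkey -in "$dir/rsa.key" -pubout -out "$dir/rsa.pub" || return 1

    # init: 32 random bytes = AES-256 key, wrapped with the public key.
    # The cleartext key only ever exists in the pipe, never as a file.
    # Default RSA padding is PKCS#1 v1.5, matching --pkcs1 in the thread.
    openssl rand 32 |
        openssl pkeyutl -encrypt -pubin -inkey "$dir/rsa.pub" \
            -out "$dir/aes.key.c" || return 1

    # loop: unwrap into a variable as hex; decrypted bytes are never eval'ed.
    key=$(openssl pkeyutl -decrypt -inkey "$dir/rsa.key" \
            -in "$dir/aes.key.c" | od -An -v -tx1 | tr -d ' \n')
    [ "${#key}" -eq 64 ] || return 1      # 32 bytes -> 64 hex digits

    # Fresh IV per file; it is not secret and is stored next to the data.
    iv=$(openssl rand -hex 16)
    printf '%s\n' "$iv" > "$dir/data.file.iv"
    printf 'constructed sample plaintext\n' > "$dir/data.file"

    # As in the quoted script, -K puts the key on the openssl command line,
    # where it is visible in the process list while the command runs.
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" \
        -in "$dir/data.file" -out "$dir/data.file.crypt" || return 1
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" \
        -in "$dir/data.file.crypt" -out "$dir/data.file.decrypt" || return 1
    unset key iv
    cmp -s "$dir/data.file" "$dir/data.file.decrypt"
}

# Stand-alone run in a throwaway directory.
work=$(mktemp -d) && wrap_roundtrip "$work" && echo "round trip ok"
rm -rf "$work"
```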