OpenSC has a test suite that does very similar things - create a key, take some content, hash it, sign the hash, verify it. Or take some content, and encrypt/decrypt it, verify the result is ok. Check that code, most of it will be very similar to what you have, except for the smart card specific parts.
http://www.opensc-project.org/opensc/browser/OpenSC/src/tests/regression/init0009

Regards, Andreas

2012/12/4 Markus Wernig <liste...@wernig.net>:
> Hi all
>
> I have a rather basic question on which libraries/APIs to use for
> implementing the following in e.g. a C or Java program.
> The basic idea is:
> init:
> - create 256bit key for AES-256
> - create RSA keypair on token (no x.509)
> - encrypt aes-key with pubkey of rsa-pair, delete cleartext version
> loop:
> - when needed, decrypt aes-key with private rsa key, load to memory
> - perform symmetric en-/decryption with key in memory
>
> Mainly the question is: Since the cryptographic functions on the token
> (which could also be a network HSM) appear to be carried out by the
> pkcs#15 driver, do I need the cryptoki API and pkcs#11 at all?
>
> Thanks in advance for any pointer.
>
> Here's the shellcode that should be "translated" into a compiled program:
>
> echo "Generate AES Key"
> secret=`head -c64 /dev/urandom`
> openssl enc -aes-256-cbc -k "$secret" -P -md sha1 > aes.key
> echo "Generate keypair on pkcs#15 storage"
> pkcs15-init -G rsa/4096 -i 45 -a 01 -u sign,decrypt --pin XXX:YYY
> pkcs15-tool --read-public-key 45 -o rsa.pub
> echo "Encrypt AES Key"
> openssl rsautl -pubin -inkey rsa.pub -encrypt -in aes.key -out aes.key.c
> echo "Remove AES Key"
> for i in `seq 0 7`
> do
> size=`stat aes.key | grep Size | awk {'print $2'}`
> head -c $size /dev/urandom > aes.key
> sync
> sync
> sleep 1
> done
> rm aes.key
> sync
> echo "Decrypt AES Key to memory (depending on shell)"
> eval `pkcs15-crypt -c --pkcs1 -i aes.key.c | tr -d " "`
> echo "Encrypt data"
> openssl enc -K $key -iv $iv -S $salt -in data.file -out data.file.crypt -aes256
> echo "Decrypt data"
> openssl enc -d -K $key -iv $iv -in data.file.crypt -out data.file.decrypt -aes256
> echo "Clear memory"
> unset key iv salt
>
> kind regards & thanks
>
> Markus
>
> PS: The above shellcode is based on
> http://www.gooze.eu/howto/smartcard-quickstarter-guide/signing-crypting-and-verifying
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
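
The init/loop flow from the quoted message, as an added example that is not part of either post and is not OpenSC code: a software RSA key made with openssl stands in for the on-token key pair (an assumption, so it runs without a card), and the function names, the 2048-bit size and the scratch file names are made up for illustration. Unlike the quoted script, the AES key is wrapped straight from the RNG and is never written to disk in the clear.

```shell
# Added example: the quoted init/loop flow, with a software RSA key standing
# in for the token key (assumption) so it runs without a card.
set -eu
WORK=$(mktemp -d)   # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

# init: on a token this is pkcs15-init -G plus pkcs15-tool --read-public-key.
init_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/rsa.key" 2>/dev/null || return 1
    openssl pkey -in "$WORK/rsa.key" -pubout -out "$WORK/rsa.pub" || return 1
    # The 32-byte AES-256 key goes from the RNG into the RSA wrap over a pipe,
    # so no cleartext aes.key file exists that would need overwriting.
    openssl rand 32 |
        openssl pkeyutl -encrypt -pubin -inkey "$WORK/rsa.pub" -out "$WORK/aes.key.c"
}

# loop: on a token this is pkcs15-crypt -c --pkcs1 -i aes.key.c.
# Prints the unwrapped AES key as 64 hex digits.
unwrap_key() {
    openssl pkeyutl -decrypt -inkey "$WORK/rsa.key" -in "$WORK/aes.key.c" |
        od -An -v -tx1 | tr -d ' \n'
}

# encrypt_file IN OUT: fresh random IV per file, kept beside it in OUT.iv.
# -K places the key in argv, readable via ps by local users while openssl runs.
encrypt_file() {
    key=$(unwrap_key); [ "${#key}" -eq 64 ] || return 1
    iv=$(openssl rand -hex 16)
    printf '%s\n' "$iv" > "$2.iv"
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$1" -out "$2" && rc=0 || rc=$?
    unset key iv; return "$rc"
}

decrypt_file() {
    key=$(unwrap_key); [ "${#key}" -eq 64 ] || return 1
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$1.iv")" -in "$1" -out "$2" && rc=0 || rc=$?
    unset key; return "$rc"
}

roundtrip() {
    init_keys &&
    printf 'constructed sample data\n' > "$WORK/data.file" &&
    encrypt_file "$WORK/data.file" "$WORK/data.file.crypt" &&
    decrypt_file "$WORK/data.file.crypt" "$WORK/data.file.decrypt" &&
    cmp -s "$WORK/data.file" "$WORK/data.file.decrypt"
}

roundtrip && echo "round trip OK"
```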