Hi Anthony,
I've tried myself to get it working with openssl and engine-pkcs11.
Apparently engine-pkcs11 only implements functions to read certificates
and use keys for signing. There is no support to generate keys via
openssl using the -newkey option.
Because of that, you cannot - within the same session - generate a key
pair and sign the CSR with that private key. If the key already has a
certificate, then it works because opensc extracts the public key object
from the certificate.
There are two options to fix this:
a) Add support for key generation to engine-pkcs11 or
b) Store newly generated public keys in the SmartCard-HSM between sessions
Option a) seems difficult to me, as I don't know the openssl code well
enough. Option b) sacrifices a security principle of the SmartCard-HSM:
No untrusted information path.
Providing the plain public key in an (untrusted) PKCS#11 session is
already a trade-off, but maybe we also need a way to make the
unprotected public key available between sessions.
In the meantime I would suggest to use XCA or the simple CA setup from
the support scripts (demo/x509/issuecert.js).
Andreas
On 11.11.2012 23:50, Anthony Foiani wrote:
> Nikos --
> Thanks for the quick reply!
> On Sun, Nov 11, 2012 at 12:42 PM, Nikos Mavrogiannopoulos
> n.mavrogiannopou...@gmail.com wrote:
>> Your question was on openssl,
> Apologies if it was off-topic; it got to the point where I couldn't
> tell which component was complaining.
> Also, my initial goal is to use the token to authenticate data from an
> embedded instrument; as such, I figured that was more in the opensc
> world than openssl.
> (Eventually I'd like to use the token to provide that instrument with
> a server-side HTTPS certificate as well, which would of course get me
> back to openssl or a similar tool. But that's further down the path.)
>> but just in case someone is interested.
>> If you have any recent version of gnutls you could simply do that by
>> using the PKCS #11 URLs of the objects. That is:
>> certtool --generate-request --outfile req.pem --load-privkey
>> pkcs11:yyy --load-pubkey pkcs11:xxx
>> should generate a request from the objects based on a smart card. The
>> pkcs11: URLs are obtained using the p11tool --list-all --login command.
> Nice -- thank you for the pointer!
> Unfortunately, I don't think this can work with a keypair generated on
> the CC-HSM.
> First, the public key is only available during the same session that
> generates the pair; it disappears after the session disappears. One
> can capture the public key at generation time using the instructions
> provided by CardContact here:
> http://www.opensc-project.org/opensc/wiki/SmartCardHsm#Generatekeypair
> This does work, but it leaves me with a public key in SPKI format, and
> I'm too ignorant to figure out how to turn that into something that
> OpenSSL can work with.
> Second, the private key is not extractable, so certtool won't be
> able to load it from the card. (Unless --load-privkey actually
> means "use this privkey", but it's really just a reference to doing it
> on the token itself.)
> So far as I know, what I would really like the openssl req tool to do is:
> 1. Read the public key from a given file on the regular OS filesystem
> [somehow dealing with the SPKI-whatever format issue];
> 2. Prompt me for the X.509 request parameters;
> 3. Construct the X.509 certificate request;
> 4. Sign that request on the CC-HSM token using the private key on the card;
> 5. Output the signed CSR onto the regular OS filesystem.
> But I have not yet figured out the correct incantation for that.
> Best regards,
> Anthony Foiani
> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
-- 
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
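Step 1 of Anthony's five-step list above is the one that stalls him: the card hands back a public key at generation time in a format he cannot get into OpenSSL. The following is an added example, not code from OpenSC, CardContact or anyone in this thread. It assumes that captured blob is a DER-encoded SubjectPublicKeyInfo (RFC 5280) for an RSA key, which is exactly what OpenSSL's `-pubin` reads once it is PEM-armoured; the sample key bytes are constructed in the block and are not from a real token. Rather than blindly wrapping whatever the card returned in a `BEGIN PUBLIC KEY` header, it walks the DER structure first, so a bare PKCS#1 RSAPublicKey or some card-specific encoding is reported with the offending tag and offset instead of producing a PEM file that OpenSSL then rejects for a less obvious reason.

```python
"""Check that a captured public-key blob is a DER SubjectPublicKeyInfo and PEM-armour it.

Added example for this thread, not OpenSC/CardContact code. It ASSUMES the bytes
captured at key-generation time are a plain DER SubjectPublicKeyInfo for an RSA key;
anything else makes parse_rsa_spki() raise ValueError naming the offending offset.
"""
import base64

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER contents octets.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError(f"truncated DER header at offset {pos}")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError(f"bad DER length encoding at offset {pos - 1}")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError(f"DER length {length} at offset {pos} runs past end of data")
    return tag, buf[pos:end], end


def _expect(tag, want, what):
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02x}), got tag 0x{tag:02x}")


def parse_rsa_spki(der):
    """Parse SubjectPublicKeyInfo{AlgorithmIdentifier, BIT STRING{RSAPublicKey}}.

    Returns (modulus, public_exponent) as ints, or raises ValueError.
    """
    tag, spki, end = _read_tlv(der, 0)
    _expect(tag, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    if end != len(der):
        raise ValueError(f"{len(der) - end} trailing bytes after SubjectPublicKeyInfo")
    tag, alg, pos = _read_tlv(spki, 0)
    _expect(tag, 0x30, "AlgorithmIdentifier SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    _expect(tag, 0x06, "algorithm OID")
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError(f"algorithm OID {oid.hex()} is not rsaEncryption")
    tag, bits, _ = _read_tlv(spki, pos)
    _expect(tag, 0x03, "subjectPublicKey BIT STRING")
    if not bits or bits[0] != 0:  # first octet is the unused-bits count, must be 0
        raise ValueError("subjectPublicKey BIT STRING is not octet-aligned")
    tag, rsa_key, _ = _read_tlv(bits, 1)
    _expect(tag, 0x30, "RSAPublicKey SEQUENCE")
    tag, n, pos = _read_tlv(rsa_key, 0)
    _expect(tag, 0x02, "modulus INTEGER")
    tag, e, _ = _read_tlv(rsa_key, pos)
    _expect(tag, 0x02, "publicExponent INTEGER")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def is_rsa_spki(der):
    """True if der is an RSA SubjectPublicKeyInfo that parse_rsa_spki() accepts."""
    try:
        parse_rsa_spki(der)
        return True
    except ValueError:
        return False


def spki_der_to_pem(der):
    """Wrap a DER SubjectPublicKeyInfo in the PEM armour that `openssl pkey -pubin` reads."""
    parse_rsa_spki(der)  # refuse to armour a blob that is not what the header would claim
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


# --- constructed sample input (not a real key, not from a token) ---------------
def _der(tag, contents):
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    if len(contents) < 0x80:
        return bytes([tag, len(contents)]) + contents
    lb = len(contents).to_bytes((len(contents).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _der_uint(value):
    # One spare octet so a set high bit never reads as a negative INTEGER.
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


SAMPLE_MODULUS = (1 << 2047) | (1 << 1000) | 1  # 2048-bit odd number; constructed
SAMPLE_EXPONENT = 65537
_rsa_public_key = _der(0x30, _der_uint(SAMPLE_MODULUS) + _der_uint(SAMPLE_EXPONENT))
SAMPLE_SPKI_DER = _der(0x30, _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
                       + _der(0x03, b"\x00" + _rsa_public_key))
SAMPLE_PKCS1_DER = _rsa_public_key  # bare RSAPublicKey, as some tools emit instead of an SPKI

if __name__ == "__main__":
    n, e = parse_rsa_spki(SAMPLE_SPKI_DER)
    print(f"RSA SubjectPublicKeyInfo: {n.bit_length()}-bit modulus, e={e}")
    print(spki_der_to_pem(SAMPLE_SPKI_DER), end="")
    print("bare PKCS#1 blob accepted as SPKI?", is_rsa_spki(SAMPLE_PKCS1_DER))
```

If `is_rsa_spki` accepts the blob, the PEM it produces is what `openssl pkey -pubin -in pub.pem -text -noout` will read, and the modulus bit length printed by both should agree. If it rejects the blob, the card's export is not a SubjectPublicKeyInfo and the assumption behind this example does not hold for that token. Either way this only covers step 1 of the list; the CSR signature itself still has to be produced on the card, which is the part Andreas describes as blocked when the public key object is not present in the session.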