Re: How to: read a certificate from PIV smart card, encode some text with its public key?
Hi Douglas. I am quite late with the answer, sorry. :)

Douglas E. Engert wrote:
>> Some words to finish this topic:
>>
>> My goal was to encrypt/decrypt some data with the PIV card (i.e., only the
>> card keeper may use the data). It can be done in an easier way:
>>
>> 1. PIV cards can have their Key Management Key destined to provide key
>> establishment during transactions.
>> 2. If this KMK uses ECDH, I can emulate the C(1;1) scheme (NIST
>> SP800-73-3, part 2). That is:
>> 2.1. I create and store in code my own EC public key (OpenSSL allows you to
>> create EC private keys and certificates with public keys included).
>> 2.2. The card is authorized.
>> 2.3. I call its 'General authentication' operation with KMK and this public
>> key.
>
> Are you using any of the OpenSC code to talk to the card, or are you
> using some other code to send the 'General authentication' command to the
> card?
>
> If anyone is interested: https://github.com/dengert/OpenSC
> under the ECDH branch has the code that can be applied to OpenSC-0.12.2
> to support PKCS#11 C_DeriveKey for the PIV card. There is also a
> pkcs11-tool

No, I do not use either OpenSSL (library) or OpenSC when operating with the
PIV card. SCardTransmit() is used to send commands to the card directly. It is
not very intelligent, though.

Best regards,
Max Ushakov

--
View this message in context: http://old.nabble.com/How-to%3A-read-a-certificate-from-PIV-smart-card%2C-encode-some-text-with-its-public-key--tp32941067p33109713.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
Re: How to: read a certificate from PIV smart card, encode some text with its public key?
On 12/13/2011 7:32 AM, Umaxik wrote:
> Many thanks, Douglas! You helped me to sort this problem out after I had
> spent a week or so.

Good to hear.

> Some words to finish this topic:
>
> My goal was to encrypt/decrypt some data with the PIV card (i.e., only the
> card keeper may use the data). It can be done in an easier way:
>
> 1. PIV cards can have their Key Management Key destined to provide key
> establishment during transactions.
> 2. If this KMK uses ECDH, I can emulate the C(1;1) scheme (NIST
> SP800-73-3, part 2). That is:
> 2.1. I create and store in code my own EC public key (OpenSSL allows you to
> create EC private keys and certificates with public keys included).
> 2.2. The card is authorized.
> 2.3. I call its 'General authentication' operation with KMK and this public
> key.

Are you using any of the OpenSC code to talk to the card, or are you
using some other code to send the 'General authentication' command to the
card?

If anyone is interested: https://github.com/dengert/OpenSC
under the ECDH branch has the code that can be applied to OpenSC-0.12.2
to support PKCS#11 C_DeriveKey for the PIV card. There is also a
pkcs11-tool

> 2.4. As a result, I have the secret code. This code is suitable for AES
> encryption.
>
> Therefore, I use OpenSSL in order to create this public key and to operate
> with AES encryption.

And you should only need to save the (ephemeral) public key, and destroy
the private key, and the AES key.

> Best regards,
> Max Ushakov

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: How to: read a certificate from PIV smart card, encode some text with its public key?
Many thanks, Douglas! You helped me to sort this problem out after I had
spent a week or so.

Some words to finish this topic:

My goal was to encrypt/decrypt some data with the PIV card (i.e., only the
card keeper may use the data). It can be done in an easier way:

1. PIV cards can have their Key Management Key destined to provide key
   establishment during transactions.
2. If this KMK uses ECDH, I can emulate the C(1;1) scheme (NIST SP800-73-3,
   part 2). That is:
   2.1. I create and store in code my own EC public key (OpenSSL allows you to
        create EC private keys and certificates with public keys included).
   2.2. The card is authorized.
   2.3. I call its 'General authentication' operation with KMK and this
        public key.
   2.4. As a result, I have the secret code. This code is suitable for AES
        encryption.

Therefore, I use OpenSSL in order to create this public key and to operate
with AES encryption.

Best regards,
Max Ushakov
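The scheme in steps 1 to 2.4 above, together with Douglas's point that only the ephemeral public key needs to be saved, modelled in software as an added example (this is not code from either poster, who worked with SCardTransmit() and the OpenSSL C API): the card's KMK is stood in for by a P-256 key the caller generates, the General Authenticate command becomes a plain ECDH call, AES-GCM is assumed as the AES mode, and SHA-256 over the shared secret is assumed in place of the SP 800-56A KDF that C(1,1) specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Envelope is all the application needs to keep: the ephemeral public key (the value
// later handed to General Authenticate) plus the AES-GCM nonce and ciphertext.
type Envelope struct{ EphemeralPub, Nonce, Ciphertext []byte }

// sharedAEAD performs the ECDH and the KDF step of the scheme. Assumed simplification:
// SHA-256 over the raw shared secret stands in for the SP 800-56A KDF that C(1,1) uses.
func sharedAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub) // fails if pub is not on the same curve
	if err != nil { return nil, err }
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:]) // 32-byte key, so AES-256
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt is the host side: fresh ephemeral key pair, ECDH against the KMK public key
// from the card's certificate, then AES-GCM. The ephemeral private key and the AES key
// are dropped when the function returns; only EphemeralPub is stored with the data.
func Encrypt(kmkPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	aead, err := sharedAEAD(eph, kmkPub)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := aead.Seal(nil, nonce, plaintext, nil)
	return &Envelope{EphemeralPub: eph.PublicKey().Bytes(), Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt plays the card. On real hardware this ECDH is the General Authenticate command
// on the KMK, fed the stored ephemeral public key; the KMK private key never leaves the card.
func Decrypt(kmk *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub) // rejects off-curve points
	if err != nil { return nil, err }
	aead, err := sharedAEAD(kmk, ephPub)
	if err != nil { return nil, err }
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on tampering or wrong key
}
```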
Re: How to: read a certificate from PIV smart card, encode some text with its public key?
On 12/9/2011 4:28 AM, Umaxik wrote:
> Hi all,
>
> I am totally new to this topic and stuck with this simple issue. Please
> provide me with any ideas / recommendations.
>
> The issue:
>
> 0. Windows 7. OpenSC is not available. The text is pretty short (<= 48 symbols).

Yes, it is available, in the experimental minidriver.dll on Windows. See:
  https://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
  https://www.opensc-project.org/opensc/wiki/DownloadRelease
Use the x86 installer. The minidriver, login and Mozilla products are still
32 bit.

Microsoft also has a built-in PIV driver for Windows 7. I have not tried it to
see what it can do with EC keys. But 2008 has EC support, so Windows 7 should
too.

To use the OpenSC minidriver will require some additional registry changes.
Drop me a note if you want to try this. The other OpenSC *-tools and
opensc-pkcs11.dll are in the package too.

> 1. I have a PIV card with its Key Management Key Certificate. At the moment,
> this certificate uses EC keys (other algorithms are allowed by NIST SP 800-73).

OpenSC-0.12.1 supports ECDSA for signatures, and there is code developed to
support ECDH for key derivation, that is in github, but not in the main line
yet.

The OpenSC engine-opensc also supports ECDSA, but is waiting on OpenSSL for
the ECDSA_METHOD definition to be moved to a public header file:
  http://www.mail-archive.com/openssl-users@openssl.org/msg63508.html
  http://www.opensc-project.org/opensc/ticket/295

> 2. I can download the KMK packed with BER-TLV (there is a set of data with
> other parts).
> 3. The certificate itself can be successfully extracted with ASN1_get_object().
> 4. I can create some 'certificate' in openssl:
>
>     BIO* pMemoryBIO = BIO_new_mem_buf((void*)pData, lLength);
>     if(!pMemoryBIO) { return -1; }
>     X509* pCertificate = d2i_X509_bio(pMemoryBIO, NULL);
>     if(!pCertificate) { return -1; }
>
> But... What should I use then? I can understand neither how to use this
> pCertificate for packing the text nor whether I do it totally wrong.
>
> Is it correct that OpenSSL can distinguish algorithms used by certificates
> (RSA, ECDH) by itself, so there is a magic way to encrypt something with any
> valid certificate provided? Does this call of d2i_X509_bio() create a correct
> certificate?
>
> Many thanks,
> Max Ushakov

--
Douglas E. Engert
Argonne National Laboratory
How to: read a certificate from PIV smart card, encode some text with its public key?
Hi all,

I am totally new to this topic and stuck with this simple issue. Please
provide me with any ideas / recommendations.

The issue:

0. Windows 7. OpenSC is not available. The text is pretty short (<= 48 symbols).
1. I have a PIV card with its Key Management Key Certificate. At the moment,
   this certificate uses EC keys (other algorithms are allowed by NIST SP 800-73).
2. I can download the KMK packed with BER-TLV (there is a set of data with
   other parts).
3. The certificate itself can be successfully extracted with ASN1_get_object().
4. I can create some 'certificate' in openssl:

    #include <openssl/bio.h>
    #include <openssl/x509.h>

    /* pData/lLength: the DER-encoded certificate pulled out of the card's BER-TLV object */
    BIO* pMemoryBIO = BIO_new_mem_buf((void*)pData, lLength);
    if(!pMemoryBIO) { return -1; }
    X509* pCertificate = d2i_X509_bio(pMemoryBIO, NULL);
    BIO_free(pMemoryBIO);              /* the BIO is not needed once parsed; free it to avoid a leak */
    if(!pCertificate) { return -1; }

But... What should I use then? I can understand neither how to use this
pCertificate for packing the text nor whether I do it totally wrong.

Is it correct that OpenSSL can distinguish algorithms used by certificates
(RSA, ECDH) by itself, so there is a magic way to encrypt something with any
valid certificate provided? Does this call of d2i_X509_bio() create a correct
certificate?

Many thanks,
Max Ushakov