From: Douglas E. E. <dee...@an...> - 2013-05-15 19:36:00
On 5/15/2013 12:11 PM, Charlie Bancroft wrote:
> Is there a better technique for generating the first certificate for either the 9A, 9C, 9D or 9E keys than the one described in the wiki?

Not really. The PIV does not store a public key on the card in its own object. It only stores the public key in a certificate. The OpenSC PIV driver emulates a public key object by reading the certificate and extracting the public key. So this is a chicken and egg dilemma. The response to a keygen is the only time you will get the public key from the card. The CMS is then expected to save this public key and put it into a certificate request.

> The pkcs11 openssl engine does not see the private key that I
> generated using piv-tool until after I set the certificate for the first time.

To get around these problems, when no certificate is found on the card, pkcs15-piv.c will look for the environment variable that points at a file containing the public key. See the code in pkcs15-piv.c line 851 "* If we used the piv-tool to generate a key,"
The variable is of the form PIV_9A_KEY=some file name
The 9A could be 9C, 9D, 9E.
The PIV tool is set up to save the key when it is generated using the -o option.
Also see card-piv.c line 661
/* TODO: -DEE Could add key to cache so could use engine to generate key,
 * and sign req in single operation */

> I had to fall back to manually crafting the cert with bouncycastle.

The piv-tool -o option has the file name ending in the keyID, for example -o cards/$1.9A ($1 is a card number).
In a genreq.sh one could then do:

KEYID=9A
PIV_9A_KEY=cards/$1.$KEYID
export PIV_9A_KEY
openssl << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE
version
req $SSLEAY_CONFIG -engine pkcs11 -keyform engine -sha1 -new -key slot_1-id_$ID -out cards/$1.myreq.$KEYID.pem -text
EOT

So the engine would call PKCS#11, and the code in pkcs15-piv.c would find no certificate, then read the name of the public key file from the env variable PIV_9A_KEY, and present it as a public key object as if it was on the card.

> Once I sent down this generated cert the
> pkcs15-tool was able to see the public key, private key and cert properly. Any time after this point I can use the piv-tool to erase and reset the keys/certs without a problem.
>
> Could this just be a result of the card's implementation of PIV? Or is this something related to OpenSC itself do you think?

The NIST 800-73 specs: no public key object. The pubkey can only be read when the keypair is generated. (Some card vendors may have a way to read the pubkey, but it is not in the NIST 800-73.) The pubkey will reside in the certificate after that.

> Charles Bancroft
> Software Engineer
> Raytheon BBN Technologies

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
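The following is an added example, not code from the mailing-list post or from OpenSC. It reproduces the flow described in the reply offline: a software RSA key stands in for the 9A key pair generated on the card, a PEM public key file stands in for the file that `piv-tool -o cards/<card>.9A` writes (the real file format is an assumption here; the post only says "a file containing the public key"), and `openssl x509 -pubkey` plays the part of the OpenSC driver recovering the public key from the certificate. The `cert_matches_saved_key` check is the one a CMS would want before loading a certificate into a key slot: the certificate must carry exactly the public key that keygen returned. Only the `openssl` command-line tool is required.

```shell
#!/bin/sh
# Added example (not from the OpenSC post). Offline stand-in for the PIV
# keygen -> CSR -> certificate flow. Assumption: the saved public key file
# is a PEM SubjectPublicKeyInfo; the real piv-tool -o format is not stated.
set -e

KEYID="${KEYID:-9A}"

# Stand-in for keygen on the card: the only moment the public key is visible,
# so it is saved to <dir>/<card>.<KEYID> for the engine to use later.
simulate_keygen() {
    dir="$1"; card="$2"
    openssl genrsa -out "$dir/$card.priv.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/$card.priv.pem" -pubout -out "$dir/$card.$KEYID" 2>/dev/null
}

# Stand-in for genreq.sh plus the CA: build a CSR for the card's key and issue
# a short-lived self-signed certificate from it. On a real card the CSR would
# be signed through the pkcs11 engine; here the software private key signs.
issue_cert() {
    dir="$1"; card="$2"
    openssl req -new -key "$dir/$card.priv.pem" -subj "/CN=PIV card $card" \
        -out "$dir/$card.req.pem" 2>/dev/null
    openssl x509 -req -in "$dir/$card.req.pem" -signkey "$dir/$card.priv.pem" \
        -days 1 -out "$dir/$card.cert.pem" 2>/dev/null
}

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key file.
spki_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# What the OpenSC PIV driver does once a certificate is present: there is no
# separate public key object, so the key is extracted from the certificate.
pubkey_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# CMS-side check before writing a certificate to a slot: the certificate's
# public key must equal the key saved at keygen. Exit 0 on match, 1 otherwise.
cert_matches_saved_key() {
    cert="$1"; saved="$2"
    tmp=$(mktemp)
    pubkey_from_cert "$cert" > "$tmp"
    a=$(spki_fingerprint "$tmp"); b=$(spki_fingerprint "$saved")
    rm -f "$tmp"
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed demo: two "cards", a certificate issued for the first one, and
# a check that the certificate is rejected against the second card's key.
demo() {
    d=$(mktemp -d)
    simulate_keygen "$d" 0001
    simulate_keygen "$d" 0002
    issue_cert "$d" 0001
    if cert_matches_saved_key "$d/0001.cert.pem" "$d/0001.$KEYID"; then
        echo "card 0001: certificate matches saved $KEYID key"
    fi
    if ! cert_matches_saved_key "$d/0001.cert.pem" "$d/0002.$KEYID"; then
        echo "card 0002: certificate for another card's key rejected"
    fi
    rm -rf "$d"
}
demo
```

The fingerprint is taken over the DER SubjectPublicKeyInfo rather than by comparing PEM text, so a key saved in one encoding and a certificate produced by a different tool still compare correctly; in the real flow the same check can be run on the certificate returned by the CA before it is written to the card with piv-tool.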