From: Charlie B. <cha...@gm...> - 2013-05-15 20:36:47
Hi Douglas,

I may have mis-stated the question. I have been able to generate the key without a problem. My issue is that, processing the req on an uninitialized card with no previous certs, it seems that the openssl pkcs11 engine cannot locate the private key corresponding to the public key previously generated. The output I see from the openssl command is:

    openssl << EOT
    engine dynamic -vvvv -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
        -pre ID:pkcs11 -pre NO_VCHECK:1 \
        -pre LIST_ADD:1 -pre LOAD \
        -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
    version
    req $SSLEAY_CONFIG -engine pkcs11 -md5 -new \
        -key slot_1-id_1 -keyform engine -out ./card3.piva.pem -text
    EOT

    OpenSSL> (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: NO_VCHECK:1
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine
         SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
              (input flags): STRING
         MODULE_PATH: Specifies the path to the pkcs11 module shared library
              (input flags): STRING
         PIN: Specifies the pin code
              (input flags): STRING
         VERBOSE: Print additional details
              (input flags): NO_INPUT
         QUIET: Remove additional details
              (input flags): NO_INPUT
         LOAD_CERT_CTRL: Get the certificate from card
              (input flags): [Internal]
         INIT_ARGS: Specifies additional initialization arguments to the pkcs11 module
              (input flags): STRING
    OpenSSL> OpenSSL 1.0.1e 11 Feb 2013
    OpenSSL> engine "pkcs11" set.
    No keys found.
    PKCS11_get_private_key returned NULL
    cannot load Private Key from engine
    139902858352296:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
    unable to load Private Key
    error in req

If I hand craft the cert and load it onto the card, then the pkcs11 engine is able to see the keys and cert, and if I generate a new key and run the openssl command again it succeeds.
My actual question now is: is this openssl engine issue something that strikes you as being related to OpenSC, or merely that my card is not exposing the private key properly until after the first initialization?

Thanks,
Charles Bancroft
Software Engineer
Raytheon BBN Technologies

On Wed, May 15, 2013 at 3:35 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 5/15/2013 12:11 PM, Charlie Bancroft wrote:
> > Is there a better technique for generating the first certificate for
> > either the 9A, 9C, 9D or 9E keys than the one described in the wiki?
>
> Not really.
>
> The PIV does not store a public key on the card in its own object.
> It only stores the public key in a certificate.
>
> The OpenSC PIV driver emulates a public key object by reading the certificate
> and extracting the public key.
>
> So this is a chicken and egg dilemma.
>
> The response to a keygen is the only time you will get the public key
> from the card. The CMS is then expected to save this public key and put it
> into a certificate request.
>
> > The pkcs11 openssl engine does not see the private key that I
> > generated using piv-tool until after I set the certificate for the first time.
>
> To get around these problems, when no certificate is found on the card,
> pkcs15-piv.c will look for the environment variable that points at a file
> containing the public key. See the code in pkcs15-piv.c line 851
> "* If we used the piv-tool to generate a key,"
> The variable is of the form PIV_9A_KEY=some file name
> The 9A could be 9C, 9D, 9E.
>
> The PIV tool is set up to save the key when it is generated using the -o option.
>
> Also see card-piv.c line 661
>     /* TODO: -DEE Could add key to cache so could use engine to generate key,
>      * and sign req in single operation */
>
> > I had to fall back to manually crafting the cert with bouncycastle.
>
> The piv-tool -o option has the file name ending in the keyID,
> for example -o cards/$1.9A ($1 is a card number)
>
> In a genreq.sh one could then do:
>
>     KEYID=9A
>     PIV_9A_KEY=cards/$1.$KEYID
>     export PIV_9A_KEY
>
>     openssl << EOT
>     engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so \
>         -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD \
>         -pre MODULE_PATH:$MODULE
>     version
>     req $SSLEAY_CONFIG -engine pkcs11 -keyform engine -sha1 -new \
>         -key slot_1-id_$ID -out cards/$1.myreq.$KEYID.pem -text
>     EOT
>
> So the engine would call PKCS#11, and the code in pkcs15-piv.c would
> find no certificate, then read the name of the public key file
> from the env variable PIV_9A_KEY, and present it as a public key object
> as if it was on the card.
>
> > Once I sent down this generated cert the
> > pkcs15-tool was able to see the public key, private key and cert
> > properly. Any time after this point I can use the piv-tool to erase and
> > reset the keys/certs without a problem.
> >
> > Could this just be a result of the card's implementation of PIV? Or is
> > this something related to OpenSC itself, do you think?
>
> The NIST 800-73 specs. No public key object. The pubkey can only be read when
> the keypair is generated. (Some card vendors may have a way to read the pubkey,
> but it is not in the NIST 800-73.) The pubkey will reside in the certificate
> after that.
>
> > Charles Bancroft
> > Software Engineer
> > Raytheon BBN Technologies
> >
> > ------------------------------------------------------------------------------
> > AlienVault Unified Security Management (USM) platform delivers complete
> > security visibility with the essential security capabilities. Easily and
> > efficiently configure, manage, and operate all of your security controls
> > from a single console and one unified framework. Download a free trial.
> > http://p.sf.net/sfu/alienvault_d2d
> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> --
>
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
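A script wrapping the PIV_<KEYID>_KEY workaround Douglas describes, as an added example that is not part of this thread or of OpenSC. It refuses to invoke the engine until the public key file written by "piv-tool -o" is actually present, which is the condition behind the "No keys found" output above. The engine and module paths default to the ones in Charlie's command, and the engine key spec (slot_1-id_1 in the thread) is passed in by the caller rather than derived here.

```shell
#!/bin/sh
# Added example: prepare the PIV_<KEYID>_KEY environment that pkcs15-piv.c
# reads when the card holds no certificate yet, then run the CSR request.
# Library paths are assumptions taken from the command in the thread.
ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"
MODULE="${MODULE:-/usr/lib/opensc-pkcs11.so}"

# Name of the variable pkcs15-piv.c looks for, e.g. PIV_9A_KEY for key 9A.
piv_key_var() {
    case "$1" in
        9A|9C|9D|9E) printf 'PIV_%s_KEY\n' "$1" ;;
        *) return 1 ;;
    esac
}

# Export PIV_<KEYID>_KEY=<file>. Fails when the file saved by "piv-tool -o"
# is missing or empty; without it the engine has no public key to present.
piv_export_pubkey() {
    keyid="$1"; file="$2"
    var=$(piv_key_var "$keyid") || { echo "bad key id: $keyid" >&2; return 1; }
    [ -s "$file" ] || { echo "no public key file at $file (run piv-tool -o first)" >&2; return 1; }
    export "$var=$file"
}

# Generate the CSR through the pkcs11 engine.
# $1 = key id (9A/9C/9D/9E), $2 = public key file from piv-tool -o,
# $3 = engine key spec (e.g. slot_1-id_1), $4 = output CSR path.
piv_genreq() {
    piv_export_pubkey "$1" "$2" || return 1
    openssl <<EOT
engine dynamic -pre SO_PATH:$ENGINE_SO -pre ID:pkcs11 -pre NO_VCHECK:1 \
    -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE
req -engine pkcs11 -keyform engine -sha256 -new -key $3 -out $4 -text
EOT
}
```

Source the file and call, for instance, `piv_genreq 9A cards/1.9A slot_1-id_1 cards/1.myreq.9A.pem`; the engine step still needs the card and OpenSC installed, only the checks run without them.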