From: Charlie B. <cha...@gm...> - 2013-05-16 14:28:29
Hrmm, I generated the key with the -o option and I am definitely getting properly formed public key responses from the card, but I think I may be setting the wrong env variable. Let me try again with the PIV_9*_KEY variable set. I was using the PIV_9A06_KEY as described in the wiki, and it looks like that information may be incorrect. I will let you know how it works. If it doesn't work as expected, I will follow up with logging information for you as well.

Thanks again for the help

Charles Bancroft
Software Engineer
Raytheon BBN Technologies

On Thu, May 16, 2013 at 10:00 AM, Douglas E. Engert <dee...@an...> wrote:
>
> On 5/15/2013 3:36 PM, Charlie Bancroft wrote:
>> Hi Douglas,
>> I may have mis-stated the question. I have been able to generate the key
>> without a problem. My issue is that when processing the req on an uninitialized
>> card with no previous certs, it seems that the openssl pkcs11 engine cannot
>> locate the private key corresponding to the public key previously generated.
>> The output I see from the openssl command is:
>>
> Did you add the -o option to piv-tool when you generated a keypair?
>
> Did you set and export the PIV_9*_KEY to point at the output file
> created by piv-tool before you ran the command below?
> (* can be A, C, D, E)
>
> The reason I ask is that what you describe would mean you did not set the
> PIV_9*_KEY env variable. See comments in pkcs15-piv.c line 810 and 839.
>
> What would really help is to turn on OpenSC debugging.
> In opensc.conf set:
>   debug = 7;
>   debug_file = /tmp/opensc-debug.log;
>
> NOTE: sensitive data such as PINs will be in the log...
> So only send snippets of the log.
>
> Of interest would be starting with the pkcs15-piv.c:634 "PIV-II adding objects..."
>
> Looking for pkcs15-piv.c:727 "No cert found,i="
>   :815 "PIV-II adding pub keys...",
>   :848 "No cert for this pub key i="
>   :859 "DEE look for env"
>
> and other pkcs15-piv.c log entries after this.
>
>> openssl << EOT
>> engine dynamic -vvvv -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
>> -pre ID:pkcs11 -pre NO_VCHECK:1 \
>> -pre LIST_ADD:1 -pre LOAD \
>> -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
>> version
>> req $SSLEAY_CONFIG -engine pkcs11 -md5 -new \
>> -key slot_1-id_1 -keyform engine -out ./card3.piva.pem -text
>> EOT
>> OpenSSL> (dynamic) Dynamic engine loading support
>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>> [Success]: ID:pkcs11
>> [Success]: NO_VCHECK:1
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:/usr/lib/opensc-pkcs11.so
>> Loaded: (pkcs11) pkcs11 engine
>>      SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
>>           (input flags): STRING
>>      MODULE_PATH: Specifies the path to the pkcs11 module shared library
>>           (input flags): STRING
>>      PIN: Specifies the pin code
>>           (input flags): STRING
>>      VERBOSE: Print additional details
>>           (input flags): NO_INPUT
>>      QUIET: Remove additional details
>>           (input flags): NO_INPUT
>>      LOAD_CERT_CTRL: Get the certificate from card
>>           (input flags): [Internal]
>>      INIT_ARGS: Specifies additional initialization arguments to the pkcs11 module
>>           (input flags): STRING
>> OpenSSL> OpenSSL 1.0.1e 11 Feb 2013
>> OpenSSL> engine "pkcs11" set.
>> No keys found.
>> PKCS11_get_private_key returned NULL
>> cannot load Private Key from engine
>> 139902858352296:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>> unable to load Private Key
>> error in req
>>
>> If I hand craft the cert and load it onto the card, then the pkcs11
>> engine is able to see the keys and cert, and if I generate a new key and
>> run the openssl command again it succeeds.
>>
>> My actual question now is: Is this openssl engine issue something that
>> strikes you as being related to OpenSC, or merely that my card is not
>> exposing the private key properly until after the first initialization?
>>
>> Thanks
>>
>> Charles Bancroft
>> Software Engineer
>> Raytheon BBN Technologies
>>
>> On Wed, May 15, 2013 at 3:35 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>> On 5/15/2013 12:11 PM, Charlie Bancroft wrote:
>> > Is there a better technique for generating the first certificate
>> > for either the 9A, 9C, 9D or 9E keys than the one described in the wiki?
>>
>> Not really.
>>
>> The PIV does not store a public key on the card in its own object.
>> It only stores the public key in a certificate.
>>
>> The OpenSC PIV driver emulates a public key object by reading the certificate
>> and extracting the public key.
>>
>> So this is a chicken and egg dilemma.
>>
>> The response to a keygen is the only time you will get the public key
>> from the card. The CMS is then expected to save this public key and put it into
>> the certificate request.
>>
>> > The pkcs11 openssl engine does not see the private key that I
>> > generated using piv-tool until after I set the certificate for the first time.
>>
>> To get around these problems, when no certificate is found on the card,
>> pkcs15-piv.c will look for the environment variable that points at a file
>> containing the public key. See the code in pkcs15-piv.c line 851
>> "* If we used the piv-tool to generate a key,"
>> The variable is of the form PIV_9A_KEY=some file name
>> The 9A could be 9C, 9D, 9E.
>>
>> The PIV tool is set up to save the key when it is generated using the -o option.
>>
>> Also see card-piv.c line 661
>> /* TODO: -DEE Could add key to cache so could use engine to generate key,
>>  * and sign req in single operation */
>>
>> > I had to fall back to manually crafting the cert with bouncycastle.
>>
>> The piv-tool -o option has the file name ending in the keyID
>> for example -o cards/$1.9A ($1 is a card number)
>>
>> In a genreq.sh one could then do:
>>
>> KEYID=9A
>> PIV_9A_KEY=cards/$1.$KEYID
>> export PIV_9A_KEY
>>
>> openssl << EOT
>> engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$MODULE
>> version
>> req $SSLEAY_CONFIG -engine pkcs11 -keyform engine -sha1 -new -key slot_1-id_$ID -out cards/$1.myreq.$KEYID.pem -text
>>
>> EOT
>>
>> So the engine would call PKCS#11, and the code in pkcs15-piv.c would
>> find no certificate, then read the name of the public key file
>> from the env variable PIV_9A_KEY, and present it as a public key object
>> as if it was on the card.
>>
>> > Once I sent down this generated cert the
>> > pkcs15-tool was able to see the public key, private key and cert
>> > properly. Any time after this point I can use the piv-tool to erase and
>> > reset the keys/certs without a problem.
>> >
>> > Could this just be a result of the card's implementation of PIV?
>> > Or is this something related to OpenSC itself do you think?
>>
>> The NIST 800-73 specs have no public key object. The pubkey can only be read when
>> the keypair is generated. (Some card vendors may have a way to read the pubkey, but it
>> is not in the NIST 800-73.) The pubkey will reside in the certificate after that.
>>
>> >
>> > Charles Bancroft
>> > Software Engineer
>> > Raytheon BBN Technologies
>> >
>> > ------------------------------------------------------------------------------
>> > AlienVault Unified Security Management (USM) platform delivers complete
>> > security visibility with the essential security capabilities. Easily and
>> > efficiently configure, manage, and operate all of your security controls
>> > from a single console and one unified framework. Download a free trial.
>> > http://p.sf.net/sfu/alienvault_d2d
>> > _______________________________________________
>> > Opensc-devel mailing list
>> > Opensc-devel@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>> --
>>
>> Douglas E. Engert <DEE...@an...>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>
> --
>
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444