Menu
▾
▴
Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues
|
From: Ronny S. <Ron...@to...> - 2013-06-13 10:25:51
|
Hi Andreas, > I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM. That would be helpful, thanks! What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that: "at least engine_pkcs11 only speaks RSA" (Martin)? Best regards, Ronny -----Original Message----- From: Andreas Schwier [mailto:and...@ca...] Sent: Mittwoch, 12. Juni 2013 21:53 To: ope...@li... Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues Hi Ronny, On 06/12/2013 06:27 PM, Ronny Schütz wrote: > Hi all, > > thanks a lot for all your replies. > >> The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ? > > Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue. > >> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. > > Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either. The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported > >> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA. > > Ok, then we most likely need to drop ECC anyway and use RSA instead. I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM. > > Best regards, > Ronny > > -----Original Message----- > From: Andreas Schwier [mailto:and...@ca...] > Sent: Dienstag, 11. Juni 2013 16:25 > To: ope...@li... > Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 > keypair creation issues > > Dear Ronny, > > issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]). > > The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ? > > Kind regards, > > Andreas > > > [1] https://devnet.cardcontact.de/issues/3 > [2] > https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc > 230541072c60afb > > On 06/11/2013 03:02 PM, Ronny Schütz wrote: >> Hi, >> >> I'm trying to create a ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04. >> >> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots >> Available slots: >> Slot 0 (0xffffffffffffffff): Virtual hotplug slot >> (empty) >> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00 >> token label : SmartCard-HSM (UserPIN) >> token manufacturer : www.CardContact.de >> token model : PKCS#15 emulated >> token flags : rng, login required, PIN initialized, token initialized >> hardware version : 24.13 >> firmware version : 1.1 >> serial num : DECC0100157 >> >> When creating the EC keypair, I get an error concerning the public key: >> >> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 >> --keypairgen --key-type EC:secp256r1 --id 60 --label ca Using slot 1 >> with a present token (0x1) Key pair generated: >> Private Key Object; EC >> label: ca >> ID: 60 >> Usage: decrypt, sign, unwrap >> Public Key Object; EC EC_POINT 264 bits >> EC_POINT: >> 0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da98 >> 7 >> c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c >> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = >> CKR_ATTRIBUTE_TYPE_INVALID (0x12) >> >> label: ca >> ID: 60 >> Usage: encrypt, verify, wrap >> >> And the public key isn't listed either >> >> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login >> --pin 725570 --list-objects Private Key Object; EC >> label: ca >> ID: 60 >> Usage: decrypt, sign, unwrap >> >> Now OpenSSL / req cannot find the private key for whatever reason. >> >> $ openssl >> OpenSSL> version >> OpenSSL 1.0.1 14 Mar 2012 >> OpenSSL> engine -t dynamic -pre >> OpenSSL> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 >> OpenSSL> -pre >> OpenSSL> LIST_ADD:1 -pre LOAD -pre >> OpenSSL> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE >> (dynamic) Dynamic engine loading support >> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so >> [Success]: ID:pkcs11 >> [Success]: LIST_ADD:1 >> [Success]: LOAD >> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so >> [Success]: VERBOSE >> Loaded: (pkcs11) pkcs11 engine >> initializing engine >> [ available ] >> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA" >> initializing engine >> engine "pkcs11" set. >> Looking in slot 1 for key: 60 >> Found 2 slots >> [18446744073709551615] Virtual hotplug slot no tok >> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN)) >> Found slot: SCM SCR 355 [CCID Interface] 00 00 Found token: >> SmartCard-HSM (UserPIN) Found 0 certificate: >> PKCS#11 token PIN: >> No keys found. >> PKCS11_get_private_key returned NULL >> cannot load Private Key from engine >> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: >> unable to load Private Key >> error in req >> OpenSSL> >> >> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well. >> >> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 >> --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa Using slot 1 >> with a present token (0x1) Key pair generated: >> Private Key Object; RSA >> label: ca-rsa >> ID: 70 >> Usage: decrypt, sign, unwrap >> Public Key Object; RSA 2048 bits >> label: ca-rsa >> ID: 70 >> Usage: encrypt, verify, wrap >> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login >> --pin 725570 --list-objects Private Key Object; RSA >> label: ca-rsa >> ID: 70 >> Usage: decrypt, sign, unwrap >> $ openssl >> OpenSSL> engine -t dynamic -pre >> OpenSSL> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 >> OpenSSL> -pre >> OpenSSL> LIST_ADD:1 -pre LOAD -pre >> OpenSSL> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE >> (dynamic) Dynamic engine loading support >> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so >> [Success]: ID:pkcs11 >> [Success]: LIST_ADD:1 >> [Success]: LOAD >> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so >> [Success]: VERBOSE >> Loaded: (pkcs11) pkcs11 engine >> initializing engine >> [ available ] >> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA" >> initializing engine >> engine "pkcs11" set. >> Looking in slot 1 for key: 70 >> Found 2 slots >> [18446744073709551615] Virtual hotplug slot no tok >> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN)) >> Found slot: SCM SCR 355 [CCID Interface] 00 00 Found token: >> SmartCard-HSM (UserPIN) Found 0 certificate: >> PKCS#11 token PIN: >> Found 1 key: >> 1 P ca-rsa >> PKCS11_get_private_key returned NULL >> cannot load Private Key from engine >> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53: >> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: >> unable to load Private Key >> error in req >> OpenSSL> >> >> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token? >> >> Thanks & Best regards, >> Ronny >> >> >> >> >> --------------------------------------------------------------------- >> - >> -------- This SF.net email is sponsored by Windows: >> >> Build for Windows Store. >> >> http://p.sf.net/sfu/windows-dev2dev >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > > > ---------------------------------------------------------------------- > -------- This SF.net email is sponsored by Windows: > > Build for Windows Store. > > http://p.sf.net/sfu/windows-dev2dev > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > ---------------------------------------------------------------------- > -------- This SF.net email is sponsored by Windows: > > Build for Windows Store. > > http://p.sf.net/sfu/windows-dev2dev > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Opensc-devel mailing list Ope...@li... https://lists.sourceforge.net/lists/listinfo/opensc-devel |
