Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

[Douglas E. E. <dee...@an...>]

If you are willing to do some development, back in 2011
I had mods to openssl, engine-pkcs11 and libp11 to support
ECDSA signatures. See this last message in the thread:

http://www.mail-archive.com/ope...@li.../msg08848.html

(Felipe Blauth got the mods working)

I have attached the updated mods, but I have not used them in some time.
As noted in the mods there is an outstanding OpenSSL bug.

+#if defined(BUILD_WITH_EC) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
+/* OpenSSL has ECDSA_METHOD  defined in internal header file ecs_locl.h
+ * For now:
+ * CPPFLAGS="-DBUILD_WITH_EC -I/path.to.openssl-1.0.0a/crypto/ecdh"
+ * See OpenSSL bug report #2459 02/23/2011
+ * When this is fixed, the BUILD_WITH_EC test can be removed
+ *
+ * TODO ECDH_METHOD is in ech_locl.h too!
+ */


On 6/13/2013 5:25 AM, Ronny Schütz wrote:
> Hi Andreas,
>
>> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>
> That would be helpful, thanks! What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that: "at least engine_pkcs11 only speaks RSA" (Martin)?
>
> Best regards,
> Ronny
>
> -----Original Message-----
> From: Andreas Schwier [mailto:and...@ca...]
> Sent: Mittwoch, 12. Juni 2013 21:53
> To: ope...@li...
> Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues
>
> Hi Ronny,
>
> On 06/12/2013 06:27 PM, Ronny Schütz wrote:
>> Hi all,
>>
>> thanks a lot for all your replies.
>>
>>> The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ?
>>
>> Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.
>>
>>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.
>>
>> Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.
> The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported
>>
>>> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.
>>
>> Ok, then we most likely need to drop ECC anyway and use RSA instead.
> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>>
>> Best regards,
>> Ronny
>>
>> -----Original Message-----
>> From: Andreas Schwier [mailto:and...@ca...]
>> Sent: Dienstag, 11. Juni 2013 16:25
>> To: ope...@li...
>> Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048
>> keypair creation issues
>>
>> Dear Ronny,
>>
>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).
>>
>> The issue with RSA 2048 keys has been been fixed in [2]. Are you using the official 0.13 release from November ?
>>
>> Kind regards,
>>
>> Andreas
>>
>>
>> [1] https://devnet.cardcontact.de/issues/3
>> [2]
>> https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc
>> 230541072c60afb
>>
>> On 06/11/2013 03:02 PM, Ronny Schütz wrote:
>>> Hi,
>>>
>>> I'm trying to create a ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
>>> Available slots:
>>> Slot 0 (0xffffffffffffffff): Virtual hotplug slot
>>>    (empty)
>>> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
>>>    token label        : SmartCard-HSM (UserPIN)
>>>    token manufacturer : www.CardContact.de
>>>    token model        : PKCS#15 emulated
>>>    token flags        : rng, login required, PIN initialized, token initialized
>>>    hardware version   : 24.13
>>>    firmware version   : 1.1
>>>    serial num         : DECC0100157
>>>
>>> When creating the EC keypair, I get an error concerning the public key:
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570
>>> --keypairgen --key-type EC:secp256r1 --id 60 --label ca Using slot 1
>>> with a present token (0x1) Key pair generated:
>>> Private Key Object; EC
>>>    label:      ca
>>>    ID:         60
>>>    Usage:      decrypt, sign, unwrap
>>> Public Key Object; EC EC_POINT 264 bits
>>>   EC_POINT:
>>> 0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da98
>>> 7
>>> c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
>>> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv =
>>> CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>>>
>>>    label:      ca
>>>    ID:         60
>>>    Usage:      encrypt, verify, wrap
>>>
>>> And the public key isn't listed either
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login
>>> --pin 725570 --list-objects Private Key Object; EC
>>>    label:      ca
>>>    ID:         60
>>>    Usage:      decrypt, sign, unwrap
>>>
>>> Now OpenSSL / req cannot find the private key for whatever reason.
>>>
>>> $ openssl
>>> OpenSSL> version
>>> OpenSSL 1.0.1 14 Mar 2012
>>> OpenSSL> engine -t dynamic -pre
>>> OpenSSL> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11
>>> OpenSSL> -pre
>>> OpenSSL> LIST_ADD:1 -pre LOAD -pre
>>> OpenSSL> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>>> [Success]: VERBOSE
>>> Loaded: (pkcs11) pkcs11 engine
>>> initializing engine
>>>       [ available ]
>>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 1 for key: 60
>>> Found 2 slots
>>> [18446744073709551615] Virtual hotplug slot       no tok
>>> [1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
>>> Found slot:  SCM SCR 355 [CCID Interface] 00 00 Found token:
>>> SmartCard-HSM (UserPIN) Found 0 certificate:
>>> PKCS#11 token PIN:
>>> No keys found.
>>> PKCS11_get_private_key returned NULL
>>> cannot load Private Key from engine
>>> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>>> unable to load Private Key
>>> error in req
>>> OpenSSL>
>>>
>>> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570
>>> --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa Using slot 1
>>> with a present token (0x1) Key pair generated:
>>> Private Key Object; RSA
>>>    label:      ca-rsa
>>>    ID:         70
>>>    Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>    label:      ca-rsa
>>>    ID:         70
>>>    Usage:      encrypt, verify, wrap
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login
>>> --pin 725570 --list-objects Private Key Object; RSA
>>>    label:      ca-rsa
>>>    ID:         70
>>>    Usage:      decrypt, sign, unwrap
>>> $ openssl
>>> OpenSSL> engine -t dynamic -pre
>>> OpenSSL> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11
>>> OpenSSL> -pre
>>> OpenSSL> LIST_ADD:1 -pre LOAD -pre
>>> OpenSSL> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>>> [Success]: VERBOSE
>>> Loaded: (pkcs11) pkcs11 engine
>>> initializing engine
>>>       [ available ]
>>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 1 for key: 70
>>> Found 2 slots
>>> [18446744073709551615] Virtual hotplug slot       no tok
>>> [1] SCM SCR 355 [CCID Interfa  login             (SmartCard-HSM (UserPIN))
>>> Found slot:  SCM SCR 355 [CCID Interface] 00 00 Found token:
>>> SmartCard-HSM (UserPIN) Found 0 certificate:
>>> PKCS#11 token PIN:
>>> Found 1 key:
>>>     1 P  ca-rsa
>>> PKCS11_get_private_key returned NULL
>>> cannot load Private Key from engine
>>> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
>>> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>>> unable to load Private Key
>>> error in req
>>> OpenSSL>
>>>
>>> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>>>
>>> Thanks & Best regards,
>>> Ronny
>>>
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> -
>>> -------- This SF.net email is sponsored by Windows:
>>>
>>> Build for Windows Store.
>>>
>>> http://p.sf.net/sfu/windows-dev2dev
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>
>>
>>
>> ----------------------------------------------------------------------
>> -------- This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>> ----------------------------------------------------------------------
>> -------- This SF.net email is sponsored by Windows:
>>
>> Build for Windows Store.
>>
>> http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
> .
>

-- 

  Douglas E. Engert  <DEE...@an...>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444