From: Douglas E E. <dee...@gm...> - 2016-03-29 12:02:05
The term public key is ambiguous. When there was only RSA it was simple: modulus and exponent. With EC there are the point and the parameters or named curve. Other algorithms have different parameters too. Then, to tell them apart, you need the key type. PKCS#11 presents the key type, and the caller can request the attributes based on the key type.

pkcs11-tool was meant to be a test tool, and until EC was added pkcs11-tool only worked with RSA.

OpenSSL may have evolved over the years; some apps may assume the type, but later apps tend to take an EVP_PKEY, which includes a key type. The SPKI from a certificate is the ASN.1 encoding for an EVP_PKEY.

Have you tried reading the certificate? The rsautl says it can use a certificate in place of a public key.

On 3/29/2016 2:33 AM, Johannes Rath wrote:
> The latest build definitely looks better:
>
> C:\Users\Demo\workspace>opensc-tool -i
> OpenSC 0.16.0rc1 [Microsoft 1800]
> Enabled features:pcsc openssl zlib
>
> C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey.der -dump
> 0:d=0 hl=4 l= 290 cons: SEQUENCE
> 4:d=1 hl=2 l= 13 cons: SEQUENCE
> 6:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
> 17:d=2 hl=2 l= 0 prim: NULL
> 19:d=1 hl=4 l= 271 prim: BIT STRING
> 0000 - 00 30 82 01 0a 02 82 01-01 00 99 c9 eb 66 11 84 .0...........f..
> 0010 - 89 08 a0 22 9d 1d cf 94-44 b8 e3 99 6c f9 7c c7 ..."....D...l.|.
> 0020 - a7 bb 52 d5 1b 3d 57 01-20 9d ec 96 99 7f ab 14 ..R..=W. .......
> 0030 - c0 18 06 07 89 9f d0 fa-5e 75 f1 2a 97 49 5b 44 ........^u.*.I[D
> 0040 - bb 34 96 1e a0 af 11 79-20 2c 82 61 71 c3 cd 98 .4.....y ,.aq...
> 0050 - 75 1e e1 6a dd 3e f2 e9-34 c5 66 cf 10 3d 3d f4 u..j.>..4.f..==.
> 0060 - 60 a6 19 07 46 f6 b4 10-a2 5a 5f d7 40 b9 18 2d `...F....Z_.@..-
> 0070 - 9b 06 c2 18 0d 28 25 6c-ed d7 c9 92 5b d5 3a 36 .....(%l....[.:6
> 0080 - 84 58 8a b6 7c 8c 1c d1-cd a2 7a 7f cf 87 c0 23 .X..|.....z....#
> 0090 - 8c fe 84 39 1f 13 23 86-b6 d1 f7 5a 1e e6 b2 8f ...9..#....Z....
> 00a0 - 70 27 cb 60 f9 be 41 b4-d2 30 18 87 15 19 bd 42 p'.`..A..0.....B
> 00b0 - 28 22 77 8c 2e 0c 2d 7d-91 dc 27 bc 15 5a 4f 1b ("w...-}..'..ZO.
> 00c0 - de 66 96 37 f7 10 4a 94-3c 8a ef e0 fe 33 2e f9 .f.7..J.<....3..
> 00d0 - fe 3e 0a 1b 64 5d dc 54-a4 19 33 38 82 7e cb b4 .>..d].T..38.~..
> 00e0 - af f7 82 65 71 75 d3 b5-1c b2 a3 f1 81 6f 74 3a ...equ.......ot:
> 00f0 - bb 0a 9d 56 d8 ea 4b 3c-e4 02 01 ae cc 95 90 ac ...V..K<........
> 0100 - 60 4d 69 9e ef 79 7c 55-bc 87 02 03 01 00 01 `Mi..y|U.......
>
> -----Original Message-----
> From: Johannes Rath [mailto:joh...@sw...]
> Sent: Tuesday, 29 March 2016 09:08
> To: 'ope...@li...'
> Subject: Re: [Opensc-devel] Key format of pkcs11-tool --read-object --type pubkey
>
> I am using OpenSC 0.15.0, but on Windows ;)
>
> Looks like that version still uses the old format.
>
> C:\Users\Demo\workspace>opensc-tool -i
> OpenSC 0.15.0 [Microsoft 1600]
> Enabled features:pcsc openssl zlib
>
> C:\Users\Demo\workspace>pkcs11-tool --read-object --type pubkey --id 45 -o publickey_45_2.key
> Using slot 1 with a present token (0x1)
>
> C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey_45_2.key -dump
> 0:d=0 hl=4 l= 266 cons: SEQUENCE
> 4:d=1 hl=4 l= 257 prim: INTEGER :989FE2E678F264B80772816B3BCC064B
> 2C441E681DC8AD31ED686772EF7B9606FD1D72D16EFD2325BBB64AC318F518C806B91883339460AC
> 11E842B2D1FFC14058B0DB40EB5E08FB88C14FE9AF1B67464E39D0A050ED14DB6452CDF53AE87B35
> BF09A09BD9F42DACC0ED36DA837240EC6466056AFEA22DC50C9D762F064924ED43826978802EF7A6
> F81D7803CBB0B9C79B018A27B562BBF08E58424199880EC5147FC3E2E87EF6724C42BC6899DBF05F
> 2B3925C6F03D301ED0FB7FDB33A9E47CBD479EE57C462EAF78B5641C8F392273815839D070357F22
> 2AEA20D7AD6B8350A80FC3011B3478E1D4CCBAC1855C3910A9AC8287DACE818D0722488BE38B183F
> 265:d=1 hl=2 l= 3 prim: INTEGER :010001
>
>
> -----Original Message-----
> From: Douglas E Engert [mailto:dee...@gm...]
> Sent: Thursday, 24 March 2016 19:05
> To: ope...@li...
> Subject: Re: [Opensc-devel] Key format of pkcs11-tool --read-object --type pubkey
>
> What version of OpenSC are you using?
>
> 0.13.0 will output an RSA pubkey, i.e. a sequence of modulus and exponent. Not very useful.
>
> openssl asn1parse -i -inform DER -in publickey.key
> 0:d=0 hl=4 l= 266 cons: SEQUENCE
> 4:d=1 hl=4 l= 257 prim: INTEGER :[modulus hex elided]
> 265:d=1 hl=2 l= 3 prim: INTEGER :010001
>
> Later versions, including 0.16.0, will output an SPKI, which OpenSSL can use as a pubkey:
>
> pkcs11-tool --read-object --type pubkey --id 01 -o publickey.der
> openssl asn1parse -i -inform DER -in publickey.der -dump
> 0:d=0 hl=4 l= 290 cons: SEQUENCE
> 4:d=1 hl=2 l= 13 cons: SEQUENCE
> 6:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption
> 17:d=2 hl=2 l= 0 prim: NULL
> 19:d=1 hl=4 l= 271 prim: BIT STRING
> 0000 - 00 30 82 01 0a 02 82 01-01 00 d1 c5 d7 f3 8c 91 .0..............
> 0010 - 34 a4 11 6d 04 0d fe 10-66 af 8b 44 a3 be 66 09 4..m....f..D..f.
> 0020 - c6 86 a2 4f 23 e4 47 90-6e 33 42 1b fe dc 9d b1 ...O#.G.n3B.....
> 0030 - 6c 23 12 30 6e 63 ba 34-8b 57 a8 1d 1c c2 41 fe l#.0nc.4.W....A.
> 0040 - 98 13 c0 a0 2e 34 39 03-d6 03 15 bc 78 82 89 d4 .....49.....x...
> 0050 - 4b fa 2e c1 6b 19 d1 cd-8f b6 73 cd 90 47 1f 83 K...k.....s..G..
> 0060 - 01 cf cc ee 92 e8 a5 11-9e 6f ea 76 f9 e4 bc 9c .........o.v....
> 0070 - 5f 01 20 c6 06 b6 d1 ec-00 3d 46 06 f4 99 89 d4 _. ......=F.....
> 0080 - d9 3d de 6c 6a c6 f0 79-44 92 19 da 90 63 d3 19 .=.lj..yD....c..
> 0090 - e9 3a cb 5d bc b6 ad 9f-d7 80 bf 6c 94 cb cc 0a .:.].......l....
> 00a0 - e5 42 26 3e 17 72 f2 83-c0 a2 a8 bd af e0 a6 65 .B&>.r.........e
> 00b0 - 30 04 ca 4d 5c b3 df 34-9f d8 7f 10 66 6f 13 1b 0..M\..4....fo..
> 00c0 - 3f de 3c 7d 43 3d 7c 42-37 46 95 e9 b9 fb 73 b6 ?.<}C=|B7F....s.
> 00d0 - 55 ca 83 f5 98 38 a1 77-85 04 c1 1b 82 b9 4e bf U....8.w......N.
> 00e0 - 5f 24 7e a3 d9 5f 8e 50-a7 c0 28 c6 95 ed 16 20 _$~.._.P..(....
> 00f0 - 0f 3b 1c 90 c7 3f f2 59-92 45 8f 01 00 22 2b 5f .;...?.Y.E..."+_
> 0100 - 6b 6a 12 d5 26 9a ea 61-dc c1 02 03 01 00 01 kj..&..a.......
>
>
> On 3/24/2016 10:57 AM, Johannes Rath wrote:
>> Hi all,
>>
>> I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:
>>
>> pkcs15-tool --read-public-key keyid -o publickey.pem
>>
>> openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt
>>
>> But when I use pkcs11-tool the exported key is kind of weird. I am using:
>>
>> pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key
>>
>> I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.
>>
>> Any ideas?
>>
>> Thanks in advance
>>
>> Johannes
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
>

--
Douglas E. Engert <DEE...@gm...>
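The two encodings discussed in this thread (the bare PKCS#1 RSAPublicKey that pkcs11-tool 0.13/0.15 write, and the SubjectPublicKeyInfo that 0.16 writes and that OpenSSL's -pubin expects) differ only in an outer wrapper. The following is an added example, not code from the thread or from OpenSC/OpenSSL: a standard-library Python script that tells the two forms apart by their ASN.1 shape, extracts modulus and exponent from either, and wraps the bare form into an SPKI. The 2048-bit modulus in the sample is a constructed placeholder (not a real key), chosen so the DER lengths match the 266/257 and 290/271 values in the asn1parse output above; the file names in the usage line are assumptions.

```python
"""Classify a DER RSA public key as bare PKCS#1 RSAPublicKey or X.509
SubjectPublicKeyInfo (SPKI) and wrap the bare form into an SPKI.
Standard library only; added example, not OpenSC or OpenSSL code."""
import sys

# DER-encoded OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
DER_NULL = b"\x05\x00"

def _read_tlv(buf, pos=0):
    """Parse one DER tag/length/value at buf[pos:]; return (tag, value, end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value

def _der_int(n):
    """DER INTEGER for n >= 0; a leading 0x00 keeps the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)

def classify(der):
    """'rsa-pkcs1' = SEQUENCE { INTEGER n, INTEGER e } (what 0.13/0.15 emit);
    'spki' = SEQUENCE { AlgorithmIdentifier, BIT STRING } (what 0.16 emits)."""
    try:
        tag, outer, _ = _read_tlv(der)
        if tag != 0x30:
            return "unknown"
        t1, _, p = _read_tlv(outer)
        t2, _, _ = _read_tlv(outer, p)
    except (IndexError, ValueError):
        return "unknown"
    if t1 == 0x02 and t2 == 0x02:
        return "rsa-pkcs1"
    if t1 == 0x30 and t2 == 0x03:
        return "spki"
    return "unknown"

def rsa_pkcs1_to_spki(der):
    """Wrap a bare RSAPublicKey in a SubjectPublicKeyInfo.  The bare form carries
    no key type, so the caller must already know it is RSA; we tag rsaEncryption."""
    if classify(der) != "rsa-pkcs1":
        raise ValueError("input is not a bare PKCS#1 RSAPublicKey")
    algorithm = _tlv(0x30, RSA_ENCRYPTION_OID + DER_NULL)
    subject_public_key = _tlv(0x03, b"\x00" + der)  # 0 unused bits, then the key
    return _tlv(0x30, algorithm + subject_public_key)

def modulus_and_exponent(der):
    """Return (n, e) from either encoding."""
    kind = classify(der)
    if kind == "spki":
        _, outer, _ = _read_tlv(der)
        _, _, p = _read_tlv(outer)      # skip AlgorithmIdentifier
        _, bits, _ = _read_tlv(outer, p)
        der = bits[1:]                  # drop the unused-bits octet
    elif kind != "rsa-pkcs1":
        raise ValueError("not an RSA public key in a known encoding")
    _, seq, _ = _read_tlv(der)
    _, n_bytes, p = _read_tlv(seq)
    _, e_bytes, _ = _read_tlv(seq, p)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

# Constructed sample (NOT a real key): 2048-bit modulus with the top bit set and
# exponent 65537, so the lengths match the 266/257/290/271 seen in the thread.
FAKE_MODULUS = (1 << 2047) | 0xC0FFEE
SAMPLE_BARE = _tlv(0x30, _der_int(FAKE_MODULUS) + _der_int(65537))
SAMPLE_SPKI = rsa_pkcs1_to_spki(SAMPLE_BARE)

if __name__ == "__main__":
    # Usage (file names are assumptions): python der_pubkey.py publickey.key publickey.der
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        data = f.read()
    print(src, "is", classify(data))
    if classify(data) == "rsa-pkcs1":
        with open(dst, "wb") as f:
            f.write(rsa_pkcs1_to_spki(data))
        print("wrote SPKI to", dst)
```

The wrapper hard-codes rsaEncryption because, as the reply above says, the bare form carries no key type at all; it is only safe to apply it to output you already know came from an RSA key. OpenSSL itself can do the same conversion without any script: `openssl rsa -RSAPublicKey_in -inform DER -in publickey.key -pubout -out publickey.pem` reads the bare PKCS#1 form and writes the SPKI that `rsautl -pubin` accepts.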