From: Andreas S. <and...@ca...> - 2016-04-16 11:37:24

Dear Cornelius,

I can confirm that this is a bug. A patch is available on Github [1].

The reason why this wasn't spotted before is that the flag does not really have any relevance, as OpenSC does not provide for public key operations anyway. So the only use case for the public key object is to extract the public key value, i.e. to place that in a certificate.

Andreas

[1] https://github.com/OpenSC/OpenSC/pull/734

On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
> Hi Andreas,
>
> I compiled 0.15 and used it the way shown below. It still looks the same.
> (Maybe I didn't use it correctly)
>
> But it still looks the same. When I list all objects, the public key
> (12) does not have the key-usage "encrypt".
>
> Kind regards
> Cornelius
>
> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
> Using slot 1 with a present token (0x1)
> Logging in to "SmartCard-HSM (UserPIN)".
> Please enter User PIN:
> Key pair generated:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         12
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         12
>   Usage:      encrypt, verify, wrap
> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
> Using slot 1 with a present token (0x1)
> Logging in to "SmartCard-HSM (UserPIN)".
> Please enter User PIN:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         11
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         11
>   Usage:      none
> Private Key Object; RSA
>   label:      Private Key
>   ID:         12
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         12
>   Usage:      none
>
> On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
>> Dear Cornelius,
>>
>> get a newer version ;-)
>>
>> 0.13 was the first version to support the SmartCard-HSM and a lot has
>> happened since then.
>>
>> Andreas
>>
>> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
>>> Hi,
>>>
>>> I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
>>> It comes with 0.13.0-3ubuntu4.1.
>>>
>>> So you may simply tell me to get a newer version ;-)
>>>
>>> Now, when I generate a key pair everything looks fine.
>>> The key usage of the pubkey is marked as _encrypt_.
>>>
>>> But when I run -l -O the public key has no attributes!
>>>
>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Key pair generated:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      encrypt, verify, wrap
>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      none
>>>
>>> Also when I look at the object all key usage attribs are set to false:
>>>
>>> [CKA_ALWAYS_SENSITIVE: True
>>> CKA_CLASS: CKO_PUBLIC_KEY
>>> CKA_DECRYPT: False
>>> CKA_DERIVE: False
>>> CKA_ENCRYPT: False
>>> CKA_EXTRACTABLE: (0L,)
>>> CKA_ID: (17L,)
>>> CKA_KEY_GEN_MECHANISM: -1
>>> CKA_KEY_TYPE: CKK_RSA
>>> CKA_LABEL: Private Key
>>> CKA_LOCAL: True
>>> CKA_MODIFIABLE: False
>>>
>>> When I try to encrypt with the key handle on key x11 I get
>>> CKR_FUNCTION_NOT_SUPPORTED.
>>>
>>> So it looks like the attributes of the pubkey are not persisted.
>>>
>>> Am I missing something?
>>>
>>> Thanks a lot and kind regards
>>> Cornelius
>>>
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
---------     CardContact Systems GmbH
|.##> <##.|   Schülerweg 38
|#       #|   D-32429 Minden, Germany
|#       #|   Phone +49 571 56149
|'##> <##'|   http://www.cardcontact.de
---------     Commercial register Bad Oeynhausen HRB 14880
              Managing Director Andreas Schwier
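A check for the symptom discussed in this thread, added here as an example and not code from the thread or from OpenSC: it parses a `pkcs11-tool -l -O` listing (a constructed sample modelled on the output quoted above) and reports every key ID whose public key object lacks the usage flags that mirror its private key's usage, which is exactly the "Usage: none" case Cornelius observed. The pairing rule decrypt/encrypt, sign/verify, unwrap/wrap is an assumption taken from the listing, not an OpenSC guarantee.

```python
"""Flag public key objects whose usage flags were not persisted."""
import re

# Constructed sample: ID 11 shows the bug, ID 12 is the expected listing.
SAMPLE_LISTING = """\
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Private Key Object; RSA
  label:      Private Key
  ID:         11
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         11
  Usage:      none
Private Key Object; RSA
  label:      Private Key
  ID:         12
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         12
  Usage:      encrypt, verify, wrap
"""

# Private-key usage -> the public-key usage expected to mirror it (assumed pairing).
MIRROR = {"decrypt": "encrypt", "sign": "verify", "unwrap": "wrap"}
HEADER = re.compile(r"^(Private|Public) Key Object; (\w+)")


def parse_objects(text):
    """Return [{'class': 'Private'|'Public', 'id': str, 'usage': set}, ...]."""
    objects = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            objects.append({"class": m.group(1), "id": None, "usage": set()})
            continue
        if not objects:
            continue  # banner lines before the first object
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "ID":
            objects[-1]["id"] = value
        elif key == "Usage":  # "none" means no usage flag was persisted at all
            objects[-1]["usage"] = set() if value == "none" else {u.strip() for u in value.split(",")}
    return objects


def find_unpersisted_usage(text):
    """Map key ID -> sorted usage flags missing from its public key object."""
    objs = parse_objects(text)
    priv = {o["id"]: o for o in objs if o["class"] == "Private"}
    pub = {o["id"]: o for o in objs if o["class"] == "Public"}
    problems = {}
    for key_id, p in priv.items():
        expected = {MIRROR[u] for u in p["usage"] if u in MIRROR}
        actual = pub.get(key_id, {"usage": set()})["usage"]
        missing = sorted(expected - actual)
        if missing:
            problems[key_id] = missing
    return problems
```

Run it against real output with `find_unpersisted_usage(open("listing.txt").read())`; an empty result means every public key object carries the flags its private key implies.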