From: Cornelius K. <cor...@ne...> - 2016-04-16 12:22:55
Hello Andreas,

thanks for the clarification and the pull request.

OpenSC does not provide public key operations?
So you are telling me that running C_EncryptInit/C_Encrypt will not work,
a.k.a. raise a NotImplemented exception?

Kind regards
Cornelius

On Saturday, 16.04.2016, 13:37 +0200, Andreas Schwier wrote:
> Dear Cornelius,
>
> I can confirm that this is a bug.
>
> A patch is available on Github [1].
>
> The reason why this wasn't spotted before is that the flag does not
> really have any relevance, as OpenSC does not provide for public key
> operations anyway. So the only use case for the public key object is to
> extract the public key value, i.e. to place that in a certificate.
>
> Andreas
>
> [1] https://github.com/OpenSC/OpenSC/pull/734
>
> On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
> > Hi Andreas,
> >
> > I compiled 0.15 and used it the below way. It still looks the same.
> > (Maybe I didn't use it correctly)
> >
> > But it still looks the same. When I list all objects, the public key
> > (12) does not have the key-usage "encrypt".
> >
> > Kind regards
> > Cornelius
> >
> > /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l
> > --keypairgen --key-type rsa:2048 --id 12
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Key pair generated:
> > Private Key Object; RSA
> >   label: Private Key
> >   ID: 12
> >   Usage: decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label: Private Key
> >   ID: 12
> >   Usage: encrypt, verify, wrap
> > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security
> > (git)-[pkcs11] % /usr/local/bin/pkcs11-tool
> > --module /usr/local/lib/opensc-pkcs11.so -l -O
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Private Key Object; RSA
> >   label: Private Key
> >   ID: 11
> >   Usage: decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label: Private Key
> >   ID: 11
> >   Usage: none
> > Private Key Object; RSA
> >   label: Private Key
> >   ID: 12
> >   Usage: decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label: Private Key
> >   ID: 12
> >   Usage: none
> >
> > On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
> >> Dear Cornelius,
> >>
> >> get a newer version ;-)
> >>
> >> 0.13 was the first version to support the SmartCard-HSM and a lot has
> >> happened since then.
> >>
> >> Andreas
> >>
> >> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
> >>> Hi,
> >>>
> >>> I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
> >>> It comes with 0.13.0-3ubuntu4.1.
> >>>
> >>> So you may simply tell me to get a newer version ;-)
> >>>
> >>> Now, when I generate a key pair everything looks fine.
> >>> The key usage of the pubkey is marked as _encrypt_.
> >>>
> >>> But when I run -l -O the public key has no attributes!
> >>>
> >>>
> >>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security
> >>> (git)-[pkcs11] % pkcs11-tool
> >>> --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen
> >>> --key-type rsa:2048 --id
> >>> 11
> >>> Using slot 1 with a present token (0x1)
> >>> Logging in to "SmartCard-HSM (UserPIN)".
> >>> Please enter User PIN:
> >>> Key pair generated:
> >>> Private Key Object; RSA
> >>>   label: Private Key
> >>>   ID: 11
> >>>   Usage: decrypt, sign, unwrap
> >>> Public Key Object; RSA 2048 bits
> >>>   label: Private Key
> >>>   ID: 11
> >>>   Usage: encrypt, verify, wrap
> >>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security
> >>> (git)-[pkcs11] % pkcs11-tool
> >>> --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
> >>> Using slot 1 with a present token (0x1)
> >>> Logging in to "SmartCard-HSM (UserPIN)".
> >>> Please enter User PIN:
> >>> Private Key Object; RSA
> >>>   label: Private Key
> >>>   ID: 11
> >>>   Usage: decrypt, sign, unwrap
> >>> Public Key Object; RSA 2048 bits
> >>>   label: Private Key
> >>>   ID: 11
> >>>   Usage: none
> >>>
> >>> Also when I look at the object all key usage attribs are set to false:
> >>>
> >>> [CKA_ALWAYS_SENSITIVE: True
> >>> CKA_CLASS: CKO_PUBLIC_KEY
> >>> CKA_DECRYPT: False
> >>> CKA_DERIVE: False
> >>> CKA_ENCRYPT: False
> >>> CKA_EXTRACTABLE: (0L,)
> >>> CKA_ID: (17L,)
> >>> CKA_KEY_GEN_MECHANISM: -1
> >>> CKA_KEY_TYPE: CKK_RSA
> >>> CKA_LABEL: Private Key
> >>> CKA_LOCAL: True
> >>> CKA_MODIFIABLE: False
> >>>
> >>> When I try to encrypt with the key handle on key x11 I get
> >>> CKR_FUNCTION_NOT_SUPPORTED.
> >>>
> >>> So it looks like the attributes of the pubkey are not persisted.
> >>>
> >>> Am I missing something?
> >>>
> >>> Thanks a lot and kind regards
> >>> Cornelius

--
Cornelius Kölbel
cor...@ne...
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Managing Director: Cornelius Kölbel
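
A read-back check for the symptom reported in this thread, as an added example that is not part of the original e-mails or of OpenSC: it parses `pkcs11-tool` text output and reports usage flags shown at key generation that are missing from the later `-O` listing. The function names, the indentation of the sample text, and the assumption that `ID` precedes `Usage` in each object block are assumptions of this example, based on the output quoted above.

```python
import re

# pkcs11-tool output for key ID 12, copied from the thread (indentation constructed).
GENERATED = """\
Key pair generated:
Private Key Object; RSA
  label: Private Key
  ID: 12
  Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label: Private Key
  ID: 12
  Usage: encrypt, verify, wrap
"""
LISTED = """\
Private Key Object; RSA
  label: Private Key
  ID: 12
  Usage: decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label: Private Key
  ID: 12
  Usage: none
"""

HEADER = re.compile(r"(Private|Public) Key Object; ")

def parse_objects(text):
    """Map (class, ID) -> set of usage flags; assumes ID precedes Usage."""
    objects, cls, key_id = {}, None, None
    for line in text.splitlines():
        header = HEADER.match(line.strip())
        if header:
            cls, key_id = header.group(1).lower(), None
            continue
        name, sep, value = (part.strip() for part in line.partition(":"))
        if cls is None or not sep:
            continue  # banner or prompt lines outside an object block
        if name == "ID":
            key_id = value
        elif name == "Usage" and key_id is not None:
            flags = set() if value == "none" else {f.strip() for f in value.split(",")}
            objects[(cls, key_id)] = flags
    return objects

def lost_usages(generated, listed):
    """Flags shown at generation that are gone when the object is read back."""
    before, after = parse_objects(generated), parse_objects(listed)
    lost = {k: sorted(v - after.get(k, set())) for k, v in before.items()}
    return {k: v for k, v in lost.items() if v}
```

An empty result from `lost_usages` means every usage flag printed at generation is still present in the listing; an object absent from the listing is reported with all of its flags lost.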