From: Andreas S. <and...@ca...> - 2016-04-18 06:47:52

Hi Cornelius,

yes, that is what I'm saying: no support for public key operations in OpenSC. The reason is that OpenSC is a PKCS#11 interface to access private keys on a hardware device; it is not a fully-fledged crypto library. Typically public key operations don't require the token and are performed using a software crypto library. There are very few applications where public and private key operations are performed on the same system (e.g. local disk encryption).

Andreas

On 04/16/2016 02:22 PM, Cornelius Kölbel wrote:
> Hello Andreas,
>
> thanks for the clarification and the pull request.
>
> OpenSC does not provide public key operations?
> So you are telling me that running C_EncryptInit/C_Encrypt will not work,
> a.k.a. raise a NotImplemented exception?
>
> Kind regards
> Cornelius
>
> On Saturday, 16.04.2016, 13:37 +0200, Andreas Schwier wrote:
>> Dear Cornelius,
>>
>> I can confirm that this is a bug.
>>
>> A patch is available on GitHub [1].
>>
>> The reason why this wasn't spotted before is that the flag does not
>> really have any relevance, as OpenSC does not provide for public key
>> operations anyway. So the only use case for the public key object is to
>> extract the public key value, i.e. to place that in a certificate.
>>
>> Andreas
>>
>> [1] https://github.com/OpenSC/OpenSC/pull/734
>>
>> On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
>>> Hi Andreas,
>>>
>>> I compiled 0.15 and used it the way below. It still looks the same.
>>> (Maybe I didn't use it correctly)
>>>
>>> But it still looks the same. When I list all objects, the public key
>>> (12) does not have the key usage "encrypt".
>>>
>>> Kind regards
>>> Cornelius
>>>
>>> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Key pair generated:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      encrypt, verify, wrap
>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      none
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      none
>>>
>>> On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
>>>> Dear Cornelius,
>>>>
>>>> get a newer version ;-)
>>>>
>>>> 0.13 was the first version to support the SmartCard-HSM and a lot has
>>>> happened since then.
>>>>
>>>> Andreas
>>>>
>>>> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
>>>>> Hi,
>>>>>
>>>>> I am doing some tests with the Nitrokey (SmartCard-HSM) on Ubuntu 14.04.
>>>>> It comes with 0.13.0-3ubuntu4.1.
>>>>>
>>>>> So you may simply tell me to get a newer version ;-)
>>>>>
>>>>> Now, when I generate a key pair everything looks fine.
>>>>> The key usage of the pubkey is marked as _encrypt_.
>>>>>
>>>>> But when I run -l -O the public key has no attributes!
>>>>>
>>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
>>>>> Using slot 1 with a present token (0x1)
>>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>>> Please enter User PIN:
>>>>> Key pair generated:
>>>>> Private Key Object; RSA
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      decrypt, sign, unwrap
>>>>> Public Key Object; RSA 2048 bits
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      encrypt, verify, wrap
>>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
>>>>> Using slot 1 with a present token (0x1)
>>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>>> Please enter User PIN:
>>>>> Private Key Object; RSA
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      decrypt, sign, unwrap
>>>>> Public Key Object; RSA 2048 bits
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      none
>>>>>
>>>>> Also when I look at the object all key usage attribs are set to false:
>>>>>
>>>>> [CKA_ALWAYS_SENSITIVE: True
>>>>>  CKA_CLASS: CKO_PUBLIC_KEY
>>>>>  CKA_DECRYPT: False
>>>>>  CKA_DERIVE: False
>>>>>  CKA_ENCRYPT: False
>>>>>  CKA_EXTRACTABLE: (0L,)
>>>>>  CKA_ID: (17L,)
>>>>>  CKA_KEY_GEN_MECHANISM: -1
>>>>>  CKA_KEY_TYPE: CKK_RSA
>>>>>  CKA_LABEL: Private Key
>>>>>  CKA_LOCAL: True
>>>>>  CKA_MODIFIABLE: False
>>>>>
>>>>> When I try to encrypt with the key handle on key x11 I get
>>>>> CKR_FUNCTION_NOT_SUPPORTED.
>>>>>
>>>>> So it looks like the attributes of the pubkey are not persisted.
>>>>>
>>>>> Am I missing something?
>>>>>
>>>>> Thanks a lot and kind regards
>>>>> Cornelius
>>>>>
>>>>> _______________________________________________
>>>>> Opensc-devel mailing list
>>>>> Ope...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Register court Bad Oeynhausen HRB 14880
                 Managing director Andreas Schwier
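The split Andreas describes above, with the public-key half (encrypt, verify) done in software and only the private-key half (decrypt, sign) on the token, as an added example that is not part of the thread and not OpenSC's own code. It assumes the module path used in the thread (override it with PKCS11_MODULE), a key ID such as 12, and that `pkcs11-tool` and `openssl` are on PATH. The `--decrypt` option is newer than the 0.15 build discussed in the thread, so check `pkcs11-tool --help` on your version. It also assumes what current pkcs11-tool does for `--read-object --type pubkey` on an RSA key, namely writing the key as DER SubjectPublicKeyInfo; if your version writes something else, adjust the conversion step. Because the public half never touches the token, it works regardless of whether CKA_ENCRYPT on the public key object is set or not, which is why the missing usage flag had gone unnoticed.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSC): public-key operations in
# software with OpenSSL, private-key operations on the token via pkcs11-tool.
set -eu

# Assumption: module path as used in the thread; override with PKCS11_MODULE.
MODULE="${PKCS11_MODULE:-/usr/local/lib/opensc-pkcs11.so}"

# Read the public key object off the token and convert it to PEM. pkcs11-tool
# writes an RSA public key as DER SubjectPublicKeyInfo, which is what
# "openssl rsa -pubin -inform DER" reads. Public key objects are normally
# readable without the User PIN; add -l if your token insists on a login.
extract_pubkey() {                   # extract_pubkey KEY_ID OUT_PEM
    pkcs11-tool --module "$MODULE" --read-object --type pubkey --id "$1" -o "$2.der"
    openssl rsa -pubin -inform DER -in "$2.der" -out "$2"
    rm -f "$2.der"
}

# Public-key half: no token involved, only the extracted PEM. RSAES-PKCS1-v1_5
# is pkeyutl's default padding and matches the RSA-PKCS mechanism used below.
encrypt_for_token() {                # encrypt_for_token PUB_PEM PLAINTEXT CIPHERTEXT
    openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3"
}

verify_token_signature() {           # verify_token_signature PUB_PEM MESSAGE SIGNATURE
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2"
}

# Private-key half: this is what the token is for. -l logs in and prompts for
# the User PIN, as in the thread. RSA-PKCS does the raw PKCS#1 v1.5 decrypt;
# SHA256-RSA-PKCS hashes the message and signs the digest, so the result is
# what "openssl dgst -sha256 -verify" expects.
decrypt_on_token() {                 # decrypt_on_token KEY_ID CIPHERTEXT PLAINTEXT
    pkcs11-tool --module "$MODULE" -l --decrypt -m RSA-PKCS --id "$1" -i "$2" -o "$3"
}

sign_on_token() {                    # sign_on_token KEY_ID MESSAGE SIGNATURE
    pkcs11-tool --module "$MODULE" -l --sign -m SHA256-RSA-PKCS --id "$1" -i "$2" -o "$3"
}

# Full round trip against a real token: encrypt and verify in software,
# decrypt and sign on the card. Only runs when a key ID is given on the
# command line, so sourcing this file without a token is harmless.
roundtrip() {                        # roundtrip KEY_ID
    tmp=$(mktemp -d)
    printf 'constructed sample plaintext\n' > "$tmp/msg"   # constructed input
    extract_pubkey "$1" "$tmp/pub.pem"
    encrypt_for_token "$tmp/pub.pem" "$tmp/msg" "$tmp/msg.enc"
    decrypt_on_token "$1" "$tmp/msg.enc" "$tmp/msg.dec"
    cmp "$tmp/msg" "$tmp/msg.dec"     # set -e aborts here if the token decrypt is wrong
    echo "software encrypt -> token decrypt: OK"
    sign_on_token "$1" "$tmp/msg" "$tmp/msg.sig"
    verify_token_signature "$tmp/pub.pem" "$tmp/msg" "$tmp/msg.sig"
    rm -rf "$tmp"
}

if [ -n "${1:-}" ]; then
    roundtrip "$1"
fi
```

Run it as `PKCS11_MODULE=/usr/local/lib/opensc-pkcs11.so sh token-roundtrip.sh 12` with the key ID from the thread. The extracted PEM is only trustworthy on the machine that holds the token; a relying party elsewhere should obtain the public key from a certificate, which is the one use of the public key object Andreas mentions.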