From: Cornelius K. <cor...@ne...> - 2016-04-18 07:24:55
Hi Andreas,

that is totally true. Usually the public key does not need to reside on my HW device, and it cannot if I think of classical applications like message encryption, where the encrypting party does not have my hardware device - of course.

But it may be a bit different with the smartcard HSM. I want to use the smartcard HSM (or the nitrokey HSM) to do server-side encryption, i.e. I want to encrypt information in the database. The server will encrypt incoming or changing data with the public key and decrypt data read from the database. And as the smartcard is connected, I could easily use the key from the smartcard also to encrypt the data.

Well, now I need to add a dependency on a 2nd external RSA lib. It is ok, I understand the reason. I know I will not change OpenSC here. ;-) But it is a bit disillusioning.

Anyway, thanks a lot for your response, fix and background information.

Kind regards
Cornelius

On Monday, 18.04.2016, 08:47 +0200, Andreas Schwier wrote:
> Hi Cornelius,
>
> yes, that is what I'm saying: No support for public key operations in
> OpenSC. The reason is that OpenSC is a PKCS#11 interface to access
> private keys on a hardware device, it's not a fully-fledged crypto
> library. Typically public key operations don't require the token and are
> performed using a software crypto library. There are very few
> applications where public and private key operations are performed on
> the same system (e.g. local disk encryption).
>
> Andreas
>
> On 04/16/2016 02:22 PM, Cornelius Kölbel wrote:
> > Hello Andreas,
> >
> > thanks for the clarification and the pull request.
> >
> > OpenSC does not provide public key operations?
> > So you are telling me that running C_EncryptInit/C_Encrypt will not work,
> > a.k.a. raise a NotImplemented exception?
> >
> > Kind regards
> > Cornelius
> >
> > On Saturday, 16.04.2016, 13:37 +0200, Andreas Schwier wrote:
> >> Dear Cornelius,
> >>
> >> I can confirm that this is a bug.
> >>
> >> A patch is available on Github [1].
> >>
> >> The reason why this wasn't spotted before is that the flag does not
> >> really have any relevance, as OpenSC does not provide for public key
> >> operations anyway. So the only use case for the public key object is to
> >> extract the public key value, i.e. to place that in a certificate.
> >>
> >> Andreas
> >>
> >> [1] https://github.com/OpenSC/OpenSC/pull/734
> >>
> >> On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
> >>> Hi Andreas,
> >>>
> >>> I compiled 0.15 and used it the below way. It still looks the same.
> >>> (Maybe I didn't use it correctly)
> >>>
> >>> But it still looks the same. When I list all objects, the public key
> >>> (12) does not have the key-usage "encrypt".
> >>>
> >>> Kind regards
> >>> Cornelius
> >>>
> >>> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
> >>> Using slot 1 with a present token (0x1)
> >>> Logging in to "SmartCard-HSM (UserPIN)".
> >>> Please enter User PIN:
> >>> Key pair generated:
> >>> Private Key Object; RSA
> >>>   label:      Private Key
> >>>   ID:         12
> >>>   Usage:      decrypt, sign, unwrap
> >>> Public Key Object; RSA 2048 bits
> >>>   label:      Private Key
> >>>   ID:         12
> >>>   Usage:      encrypt, verify, wrap
> >>>
> >>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
> >>> Using slot 1 with a present token (0x1)
> >>> Logging in to "SmartCard-HSM (UserPIN)".
> >>> Please enter User PIN:
> >>> Private Key Object; RSA
> >>>   label:      Private Key
> >>>   ID:         11
> >>>   Usage:      decrypt, sign, unwrap
> >>> Public Key Object; RSA 2048 bits
> >>>   label:      Private Key
> >>>   ID:         11
> >>>   Usage:      none
> >>> Private Key Object; RSA
> >>>   label:      Private Key
> >>>   ID:         12
> >>>   Usage:      decrypt, sign, unwrap
> >>> Public Key Object; RSA 2048 bits
> >>>   label:      Private Key
> >>>   ID:         12
> >>>   Usage:      none
> >>>
> >>> On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
> >>>> Dear Cornelius,
> >>>>
> >>>> get a newer version ;-)
> >>>>
> >>>> 0.13 was the first version to support the SmartCard-HSM and a lot has
> >>>> happened since then.
> >>>>
> >>>> Andreas
> >>>>
> >>>> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
> >>>>> Hi,
> >>>>>
> >>>>> I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
> >>>>> It comes with 0.13.0-3ubuntu4.1.
> >>>>>
> >>>>> So you may simply tell me to get a newer version ;-)
> >>>>>
> >>>>> Now, when I generate a key pair everything looks fine.
> >>>>> The key usage of the pubkey is marked as _encrypt_.
> >>>>>
> >>>>> But when I run -l -O the public key has no attributes!
> >>>>>
> >>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
> >>>>> Using slot 1 with a present token (0x1)
> >>>>> Logging in to "SmartCard-HSM (UserPIN)".
> >>>>> Please enter User PIN:
> >>>>> Key pair generated:
> >>>>> Private Key Object; RSA
> >>>>>   label:      Private Key
> >>>>>   ID:         11
> >>>>>   Usage:      decrypt, sign, unwrap
> >>>>> Public Key Object; RSA 2048 bits
> >>>>>   label:      Private Key
> >>>>>   ID:         11
> >>>>>   Usage:      encrypt, verify, wrap
> >>>>>
> >>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
> >>>>> Using slot 1 with a present token (0x1)
> >>>>> Logging in to "SmartCard-HSM (UserPIN)".
> >>>>> Please enter User PIN:
> >>>>> Private Key Object; RSA
> >>>>>   label:      Private Key
> >>>>>   ID:         11
> >>>>>   Usage:      decrypt, sign, unwrap
> >>>>> Public Key Object; RSA 2048 bits
> >>>>>   label:      Private Key
> >>>>>   ID:         11
> >>>>>   Usage:      none
> >>>>>
> >>>>> Also when I look at the object all key usage attribs are set to false:
> >>>>>
> >>>>> [CKA_ALWAYS_SENSITIVE: True
> >>>>> CKA_CLASS: CKO_PUBLIC_KEY
> >>>>> CKA_DECRYPT: False
> >>>>> CKA_DERIVE: False
> >>>>> CKA_ENCRYPT: False
> >>>>> CKA_EXTRACTABLE: (0L,)
> >>>>> CKA_ID: (17L,)
> >>>>> CKA_KEY_GEN_MECHANISM: -1
> >>>>> CKA_KEY_TYPE: CKK_RSA
> >>>>> CKA_LABEL: Private Key
> >>>>> CKA_LOCAL: True
> >>>>> CKA_MODIFIABLE: False
> >>>>>
> >>>>> When I try to encrypt with the key handle on key x11 I get
> >>>>> CKR_FUNCTION_NOT_SUPPORTED.
> >>>>>
> >>>>> So it looks like the attributes of the pubkey are not persisted.
> >>>>>
> >>>>> Am I missing something?
> >>>>>
> >>>>> Thanks a lot and kind regards
> >>>>> Cornelius
> >>>>>
> >>>>> _______________________________________________
> >>>>> Opensc-devel mailing list
> >>>>> Ope...@li...
> >>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 
Cornelius Kölbel
cor...@ne...
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
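The split Andreas describes, shown as working code for the server-side database encryption Cornelius has in mind: the public-key side reads CKA_MODULUS and CKA_PUBLIC_EXPONENT from the token's public key object and encrypts entirely in software, and the only private-key operation (unwrapping a per-record key) is the one C_Decrypt call that OpenSC does support. This is an added example, not code from this thread, from OpenSC or from privacyIDEA. It is written in Go rather than the poster's Python stack because Go's standard library has RSA-OAEP and AES-GCM built in and its crypto.Decrypter interface is what a PKCS#11-backed private key exposes to application code. The names PublicKeyFromAttributes, Envelope, Seal, Open and RoundTrip are chosen here; the in-memory rsa.PrivateKey, the sample plaintext and the record label are constructed stand-ins for the SmartCard-HSM and its data.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// PublicKeyFromAttributes rebuilds an RSA public key from the raw CKA_MODULUS and
// CKA_PUBLIC_EXPONENT byte strings (unsigned, big-endian) a PKCS#11 module returns.
// These two attributes are all the server needs for the public-key side in software.
func PublicKeyFromAttributes(modulus, exponent []byte) (*rsa.PublicKey, error) {
	n := new(big.Int).SetBytes(modulus)
	e := new(big.Int).SetBytes(exponent)
	if n.BitLen() < 2048 || !e.IsInt64() || e.Int64() < 3 || e.Bit(0) == 0 {
		return nil, fmt.Errorf("rejecting public key: %d-bit modulus, exponent %v", n.BitLen(), e)
	}
	return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
}

// Envelope is one encrypted database field: a fresh AES-256 record key wrapped with
// RSA-OAEP under the token's public key, plus the AES-GCM nonce and ciphertext.
// RSA cannot carry arbitrary-length data, so only the record key is wrapped.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under pub with no token access at all. aad binds the
// ciphertext to its context (e.g. table/row/column) so a stored value cannot be
// swapped into another record undetected.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// OAEP with SHA-256 and an empty label: the hash/MGF choice has to match a
	// CKM_RSA_PKCS_OAEP parameter set the token's C_Decrypt actually supports.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open recovers the plaintext. The only private-key operation, unwrapping the
// record key, goes through crypto.Decrypter: a PKCS#11-backed key object (C_Decrypt
// on the HSM) and an in-memory *rsa.PrivateKey both satisfy it, so this code does
// not change when the key moves onto the token.
func Open(dec crypto.Decrypter, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := dec.Decrypt(rand.Reader, env.WrappedKey, &rsa.OAEPOptions{Hash: crypto.SHA256})
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
}

// RoundTrip runs the whole flow with a software key standing in for the token
// (constructed for this example): read the public attributes as C_GetAttributeValue
// would return them, seal in software, open through the Decrypter interface.
func RoundTrip(priv *rsa.PrivateKey, plaintext, aad []byte) ([]byte, error) {
	pub, err := PublicKeyFromAttributes(priv.N.Bytes(), big.NewInt(int64(priv.E)).Bytes())
	if err != nil {
		return nil, err
	}
	env, err := Seal(pub, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return Open(priv, env, aad)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the HSM key pair
	if err != nil {
		panic(err)
	}
	got, err := RoundTrip(priv, []byte("otp seed 0123456789abcdef"), []byte("token/42/otpkey"))
	fmt.Printf("%q %v\n", got, err)
}
```

In a deployment the *rsa.PrivateKey passed to Open is replaced by a crypto.Decrypter backed by the PKCS#11 private key object (ID 12 above), and Seal never touches the token, which is exactly the division of labour Andreas describes. Two things to check before committing to the OAEP parameters used in Seal: that the module lists CKM_RSA_PKCS_OAEP with SHA-256 among its mechanisms (pkcs11-tool -M prints them), and that the public key object's attributes really are read once at startup and cached, since every Seal otherwise costs a C_GetAttributeValue round trip to the card.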