From: carblue <ka6...@on...> - 2020-11-16 12:47:38
Hi all,

I would like to know from OpenSC maintainers/users, whether there is interest in implementing "OpenSC support of symmetric decrypt/encrypt operations done by cards capable to do that".

As Hannu Honkanen pointed out in https://github.com/OpenSC/OpenSC/issues/1796/#issuecomment-536728933 "(Symmetric) keys can be loaded using pkcs15-init and symmetric keys can be used to wrap/unwrap keys but not for just doing encryption. It could be implemented in quite similar way as the wrap/unwrap ...".

With such support available I think of this use case: I could implement/fix #1796 testing 'key unwrap' in pkcs11-tool, that is most meaningful with my ACOS5 card, i.e. test C_UnwrapKey + sym. key arrived on-card and is cryptographically usable: E.g. create some random AES key in memory, encrypt some test message with that key via OpenSSL, wrap the AES key by means of a public RSA key from card, call C_UnwrapKey and - supposed that stores the unwrapped AES key to card and cos is able to sym. decrypt (true for acos5) - decrypt the encrypted test message with the unwrapped AES key by an on-card operation, and finally compare that to original/plain test message.

There would probably also be other code branches depending on how cards handle the unwrapped key (session object / in-memory object? / CKA_TOKEN / CKA_EXTRACTABLE).

Hence, if there is positive feedback, then I will start such an implementation at https://github.com/carblue/OpenSC-1/tree/sym_hw_encrypt and possibly others join in.

I haven't yet looked deeply into that area of OpenSC code, but this question arises: I assume, the existing sc_card_operations:decipher is reserved for asym. key operation, so there is a need for 2 new sc_card_operations:

Proposal: encrypt / decrypt

Any ideas / comments / proposals ?

Cheers,
Carsten Blüggel (carblue)
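The round trip described in the message above (random AES key, host-side encryption of a test message, RSA wrap of the AES key, unwrap, decrypt with the unwrapped key, compare), as an added software-only example that is not part of the original mail, of OpenSC, or of pkcs11-tool. It uses only the Go standard library: a generated RSA key pair stands in for the card's key, RSA-OAEP/SHA-256 is an assumed wrap mechanism (CKM_RSA_PKCS_OAEP in PKCS#11 terms), AES-GCM is an assumed mode for the host/"on-card" symmetric steps, and the test message is constructed. It also covers the negative case a pkcs11-tool test should assert on: a wrapped blob altered in transit must fail the unwrap rather than yield a key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Constructed sample input standing in for the mail's "test message".
var TestMessage = []byte("constructed test message for the unwrap round trip")

// newGCM builds an AES-GCM AEAD for a 16/24/32-byte key. GCM is an assumed
// mode for this software stand-in; a card would typically offer CBC or ECB.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptGCM is the host-side step ("encrypt some test message ... via OpenSSL").
// It returns nonce || ciphertext || tag.
func encryptGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptGCM models the on-card decrypt performed with the unwrapped key.
func decryptGCM(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// wrapKey wraps the AES key under the card's RSA public key with RSA-OAEP/SHA-256
// (assumed mechanism; CKM_RSA_PKCS_OAEP in PKCS#11 terms).
func wrapKey(pub *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
}

// unwrapKey is the software stand-in for C_UnwrapKey: the private key recovers
// the AES key that a card would then keep as an on-card object.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// RoundTrip runs the proposed test end to end and reports whether the message
// decrypted with the unwrapped key equals the original.
func RoundTrip(rsaBits, aesLen int) (bool, error) {
	cardKey, err := rsa.GenerateKey(rand.Reader, rsaBits) // stands in for the card's RSA key pair
	if err != nil {
		return false, err
	}
	aesKey := make([]byte, aesLen) // "some random AES key in memory"
	if _, err := io.ReadFull(rand.Reader, aesKey); err != nil {
		return false, err
	}
	ct, err := encryptGCM(aesKey, TestMessage)
	if err != nil {
		return false, err
	}
	wrapped, err := wrapKey(&cardKey.PublicKey, aesKey)
	if err != nil {
		return false, err
	}
	unwrapped, err := unwrapKey(cardKey, wrapped)
	if err != nil {
		return false, err
	}
	pt, err := decryptGCM(unwrapped, ct)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, TestMessage), nil
}

// TamperedWrapIsRejected covers the failure mode a test should also assert on:
// a wrapped blob modified in transit must fail the unwrap, not yield a key.
func TamperedWrapIsRejected(rsaBits int) (bool, error) {
	cardKey, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return false, err
	}
	wrapped, err := wrapKey(&cardKey.PublicKey, bytes.Repeat([]byte{0x42}, 32))
	if err != nil {
		return false, err
	}
	wrapped[len(wrapped)-1] ^= 0x01 // flip one bit of the wrapped key blob
	_, err = unwrapKey(cardKey, wrapped)
	return err != nil, nil // true means the OAEP check rejected the blob
}

func main() {
	ok, err := RoundTrip(2048, 32)
	fmt.Println("round trip ok:", ok, "err:", err)
	rejected, err := TamperedWrapIsRejected(2048)
	fmt.Println("tampered wrap rejected:", rejected, "err:", err)
}
```

In a real pkcs11-tool test the two stand-ins become token calls: wrapKey corresponds to C_WrapKey (or a host-side RSA encrypt with the card's exported public key), unwrapKey to C_UnwrapKey with a template choosing CKA_TOKEN / CKA_EXTRACTABLE, and decryptGCM to C_DecryptInit/C_Decrypt with the handle C_UnwrapKey returned. The comparison at the end of RoundTrip is the only assertion the test needs on the happy path; the tampered-blob case is what should also be checked so a card that silently accepts a malformed wrapped key is caught.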