From: Alon Bar-L. <alo...@gm...> - 2013-06-14 12:16:49
On Fri, Jun 14, 2013 at 12:59 PM, Andreas Schwier (ML) <and...@ca...> wrote:
>> The model of RSASecurity "trust us" had failed.
> That's why we allow an organization to issue their own device
> certificates. This way you can decide if you trust a device certificate
> issued by a device issuer (e.g. a card supplier) or only trust your own
> device certificates.

Who is 'we'?

> You could even operate your own root CA if you like to do so.
>
>> Enrollment can be done only once, and a public key can be assigned to
>> a single user. Hacked the device and succeeded in importing an external
>> private key, then it is his fault that people can log in on his behalf. But
>> importing a private key should be forbidden by the device. So I do not
>> see any problem.
>>
>>> The proposed mechanism only ensures that the key is unique and contained
>>> in a secure device from which there is no escape. And this assertion is
>>> quite important if you want to bind the identity to a device.
>>>
>>> I agree that there are some parallels with UEFI, but isn't PKI primarily
>>> about trusting at least someone along the chain?
>>>
>>> To get your RootCA certificate integrated into the browser list, you can
>>> either ask the browser vendors to trust your CA or you put the
>>> certificate in there on your own.
>>>
>>> Same for the attestation key of the device. You either rely on someone
>>> else who verified the trustworthiness of the device manufacturer or you
>>> verify it yourself.
>>>
>>> Andreas
>>>
>>> Btw. I don't read that the private key is exposed to anyone.
>>
>> If it is done outside my reach it can be at some government request to
>> be exposed.
>>
>>> Am 14.06.2013 11:10, schrieb Alon Bar-Lev:
>>>> Hi,
>>>>
>>>> Sorry, I totally disagree...
>>>>
>>>> A manufacturer should manufacture a secure platform that can be used for
>>>> various implementations. It should be accountable for the operation
>>>> of the device. The trust within the manufacturer is limited to
>>>> providing a device with no backdoors.
>>>>
>>>> The content, and in this case the private key, should not be exposed
>>>> to anyone, including the manufacturer, if I am to trust the device.
>>>>
>>>> Establishing a manufacturer trust chain will be the same as UEFI, bad
>>>> for everyone but whoever holds the key for the CA.
>>>>
>>>> Had you said that I can somehow generate a public key after I bought
>>>> the device and enroll it to some 3rd party to have it trusted, I would
>>>> have agreed. But enforcing trust is not something that should be
>>>> acceptable.
>>>>
>>>> Regards,
>>>> Alon
>>>>
>>>> On Fri, Jun 14, 2013 at 12:03 PM, Andreas Schwier (ML)
>>>> <and...@ca...> wrote:
>>>>> As the scheme is based on a piece of hardware it makes sense to trust
>>>>> the manufacturer to provide a genuine device.
>>>>>
>>>>> This way you know the key remains safe on the client side and is not
>>>>> some software based / man-in-the-middle generated key pair.
>>>>>
>>>>> It's quite the same as what Anders does with the webpki attestation key and
>>>>> what we do with the device authentication key in the SmartCard-HSM.
>>>>>
>>>>> The key question is how this network of trusted suppliers will be
>>>>> built. Who will certify suppliers? Who operates a root CA that
>>>>> certifies suppliers? Will there be a security evaluation of the devices
>>>>> (like CC)?
>>>>>
>>>>> Andreas
>>>>>
>>>>> Am 14.06.2013 10:54, schrieb Alon Bar-Lev:
>>>>>> Yes, at first read I thought there is nothing new, we can do this with
>>>>>> existing smartcards...
>>>>>>
>>>>>> But then read:
>>>>>> """
>>>>>> Initial Signup: Site sends Javascript call to browser asking for
>>>>>> public key for user. Browser finds activated U2F, asks it for public
>>>>>> key to remember for user. U2F returns signed public key (signature is
>>>>>> by U2F vendor). Site (optionally) verifies public key signature to
>>>>>> ensure it's an accepted vendor and saves public key + attached blob
>>>>>> (encrypted private key).
>>>>>> """
>>>>>>
>>>>>> So it is a matter of trust, same as PKI... only that you are forced to
>>>>>> trust the manufacturer... which is totally wrong.
>>>>>>
>>>>>> Initially I thought that each registration will create its own key
>>>>>> pair... which could have been nice if the device has enough memory.
>>>>>> Even a single key pair is OK if you would like to share it between
>>>>>> services.
>>>>>>
>>>>>> Regards,
>>>>>> Alon
>>>>>>
>>>>>> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
>>>>>> <hel...@gm...> wrote:
>>>>>>> I love the big brother.
>>>>>>>
>>>>>>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>>>>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>>>>>
>>>>>>>> I think it is actually good that I finally have a competitor!
>>>>>>>>
>>>>>>>> Smart Card middleware will be a thing of the past. Hooray!
>>>>>>>>
>>>>>>>> Anders
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Opensc-devel mailing list
>>>>>>>> Ope...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>
>>>>> --
>>>>>  ---------    CardContact Software & System Consulting
>>>>> |.##> <##.|   Andreas Schwier
>>>>> |#       #|   Schülerweg 38
>>>>> |#       #|   32429 Minden, Germany
>>>>> |'##> <##'|   Phone +49 571 56149
>>>>>  ---------    http://www.cardcontact.de
>>>>>               http://www.tscons.de
>>>>>               http://www.openscdp.org
From: Andreas S. (ML) <and...@ca...> - 2013-06-14 09:59:43
> The model of RSASecurity "trust us" had failed.

That's why we allow an organization to issue their own device
certificates. This way you can decide if you trust a device certificate
issued by a device issuer (e.g. a card supplier) or only trust your own
device certificates.

You could even operate your own root CA if you like to do so.

> Enrollment can be done only once, and a public key can be assigned to
> a single user. Hacked the device and succeeded in importing an external
> private key, then it is his fault that people can log in on his behalf. But
> importing a private key should be forbidden by the device. So I do not
> see any problem.
>
>> The proposed mechanism only ensures that the key is unique and contained
>> in a secure device from which there is no escape. And this assertion is
>> quite important if you want to bind the identity to a device.
>>
>> I agree that there are some parallels with UEFI, but isn't PKI primarily
>> about trusting at least someone along the chain?
>>
>> To get your RootCA certificate integrated into the browser list, you can
>> either ask the browser vendors to trust your CA or you put the
>> certificate in there on your own.
>>
>> Same for the attestation key of the device. You either rely on someone
>> else who verified the trustworthiness of the device manufacturer or you
>> verify it yourself.
>>
>> Andreas
>>
>> Btw. I don't read that the private key is exposed to anyone.
>
> If it is done outside my reach it can be at some government request to
> be exposed.
>
>> Am 14.06.2013 11:10, schrieb Alon Bar-Lev:
>>> Hi,
>>>
>>> Sorry, I totally disagree...
>>>
>>> A manufacturer should manufacture a secure platform that can be used for
>>> various implementations. It should be accountable for the operation
>>> of the device. The trust within the manufacturer is limited to
>>> providing a device with no backdoors.
>>>
>>> The content, and in this case the private key, should not be exposed
>>> to anyone, including the manufacturer, if I am to trust the device.
>>>
>>> Establishing a manufacturer trust chain will be the same as UEFI, bad
>>> for everyone but whoever holds the key for the CA.
>>>
>>> Had you said that I can somehow generate a public key after I bought
>>> the device and enroll it to some 3rd party to have it trusted, I would
>>> have agreed. But enforcing trust is not something that should be
>>> acceptable.
>>>
>>> Regards,
>>> Alon
>>>
>>> On Fri, Jun 14, 2013 at 12:03 PM, Andreas Schwier (ML)
>>> <and...@ca...> wrote:
>>>> As the scheme is based on a piece of hardware it makes sense to trust
>>>> the manufacturer to provide a genuine device.
>>>>
>>>> This way you know the key remains safe on the client side and is not
>>>> some software based / man-in-the-middle generated key pair.
>>>>
>>>> It's quite the same as what Anders does with the webpki attestation key and
>>>> what we do with the device authentication key in the SmartCard-HSM.
>>>>
>>>> The key question is how this network of trusted suppliers will be
>>>> built. Who will certify suppliers? Who operates a root CA that
>>>> certifies suppliers? Will there be a security evaluation of the devices
>>>> (like CC)?
>>>>
>>>> Andreas
>>>>
>>>> Am 14.06.2013 10:54, schrieb Alon Bar-Lev:
>>>>> Yes, at first read I thought there is nothing new, we can do this with
>>>>> existing smartcards...
>>>>>
>>>>> But then read:
>>>>> """
>>>>> Initial Signup: Site sends Javascript call to browser asking for
>>>>> public key for user. Browser finds activated U2F, asks it for public
>>>>> key to remember for user. U2F returns signed public key (signature is
>>>>> by U2F vendor). Site (optionally) verifies public key signature to
>>>>> ensure it's an accepted vendor and saves public key + attached blob
>>>>> (encrypted private key).
>>>>> """
>>>>>
>>>>> So it is a matter of trust, same as PKI... only that you are forced to
>>>>> trust the manufacturer... which is totally wrong.
>>>>>
>>>>> Initially I thought that each registration will create its own key
>>>>> pair... which could have been nice if the device has enough memory.
>>>>> Even a single key pair is OK if you would like to share it between
>>>>> services.
>>>>>
>>>>> Regards,
>>>>> Alon
>>>>>
>>>>> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
>>>>> <hel...@gm...> wrote:
>>>>>> I love the big brother.
>>>>>>
>>>>>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>>>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>>>>
>>>>>>> I think it is actually good that I finally have a competitor!
>>>>>>>
>>>>>>> Smart Card middleware will be a thing of the past. Hooray!
>>>>>>>
>>>>>>> Anders

--
 ---------    CardContact Software & System Consulting
|.##> <##.|   Andreas Schwier
|#       #|   Schülerweg 38
|#       #|   32429 Minden, Germany
|'##> <##'|   Phone +49 571 56149
 ---------    http://www.cardcontact.de
              http://www.tscons.de
              http://www.openscdp.org
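The signup step quoted from the gnubby page, with the trust decision Andreas describes (accept a card supplier's device certificates, or only your own) made explicit as a relying-party policy. This is an added Go example, not code from the thread or from any U2F/gnubby implementation; Ed25519 stands in for whatever signature scheme the device actually uses, and `NewIssuer`, the issuer labels and all keys are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Attestation is what the token returns at "Initial Signup": a fresh
// per-registration public key plus a signature over it by the issuer's
// attestation key. Issuer is the label the site uses to pick that key.
type Attestation struct {
	Issuer        string
	UserPublicKey ed25519.PublicKey
	Signature     []byte
}

// Device models a U2F-style token; the attestation private key is the
// only thing tying it to its issuer. Per-user private keys never leave it.
type Device struct {
	Issuer  string
	attestK ed25519.PrivateKey
}

// NewIssuer (hypothetical helper) creates an issuer attestation key pair
// and a device holding the private half; the public half is what the
// relying party puts in its trust store.
func NewIssuer(name string) (ed25519.PublicKey, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return pub, &Device{Issuer: name, attestK: priv}, nil
}

// Register is the device side of signup: generate a key pair for this
// registration and sign its public key with the attestation key.
func (d *Device) Register() (Attestation, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{d.Issuer, pub, ed25519.Sign(d.attestK, pub)}, nil
}

// TrustPolicy is the relying party's own decision: which issuers'
// attestation keys it accepts. An organization issuing its own device
// certificates lists only its key; one that also trusts a card supplier
// adds the supplier's key.
type TrustPolicy map[string]ed25519.PublicKey

var ErrUntrustedIssuer = errors.New("attestation issuer not in trust policy")
var ErrBadAttestation = errors.New("attestation signature does not verify")

// Enroll is the site-side check from the quoted design: verify the issuer
// signature over the public key, then hand back the key to store for
// later logins. The private key is never seen here.
func Enroll(p TrustPolicy, a Attestation) (ed25519.PublicKey, error) {
	root, ok := p[a.Issuer]
	if !ok || len(root) != ed25519.PublicKeySize {
		return nil, ErrUntrustedIssuer
	}
	if len(a.UserPublicKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(root, a.UserPublicKey, a.Signature) {
		return nil, ErrBadAttestation
	}
	return a.UserPublicKey, nil
}

// Scenario runs both policies against a supplier-issued device, an
// organization-issued device, and a supplier attestation relabelled as
// the organization's. Keys and issuer names are constructed for the example.
func Scenario() (map[string]error, error) {
	supplierPub, supplierDev, err1 := NewIssuer("card-supplier")
	orgPub, orgDev, err2 := NewIssuer("our-org")
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("issuer setup: %v / %v", err1, err2)
	}
	fromSupplier, err1 := supplierDev.Register()
	fromOrg, err2 := orgDev.Register()
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("registration: %v / %v", err1, err2)
	}
	relabelled := fromSupplier // same key and signature, issuer label swapped
	relabelled.Issuer = "our-org"

	acceptBoth := TrustPolicy{"card-supplier": supplierPub, "our-org": orgPub}
	orgOnly := TrustPolicy{"our-org": orgPub}
	res := map[string]error{}
	_, res["supplier device / accept-both"] = Enroll(acceptBoth, fromSupplier)
	_, res["supplier device / org-only"] = Enroll(orgOnly, fromSupplier)
	_, res["org device / org-only"] = Enroll(orgOnly, fromOrg)
	_, res["relabelled supplier key / org-only"] = Enroll(orgOnly, relabelled)
	return res, nil
}

func main() {
	res, err := Scenario()
	fmt.Println(res, err)
}
```

Under the org-only policy the supplier's device is refused before any signature is checked, and a supplier-signed key that merely claims the organization as issuer fails the signature check instead of the lookup.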
From: Anders R. <and...@te...> - 2013-06-14 09:48:30
On 2013-06-14 11:36, Alon Bar-Lev wrote:
> On Fri, Jun 14, 2013 at 12:31 PM, Andreas Schwier (ML)
> <and...@ca...> wrote:
>> O.K. so how do you as a private person register your key with a 3rd
>> party? And why should that third party trust your keys to be unique
>> (and not spread across the Facebook community)?
>
> I am more concerned about how it is used/trusted internally in organizations.
>
> The model of RSASecurity "trust us" had failed.
>
> Enrollment can be done only once, and a public key can be assigned to
> a single user. Hacked the device and succeeded in importing an external
> private key, then it is his fault that people can log in on his behalf.

Hacking the device probably requires physical access to it. I doubt that
is what concerns the majority today; they are more concerned about
Internet-scale attacks. I.e. the traditional scope for smart cards is not
as hot as it once was, although physical protection is of course still a
part of the plot.

> But importing a private key should be forbidden by the device. So I do not
> see any problem.

If you succeed in stealing someone's private key you only need a P12 to login :-)

Anders

>
>> The proposed mechanism only ensures that the key is unique and contained
>> in a secure device from which there is no escape. And this assertion is
>> quite important if you want to bind the identity to a device.
>>
>> I agree that there are some parallels with UEFI, but isn't PKI primarily
>> about trusting at least someone along the chain?
>>
>> To get your RootCA certificate integrated into the browser list, you can
>> either ask the browser vendors to trust your CA or you put the
>> certificate in there on your own.
>>
>> Same for the attestation key of the device. You either rely on someone
>> else who verified the trustworthiness of the device manufacturer or you
>> verify it yourself.
>>
>> Andreas
>>
>> Btw. I don't read that the private key is exposed to anyone.
>
> If it is done outside my reach it can be at some government request to
> be exposed.
>
>> Am 14.06.2013 11:10, schrieb Alon Bar-Lev:
>>> Hi,
>>>
>>> Sorry, I totally disagree...
>>>
>>> A manufacturer should manufacture a secure platform that can be used for
>>> various implementations. It should be accountable for the operation
>>> of the device. The trust within the manufacturer is limited to
>>> providing a device with no backdoors.
>>>
>>> The content, and in this case the private key, should not be exposed
>>> to anyone, including the manufacturer, if I am to trust the device.
>>>
>>> Establishing a manufacturer trust chain will be the same as UEFI, bad
>>> for everyone but whoever holds the key for the CA.
>>>
>>> Had you said that I can somehow generate a public key after I bought
>>> the device and enroll it to some 3rd party to have it trusted, I would
>>> have agreed. But enforcing trust is not something that should be
>>> acceptable.
>>>
>>> Regards,
>>> Alon
>>>
>>> On Fri, Jun 14, 2013 at 12:03 PM, Andreas Schwier (ML)
>>> <and...@ca...> wrote:
>>>> As the scheme is based on a piece of hardware it makes sense to trust
>>>> the manufacturer to provide a genuine device.
>>>>
>>>> This way you know the key remains safe on the client side and is not
>>>> some software based / man-in-the-middle generated key pair.
>>>>
>>>> It's quite the same as what Anders does with the webpki attestation key and
>>>> what we do with the device authentication key in the SmartCard-HSM.
>>>>
>>>> The key question is how this network of trusted suppliers will be
>>>> built. Who will certify suppliers? Who operates a root CA that
>>>> certifies suppliers? Will there be a security evaluation of the devices
>>>> (like CC)?
>>>>
>>>> Andreas
>>>>
>>>> Am 14.06.2013 10:54, schrieb Alon Bar-Lev:
>>>>> Yes, at first read I thought there is nothing new, we can do this with
>>>>> existing smartcards...
>>>>>
>>>>> But then read:
>>>>> """
>>>>> Initial Signup: Site sends Javascript call to browser asking for
>>>>> public key for user. Browser finds activated U2F, asks it for public
>>>>> key to remember for user. U2F returns signed public key (signature is
>>>>> by U2F vendor). Site (optionally) verifies public key signature to
>>>>> ensure it's an accepted vendor and saves public key + attached blob
>>>>> (encrypted private key).
>>>>> """
>>>>>
>>>>> So it is a matter of trust, same as PKI... only that you are forced to
>>>>> trust the manufacturer... which is totally wrong.
>>>>>
>>>>> Initially I thought that each registration will create its own key
>>>>> pair... which could have been nice if the device has enough memory.
>>>>> Even a single key pair is OK if you would like to share it between
>>>>> services.
>>>>>
>>>>> Regards,
>>>>> Alon
>>>>>
>>>>> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
>>>>> <hel...@gm...> wrote:
>>>>>> I love the big brother.
>>>>>>
>>>>>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>>>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>>>>
>>>>>>> I think it is actually good that I finally have a competitor!
>>>>>>>
>>>>>>> Smart Card middleware will be a thing of the past. Hooray!
>>>>>>>
>>>>>>> Anders
From: Alon Bar-L. <alo...@gm...> - 2013-06-14 09:37:02
On Fri, Jun 14, 2013 at 12:31 PM, Andreas Schwier (ML) <and...@ca...> wrote:
> O.K. so how do you as a private person register your key with a 3rd
> party? And why should that third party trust your keys to be unique
> (and not spread across the Facebook community)?

I am more concerned about how it is used/trusted internally in organizations.

The model of RSASecurity "trust us" had failed.

Enrollment can be done only once, and a public key can be assigned to
a single user. Hacked the device and succeeded in importing an external
private key, then it is his fault that people can log in on his behalf. But
importing a private key should be forbidden by the device. So I do not
see any problem.

> The proposed mechanism only ensures that the key is unique and contained
> in a secure device from which there is no escape. And this assertion is
> quite important if you want to bind the identity to a device.
>
> I agree that there are some parallels with UEFI, but isn't PKI primarily
> about trusting at least someone along the chain?
>
> To get your RootCA certificate integrated into the browser list, you can
> either ask the browser vendors to trust your CA or you put the
> certificate in there on your own.
>
> Same for the attestation key of the device. You either rely on someone
> else who verified the trustworthiness of the device manufacturer or you
> verify it yourself.
>
> Andreas
>
> Btw. I don't read that the private key is exposed to anyone.

If it is done outside my reach it can be at some government request to
be exposed.

> Am 14.06.2013 11:10, schrieb Alon Bar-Lev:
>> Hi,
>>
>> Sorry, I totally disagree...
>>
>> A manufacturer should manufacture a secure platform that can be used for
>> various implementations. It should be accountable for the operation
>> of the device. The trust within the manufacturer is limited to
>> providing a device with no backdoors.
>>
>> The content, and in this case the private key, should not be exposed
>> to anyone, including the manufacturer, if I am to trust the device.
>>
>> Establishing a manufacturer trust chain will be the same as UEFI, bad
>> for everyone but whoever holds the key for the CA.
>>
>> Had you said that I can somehow generate a public key after I bought
>> the device and enroll it to some 3rd party to have it trusted, I would
>> have agreed. But enforcing trust is not something that should be
>> acceptable.
>>
>> Regards,
>> Alon
>>
>> On Fri, Jun 14, 2013 at 12:03 PM, Andreas Schwier (ML)
>> <and...@ca...> wrote:
>>> As the scheme is based on a piece of hardware it makes sense to trust
>>> the manufacturer to provide a genuine device.
>>>
>>> This way you know the key remains safe on the client side and is not
>>> some software based / man-in-the-middle generated key pair.
>>>
>>> It's quite the same as what Anders does with the webpki attestation key and
>>> what we do with the device authentication key in the SmartCard-HSM.
>>>
>>> The key question is how this network of trusted suppliers will be
>>> built. Who will certify suppliers? Who operates a root CA that
>>> certifies suppliers? Will there be a security evaluation of the devices
>>> (like CC)?
>>>
>>> Andreas
>>>
>>> Am 14.06.2013 10:54, schrieb Alon Bar-Lev:
>>>> Yes, at first read I thought there is nothing new, we can do this with
>>>> existing smartcards...
>>>>
>>>> But then read:
>>>> """
>>>> Initial Signup: Site sends Javascript call to browser asking for
>>>> public key for user. Browser finds activated U2F, asks it for public
>>>> key to remember for user. U2F returns signed public key (signature is
>>>> by U2F vendor). Site (optionally) verifies public key signature to
>>>> ensure it's an accepted vendor and saves public key + attached blob
>>>> (encrypted private key).
>>>> """
>>>>
>>>> So it is a matter of trust, same as PKI... only that you are forced to
>>>> trust the manufacturer... which is totally wrong.
>>>>
>>>> Initially I thought that each registration will create its own key
>>>> pair... which could have been nice if the device has enough memory.
>>>> Even a single key pair is OK if you would like to share it between
>>>> services.
>>>>
>>>> Regards,
>>>> Alon
>>>>
>>>> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
>>>> <hel...@gm...> wrote:
>>>>> I love the big brother.
>>>>>
>>>>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>>>
>>>>>> I think it is actually good that I finally have a competitor!
>>>>>>
>>>>>> Smart Card middleware will be a thing of the past. Hooray!
>>>>>>
>>>>>> Anders
From: Andreas S. (ML) <and...@ca...> - 2013-06-14 09:31:44
O.K. so how do you as a private person register your key with a 3rd party? And why should that third party trust your keys to be unique (and not spread across the Facebook community)?

The proposed mechanism only ensures that the key is unique and contained in a secure device from which there is no escape. And this assertion is quite important if you want to bind the identity to a device.

I agree that there are some parallels with UEFI, but isn't PKI primarily about trusting at least someone along the chain?

To get your RootCA certificate integrated into the browser list, you can either ask the browser vendors to trust your CA or you put the certificate in there on your own.

Same for the attestation key of the device. You either rely on someone else who verified the trustworthiness of the device manufacturer or you verify it yourself.

Andreas

Btw. I don't read that the private key is exposed to anyone.

On 14.06.2013 11:10, Alon Bar-Lev wrote:
> Hi,
>
> Sorry, I totally disagree...
>
> Manufacturer should manufacture secure platform that can be used for
> various implementations. It should be accountable for the operation
> of the device. The trust within the manufacturer is limited to
> providing a device with no backdoors.
>
> The content, and in this case the private key, should not be exposed
> to anyone, including the manufacturer if I am to trust the device.
>
> Establishing manufacturer trust chain will be the same as UEFI, bad
> for everyone but whoever holds the key for the CA.
>
> Had you said that I can somehow generate a public key after I bought
> the device and enroll it to some 3rd party to have it trusted, I would
> have agreed. But enforcing trust is not something that should be
> acceptable.
>
> Regards,
> Alon
>
> On Fri, Jun 14, 2013 at 12:03 PM, Andreas Schwier (ML)
> <and...@ca...> wrote:
>> As the scheme is based on a piece of hardware it makes sense to trust
>> the manufacturer to provide a genuine device.
>>
>> This way you know the key remains safe on the client side and is not
>> some software based / man-in-the-middle generated key pair.
>>
>> It's quite the same what Anders does with the webpki attestation key and
>> what we do with the device authentication key in the SmartCard-HSM.
>>
>> The key question is how this network of trusted suppliers will be
>> built. Who will certify suppliers? Who operates a root CA that
>> certifies suppliers? Will there be a security evaluation of the devices
>> (like CC)?
>>
>> Andreas
>>
>> On 14.06.2013 10:54, Alon Bar-Lev wrote:
>>> Yes, at first read I thought there is nothing new, we can do this with
>>> existing smartcards...
>>>
>>> But then read:
>>> """
>>> Initial Signup: Site sends Javascript call to browser asking for
>>> public key for user. Browser finds activated U2F, asks it for public
>>> key to remember for user. U2F returns signed public key (signature is
>>> by U2F vendor). Site (optionally) verifies public key signature to
>>> ensure its an accepted vendor and saves public key + attached blob
>>> (encrypted private key).
>>> """
>>>
>>> So it is a matter of trust, same as PKI... only that you are forced to
>>> trust the manufacturer... which is totally wrong.
>>>
>>> Initially I thought that each registration will create its own key
>>> pair... which could have been nice if the device has enough memory.
>>> Even single key pair is OK if you would like to share it between
>>> services.
>>>
>>> Regards,
>>> Alon
>>>
>>> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
>>> <hel...@gm...> wrote:
>>>> I love the big brother.
>>>>
>>>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>>
>>>>> I think it is actually good that I finally have a competitor!
>>>>>
>>>>> Smart Card middleware will be a thing of the past. Hooray!
>>>>>
>>>>> Anders

--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
From: Anders R. <and...@te...> - 2013-06-14 09:18:42
On 2013-06-14 11:03, Andreas Schwier (ML) wrote:
> As the scheme is based on a piece of hardware it makes sense to trust
> the manufacturer to provide a genuine device.
>
> This way you know the key remains safe on the client side and is not
> some software based / man-in-the-middle generated key pair.
>
> It's quite the same what Anders does with the webpki attestation key and
> what we do with the device authentication key in the SmartCard-HSM.
>
> The key question is how this network of trusted suppliers will be
> built. Who will certify suppliers? Who operates a root CA that
> certifies suppliers? Will there be a security evaluation of the devices
> (like CC)?

Totally agree.

There is one thing that made me puzzled though and that is that Google claims:

"Note that the attestation certificate does not uniquely identify the U2F device"

To do that you either have the same key in a bunch of devices, which is a genuinely bad idea, or you use a state-of-the-art solution like DAA (Direct Anonymous Attestation). The Google document doesn't go into details here.

Personally I think you should offer both a fully unique ID and a DAA-like thing. I haven't had the time, knowledge, and motivation to dig into the latter and there are many competing schemes and tons of IPR as well.

Anders

>
> Andreas
>
> On 14.06.2013 10:54, Alon Bar-Lev wrote:
>> Yes, at first read I thought there is nothing new, we can do this with
>> existing smartcards...
>>
>> But then read:
>> """
>> Initial Signup: Site sends Javascript call to browser asking for
>> public key for user. Browser finds activated U2F, asks it for public
>> key to remember for user. U2F returns signed public key (signature is
>> by U2F vendor). Site (optionally) verifies public key signature to
>> ensure its an accepted vendor and saves public key + attached blob
>> (encrypted private key).
>> """
>>
>> So it is a matter of trust, same as PKI... only that you are forced to
>> trust the manufacturer... which is totally wrong.
>>
>> Initially I thought that each registration will create its own key
>> pair... which could have been nice if the device has enough memory.
>> Even single key pair is OK if you would like to share it between
>> services.
>>
>> Regards,
>> Alon
>>
>> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
>> <hel...@gm...> wrote:
>>> I love the big brother.
>>>
>>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>
>>>> I think it is actually good that I finally have a competitor!
>>>>
>>>> Smart Card middleware will be a thing of the past. Hooray!
>>>>
>>>> Anders
From: Andreas S. (ML) <and...@ca...> - 2013-06-14 09:14:17
No, the point is that the big players have no interest in the products you are looking for. They make their money with banks, telecoms and governments. They couldn't care less about interoperability and usability. And it's only very few big players and they are not interested in innovation unless it broadens their patent portfolio or allows an even better customer lock-in.

But you can do it yourself: Write your own JavaCard Applet and put a product on the market. Time will tell if customers like it.

Andreas

On 14.06.2013 10:58, Anders Rundgren wrote:
> On 2013-06-14 10:41, helpcrypto helpcrypto wrote:
>> I love the big brother.
> Big brother rules because all the little brothers never got
> their act together but rather use their "power" to fight
> other little brothers.
>
> The smart card community is a prime example of a failed
> brotherhood (priesthood?) driven by suspicion, religious
> beliefs in specific solutions, and a general lack of
> interest in solving things that matter for the majority
> like price, availability and utility.
>
> Anders
>
>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>
>> https://sites.google.com/site/oauthgoog/gnubby
>>
>> I think it is actually good that I finally have a competitor!
>>
>> Smart Card middleware will be a thing of the past. Hooray!
>>
>> Anders

--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
From: Alon Bar-L. <alo...@gm...> - 2013-06-14 09:10:55
Hi,

Sorry, I totally disagree...

Manufacturer should manufacture secure platform that can be used for various implementations. It should be accountable for the operation of the device. The trust within the manufacturer is limited to providing a device with no backdoors.

The content, and in this case the private key, should not be exposed to anyone, including the manufacturer if I am to trust the device.

Establishing manufacturer trust chain will be the same as UEFI, bad for everyone but whoever holds the key for the CA.

Had you said that I can somehow generate a public key after I bought the device and enroll it to some 3rd party to have it trusted, I would have agreed. But enforcing trust is not something that should be acceptable.

Regards,
Alon

On Fri, Jun 14, 2013 at 12:03 PM, Andreas Schwier (ML) <and...@ca...> wrote:
> As the scheme is based on a piece of hardware it makes sense to trust
> the manufacturer to provide a genuine device.
>
> This way you know the key remains safe on the client side and is not
> some software based / man-in-the-middle generated key pair.
>
> It's quite the same what Anders does with the webpki attestation key and
> what we do with the device authentication key in the SmartCard-HSM.
>
> The key question is how this network of trusted suppliers will be
> built. Who will certify suppliers? Who operates a root CA that
> certifies suppliers? Will there be a security evaluation of the devices
> (like CC)?
>
> Andreas
>
> On 14.06.2013 10:54, Alon Bar-Lev wrote:
>> Yes, at first read I thought there is nothing new, we can do this with
>> existing smartcards...
>>
>> But then read:
>> """
>> Initial Signup: Site sends Javascript call to browser asking for
>> public key for user. Browser finds activated U2F, asks it for public
>> key to remember for user. U2F returns signed public key (signature is
>> by U2F vendor). Site (optionally) verifies public key signature to
>> ensure its an accepted vendor and saves public key + attached blob
>> (encrypted private key).
>> """
>>
>> So it is a matter of trust, same as PKI... only that you are forced to
>> trust the manufacturer... which is totally wrong.
>>
>> Initially I thought that each registration will create its own key
>> pair... which could have been nice if the device has enough memory.
>> Even single key pair is OK if you would like to share it between
>> services.
>>
>> Regards,
>> Alon
>>
>> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
>> <hel...@gm...> wrote:
>>> I love the big brother.
>>>
>>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>
>>>> I think it is actually good that I finally have a competitor!
>>>>
>>>> Smart Card middleware will be a thing of the past. Hooray!
>>>>
>>>> Anders
>
> --
> --------- CardContact Software & System Consulting
> |.##> <##.| Andreas Schwier
> |# #| Schülerweg 38
> |# #| 32429 Minden, Germany
> |'##> <##'| Phone +49 571 56149
> --------- http://www.cardcontact.de
> http://www.tscons.de
> http://www.openscdp.org
From: Andreas S. (ML) <and...@ca...> - 2013-06-14 09:03:10
As the scheme is based on a piece of hardware it makes sense to trust the manufacturer to provide a genuine device.

This way you know the key remains safe on the client side and is not some software based / man-in-the-middle generated key pair.

It's quite the same what Anders does with the webpki attestation key and what we do with the device authentication key in the SmartCard-HSM.

The key question is how this network of trusted suppliers will be built. Who will certify suppliers? Who operates a root CA that certifies suppliers? Will there be a security evaluation of the devices (like CC)?

Andreas

On 14.06.2013 10:54, Alon Bar-Lev wrote:
> Yes, at first read I thought there is nothing new, we can do this with
> existing smartcards...
>
> But then read:
> """
> Initial Signup: Site sends Javascript call to browser asking for
> public key for user. Browser finds activated U2F, asks it for public
> key to remember for user. U2F returns signed public key (signature is
> by U2F vendor). Site (optionally) verifies public key signature to
> ensure its an accepted vendor and saves public key + attached blob
> (encrypted private key).
> """
>
> So it is a matter of trust, same as PKI... only that you are forced to
> trust the manufacturer... which is totally wrong.
>
> Initially I thought that each registration will create its own key
> pair... which could have been nice if the device has enough memory.
> Even single key pair is OK if you would like to share it between
> services.
>
> Regards,
> Alon
>
> On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto
> <hel...@gm...> wrote:
>> I love the big brother.
>>
>> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>> https://sites.google.com/site/oauthgoog/gnubby
>>>
>>> I think it is actually good that I finally have a competitor!
>>>
>>> Smart Card middleware will be a thing of the past. Hooray!
>>>
>>> Anders

--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 571 56149
--------- http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
From: Anders R. <and...@te...> - 2013-06-14 08:58:43
On 2013-06-14 10:41, helpcrypto helpcrypto wrote:
> I love the big brother.

Big brother rules because all the little brothers never got their act together but rather use their "power" to fight other little brothers.

The smart card community is a prime example of a failed brotherhood (priesthood?) driven by suspicion, religious beliefs in specific solutions, and a general lack of interest in solving things that matter for the majority like price, availability and utility.

Anders

>
> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>
> https://sites.google.com/site/oauthgoog/gnubby
>
> I think it is actually good that I finally have a competitor!
>
> Smart Card middleware will be a thing of the past. Hooray!
>
> Anders
From: Alon Bar-L. <alo...@gm...> - 2013-06-14 08:54:20
Yes, at first read I thought there is nothing new, we can do this with existing smartcards...

But then read:
"""
Initial Signup: Site sends Javascript call to browser asking for public key for user. Browser finds activated U2F, asks it for public key to remember for user. U2F returns signed public key (signature is by U2F vendor). Site (optionally) verifies public key signature to ensure its an accepted vendor and saves public key + attached blob (encrypted private key).
"""

So it is a matter of trust, same as PKI... only that you are forced to trust the manufacturer... which is totally wrong.

Initially I thought that each registration will create its own key pair... which could have been nice if the device has enough memory. Even single key pair is OK if you would like to share it between services.

Regards,
Alon

On Fri, Jun 14, 2013 at 11:41 AM, helpcrypto helpcrypto <hel...@gm...> wrote:
>
> I love the big brother.
>
> On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
>>
>> https://sites.google.com/site/oauthgoog/gnubby
>>
>> I think it is actually good that I finally have a competitor!
>>
>> Smart Card middleware will be a thing of the past. Hooray!
>>
>> Anders
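The signup flow Alon quotes above (device returns a vendor-signed public key; the site checks the vendor signature and stores the key), together with Anders' point further up the thread that a batch attestation key proves the vendor but not the individual unit, as an added Go example. It is not code from the thread, from Google's gnubby/U2F documents or from any vendor firmware: the Device, Site and Registration types, the binding of the attested key to the site's appID, the in-device key map standing in for the "attached blob (encrypted private key)", and the challenge strings are this example's own assumptions, and the attestation is the plain shared-batch-key variant, not DAA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is a hypothetical U2F-style token: a copy of its vendor's batch attestation key plus a fresh key pair per site.
type Device struct {
	attest *ecdsa.PrivateKey
	keys   map[string]*ecdsa.PrivateKey // key handle -> per-site key
}

// Registration is what the site stores after signup.
type Registration struct {
	Handle    []byte
	PubKey    *ecdsa.PublicKey
	AttestSig []byte // vendor signature over (appID, public key)
}

// Site is the relying party; it accepts only the attestation keys it lists.
type Site struct {
	AppID   string
	Vendors []*ecdsa.PublicKey
}

// must panics on the practically impossible failure of key generation or signing.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// attestDigest binds the key (as a 65-byte uncompressed point) to the site's appID.
func attestDigest(appID string, pub *ecdsa.PublicKey) []byte {
	pt := make([]byte, 65)
	pt[0] = 0x04
	pub.X.FillBytes(pt[1:33])
	pub.Y.FillBytes(pt[33:])
	h := sha256.Sum256(append([]byte(appID), pt...))
	return h[:]
}

// Register creates a site-specific key pair and signs it with the batch key.
func (d *Device) Register(appID string) *Registration {
	k, handle := newKey(), make([]byte, 16)
	must(rand.Read(handle))
	d.keys[string(handle)] = k
	sig := must(ecdsa.SignASN1(rand.Reader, d.attest, attestDigest(appID, &k.PublicKey)))
	return &Registration{Handle: handle, PubKey: &k.PublicKey, AttestSig: sig}
}

// Sign answers a login challenge with the key behind the handle (panics if unknown).
func (d *Device) Sign(handle, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, d.keys[string(handle)], h[:]))
}

// Enroll is the "site (optionally) verifies public key signature" step.
func (s *Site) Enroll(reg *Registration) error {
	for _, v := range s.Vendors {
		if ecdsa.VerifyASN1(v, attestDigest(s.AppID, reg.PubKey), reg.AttestSig) {
			return nil
		}
	}
	return errors.New("attestation signature is not from an accepted vendor")
}

// Verify checks a login signature against the key enrolled at signup.
func (s *Site) Verify(reg *Registration, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(reg.PubKey, h[:], sig)
}

// Scenario: signup and login for a device of an accepted vendor, then a signup
// attempt from a device whose vendor the site does not list.
func Scenario() (enrolled, authenticated, staleRejected, rogueRejected bool) {
	vendorKey, rogueKey := newKey(), newKey() // vendorKey is shared by a whole batch of devices
	dev := &Device{attest: vendorKey, keys: map[string]*ecdsa.PrivateKey{}}
	rogue := &Device{attest: rogueKey, keys: map[string]*ecdsa.PrivateKey{}}
	site := &Site{AppID: "https://example.test", Vendors: []*ecdsa.PublicKey{&vendorKey.PublicKey}}
	reg := dev.Register(site.AppID)
	enrolled = site.Enroll(reg) == nil
	challenge := []byte("constructed-challenge-1") // a real site draws this at random per login
	sig := dev.Sign(reg.Handle, challenge)
	authenticated = site.Verify(reg, challenge, sig)
	staleRejected = !site.Verify(reg, []byte("constructed-challenge-2"), sig)
	rogueRejected = site.Enroll(rogue.Register(site.AppID)) != nil
	return
}

func main() { fmt.Println(Scenario()) }
```

Two things the run makes visible: the site learns from the attestation signature only that some device holding the vendor's batch key generated the registration key, which is exactly why the certificate "does not uniquely identify the U2F device", and every login still reduces to an ordinary per-site ECDSA signature over a fresh challenge, so the vendor check is a one-time gate at enrollment, not something the site can fall back on afterwards.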
From: helpcrypto h. <hel...@gm...> - 2013-06-14 08:47:18
Didn't think of using spy, damn it! Thank you!

On Mon, Jun 10, 2013 at 3:57 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 6/8/2013 7:36 AM, helpcrypto helpcrypto wrote:
> > Sent to another mailing list, 'cause I don't know which is the correct one... Sorry!
> >
> > ---------- Forwarded message ----------
> > To: "ope...@li..." <ope...@li...>
> >
> > Hi.
> >
> > Probably I'm missing something, but could any of you tell me why this is happening? What should I implement?
> >
> > $ pkcs11-tool --module libmypkcs11.so -M
> > Using slot 0 with a present token (0x1)
> > Supported mechanisms:
> >   RSA-PKCS, keySize={1024,1024}, decrypt, sign
> >   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,1024}, generate_key_pair
>
> The mech list says what the card supports.
> It does not say what keys you have on the card.
>
> Try something like:
>   pkcs11-tool --module libmypkcs11.so --login -O
> to see what objects you have on the card.
>
> When you do a sign operation you usually specify the ID of a specific key
> to be used. The card may have more than one.
>
> > $ pkcs11-tool --module libmypkcs11.so --sign --login -v --key-type rsa:1024
> > Using slot 0 with a present token (0x1)
> > Logging in to "My Card".
> > Please enter User PIN:
> > error: No appropriate mechanism found
> > Aborting.
>
> PKCS#11 SPY can be very helpful too when testing some other
> pkcs#11 lib. For example modify this to use your libmypkcs11.so:
>
> #!/bin/sh
> # test pkcs11-tool with spy
> # and can also use coolkey
> #
>
> OPENSC=/opt/smartcard
>
> case $1 in
> cool*)
>     PKCS11SPY=/path/to/libcoolkeypk11.so
>     COOL_KEY_LOG_FILE=/tmp/coolkey.log
>     export COOL_KEY_LOG_FILE
>     SLOT=1
>     shift
>     ;;
> *)
>     PKCS11SPY=$OPENSC/lib/opensc-pkcs11.so
>     SLOT=1
>     ;;
> esac
>
> export PKCS11SPY
> PKCS11=$OPENSC/lib/pkcs11-spy.so
> export PKCS11
>
> #gdb -args \
> $OPENSC/bin/pkcs11-tool --module $PKCS11 --slot $SLOT "$@"
>
> > Thanks!
> >
> > ------------------------------------------------------------------------------
> > How ServiceNow helps IT people transform IT departments:
> > 1. A cloud service to automate IT design, transition and operations
> > 2. Dashboards that offer high-level views of enterprise services
> > 3. A single system of record for all IT processes
> > http://p.sf.net/sfu/servicenow-d2d-j
> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> --
>
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
From: helpcrypto h. <hel...@gm...> - 2013-06-14 08:42:25
I love the big brother.

On Tue, Jun 11, 2013 at 6:59 PM, Anders Rundgren <and...@te...> wrote:
> https://sites.google.com/site/oauthgoog/gnubby
>
> I think it is actually good that I finally have a competitor!
>
> Smart Card middleware will be a thing of the past. Hooray!
>
> Anders
From: Douglas E. E. <dee...@an...> - 2013-06-13 14:45:28
If you are willing to do some development, back in 2011 I had mods to openssl, engine-pkcs11 and libp11 to support ECDSA signatures. See this last message in the thread:

http://www.mail-archive.com/ope...@li.../msg08848.html

(Felipe Blauth got the mods working)

I have attached the updated mods, but I have not used them in some time. As noted in the mods there is an outstanding OpenSSL bug.

+#if defined(BUILD_WITH_EC) && !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_ECDSA)
+/* OpenSSL has ECDSA_METHOD defined in internal header file ecs_locl.h
+ * For now:
+ * CPPFLAGS="-DBUILD_WITH_EC -I/path.to.openssl-1.0.0a/crypto/ecdh"
+ * See OpenSSL bug report #2459 02/23/2011
+ * When this is fixed, the BUILD_WITH_EC test can be removed
+ *
+ * TODO ECDH_METHOD is in ech_locl.h too!
+ */

On 6/13/2013 5:25 AM, Ronny Schütz wrote:
> Hi Andreas,
>
>> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>
> That would be helpful, thanks! What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that: "at least engine_pkcs11 only speaks RSA" (Martin)?
>
> Best regards,
> Ronny
>
> -----Original Message-----
> From: Andreas Schwier [mailto:and...@ca...]
> Sent: Wednesday, 12 June 2013 21:53
> To: ope...@li...
> Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues
>
> Hi Ronny,
>
> On 06/12/2013 06:27 PM, Ronny Schütz wrote:
>> Hi all,
>>
>> thanks a lot for all your replies.
>>
>>> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?
>>
>> Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.
>>
>>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.
>>
>> Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.
> The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported
>>
>>> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.
>>
>> Ok, then we most likely need to drop ECC anyway and use RSA instead.
> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>>
>> Best regards,
>> Ronny
>>
>> -----Original Message-----
>> From: Andreas Schwier [mailto:and...@ca...]
>> Sent: Tuesday, 11 June 2013 16:25
>> To: ope...@li...
>> Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues
>>
>> Dear Ronny,
>>
>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).
>>
>> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?
>>
>> Kind regards,
>>
>> Andreas
>>
>> [1] https://devnet.cardcontact.de/issues/3
>> [2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb
>>
>> On 06/11/2013 03:02 PM, Ronny Schütz wrote:
>>> Hi,
>>>
>>> I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
>>> Available slots:
>>> Slot 0 (0xffffffffffffffff): Virtual hotplug slot
>>>   (empty)
>>> Sl
>>> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
>>>   token label        : SmartCard-HSM (UserPIN)
>>>   token manufacturer : www.CardContact.de
>>>   token model        : PKCS#15 emulated
>>>   token flags        : rng, login required, PIN initialized, token initialized
>>>   hardware version   : 24.13
>>>   firmware version   : 1.1
>>>   serial num         : DECC0100157
>>>
>>> When creating the EC keypair, I get an error concerning the public key:
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
>>> Using slot 1 with a present token (0x1)
>>> Key pair generated:
>>> Private Key Object; EC
>>>   label:      ca
>>>   ID:         60
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; EC  EC_POINT 264 bits
>>>   EC_POINT:   0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
>>>   warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>>>
>>>   label:      ca
>>>   ID:         60
>>>   Usage:      encrypt, verify, wrap
>>>
>>> And the public key isn't listed either
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
>>> Private Key Object; EC
>>>   label:      ca
>>>   ID:         60
>>>   Usage:      decrypt, sign, unwrap
>>>
>>> Now OpenSSL / req cannot find the private key for whatever reason.
>>>
>>> $ openssl
>>> OpenSSL> version
>>> OpenSSL 1.0.1 14 Mar 2012
>>> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>>> [Success]: VERBOSE
>>> Loaded: (pkcs11) pkcs11 engine
>>> initializing engine
>>>      [ available ]
>>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 1 for key: 60
>>> Found 2 slots
>>> [18446744073709551615] Virtual hotplug slot            no tok
>>> [1] SCM SCR 355 [CCID Interfa    login          (SmartCard-HSM (UserPIN))
>>> Found slot:  SCM SCR 355 [CCID Interface] 00 00
>>> Found token: SmartCard-HSM (UserPIN)
>>> Found 0 certificate:
>>> PKCS#11 token PIN:
>>> No keys found.
>>> PKCS11_get_private_key returned NULL
>>> cannot load Private Key from engine
>>> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
>>> unable to load Private Key
>>> error in req
>>> OpenSSL>
>>>
>>> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.
>>>
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
>>> Using slot 1 with a present token (0x1)
>>> Key pair generated:
>>> Private Key Object; RSA
>>>   label:      ca-rsa
>>>   ID:         70
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      ca-rsa
>>>   ID:         70
>>>   Usage:      encrypt, verify, wrap
>>> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
>>> Private Key Object; RSA
>>>   label:      ca-rsa
>>>   ID:         70
>>>   Usage:      decrypt, sign, unwrap
>>> $ openssl
>>> OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
>>> (dynamic) Dynamic engine loading support
>>> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
>>> [Success]: ID:pkcs11
>>> [Success]: LIST_ADD:1
>>> [Success]: LOAD
>>> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
>>> [Success]: VERBOSE
>>> Loaded: (pkcs11) pkcs11 engine
>>> initializing engine
>>>      [ available ]
>>> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
>>> initializing engine
>>> engine "pkcs11" set.
>>> Looking in slot 1 for key: 70 >>> Found 2 slots >>> [18446744073709551615] Virtual hotplug slot no tok >>> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN)) >>> Found slot: SCM SCR 355 [CCID Interface] 00 00 Found token: >>> SmartCard-HSM (UserPIN) Found 0 certificate: >>> PKCS#11 token PIN: >>> Found 1 key: >>> 1 P ca-rsa >>> PKCS11_get_private_key returned NULL >>> cannot load Private Key from engine >>> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53: >>> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126: >>> unable to load Private Key >>> error in req >>> OpenSSL> >>> >>> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token? >>> >>> Thanks & Best regards, >>> Ronny >>> >>> >>> >>> >>> --------------------------------------------------------------------- >>> - >>> -------- This SF.net email is sponsored by Windows: >>> >>> Build for Windows Store. >>> >>> http://p.sf.net/sfu/windows-dev2dev >>> _______________________________________________ >>> Opensc-devel mailing list >>> Ope...@li... >>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >>> >> >> >> ---------------------------------------------------------------------- >> -------- This SF.net email is sponsored by Windows: >> >> Build for Windows Store. >> >> http://p.sf.net/sfu/windows-dev2dev >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> >> ---------------------------------------------------------------------- >> -------- This SF.net email is sponsored by Windows: >> >> Build for Windows Store. >> >> http://p.sf.net/sfu/windows-dev2dev >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... 
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by Windows: > > Build for Windows Store. > > http://p.sf.net/sfu/windows-dev2dev > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > ------------------------------------------------------------------------------ > This SF.net email is sponsored by Windows: > > Build for Windows Store. > > http://p.sf.net/sfu/windows-dev2dev > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > . > -- Douglas E. Engert <DEE...@an...> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 |
From: Ronny S. <Ron...@to...> - 2013-06-13 10:25:51
|
Hi Andreas,

> I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.

That would be helpful, thanks!

What I actually want to achieve is to use the SmartCard-HSM to carry a custom CA keypair + certificate (RSA:2048 or better EC:secp256r1) and use the token to either process CSRs and generate X.509 certificates or to at least generate the signature to issue client certificates using OpenSSL. Would this work considering that "at least engine_pkcs11 only speaks RSA" (Martin)?

Best regards,
Ronny
|
From: Andreas S. <and...@ca...> - 2013-06-12 19:52:51
|
Hi Ronny,

On 06/12/2013 06:27 PM, Ronny Schütz wrote:
> Hi all,
>
> thanks a lot for all your replies.
>
>> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?
>
> Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.
>
>> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.
>
> Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.
The SmartCard-HSM does not support key import in plain. Only keys previously exported under the Device Key Encryption Key (DKEK) can be imported.
>
>> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.
>
> Ok, then we most likely need to drop ECC anyway and use RSA instead.
I can provide you with a Smart Card Shell script that generates ECC keys and certificates on a SmartCard-HSM.
>
> Best regards,
> Ronny
|
From: Ronny S. <Ron...@to...> - 2013-06-12 16:27:59
|
Hi all,

thanks a lot for all your replies.

> The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?

Yes, I was using the official OpenSC 0.13 release; I switched to the latest version from the GIT repository which indeed solves the RSA-2048 issue.

> issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device.

Ok. I tried to create an EC:prime256v1 keypair + self-signed certificate using OpenSSL on my PC but was unable to write the private key to the device (pkcs11-tool; error: Unsupported key type: 0x198) either.

> You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.

Ok, then we most likely need to drop ECC anyway and use RSA instead.

Best regards,
Ronny

-----Original Message-----
From: Andreas Schwier [mailto:and...@ca...]
Sent: Tuesday, 11 June 2013 16:25
To: ope...@li...
Subject: Re: [Opensc-devel] SCM SCR 355 / EC:secp256r1/RSA-2048 keypair creation issues

Dear Ronny,

issuing ECDSA keys and certificates via openssl does currently not work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).

The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?

Kind regards,

Andreas

[1] https://devnet.cardcontact.de/issues/3
[2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb

On 06/11/2013 03:02 PM, Ronny Schütz wrote:
> Hi,
>
> I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
> Available slots:
> Slot 0 (0xffffffffffffffff): Virtual hotplug slot
> (empty)
> Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
> token label : SmartCard-HSM (UserPIN)
> token manufacturer : www.CardContact.de
> token model : PKCS#15 emulated
> token flags : rng, login required, PIN initialized, token initialized
> hardware version : 24.13
> firmware version : 1.1
> serial num : DECC0100157
>
> When creating the EC keypair, I get an error concerning the public key:
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; EC
> label: ca
> ID: 60
> Usage: decrypt, sign, unwrap
> Public Key Object; EC EC_POINT 264 bits
> EC_POINT: 0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
> warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
>
> label: ca
> ID: 60
> Usage: encrypt, verify, wrap
>
> And the public key isn't listed either
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
> Private Key Object; EC
> label: ca
> ID: 60
> Usage: decrypt, sign, unwrap
>
> Now OpenSSL / req cannot find the private key for whatever reason.
>
> $ openssl
> OpenSSL> version
> OpenSSL 1.0.1 14 Mar 2012
> OpenSSL> engine -t dynamic -pre
> OpenSSL> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
> OpenSSL> LIST_ADD:1 -pre LOAD -pre
> OpenSSL> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> [Success]: VERBOSE
> Loaded: (pkcs11) pkcs11 engine
> initializing engine
> [ available ]
> OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
> initializing engine
> engine "pkcs11" set.
> Looking in slot 1 for key: 60
> Found 2 slots
> [18446744073709551615] Virtual hotplug slot no tok
> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN))
> Found slot: SCM SCR 355 [CCID Interface] 00 00
> Found token: SmartCard-HSM (UserPIN)
> Found 0 certificate:
> PKCS#11 token PIN:
> No keys found.
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
>
> The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.
>
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; RSA
> label: ca-rsa
> ID: 70
> Usage: decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
> label: ca-rsa
> ID: 70
> Usage: encrypt, verify, wrap
> $ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
> Private Key Object; RSA
> label: ca-rsa
> ID: 70
> Usage: decrypt, sign, unwrap
> $ openssl
> OpenSSL> engine -t dynamic -pre
> OpenSSL> SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre
> OpenSSL> LIST_ADD:1 -pre LOAD -pre
> OpenSSL> MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
> [Success]: VERBOSE
> Loaded: (pkcs11) pkcs11 engine
> initializing engine
> [ available ]
> OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
> initializing engine
> engine "pkcs11" set.
> Looking in slot 1 for key: 70
> Found 2 slots
> [18446744073709551615] Virtual hotplug slot no tok
> [1] SCM SCR 355 [CCID Interfa login (SmartCard-HSM (UserPIN))
> Found slot: SCM SCR 355 [CCID Interface] 00 00
> Found token: SmartCard-HSM (UserPIN)
> Found 0 certificate:
> PKCS#11 token PIN:
> Found 1 key:
> 1 P ca-rsa
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
> 140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
> unable to load Private Key
> error in req
> OpenSSL>
>
> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>
> Thanks & Best regards,
> Ronny
|
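The EC_POINT that pkcs11-tool printed above is wrapped in two nested DER OCTET STRINGs, and with EC_PARAMS unreadable nothing on the token tells the host which curve the key is on. The script below is an added example (not code from the thread, OpenSC or CardContact): it unwraps that value, recovers X and Y, and checks the point against the secp256r1 curve equation as a stand-in for the missing attribute; the P-256 constants and the prime256v1 OID are standard values, while using curve membership as a substitute for EC_PARAMS is this example's own approach.

```python
"""Sanity-check an EC public key dumped by pkcs11-tool when CKA_EC_PARAMS is unreadable.

Added example, not code from the OpenSC project or the thread.
"""
from typing import Optional, Tuple

# secp256r1 / prime256v1 domain parameters (SEC 2, FIPS 186-4).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
P256_COORD_LEN = 32

# DER encoding of the named-curve OID 1.2.840.10045.3.1.7 (prime256v1); this
# is the value CKA_EC_PARAMS holds when a token does expose it.
P256_EC_PARAMS_DER = bytes.fromhex("06082a8648ce3d030107")

# CKA_EC_POINT exactly as pkcs11-tool printed it in the thread: two nested
# DER OCTET STRINGs (04 43 / 04 41) around the uncompressed point 04||X||Y.
THREAD_EC_POINT_HEX = (
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987"
    "c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)


def strip_octet_string(data: bytes) -> bytes:
    """Remove one DER OCTET STRING header (tag 0x04) and return the contents."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, offset = data[1], 2
    if length & 0x80:  # long-form length: the next (length & 0x7f) bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(data[2:2 + nbytes], "big")
        offset = 2 + nbytes
    if offset + length != len(data):
        raise ValueError("OCTET STRING length does not match the value size")
    return data[offset:]


def parse_ec_point(hex_point: str, coord_len: int = P256_COORD_LEN) -> Tuple[int, int]:
    """Return (x, y) from a CKA_EC_POINT value given as hex.

    PKCS#11 defines CKA_EC_POINT as a DER OCTET STRING holding the uncompressed
    point 04||X||Y. A raw point also starts with 0x04, so the wrapping cannot
    be detected from the bytes alone; instead unwrap until the value has the
    exact size of an uncompressed point for this curve. That handles the
    standard single wrapping as well as the double wrapping seen in the thread.
    """
    data = bytes.fromhex(hex_point)
    expected = 1 + 2 * coord_len
    while len(data) != expected:
        data = strip_octet_string(data)  # raises ValueError if it cannot unwrap
    if data[0] != 0x04:
        raise ValueError("only uncompressed points (04||X||Y) are supported")
    x = int.from_bytes(data[1:1 + coord_len], "big")
    y = int.from_bytes(data[1 + coord_len:], "big")
    return x, y


def on_p256(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + a*x + b over GF(p) for secp256r1."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def identify_curve(ec_point_hex: str, ec_params_der: Optional[bytes] = None) -> Optional[str]:
    """Name the key's curve, using CKA_EC_PARAMS when the token provides it.

    When C_GetAttributeValue(EC_PARAMS) fails, as it does in the thread, fall
    back to testing which known curve the public point actually lies on.
    Only secp256r1 is known to this example.
    """
    if ec_params_der is not None:
        return "secp256r1" if ec_params_der == P256_EC_PARAMS_DER else None
    x, y = parse_ec_point(ec_point_hex)
    return "secp256r1" if on_p256(x, y) else None


if __name__ == "__main__":
    px, py = parse_ec_point(THREAD_EC_POINT_HEX)
    print(f"x = {px:064x}")
    print(f"y = {py:064x}")
    print("curve inferred without EC_PARAMS:", identify_curve(THREAD_EC_POINT_HEX))
```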
From: Frank M. <mo...@in...> - 2013-06-11 20:37:39
Quoting from Google's Product overview: "Support for the protocol needs to be implemented by (a) the website which wants to accept U2F auth and (b) the user's web browser and (c) the U2F device which the user employs."

... sure, if you push support for the token into *all* browsers and to *all* services, you are ready to go. From the technology point of view this would have been possible for years. Maybe Google has the power to finally get it done.

But I have to admit that I like the form factor of the Yubico.

The German eID system uses a mechanism that allows two factor web authentication with a contactless smartcard without any modification of the browser. Also, since it is already rolled out, no initialization is needed. However, the service provider still needs to integrate support for the token.

On Tuesday, June 11 at 06:59PM, Anders Rundgren wrote:
> https://sites.google.com/site/oauthgoog/gnubby
>
> I think it is actually good that I finally have a competitor!
>
> Smart Card middleware will be a thing of the past. Hooray!
>
> Anders

--
Frank Morgner

Virtual Smart Card Architecture  http://vsmartcard.sourceforge.net
OpenPACE                         http://openpace.sourceforge.net
IFD Handler for libnfc Devices   http://sourceforge.net/projects/ifdnfc
From: Anders R. <and...@te...> - 2013-06-11 16:59:44
https://sites.google.com/site/oauthgoog/gnubby

I think it is actually good that I finally have a competitor!

Smart Card middleware will be a thing of the past. Hooray!

Anders
From: Douglas E. E. <dee...@an...> - 2013-06-11 15:37:09
On 6/11/2013 9:40 AM, Martin Paljak wrote:
> Hello,
>
> You did not specify a card (which must also support ECC), but keep in
> mind that at least engine_pkcs11 only speaks RSA.

See Re: [openssl.org #2568] enhancement request: remove ECC engine support's limitation, from 2011.

I have some code for the engine and p11 from 2011 for ECC.

> --
> Martin
> +372 515 6495
>
> On Tue, Jun 11, 2013 at 4:02 PM, Ronny Schütz <Ron...@to...> wrote:
>> Hi,
>>
>> I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>>
>> [...]
>>
>> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>>
>> Thanks & Best regards,
>> Ronny

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Martin P. <ma...@ma...> - 2013-06-11 14:40:57
Hello,

You did not specify a card (which must also support ECC), but keep in mind that at least engine_pkcs11 only speaks RSA.

--
Martin
+372 515 6495

On Tue, Jun 11, 2013 at 4:02 PM, Ronny Schütz <Ron...@to...> wrote:
> Hi,
>
> I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>
> [...]
>
> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>
> Thanks & Best regards,
> Ronny
From: Douglas E. E. <dee...@an...> - 2013-06-11 14:29:17
The problem is most likely related to what was reported 9/20/2012, together with an outline of how to fix it:

http://www.mail-archive.com/ope...@li.../msg10067.html

On 6/11/2013 8:02 AM, Ronny Schütz wrote:
> Hi,
>
> I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>
> [...]
>
> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>
> Thanks & Best regards,
> Ronny

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Andreas S. <and...@ca...> - 2013-06-11 14:24:50
Dear Ronny,

issuing ECDSA keys and certificates via openssl does not currently work with OpenSC, as the EC_PARAMS attribute is only defined if a certificate for the key exists on the device. For newly generated keys, this is obviously not the case. We are working on a fix, but that requires quite some rework in the OpenSC code (see [1]).

The issue with RSA 2048 keys has been fixed in [2]. Are you using the official 0.13 release from November?

Kind regards,

Andreas

[1] https://devnet.cardcontact.de/issues/3
[2] https://github.com/CardContact/OpenSC/commit/99af6cd8ee78776f50bc016fc230541072c60afb

On 06/11/2013 03:02 PM, Ronny Schütz wrote:
> Hi,
>
> I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.
>
> [...]
>
> I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?
>
> Thanks & Best regards,
> Ronny
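The EC_PARAMS gap Andreas describes can be checked from the other side: with only CKA_EC_POINT available, the curve a key lives on has to be inferred by trial. The following is an added example (not OpenSC or engine_pkcs11 code) that unwraps the EC_POINT value from the transcript in this thread, which is DER OCTET STRING-wrapped twice, and tests the point against the two common 256-bit curves; the curve constants are the standard secp256r1 (FIPS 186-4) and secp256k1 (SEC 2) parameters, and the field sizes listed are an assumption about which curves a token plausibly holds.

```python
"""Identify the curve of a PKCS#11 EC public key from CKA_EC_POINT alone.

Added example, not code from OpenSC or engine_pkcs11. EC_POINT_HEX is the
value pkcs11-tool printed in the thread for the secp256r1 key; the curve
constants are the standard P-256 (FIPS 186-4) and secp256k1 (SEC 2) values.
"""

EC_POINT_HEX = (  # constructed from the thread's pkcs11-tool output
    "0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb"
    "33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c"
)

# Candidate curves over a 256-bit prime field: name -> (p, a, b).
CURVES = {
    "secp256r1": (
        0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
        -3,
        0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    ),
    "secp256k1": (
        0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F,
        0,
        7,
    ),
}

# Coordinate byte lengths of curves a PKCS#11 token plausibly holds (assumption).
FIELD_BYTES = {24, 28, 32, 40, 48, 56, 64, 66}


def strip_octet_string(data: bytes) -> bytes:
    """Remove exactly one DER OCTET STRING header and return its content."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, body = data[1], 2
    if length & 0x80:  # long form; one length byte covers every EC point size
        if length != 0x81 or len(data) < 3:
            raise ValueError("unsupported DER length encoding")
        length, body = data[2], 3
    if body + length != len(data):
        raise ValueError("DER length does not match attribute size")
    return data[body:]


def looks_like_point(data: bytes) -> bool:
    """True for an ANSI X9.62 uncompressed point: 0x04 || X || Y."""
    return (len(data) % 2 == 1 and data[:1] == b"\x04"
            and (len(data) - 1) // 2 in FIELD_BYTES)


def parse_ec_point(attr: bytes):
    """Return (x, y, field_bytes, layers) from a CKA_EC_POINT value.

    PKCS#11 wraps the point in one DER OCTET STRING; some middleware wraps it
    twice, so peel layers until the bare uncompressed point is reached.
    """
    data, layers = attr, 0
    while not looks_like_point(data):
        data = strip_octet_string(data)
        layers += 1
    n = (len(data) - 1) // 2
    x = int.from_bytes(data[1:1 + n], "big")
    y = int.from_bytes(data[1 + n:], "big")
    return x, y, n, layers


def on_curve(x: int, y: int, p: int, a: int, b: int) -> bool:
    """Check the short Weierstrass equation y^2 = x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + a * x + b)) % p == 0


def identify_curve(x: int, y: int, field_bytes: int):
    """Name the first candidate curve the point satisfies, or None.

    Without CKA_EC_PARAMS this trial check is the only way to learn which
    256-bit curve the token's key actually uses.
    """
    for name, (p, a, b) in CURVES.items():
        if (p.bit_length() + 7) // 8 == field_bytes and on_curve(x, y, p, a, b):
            return name
    return None


def inspect_ec_point(hex_value: str) -> dict:
    """Summarise a hex CKA_EC_POINT: field size, wrapping depth, curve name."""
    x, y, n, layers = parse_ec_point(bytes.fromhex(hex_value))
    return {"field_bits": n * 8, "wrapping_layers": layers,
            "curve": identify_curve(x, y, n)}


if __name__ == "__main__":
    print(inspect_ec_point(EC_POINT_HEX))
```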
From: Ronny S. <Ron...@to...> - 2013-06-11 13:15:45
Hi,

I'm trying to create an ECC keypair with self-signed certificate on a SCM SCR 355 (CardContact.de) using OpenSC 0.13.0 and OpenSSL 1.0.1 / enginePKCS11-0.1.8 under Ubuntu 12.04.

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): SCM SCR 355 [CCID Interface] 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.1
  serial num         : DECC0100157

When creating the EC keypair, I get an error concerning the public key:

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type EC:secp256r1 --id 60 --label ca
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; EC
  label:      ca
  ID:         60
  Usage:      decrypt, sign, unwrap
Public Key Object; EC  EC_POINT 264 bits
  EC_POINT:   0443044104df184902123186393e28e0673cf755352c8653eaf42224a54aa3ba0da987c2eb33f8380fc39b7417a1a5138d7ea696ea95f816935d63d7c7372772d11cfca37c
warning: PKCS11 function C_GetAttributeValue(EC_PARAMS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

  label:      ca
  ID:         60
  Usage:      encrypt, verify, wrap

And the public key isn't listed either

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
Private Key Object; EC
  label:      ca
  ID:         60
  Usage:      decrypt, sign, unwrap

Now OpenSSL / req cannot find the private key for whatever reason.

$ openssl
OpenSSL> version
OpenSSL 1.0.1 14 Mar 2012
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
initializing engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_60 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 60
Found 2 slots
[18446744073709551615] Virtual hotplug slot     no tok
[1] SCM SCR 355 [CCID Interfa   login            (SmartCard-HSM (UserPIN))
Found slot:  SCM SCR 355 [CCID Interface] 00 00
Found token: SmartCard-HSM (UserPIN)
Found 0 certificate:
PKCS#11 token PIN:
No keys found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139838314968736:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>

The key pair creation + CSR request creation appears to work with RSA-1024, i.e. I don't get errors and I see private and public key on the token. However, when using RSA-2048, there is no error during key generation, but --list-objects doesn't show the public key either and openssl req fails to retrieve the private key as well.

$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --login --pin 725570 --keypairgen --key-type RSA:2048 --id 70 --label ca-rsa
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; RSA
  label:      ca-rsa
  ID:         70
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      ca-rsa
  ID:         70
  Usage:      encrypt, verify, wrap
$ pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --login --pin 725570 --list-objects
Private Key Object; RSA
  label:      ca-rsa
  ID:         70
  Usage:      decrypt, sign, unwrap
$ openssl
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/lib/pkcs11/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
initializing engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key slot_1-id_70 -keyform engine -out req.pem -text -x509 -days 36500 -subj "/CN=TestCA"
initializing engine
engine "pkcs11" set.
Looking in slot 1 for key: 70
Found 2 slots
[18446744073709551615] Virtual hotplug slot     no tok
[1] SCM SCR 355 [CCID Interfa   login            (SmartCard-HSM (UserPIN))
Found slot:  SCM SCR 355 [CCID Interface] 00 00
Found token: SmartCard-HSM (UserPIN)
Found 0 certificate:
PKCS#11 token PIN:
Found 1 key:
   1 P  ca-rsa
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
140210187540128:error:80028012:PKCS11 library:PKCS11_get_attribute:Attribute type invalid:p11_attr.c:53:
140210187540128:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL>

I'm a bit lost ... Is there anything wrong in the parameters? Is there any workaround to create a proper key pair on the token?

Thanks & Best regards,
Ronny
From: Douglas E. E. <dee...@an...> - 2013-06-10 13:57:18
On 6/8/2013 7:36 AM, helpcrypto helpcrypto wrote:
> Sent to another mailing list, because I don't know which is the correct one... Sorry!
>
> ---------- Forwarded message ----------
> To: "ope...@li..." <ope...@li...>
>
> Hi.
>
> Probably I'm missing something, but could any of you tell me why this is happening? What should I implement?
>
> $ pkcs11-tool --module libmypkcs11.so -M
> Using slot 0 with a present token (0x1)
> Supported mechanisms:
>   RSA-PKCS, keySize={1024,1024}, decrypt, sign
>   RSA-PKCS-KEY-PAIR-GEN, keySize={1024,1024}, generate_key_pair

The mech list says what the card supports. It does not say what keys you have on the card.

Try something like:

  pkcs11-tool --module libmypkcs11.so --login -O

to see what objects you have on the card.

When you do a sign operation you usually specify the ID of a specific key to be used. The card may have more than one.

> $ pkcs11-tool --module libmypkcs11.so --sign --login -v --key-type rsa:1024
> Using slot 0 with a present token (0x1)
> Logging in to "My Card".
> Please enter User PIN:
> error: No appropriate mechanism found
> Aborting.

PKCS#11 SPY can be very helpful too when testing some other pkcs#11 lib. For example modify this to use your libmypkcs11.so:

#!/bin/sh
# test pkcs11-tool with spy
# and can also use coolkey
#
# pkcs11-spy.so is loaded as the "module" and forwards every call to the real
# module named in the PKCS11SPY environment variable, logging each call.
OPENSC=/opt/smartcard
case $1 in
  cool*)
    PKCS11SPY="/path to/libcoolkeypk11.so"   # fill in the real coolkey module path
    COOL_KEY_LOG_FILE=/tmp/coolkey.log
    export COOL_KEY_LOG_FILE
    SLOT=1
    shift
    ;;
  *)
    PKCS11SPY=$OPENSC/lib/opensc-pkcs11.so    # replace with libmypkcs11.so to spy on it
    SLOT=1
    ;;
esac
export PKCS11SPY
PKCS11=$OPENSC/lib/pkcs11-spy.so
export PKCS11
#gdb -args \
"$OPENSC/bin/pkcs11-tool" --module "$PKCS11" --slot "$SLOT" "$@"

> Thanks!
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
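The distinction in the reply above, a mechanism list describes the card while the object list describes the keys, can be turned into two small checks that run before --sign is attempted. The script below is an added example, not Douglas's spy wrapper and not OpenSC code: mech_allows parses "pkcs11-tool -M" output for a mechanism, operation and key size, signing_key_ids pulls the IDs of private keys whose Usage includes sign out of a "pkcs11-tool --login -O" listing, and sign_with_key composes the --sign call pinned to one ID. The sample texts are constructed from the lines quoted in the thread (the object listing with label mykey and ID 01 is invented for the demo), and the function names are my own.

```shell
#!/bin/sh
# Added example (not Douglas's script, not OpenSC code): separate "what the card
# can do" (pkcs11-tool -M) from "which keys it holds" (pkcs11-tool --login -O).
# Both helpers read pkcs11-tool text on stdin; the samples at the bottom are
# constructed from the lines quoted in the thread.

# mech_allows NAME OP BITS : succeed if the "-M" output lists mechanism NAME with
# operation OP for a BITS-bit key. A mechanism line looks like
#   RSA-PKCS, keySize={1024,1024}, decrypt, sign
# Mechanisms printed without a keySize range are accepted for any size.
mech_allows() {
    awk -v name="$1" -v op="$2" -v bits="$3" '
        BEGIN { ok = 0 }
        $1 == (name ",") {
            min = 0; max = 0; found = 0
            for (i = 2; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)                 # drop trailing comma
                if (index(f, "keySize={") == 1) {        # keySize={min,max}
                    f = substr(f, 10); sub(/}$/, "", f)
                    split(f, r, ","); min = r[1] + 0; max = r[2] + 0
                } else if (f == op) {
                    found = 1
                }
            }
            if (found && (max == 0 || (bits + 0 >= min && bits + 0 <= max))) ok = 1
        }
        END { if (ok) exit 0; exit 1 }'
}

# signing_key_ids : print the ID of every private key object whose Usage line
# includes "sign". These IDs are what --sign needs; the mechanism list alone
# cannot supply them. pkcs11-tool prints "ID:" before "Usage:" inside a block.
signing_key_ids() {
    awk '
        /^Private Key Object/ { inpriv = 1; id = ""; next }
        /^(Public Key Object|Certificate Object|Data object)/ { inpriv = 0 }
        inpriv && /^[[:space:]]*ID:/ { id = $2 }
        inpriv && /^[[:space:]]*Usage:/ && /[ ,]sign(,|$)/ && id != "" { print id }'
}

# sign_with_key MODULE ID INFILE OUTFILE : the sign call pinned to one key by ID
# and to the raw RSA-PKCS mechanism the sample card advertises. Not run here
# (needs a token; pkcs11-tool prompts for the PIN).
sign_with_key() {
    pkcs11-tool --module "$1" --login --id "$2" -m RSA-PKCS --sign \
        --input-file "$3" --output-file "$4"
}

# Constructed sample: the mechanism list quoted in the thread.
SAMPLE_MECHS='Using slot 0 with a present token (0x1)
Supported mechanisms:
  RSA-PKCS, keySize={1024,1024}, decrypt, sign
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,1024}, generate_key_pair'

# Constructed sample: an object listing of the kind "--login -O" prints.
SAMPLE_OBJECTS='Private Key Object; RSA
  label:      mykey
  ID:         01
  Usage:      decrypt, sign
Public Key Object; RSA 1024 bits
  label:      mykey
  ID:         01
  Usage:      encrypt, verify'

# Demo on the samples: for each signing-capable key, report whether the card
# advertises the mechanism and size we intend to use.
for id in $(printf '%s\n' "$SAMPLE_OBJECTS" | signing_key_ids); do
    if printf '%s\n' "$SAMPLE_MECHS" | mech_allows RSA-PKCS sign 1024; then
        echo "key $id: card supports RSA-PKCS sign at 1024 bits"
    else
        echo "key $id: card does not support RSA-PKCS sign at 1024 bits"
    fi
done
```

With -m RSA-PKCS, pkcs11-tool hands the input file to the card unchanged, so the file has to be a ready-made DigestInfo that fits the modulus; a card that also lists a hashing mechanism such as SHA1-RSA-PKCS can be given the raw data instead. Run mech_allows against the live -M output with that mechanism name to know which case applies before picking the ID.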