Hi all,

I have a rather basic question on which libraries/APIs to use for implementing the following in, e.g., a C or Java program. The basic idea is:

init:
- create a 256-bit key for AES-256
- create an RSA keypair on the token (no X.509)
- encrypt the AES key with the public key of the RSA pair, delete the cleartext version

loop:
- when needed, decrypt the AES key with the private RSA key and load it into memory
- perform symmetric en-/decryption with the key in memory

Mainly the question is: since the cryptographic functions on the token (which could also be a network HSM) appear to be carried out by the PKCS#15 driver, do I need the Cryptoki API and PKCS#11 at all?

Thanks in advance for any pointer.

Here's the shellcode that should be "translated" into a compiled program:

    echo "Generate AES Key"
    secret=`head -c64 /dev/urandom`
    openssl enc -aes-256-cbc -k "$secret" -P -md sha1 > aes.key

    echo "Generate keypair on pkcs#15 storage"
    pkcs15-init -G rsa/4096 -i 45 -a 01 -u sign,decrypt --pin XXX:YYY
    pkcs15-tool --read-public-key 45 -o rsa.pub

    echo "Encrypt AES Key"
    openssl rsautl -pubin -inkey rsa.pub -encrypt -in aes.key -out aes.key.c

    echo "Remove AES Key"
    for i in `seq 0 7`
    do
        size=`stat aes.key | grep Size | awk '{print $2}'`
        head -c $size /dev/urandom > aes.key
        sync
        sync
        sleep 1
    done
    rm aes.key
    sync

    echo "Decrypt AES Key to memory (depending on shell)"
    # the decrypted file holds the "salt=/key=/iv =" lines printed by openssl -P;
    # tr removes the blank in "iv =" so that eval can set the three variables
    eval `pkcs15-crypt -c --pkcs1 -i aes.key.c | tr -d " "`

    echo "Encrypt data"
    openssl enc -K $key -iv $iv -S $salt -in data.file -out data.file.crypt -aes256

    echo "Decrypt data"
    openssl enc -d -K $key -iv $iv -in data.file.crypt -out data.file.decrypt -aes256

    echo "Clear memory"
    unset key iv salt

Kind regards & thanks,
Markus

PS: The above shellcode is based on http://www.gooze.eu/howto/smartcard-quickstarter-guide/signing-crypting-and-verifying

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
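The init/loop scheme from the post, as an added example that is neither the poster's nor OpenSC's code, written against Ruby's OpenSSL bindings because they map directly onto the openssl CLI calls in the script. It assumes a software-generated RSA keypair as a stand-in for the token's non-exportable key, uses OAEP in place of the script's PKCS#1 v1.5 padding, and the sample data is constructed.

```ruby
require 'openssl'

# Added example, not from the original post: the init/loop scheme in Ruby's
# OpenSSL bindings. The RSA keypair is generated in software as a stand-in
# for the non-exportable key that would live on the PKCS#15 token.

# init: generate a 256-bit AES key, wrap it under the RSA public key and wipe
# the cleartext copy, so only the wrapped blob is ever written to disk.
# OAEP replaces the PKCS#1 v1.5 padding that rsautl/pkcs15-crypt default to;
# v1.5 decryption is the padding-oracle-prone variant.
def wrap_aes_key(rsa_public)
  key = OpenSSL::Random.random_bytes(32)
  wrapped = rsa_public.public_encrypt(key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  key.replace("\0" * key.bytesize) # best-effort wipe of the cleartext copy
  wrapped
end

# loop: the only private-key operation in the scheme, hence the only call that
# has to reach the token (C_Decrypt via PKCS#11 with a real card or HSM).
def unwrap_aes_key(rsa_private, wrapped)
  rsa_private.private_decrypt(wrapped, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
end

# AES-256-CBC as in `openssl enc -aes256`; the random IV is prepended to the
# ciphertext (it need not be secret, but must never repeat under one key).
def encrypt_data(key, plaintext)
  c = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  c.key = key
  iv = c.random_iv
  iv + c.update(plaintext) + c.final
end

def decrypt_data(key, blob)
  raise ArgumentError, 'ciphertext too short' if blob.bytesize < 32
  c = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  c.key = key
  c.iv = blob.byteslice(0, 16)
  c.update(blob.byteslice(16..-1)) + c.final # raises CipherError on bad padding
end

# Full round trip; a real deployment keeps rsa's private half on the token.
def demo(rsa = OpenSSL::PKey::RSA.new(2048))
  wrapped = wrap_aes_key(rsa.public_key)
  key = unwrap_aes_key(rsa, wrapped)    # "Decrypt AES Key to memory"
  blob = encrypt_data(key, 'constructed sample data')
  plain = decrypt_data(key, blob)
  key.replace("\0" * key.bytesize)      # "Clear memory"
  plain
end
```

Only unwrap_aes_key needs the token; everything else runs on the host, which is why a PKCS#11 (Cryptoki) session for that one decrypt call is all the compiled program has to add.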