Hi all

I have a rather basic question on which libraries/APIs to use for
implementing the following in e.g. a C or Java program.
The basic idea is:
init:
- create 256-bit key for AES-256
- create RSA keypair on token (no x.509)
- encrypt aes-key with pubkey of rsa-pair, delete cleartext version
loop:
- when needed, decrypt aes-key with private rsa key, load to memory
- perform symmetric en-/decryption with key in memory

Mainly the question is: Since the cryptographic functions on the token
(which could also be a network HSM) appear to be carried out by the
pkcs#15 driver, do I need the cryptoki API and pkcs#11 at all?

Thanks in advance for any pointer.

Here's the shellcode that should be "translated" into a compiled program:

echo "Generate AES Key"
secret=`head -c64 /dev/urandom`
openssl enc -aes-256-cbc -k "$secret" -P -md sha1 > aes.key
echo "Generate keypair on pkcs#15 storage"
pkcs15-init -G rsa/4096 -i 45 -a 01 -u sign,decrypt --pin XXX:YYY
pkcs15-tool --read-public-key 45 -o rsa.pub
echo "Encrypt AES Key"
openssl rsautl -pubin -inkey rsa.pub -encrypt -in aes.key -out aes.key.c
echo "Remove AES Key"
for i in `seq 0 7`
do
size=`stat aes.key | grep Size | awk {'print $2'}`
head -c $size /dev/urandom > aes.key
sync
sync
sleep 1
done
rm aes.key
sync
echo "Decrypt AES Key to memory (depending on shell)"
eval `pkcs15-crypt -c --pkcs1 -i aes.key.c | tr -d " "`
echo "Encrypt data"
openssl enc -K $key -iv $iv -S $salt -in data.file -out data.file.crypt -aes256
echo "Decrypt data"
openssl enc -d -K $key -iv $iv -in data.file.crypt -out data.file.decrypt -aes256
echo "Clear memory"
unset key iv salt

kind regards & thanks

Markus

PS: The above shellcode is based on
http://www.gooze.eu/howto/smartcard-quickstarter-guide/signing-crypting-and-verifying
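
The init/loop scheme from the post, as an added example that is not part of the original message: the AES key is 32 raw random bytes wrapped straight from a pipe, so no cleartext key file exists that would need overwriting. It assumes a software RSA key standing in for the token (a real card would unwrap via pkcs15-crypt as in the post); all function and file names are illustrative.

```sh
#!/bin/sh
# Added example, not from the original post. ASSUMPTION: a software RSA key
# stands in for the token; with a real card unwrap_key would call pkcs15-crypt.

make_keypair() {   # $1 = private key file, $2 = public key file
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

# 32 random bytes go from a pipe straight into the RSA wrap, so the AES key
# never exists as a cleartext file that would have to be overwritten.
wrap_new_key() {   # $1 = public key file, $2 = wrapped key file
    openssl rand 32 | openssl pkeyutl -encrypt -pubin -inkey "$1" -out "$2"
}

# Unwrap to stdout as 64 hex digits for the caller to hold in a variable.
unwrap_key() {     # $1 = private key file, $2 = wrapped key file
    openssl pkeyutl -decrypt -inkey "$1" -in "$2" | od -An -v -tx1 | tr -d ' \n'
}

# Fresh random IV per file, stored next to the ciphertext as <output>.iv.
# Note: -K puts the key on the command line, visible in the process list;
# a compiled program would keep it in process memory instead.
encrypt_file() {   # $1 = hex key, $2 = input file, $3 = output file
    iv=$(openssl rand -hex 16) || return 1
    printf '%s\n' "$iv" > "$3.iv"
    openssl enc -aes-256-cbc -K "$1" -iv "$iv" -in "$2" -out "$3"
}

decrypt_file() {   # $1 = hex key, $2 = input file, $3 = output file
    openssl enc -d -aes-256-cbc -K "$1" -iv "$(cat "$2.iv")" -in "$2" -out "$3"
}

# Round trip over constructed sample data in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    make_keypair "$d/token.pem" "$d/token.pub" &&
    wrap_new_key "$d/token.pub" "$d/aes.key.c" &&
    key=$(unwrap_key "$d/token.pem" "$d/aes.key.c") &&
    printf 'constructed sample data\n' > "$d/data.file" &&
    encrypt_file "$key" "$d/data.file" "$d/data.file.crypt" &&
    decrypt_file "$key" "$d/data.file.crypt" "$d/data.file.decrypt" &&
    cmp -s "$d/data.file" "$d/data.file.decrypt"
    rc=$?
    unset key iv
    rm -rf "$d"
    return $rc
}
```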