Hello, You can't. pkcs11-helper targets developers who want to use smartcards without the overhead of the actual card management. Well-behaved smartcards do not allow export of the private key: the key stays on the token, and private-key operations are performed by the card rather than by the application, which is why the returned RSA object carries only the public part.
Why do you need the private key anyway? Alon. On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang <weizhongqi...@gmail.com> wrote: > hi all, > I tried to use pkcs11-helper api to retrieve X509 and private key from nss > softtoken, wit the 1.09 version of pkcs11-helper. > I can get X509 object, but the returned RSA object only includes public key, > rather than private key. > I paste the code as the following. > Could anyone give me some hint about how to get private key? > > Thanks a lot, > Weizhong Qiang > > > > pkcs11h_certificate_id_list_t issuers; > pkcs11h_certificate_id_list_t certs; > pkcs11h_certificate_id_t find = NULL; > CK_RV rv = > pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE, NULL, > PKCS11H_PROMPT_MASK_ALLOW_ALL, &issuers, &certs); > if(rv != CKR_OK || certs == NULL) { > PKCS11UtilLogger.msg(ERROR, "Cannot enumerate certificates: %s", > pkcs11h_getMessage(rv)); > return false; > } > PKCS11UtilLogger.msg(INFO, "Succeed to enumerate certificate"); > > int i = 0; > for(pkcs11h_certificate_id_list_t cert = certs; cert != NULL; cert = > cert->next) { > std::string label=cert->certificate_id->displayName; > i++; > PKCS11UtilLogger.msg(INFO, "The name of the %d certficate is %s \n", i, > label.c_str()); > if(certname == label) { > pkcs11h_certificate_duplicateCertificateId(&find, > cert->certificate_id); > //TODO: probably it is need to deal with the case that multiple > certificate with the same name exists. 
> break; > } > } > > pkcs11h_certificate_freeCertificateIdList(issuers); > pkcs11h_certificate_freeCertificateIdList(certs); > > if(find == NULL) { > PKCS11UtilLogger.msg(ERROR, "Could not find certificate with the name > %s", certname.c_str()); > return false; > } > > pkcs11h_certificate_t certificate; > rv = pkcs11h_certificate_create(find, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, > PKCS11H_PIN_CACHE_INFINITE, &certificate); > if(rv != CKR_OK) { > PKCS11UtilLogger.msg(ERROR, "Can not read certificate: %s", > pkcs11h_getMessage(rv)); > pkcs11h_certificate_freeCertificateId(find); > return false; > } > pkcs11h_certificate_freeCertificateId(find); > > pkcs11h_openssl_session_t openssl_session = NULL; > if((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL) > { > PKCS11UtilLogger.msg(ERROR, "Cannot initialize openssl session to > retrieve X509 and RSA"); > pkcs11h_certificate_freeCertificate(certificate); > } > certificate = NULL; // the certificate object will be released by > openssl_session > > bool ret; > X509* x509_local; > RSA* rsa_local; > x509_local = pkcs11h_openssl_session_getX509(openssl_session); > if(!x509_local) { PKCS11UtilLogger.msg(ERROR, "Cannot get X509 object"); > ret = false; } > rsa_local = pkcs11h_openssl_session_getRSA (openssl_session); > if(!rsa_local) { PKCS11UtilLogger.msg(ERROR, "Cannot get RSA object"); ret > = false; } > ret = true; > > PKCS11UtilLogger.msg(INFO, "Succeed to get X509 and RSA"); > *x509 = x509_local; > *rsa = rsa_local; > pkcs11h_openssl_freeSession (openssl_session); > return ret; > > > _______________________________________________ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel > _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel