Your whole concept is totally wrong.
If you switch to hardware cryptography, and utilize its advantages,
you do not have direct access to the private key.
This is what makes hardware cryptography better than software-only solutions.

OpenSSL is fully compatible with this approach, having an RSA object that
can be used for crypto operations without actually having the private
key. This is done via the concept of an "engine" which delegates the
crypto calls to the hardware device.

Try to perform a private key operation using the RSA object and see that it works.

Alon.
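
The point made above (a private-key operation succeeds on an RSA object that holds no private exponent, because its method table forwards the call to the token) as an added illustration that is not from this thread, from pkcs11-helper or from OpenSSL; the Token/RsaObject/get_rsa names and the small demo primes are constructed for the model.

```python
"""Model of the OpenSSL engine / RSA_METHOD delegation discussed in the
thread: the caller's RSA object carries only public components plus a
method pointer; private-key operations are forwarded to the token."""
import hashlib

# Constructed demo primes (tiny on purpose; a real token holds 2048-bit keys).
P, Q = 1000003, 999983

class Token:
    """Stands in for the PKCS#11 token: _d never leaves this object."""
    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self._d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+

    def public_key(self):
        return self.n, self.e

    def private_encrypt(self, m):
        """Analogue of C_Sign: raw RSA private operation on an integer < n."""
        return pow(m, self._d, self.n)

class RsaObject:
    """Stands in for the RSA* from pkcs11h_openssl_session_getRSA: n and e
    are present, d is not; rsa_priv_enc points into the 'engine'."""
    def __init__(self, n, e, priv_enc):
        self.n, self.e = n, e
        self._priv_enc = priv_enc

    @property
    def d(self):
        raise AttributeError("private exponent is held by the token, not here")

    def _digest(self, data):
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % self.n

    def sign(self, data):
        return self._priv_enc(self._digest(data))  # delegated, like RSA_sign

    def verify(self, data, sig):
        return pow(sig, self.e, self.n) == self._digest(data)

def get_rsa(token):
    """Wrap the token handle the way the helper's getRSA hands out an RSA*."""
    n, e = token.public_key()
    return RsaObject(n, e, token.private_encrypt)

def proxy_signing_demo(tbs=b"constructed proxy-certificate TBS bytes"):
    # Sign (as when issuing a proxy certificate) with an RSA object lacking d.
    rsa = get_rsa(Token(P, Q))
    sig = rsa.sign(tbs)
    return rsa.verify(tbs, sig), rsa.verify(tbs + b"!", sig)
```

Calling `proxy_signing_demo()` returns `(True, False)`: the signature made without any private exponent in the caller's object verifies under the public key, and a modified input does not.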

On Thu, Nov 10, 2011 at 10:02 AM, weizhong qiang
<weizhongqi...@gmail.com> wrote:
> hi Alon,
>
> On Nov 10, 2011, at 8:24 AM, Alon Bar-Lev wrote:
>
> Hello,
>
> You can't.
> pkcs11-helper targets developers who want to use smartcards without the
> overhead of the actual card management.
> Well-behaved smartcards should not allow export of the private key.
>
> But it seems the pk12util can accomplish this task.
> https://developer.mozilla.org/en/NSS_reference/NSS_tools_:_pk12util
>
> Why do you need the private key anyway?
>
> My current code (based on openssl) is for grid computing usage. We use a
> file-based EEC credential (cert.pem, key.pem) to generate a proxy
> certificate, and then use the proxy certificate to communicate with peer
> ends.
> Now we need to switch to pkcs11 for the storage of the EEC credential,
> instead of the file-based storage, because pkcs11 provides a higher level
> of security.
> The reason I need to retrieve the private key is that I need the X509 and
> private key for generating the proxy certificate.
> I see a piece of code here:
> http://codesearch.google.com/#RnTPnPMDu28/staticopenvpn/openvpn/pkcs11.c&ct=rc&cd=1&q=SSL_CTX_use_pkcs11&exact_package=git://github.com/spokn/lib.git&l=606
> /**********/
>
> if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL) {
>         msg (M_WARN, "PKCS#11: Unable get rsa object");
>         goto cleanup;
> }
>
> if ((x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL) {
>         msg (M_WARN, "PKCS#11: Unable get certificate object");
>         goto cleanup;
> }
>
> if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx, rsa)) {
>         msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
>         goto cleanup;
> }
>
> if (!SSL_CTX_use_certificate (ssl_ctx, x509)) {
>         msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
>         goto cleanup;
> }
> ******/
> From the above code, I concluded that it is possible to retrieve the private
> key. Maybe this piece of code will not work.
> Thanks for your kind help.
> Best Regards,
> Weizhong Qiang
>
>
> Alon.
>
> On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang <weizhongqi...@gmail.com>
> wrote:
>
> hi all,
>
> I tried to use the pkcs11-helper API to retrieve the X509 and private key from the
> NSS softtoken, with version 1.09 of pkcs11-helper.
>
> I can get the X509 object, but the returned RSA object only includes the public
> key, rather than the private key.
>
> I paste the code below.
>
> Could anyone give me a hint about how to get the private key?
>
> Thanks a lot,
>
> Weizhong Qiang
>
>
>
>   pkcs11h_certificate_id_list_t issuers;
>   pkcs11h_certificate_id_list_t certs;
>   pkcs11h_certificate_id_t find = NULL;
>
>   CK_RV rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE, NULL,
>               PKCS11H_PROMPT_MASK_ALLOW_ALL, &issuers, &certs);
>   if(rv != CKR_OK || certs == NULL) {
>     PKCS11UtilLogger.msg(ERROR, "Cannot enumerate certificates: %s", pkcs11h_getMessage(rv));
>     return false;
>   }
>   PKCS11UtilLogger.msg(INFO, "Succeed to enumerate certificate");
>
>   int i = 0;
>   for(pkcs11h_certificate_id_list_t cert = certs; cert != NULL; cert = cert->next) {
>     std::string label = cert->certificate_id->displayName;
>     i++;
>     PKCS11UtilLogger.msg(INFO, "The name of the %d certificate is %s \n", i, label.c_str());
>     if(certname == label) {
>       pkcs11h_certificate_duplicateCertificateId(&find, cert->certificate_id);
>       //TODO: probably it is needed to deal with the case that multiple
>       //certificates with the same name exist.
>       break;
>     }
>   }
>   pkcs11h_certificate_freeCertificateIdList(issuers);
>   pkcs11h_certificate_freeCertificateIdList(certs);
>
>   if(find == NULL) {
>     PKCS11UtilLogger.msg(ERROR, "Could not find certificate with the name %s", certname.c_str());
>     return false;
>   }
>
>   pkcs11h_certificate_t certificate;
>   rv = pkcs11h_certificate_create(find, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
>                                   PKCS11H_PIN_CACHE_INFINITE, &certificate);
>   if(rv != CKR_OK) {
>     PKCS11UtilLogger.msg(ERROR, "Can not read certificate: %s", pkcs11h_getMessage(rv));
>     pkcs11h_certificate_freeCertificateId(find);
>     return false;
>   }
>   pkcs11h_certificate_freeCertificateId(find);
>
>   pkcs11h_openssl_session_t openssl_session = NULL;
>   if((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL) {
>     PKCS11UtilLogger.msg(ERROR, "Cannot initialize openssl session to retrieve X509 and RSA");
>     pkcs11h_certificate_freeCertificate(certificate);
>     return false; // without this, execution continued with a NULL session
>   }
>   certificate = NULL; // the certificate object will be released by openssl_session
>
>   X509* x509_local = pkcs11h_openssl_session_getX509(openssl_session);
>   RSA* rsa_local = pkcs11h_openssl_session_getRSA(openssl_session);
>   // Both getters must succeed; the earlier version assigned ret = true
>   // unconditionally after these checks, so a failure was never reported.
>   if(!x509_local || !rsa_local) {
>     if(!x509_local) PKCS11UtilLogger.msg(ERROR, "Cannot get X509 object");
>     if(!rsa_local) PKCS11UtilLogger.msg(ERROR, "Cannot get RSA object");
>     if(x509_local) X509_free(x509_local); // release whichever object was obtained
>     if(rsa_local) RSA_free(rsa_local);
>     pkcs11h_openssl_freeSession(openssl_session);
>     return false;
>   }
>   PKCS11UtilLogger.msg(INFO, "Succeed to get X509 and RSA");
>   *x509 = x509_local;
>   *rsa = rsa_local;
>   pkcs11h_openssl_freeSession(openssl_session);
>   return true;
>
>
> _______________________________________________
>
> opensc-devel mailing list
>
> opensc-devel@lists.opensc-project.org
>
> http://www.opensc-project.org/mailman/listinfo/opensc-devel