On 3/23/2012 3:29 PM, Martin Paljak wrote:
On Fri, Mar 23, 2012 at 22:16, Douglas E. Engert <deeng...@anl.gov> wrote:
ECDH/C_Derive - One needs a smart card that can do ECC key derivation.
I have some test cards and some demo cards from NIST that can do this.
The NIST people were using the mods for testing with Thunderbird,
so there are at least 2 of us.
Working as in "working in a test" or "working with my software X in
environment Z".
The NIST Thunderbird tests required changes to nss to handle EC derivation
correctly, and can call opensc-pkcs11.so to decrypt e-mail using a PIV card.
I was able to use these nss mods as well.
If interested, I can find the references next week.
For example, I have a card that can do ECC derivation, but only a test
script to test it against and it is not a PIV card...
Great. The card driver would also need modifications I assume.
Since the PIV could only do ECDH1-COFACTOR-DERIVE with a KDF_NULL,
if your card can do more, then additional code would be needed.
The point being the ECDH code so far does not implement a full
ECDH, but only that part that could be tested.
Attached is a test script that uses the certificate from one card,
and derives a key using a second card. When run the other way, both
will derive the same key.
What this means is that you are not going to get many votes because
in some cases only the author can test the code. A +1 from the author
may be the most you will get!
For non-obvious things, a "did not break anything I use" is as
valuable as "works for me as well".
In between lies a healthy amount of "don't know what it is but it
looks weird" kind of review, which can filter also many things.
Martin
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
#!/bin/bash
#
# Test OpenSC pkcs11 with ECDH to derive a key
# using the public key from the certificate
# of another card.
# Doing the equivalent operation using
# the two cards should yield the same derived key.
#
# $1 is the ID of the EC key on the card in the reader.
#    03 is the Key Management key, but other keys
#    and certificates may be obtained using
#    the history object.
#
# $2 is the PEM encoded certificate that the other card
#    will use to do its derivation.
#
export LD_LIBRARY_PATH=/opt/smartcard/lib
export PATH=/opt/smartcard/bin:$PATH
export MODULE=/opt/smartcard/lib/opensc-pkcs11.so
SLOT=1
P11="pkcs11-tool --slot $SLOT --module $MODULE"
# Use a private temporary directory rather than a predictable name in /tmp,
# and remove it when the script exits.
TMP=$(mktemp -d /tmp/derive.XXXXXX) || exit 1
trap 'rm -rf "$TMP"' EXIT
OUT=()
O=""
# Options: -o FILE is handed to pkcs11-tool as its output file,
# -O is passed through to pkcs11-tool unchanged.
while test $# -gt 0 ; do
    arg="$1"
    case $arg in
    -o)
        shift
        OUT=(-o "$1")
        shift
        ;;
    -O)
        shift
        O="-O"
        ;;
    -*)
        echo "Unknown option $1"
        exit 1
        ;;
    *)
        echo "Found $1"
        break
        ;;
    esac
done
if [ $# -ne 2 ] ; then
    echo " two parameters are required"
    exit 2
fi
if [ ! -f "$2" ] ; then
    echo "$2 not found"
    exit 1
fi
# Extract the other card's EC public key from its certificate, DER encoded.
openssl x509 -noout -in "$2" -pubkey \
    | openssl ec -pubin -outform DER > "$TMP/other.pubkey.der"
# Log in and derive on the card with the key whose ID is $1.
$P11 -l --derive -m ECDH1-COFACTOR-DERIVE $O \
    -d "$1" -i "$TMP/other.pubkey.der" "${OUT[@]}"
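A software cross-check of the statement above that running the derivation in both directions yields the same key, as an added example that is not part of the original message or of OpenSC. It assumes the `openssl` command-line tool, throw-away keys generated on the spot in place of the two cards, and curve prime256v1, whose cofactor is 1 so cofactor ECDH and plain ECDH give the same value.

```shell
#!/bin/bash
# Added example: software ECDH in both directions with constructed keys.
# "a" and "b" stand in for the two cards; no card or PKCS#11 module is used.
set -eu

# gen_keypair NAME DIR: write DIR/NAME.key (private) and DIR/NAME.pub (public).
gen_keypair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$2/$1.key"
    openssl pkey -in "$2/$1.key" -pubout -out "$2/$1.pub"
}

# derive PRIVKEY PEER_PUB OUT: write the raw shared secret to OUT.
# No KDF is applied, which corresponds to KDF_NULL in the thread above:
# the output is the X coordinate of the shared point.
derive() {
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2" -out "$3"
}

# ecdh_roundtrip: derive A->B and B->A, then print "match <length in bytes>"
# or "MISMATCH". The body runs in a subshell so its variables stay local.
ecdh_roundtrip() (
    dir=$(mktemp -d)
    gen_keypair a "$dir"
    gen_keypair b "$dir"
    derive "$dir/a.key" "$dir/b.pub" "$dir/ab.bin"   # a's private, b's public
    derive "$dir/b.key" "$dir/a.pub" "$dir/ba.bin"   # b's private, a's public
    len=$(wc -c < "$dir/ab.bin" | tr -d ' ')
    if cmp -s "$dir/ab.bin" "$dir/ba.bin"; then
        echo "match $len"
    else
        echo "MISMATCH"
    fi
    rm -rf "$dir"
)

ecdh_roundtrip   # prints "match 32" for a 256-bit curve
```
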