Dear Anthony, you cannot import an externally generated private key. For security reasons, the SmartCard-HSM only supports keys generated internally.
We've tested with XCA which uses OpenSSL and the engine mechanism, so I'm quite confident it should work with the command line as well. Let me come back after I tried it.

Andreas

On 12.11.2012 07:54, Anthony Foiani wrote:
> Andreas --
>
> On Sun, Nov 11, 2012 at 6:31 AM, Andreas Schwier
> <andreas.schw...@cardcontact.de> wrote:
>
>> The suggested way in the meantime is to generate the key pair, extract
>> the public key and generate a CSR externally, signing it with the
>> private key on the device.
>
> I haven't tried that precise sequence yet -- I tried it with openssl
> and it complained, I still need to try it with certtool as described
> by Nikos.
>
> I did try creating the keypair and certificate in software, then
> installing the resulting bits onto the token.
>
> I managed to install the certificate (which also provides the public key):
>
> $ echo $tool
> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so
> --login --pin 648219
>
> $ LD_LIBRARY_PATH=/usr/local/lib $tool -O
> Using slot 1 with a present token (0x1)
> Certificate Object, type = X.509 cert
>   label:      Foo
>   ID:         10
> Public Key Object; RSA 2048 bits
>   label:      Foo
>   ID:         10
>   Usage:      encrypt, verify
>
> Although the public key does not have the "wrap" usage flag set;
> compare with a keypair generated on the token:
>
> $ LD_LIBRARY_PATH=/usr/local/lib $tool \
>     --keypairgen --key-type rsa:2048 --id 11 \
>     --read-object --id 11 --type pubkey --output-file foobar.pub
> Using slot 1 with a present token (0x1)
> Key pair generated:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         11
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         11
>   Usage:      encrypt, verify, wrap
>
> However, the bigger problem came when I tried to install the private key:
>
> $ LD_LIBRARY_PATH=/usr/local/lib $tool --write-object foo2a.key.der
>     --id 11 --type privkey --label Foo
> Using slot 1 with a present token (0x1)
> error: PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)
> Aborting.
>
> Turning on debugging (after making trivial repairs to the debug output
> code), it seems that these are the attributes that are getting
> stuffed:
>
> CKA_CLASS            = CKO_PRIVATE_KEY
> CKA_TOKEN            = TRUE
> CKA_PRIVATE          = TRUE
> CKA_SENSITIVE        = TRUE
> CKA_LABEL            = Foo
> CKA_ID               = 10
> CKA_KEY_TYPE         = 0x7fff6d1c1175
> CKA_MODULUS          = C770D5...
> CKA_PUBLIC_EXPONENT  = 010001
> CKA_PRIVATE_EXPONENT = 97F798...
> CKA_PRIME_1          = EFE5AD...
> CKA_PRIME_2          = D4D3F6...
> CKA_EXPONENT_1       = 5815FD...
> CKA_EXPONENT_2       = 2DD24D...
> CKA_COEFFICIENT      = 62BD2B...
>
> Looking for similar instances on the web, the recommendation seems to
> be: "hack pkcs11-tool to remove individual attributes until you find
> which one the token is complaining about".
>
> With your visibility into the software on the token, I'm hoping that
> you can help us avoid that kind of trial and error. :)
>
> Thanks very much for your help so far, and we're looking forward to
> hearing the results of your tests with openssl.
>
> Best regards,
> Anthony Foiani

-- 
    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
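Added here as an illustration, not code from the thread, from OpenSC or from CardContact: a small Python script that parses the `pkcs11-tool -O` listing format quoted in Anthony's message and groups objects by CKA_ID, so the state the thread ends in (certificate and public key for ID 10 installed, but no private key object because C_CreateObject was refused; on-token key pair for ID 11 without a certificate yet) can be spotted from the listing instead of by eye. The sample listing is constructed by concatenating the two listings quoted above; the finding strings, the function names and the "wrap" check (which only reports the usage difference the message points out) are my own choices, not anything the token or OpenSC defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the two `pkcs11-tool -O` listings quoted in the
# thread, joined into one (cert + public key imported for ID 10, key pair
# generated on the token for ID 11).
LISTING = """\
Using slot 1 with a present token (0x1)
Certificate Object, type = X.509 cert
  label:      Foo
  ID:         10
Public Key Object; RSA 2048 bits
  label:      Foo
  ID:         10
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      Private Key
  ID:         11
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         11
  Usage:      encrypt, verify, wrap
"""

# Object header lines look like "Certificate Object, type = X.509 cert" or
# "Public Key Object; RSA 2048 bits"; the separator after "Object" varies.
HEADER_RE = re.compile(r"^(Certificate|Public Key|Private Key) Object[;,]\s*(.*)$")


def parse_listing(text):
    """Parse pkcs11-tool object listing text into a list of object dicts."""
    objects = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {"class": m.group(1), "detail": m.group(2).strip(),
                       "label": None, "id": None, "usage": set()}
            objects.append(current)
            continue
        if current is None or ":" not in raw:
            continue  # banner lines such as "Using slot ..." carry no attributes
        key, _, value = raw.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "label":
            current["label"] = value
        elif key == "id":
            current["id"] = value
        elif key == "usage":
            current["usage"] = {u.strip() for u in value.split(",") if u.strip()}
    return objects


def by_id(objects):
    """Group parsed objects by CKA_ID -> {object class: object}."""
    groups = defaultdict(dict)
    for obj in objects:
        groups[obj["id"]][obj["class"]] = obj
    return dict(groups)


def check_token(objects):
    """Return (id, finding) pairs describing incomplete key/cert sets.

    A certificate without a matching private key object is unusable for
    signing or TLS; a private key without a certificate still needs a CSR
    to be issued; a public key without the 'wrap' usage is reported only
    because the thread notes that imported and on-token keys differ there.
    """
    findings = []
    for key_id, group in sorted(by_id(objects).items()):
        if "Certificate" in group and "Private Key" not in group:
            findings.append((key_id, "certificate present but no private key object"))
        if "Private Key" in group and "Certificate" not in group:
            findings.append((key_id, "private key has no certificate"))
        pub = group.get("Public Key")
        if pub is not None and "wrap" not in pub["usage"]:
            findings.append((key_id, "public key lacks 'wrap' usage"))
    return findings


if __name__ == "__main__":
    # In practice feed this the real output:  pkcs11-tool ... -O > listing.txt
    for key_id, finding in check_token(parse_listing(LISTING)):
        print(f"ID {key_id}: {finding}")
```

Run against the constructed listing it reports that ID 10 has a certificate but no private key object and a public key without "wrap", and that ID 11 has a private key with no certificate yet, which is exactly the split the message describes.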