On 12/9/2011 4:28 AM, Umaxik wrote:

Hi all,

I am totally new to this topic and stuck with this simple issue. Please,
provide me with any ideas / recommendations.

The issue:

0. Windows 7. OpenSC is not available. The text is pretty short (<=48
symbols).

Yes it is available, in the experimental minidriver.dll on Windows. See:

  https://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
  https://www.opensc-project.org/opensc/wiki/DownloadRelease

Use the x86 installer. The minidriver, login and Mozilla
products are still 32 bit.

Microsoft also has a built in PIV driver for Windows 7. I have not
tried it to see what it can do with EC keys. But 2008 has EC support,
so Windows 7 should too.

To use the OpenSC minidriver will require some additional registry
changes. Drop me a note if you want to try this.

The other OpenSC *-tools and opensc-pkcs11.dll are in the package too.

1. I have a PIV card with its Key Management Key Certificate. At the moment,
this certificate uses EC keys (other algorithms are allowed by NIST SP
800-73).

OpenSC-0.12.1 supports ECDSA for signatures, and there is code developed
to support ECDH for key derivation, that is in github, but not in the
main line yet.

The OpenSC engine-opensc also supports ECDSA, but is waiting on OpenSSL for
the ECDSA_METHOD definition to be moved to a public header file:

http://www.mail-archive.com/[email protected]/msg63508.html

http://www.opensc-project.org/opensc/ticket/295


2. I can download KMK packed with BER-Tlv (there is a set of data with other
parts).
3. The certificate itself can be successfully extracted with
ASN1_get_object().

4. I can create some 'certificate' in openssl:

#include <openssl/bio.h>
#include <openssl/x509.h>

/* Parse a DER certificate (pData, lLength bytes) into *ppCertificate; 0 on success, -1 on failure. */
int LoadCertificate(const unsigned char* pData, long lLength, X509** ppCertificate) {
        BIO* pMemoryBIO = BIO_new_mem_buf((void*)pData, lLength);
        if(!pMemoryBIO) {
                return -1;
        }
        X509* pCertificate = d2i_X509_bio(pMemoryBIO, NULL);
        BIO_free(pMemoryBIO);   /* the BIO is no longer needed once parsed (it was leaked before) */
        if(!pCertificate) {
                return -1;
        }
        *ppCertificate = pCertificate;
        return 0;
}

But... What should I use then? I can understand neither how to use this
pCertificate for packing the text nor if I do it totally wrong.

Is it correct that OpenSSL can distinguish algorithms used by certificates
(RSA, ECDH) by itself, so there is a magic way to encrypt something with any
valid certificate provided?

Does this call of d2i_X509_bio() create a correct certificate?

Many thanks,
Max Ushakov

--

 Douglas E. Engert  <[email protected]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
