> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
> Boyd Ako
> Sent: Wednesday, January 30, 2019 18:08

> Does anybody know how to use the smartcard to encrypt and decrypt files?

This may depend somewhat on the type of smartcard. While PKCS#11 is a standard, 
there are all sorts of differences in implementations.

> I was able to encrypt a file using the cert on the smartcard. However, I 
> couldn't decrypt it. I think it's mainly because I don't know how to get the 
> Private Key on the token to decrypt it. I've tried `pkcs11-tool -l --id 0002 
> -r --type privkey` but I get a "sorry, reading private keys not (yet) 
> supported" message.

You're Doing It Wrong.

The point of hardware cryptographic devices is that *secrets stay on them*. 
You're not supposed to get private keys off the device, except for special and 
rare use cases such as cloning a device for redundancy.

If you want to do this with OpenSSL, you need to use the OpenSSL PKCS#11 
engine. In most OpenSSL builds I've seen, the PKCS#11 engine isn't linked into 
the openssl executable, so you use the "dynamic" engine to load it. And the 
PKCS#11 engine will need a suitable driver.

This gets quite complicated, and I don't have time to dig up all my notes, and 
I've never tried your use case anyway. (I used HSMs for code signing.) But 
here's an example of using a NitroKey HSM to generate a CSR, using the openssl 
utility and PKCS#11 engine on Windows:

C:\> openssl
OpenSSL> engine -t dynamic -pre SO_PATH:\path\to\pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:\path\to\opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:\path\to\pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:\path\to\opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key 0:10 -keyform engine -out csr.pem -text -days 1095
engine "pkcs11" set.
No private keys found.
Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): 6-digit PIN
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: you can change any of these or hit Enter for 
the defaults
State or Province Name (full name) [XX]:
Locality Name (eg, city) [Some City]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) [Whatever]:
Common Name (eg. YOUR name) [Me]:
Email Address [f...@bar.com]:
OpenSSL>

Here pkcs11.dll is the OpenSSL PKCS#11 engine in dynamic-load module form. If 
your OpenSSL installation doesn't have it, you'll have to build it. 
opensc-pkcs11.dll is the PKCS#11 driver from the OpenSC open-source smartcard 
interface project. OpenSC has a configuration file which needs to be set up to 
match your particular hardware.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
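The following script is an added example and is not code from the post above or from the OpenSC or libp11 projects. It does the file encrypt/decrypt the question asks about in the way a hardware token is meant to be used: the file is encrypted under a fresh random AES-256 key, that session key is RSA-OAEP encrypted to the certificate read off the token, and the only private-key operation (unwrapping the session key) is performed on the token through the pkcs11 engine. It also shows the OpenSSL config-file equivalent of the interactive `engine -t dynamic -pre ...` sequence in the post, so `-engine pkcs11` works from any openssl command line. Assumed, and not from the post: OpenSSL 1.1.1 or later (for `-pbkdf2`) with the libp11 pkcs11 engine built as a shared object, OpenSC as the PKCS#11 module, the `/usr/lib/...` paths, the certificate object id `10`, and the `0:10` slot:id key reference (the form used in the post's NitroKey example).

```shell
#!/bin/sh
# Added example, not code from the post: hybrid file encryption where the only
# private-key operation (unwrapping the session key) runs on the token through
# the pkcs11 engine, so the private key never leaves the device.
# Assumptions: OpenSSL 1.1.1+ with the libp11 pkcs11 engine, OpenSC as the
# PKCS#11 module, and the engine/module paths and key reference used below.
set -eu

# Config-file equivalent of the interactive
#   engine -t dynamic -pre SO_PATH:... -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
#   -pre MODULE_PATH:...
# sequence from the post. With OPENSSL_CONF pointing at this file, every
# openssl invocation can use "-engine pkcs11" without the -pre commands.
write_pkcs11_conf() {
  conf=$1; engine_so=$2; module_so=$3
  cat > "$conf" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = $engine_so
MODULE_PATH = $module_so
init = 0
EOF
}

# Encrypt IN for the holder of CERT (the certificate read off the token, which
# is public). A fresh random AES-256 key encrypts the file; only that small
# session key is RSA-OAEP encrypted to the certificate.
# Writes OUT.enc and OUT.key.wrapped.
encrypt_file_to_cert() {
  cert=$1; in=$2; out=$3
  session=$(mktemp)
  openssl rand -hex 32 > "$session"          # one line of 64 hex characters
  openssl enc -aes-256-cbc -pbkdf2 -pass "file:$session" -in "$in" -out "$out.enc"
  openssl pkeyutl -encrypt -certin -inkey "$cert" \
    -pkeyopt rsa_padding_mode:oaep -in "$session" -out "$out.key.wrapped"
  rm -f "$session"
}

# Recover the session key. KEYREF is either a PEM private key (software, used
# for testing) or an engine key reference such as "0:10" (slot:id) when the
# extra arguments "-engine pkcs11 -keyform engine" are given; in that case the
# RSA decrypt happens on the token and the engine prompts for the PIN.
unwrap_session_key() {
  wrapped=$1; keyout=$2; keyref=$3; shift 3
  openssl pkeyutl -decrypt "$@" -inkey "$keyref" \
    -pkeyopt rsa_padding_mode:oaep -in "$wrapped" -out "$keyout"
}

# Decrypt the bulk file with the recovered session key.
decrypt_file() {
  session=$1; in=$2; out=$3
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$session" -in "$in" -out "$out"
}

# Full flow against a real token (paths and object id are assumptions):
#   sh this_script.sh token plain.txt
# It needs the hardware and a PIN, so it only runs when asked for explicitly.
if [ "${1:-}" = token ]; then
  write_pkcs11_conf ./openssl-pkcs11.cnf /usr/lib/engines-1.1/pkcs11.so /usr/lib/opensc-pkcs11.so
  export OPENSSL_CONF=./openssl-pkcs11.cnf
  # The certificate on the token is public, so reading it out is fine.
  pkcs11-tool --module /usr/lib/opensc-pkcs11.so --read-object --type cert --id 10 -o token.der
  openssl x509 -inform DER -in token.der -out token.pem
  encrypt_file_to_cert token.pem "$2" "$2"
  unwrap_session_key "$2.key.wrapped" session.hex "0:10" -engine pkcs11 -keyform engine
  decrypt_file session.hex "$2.enc" "$2.recovered"
  rm -f session.hex
fi
```

The design point is that decryption never needs the private key as a file: `pkeyutl -decrypt -engine pkcs11 -keyform engine` hands the wrapped session key to the token and gets the plaintext key back, which is exactly what `pkcs11-tool -r --type privkey` refuses to do. The `0:10` reference is libp11's slot:id form from the post; newer libp11 releases also accept a PKCS#11 URI (`pkcs11:...`) in its place. The `init = 0` line registers the engine without initializing it, so openssl commands that do not pass `-engine pkcs11` are unaffected.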
