Re: How to: read a certificate from PIV smart card, encode some text with its public key?

2012-01-10 Thread Umaxik

Hi Douglas. 

I am quite late with the answer, sorry. :)


Douglas E. Engert wrote:

> > Some words to finish this topic:
> >
> > My goal was to encrypt/decrypt some data with the PIV card (i.e., only
> > the card keeper may use the data). It can be done in an easier way:
> >
> > 1. PIV cards can have their Key Management Key destined to provide key
> > establishment during transactions.
> > 2. If this KMK uses ECDH, I can emulate C(1;1) scheme (NIST
> > SP800-73-3, part 2). That is:
> > 2.1. I create and store in code my own EC public key (openssl allows you to
> > create EC private keys and certificates with public keys included).
> > 2.2. The card is authorized.
> > 2.3. I call its 'General authentication' operation with KMK and this
> > public key.
>
> Are you using any of the OpenSC code to talk to the card, or are you
> using some other code to send the 'General authentication' command to the
> card?
>
> If anyone is interested: https://github.com/dengert/OpenSC
> under the ECDH branch has the code that can be applied to OpenSC-0.12.2
> to support PKCS#11 C_DeriveKey for the PIV card. There is also a
> pkcs11-tool

No, I do not use either openSSL (library) or openSC when operating with PIV
card. SCardTransmit() is used to send commands to the card directly. It is
not very intelligent, though. 

Best regards,
Max Ushakov
-- 
View this message in context: 
http://old.nabble.com/How-to%3A-read-a-certificate-from-PIV-smart-card%2C-encode-some-text-with-its-public-key--tp32941067p33109713.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: How to: read a certificate from PIV smart card, encode some text with its public key?

2011-12-13 Thread Umaxik

Many thanks, Douglas!

You helped me to sort this problem out after I had spent a week or so.

Some words to finish this topic:

My goal was to encrypt/decrypt some data with the PIV card (i.e., only the
card keeper may use the data). It can be done in an easier way:

1. PIV cards can have their Key Management Key destined to provide key
establishment during transactions.
2. If this KMK uses ECDH, I can emulate C(1;1) scheme (NIST
SP800-73-3, part 2). That is:
2.1. I create and store in code my own EC public key (openssl allows you to
create EC private keys and certificates with public keys included).
2.2. The card is authorized.
2.3. I call its 'General authentication' operation with KMK and this public
key.
2.4. As a result, I have the secret code. This code is suitable for AES
encryption.

Therefore, I use openssl in order to create this public key and to operate
with AES encryption.

Best regards,
Max Ushakov


Re: How to: read a certificate from PIV smart card, encode some text with its public key?

2011-12-13 Thread Douglas E. Engert



On 12/13/2011 7:32 AM, Umaxik wrote:


> Many thanks, Douglas!
>
> You helped me to sort this problem out after I had spent a week or so.


Good to hear.



> Some words to finish this topic:
>
> My goal was to encrypt/decrypt some data with the PIV card (i.e., only the
> card keeper may use the data). It can be done in an easier way:
>
> 1. PIV cards can have their Key Management Key destined to provide key
> establishment during transactions.
> 2. If this KMK uses ECDH, I can emulate C(1;1) scheme (NIST
> SP800-73-3, part 2). That is:
> 2.1. I create and store in code my own EC public key (openssl allows you to
> create EC private keys and certificates with public keys included).
> 2.2. The card is authorized.
> 2.3. I call its 'General authentication' operation with KMK and this public
> key.


Are you using any of the OpenSC code to talk to the card, or are you
using some other code to send the 'General authentication' command to the card?

If anyone is interested: https://github.com/dengert/OpenSC
under the ECDH branch has the code that can be applied to OpenSC-0.12.2
to support PKCS#11 C_DeriveKey for the PIV card. There is also a pkcs11-tool



> 2.4. As a result, I have the secret code. This code is suitable for AES
> encryption.
>
> Therefore, I use openssl in order to create this public key and to operate
> with AES encryption.


And you should only need to save the (ephemeral) public key, and destroy
the private key, and the AES key.



> Best regards,
> Max Ushakov


--

 Douglas E. Engert  deeng...@anl.gov
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
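The scheme in steps 1 to 2.4 above, together with Douglas's point about keeping only the ephemeral public key, as an added example that is not code from the thread or from OpenSC: the card's Key Management Key is simulated by a software P-256 key (kmk.pem, an assumption, so the script runs without a card), the card's ECDH step is done with that key in software, and SHA-256 of the shared secret stands in for a real KDF.

```shell
#!/bin/sh
# Added example, not from the thread. The card's KMK is SIMULATED by a
# software EC key (kmk.pem) so this runs offline; a real card keeps that
# private key inside and does the second ECDH in 'General authenticate'.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the card's KMK (P-256). On a real card only the
# public half is available, taken from the KMK certificate
# (openssl x509 -pubkey -noout extracts it from a PEM certificate).
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/kmk.pem" 2>/dev/null
openssl ec -in "$WORK/kmk.pem" -pubout -out "$WORK/kmk_pub.pem" 2>/dev/null

# ECDH shared secret -> SHA-256 -> 256-bit AES key (hex); a stand-in KDF.
derive_key() { # $1 = own private key, $2 = peer public key
    openssl pkeyutl -derive -inkey "$1" -peerkey "$2" |
        openssl dgst -sha256 | sed 's/^.*= //'
}

# Encrypt $1 into $2 for the card; $3 receives the ephemeral PUBLIC key, the
# only key material that has to be stored with the ciphertext (plus the IV).
encrypt_for_card() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/eph.pem" 2>/dev/null
    openssl ec -in "$WORK/eph.pem" -pubout -out "$3" 2>/dev/null
    key=$(derive_key "$WORK/eph.pem" "$WORK/kmk_pub.pem")
    iv=$(openssl rand -hex 16)
    printf '%s\n' "$iv" > "$2.iv"
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$1" -out "$2"
    rm -f "$WORK/eph.pem"   # ephemeral private key and AES key are destroyed
    unset key
}

# Decrypt $1 (ephemeral public key in $2) into $3. The card would compute
# the ECDH with its KMK private key; here the simulated kmk.pem does it.
decrypt_with_card() {
    key=$(derive_key "$WORK/kmk.pem" "$2")
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$1.iv")" -in "$1" -out "$3"
    unset key
}

# Round trip on a constructed 48-character message; returns 0 on success.
roundtrip() {
    printf '%s' 'PIV test: only the card keeper may read this....' > "$WORK/pt"
    encrypt_for_card "$WORK/pt" "$WORK/ct" "$WORK/eph_pub.pem"
    decrypt_with_card "$WORK/ct" "$WORK/eph_pub.pem" "$WORK/pt2"
    cmp -s "$WORK/pt" "$WORK/pt2"
}

roundtrip && echo "round trip OK"
```

Anyone holding the ciphertext, IV and ephemeral public key but not the KMK private key cannot derive the AES key, which is what "only the card keeper may use the data" amounts to.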


How to: read a certificate from PIV smart card, encode some text with its public key?

2011-12-09 Thread Umaxik

Hi all,

I am totally new to this topic and stuck with this simple issue. Please,
provide me with any ideas / recommendations.

The issue:

0. Windows 7. OpenSC is not available. The text is pretty short (=48
symbols).
1. I have a PIV card with its Key Management Key Certificate. At the moment,
this certificate uses EC keys (other algorithms are allowed by NIST SP
800-73).
2. I can download KMK packed with BER-Tlv (there is a set of data with other
parts).
3. The certificate itself can be successfully extracted with
ASN1_get_object().

4. I can create some 'certificate' in openssl:

    #include <openssl/bio.h>
    #include <openssl/x509.h>

    /* pData/lLength: the DER certificate pulled out of the BER-TLV object */
    BIO* pMemoryBIO = BIO_new_mem_buf((void*)pData, lLength);
    if(!pMemoryBIO) {
        return -1;
    }
    X509* pCertificate = d2i_X509_bio(pMemoryBIO, NULL);
    BIO_free(pMemoryBIO);   /* the X509 does not reference the BIO afterwards */
    if(!pCertificate) {
        return -1;
    }

But... What should I use then? I can understand neither how to use this
pCertificate for packing the text nor whether I am doing it totally wrong.

Is it correct that OpenSSL can distinguish algorithms used by certificates
(RSA, ECDH) by itself, so there is a magic way to encrypt something with any
valid certificate provided?

Does this call of d2i_X509_bio() create a correct certificate?

Many thanks,
Max Ushakov


Re: How to: read a certificate from PIV smart card, encode some text with its public key?

2011-12-09 Thread Douglas E. Engert



On 12/9/2011 4:28 AM, Umaxik wrote:


> Hi all,
>
> I am totally new to this topic and stuck with this simple issue. Please,
> provide me with any ideas / recommendations.
>
> The issue:
>
> 0. Windows 7. OpenSC is not available. The text is pretty short (=48
> symbols).


Yes, it is available, in the experimental minidriver.dll on Windows. See:

  https://www.opensc-project.org/opensc/wiki/UnitedStatesPIV
  https://www.opensc-project.org/opensc/wiki/DownloadRelease

Use the x86 installer. The minidriver, login and Mozilla
products are still 32 bit.

Microsoft also has a built in PIV driver for Windows 7. I have not
tried it to see what it can do with EC keys. But 2008 has EC support,
so Windows 7 should too.

To use the OpenSC minidriver will require some additional registry
changes. Drop me a note if you want to try this.

The other OpenSC *-tools and  opensc-pkcs11.dll are in the package too.


> 1. I have a PIV card with its Key Management Key Certificate. At the moment,
> this certificate uses EC keys (other algorithms are allowed by NIST SP
> 800-73).


OpenSC-0.12.1 supports ECDSA for signatures, and there is code developed
to support ECDH for key derivation, that is in github, but not in the
main line yet.

The OpenSC engine-opensc also supports ECDSA, but is waiting on OpenSSL for
the ECDSA_METHOD definition to be moved to a public header file:

http://www.mail-archive.com/openssl-users@openssl.org/msg63508.html

http://www.opensc-project.org/opensc/ticket/295



> 2. I can download KMK packed with BER-Tlv (there is a set of data with other
> parts).
> 3. The certificate itself can be successfully extracted with
> ASN1_get_object().
>
> 4. I can create some 'certificate' in openssl:
>
>     #include <openssl/bio.h>
>     #include <openssl/x509.h>
>
>     /* pData/lLength: the DER certificate pulled out of the BER-TLV object */
>     BIO* pMemoryBIO = BIO_new_mem_buf((void*)pData, lLength);
>     if(!pMemoryBIO) {
>         return -1;
>     }
>     X509* pCertificate = d2i_X509_bio(pMemoryBIO, NULL);
>     BIO_free(pMemoryBIO);   /* the X509 does not reference the BIO afterwards */
>     if(!pCertificate) {
>         return -1;
>     }
>
> But... What should I use then? I can understand neither how to use this
> pCertificate for packing the text nor whether I am doing it totally wrong.
>
> Is it correct that OpenSSL can distinguish algorithms used by certificates
> (RSA, ECDH) by itself, so there is a magic way to encrypt something with any
> valid certificate provided?
>
> Does this call of d2i_X509_bio() create a correct certificate?
>
> Many thanks,
> Max Ushakov


--

 Douglas E. Engert  deeng...@anl.gov
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444