Add pkcs11 command


Add pkcs11 command

Antonio Iacono
There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
project, but one often only needs the list of key ids to perform signature
operations with the engine.

I would propose a new pkcs11 command which, for now, only makes the
list of ids and labels of keys present in a token.

I have already prepared a draft in this branch
https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps

Thanks,
Antonio

Re: Add pkcs11 command

Richard Levitte - VMS Whacker-2
There is a more generic command to do exactly this sort of thing,
'openssl storeutil', available since OpenSSL 1.1.1.

The pkcs11 backend / engine needs to implement the functionality
required to hook with the OSSL_STORE functionality for storeutil to be
useful.

Cheers,
Richard

On Wed, 06 Mar 2019 09:47:01 +0100,
Antonio Iacono wrote:

>
> There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
> project, but one often only needs the list of key ids to perform signature
> operations with the engine.
>
> I would propose a new pkcs11 command which, for now, only makes the
> list of ids and labels of keys present in a token.
>
> I have already prepared a draft in this branch
> https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps
>
> Thanks,
> Antonio
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/

Re: Add pkcs11 command

Antonio Iacono
I can write the function inside the pkcs11 engine, but then how do I "hook"
it to storeutl?

The first obstacle is here: "No URI given, nothing to do", but with
pkcs11 I have no URI or file.

Thanks

On Wed, Mar 6, 2019 at 10:35 AM Richard Levitte <[hidden email]> wrote:

>
> There is a more generic command to do exactly this sort of thing,
> 'openssl storeutil', available since OpenSSL 1.1.1.
>
> The pkcs11 backend / engine needs to implement the functionality
> required to hook with the OSSL_STORE functionality for storeutil to be
> useful.
>
> Cheers,
> Richard
>
> On Wed, 06 Mar 2019 09:47:01 +0100,
> Antonio Iacono wrote:
> >
> > There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
> > project, but one often only needs the list of key ids to perform signature
> > operations with the engine.
> >
> > I would propose a new pkcs11 command which, for now, only makes the
> > list of ids and labels of keys present in a token.
> >
> > I have already prepared a draft in this branch
> > https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps
> >
> > Thanks,
> > Antonio
> >
> --
> Richard Levitte         [hidden email]
> OpenSSL Project         http://www.openssl.org/~levitte/

Re: Add pkcs11 command

Antonio Iacono
OSSL_STORE_LOADER_set_open on bind?

On Wed, Mar 6, 2019 at 10:35 AM Richard Levitte <[hidden email]> wrote:

>
> There is a more generic command to do exactly this sort of thing,
> 'openssl storeutil', available since OpenSSL 1.1.1.
>
> The pkcs11 backend / engine needs to implement the functionality
> required to hook with the OSSL_STORE functionality for storeutil to be
> useful.
>
> Cheers,
> Richard
>
> On Wed, 06 Mar 2019 09:47:01 +0100,
> Antonio Iacono wrote:
> >
> > There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
> > project, but one often only needs the list of key ids to perform signature
> > operations with the engine.
> >
> > I would propose a new pkcs11 command which, for now, only makes the
> > list of ids and labels of keys present in a token.
> >
> > I have already prepared a draft in this branch
> > https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps
> >
> > Thanks,
> > Antonio
> >
> --
> Richard Levitte         [hidden email]
> OpenSSL Project         http://www.openssl.org/~levitte/

Re: Add pkcs11 command

Richard Levitte - VMS Whacker-2
Not only.

What you need to do on bind is to create a whole OSSL_STORE_LOADER for
pkcs11.  OSSL_STORE_LOADER_set_open only sets the opening function,
which is expected to take a URI and parse that into something
sensible, and return a context.  There are other functions to set as
well, such as the 'load', 'eof', 'error' and 'close' functions.

The OSSL_STORE_LOADER callback set is designed to work somewhat
vaguely like the stdio API, but instead of handling a set of bytes, it
handles a set of objects, which can be whatever the OSSL_STORE API
knows how to handle.

When you're done building the OSSL_STORE_LOADER (including a scheme
name, that's absolutely important), you hook it into libcrypto with
OSSL_STORE_register_loader(), and voilà, you should be able to do this:

    openssl storeutil -engine yourengine \
        'pkcs11:token=yourtoken;object=my-certificate;objecttype=cert;id=1234'

(I'm sorry, I don't know the URI scheme enough to say how to specify
that you want to get a list of all accessible certificates or other
objects)

There is the manual OSSL_STORE_LOADER(3) found in doc/man3/OSSL_STORE_LOADER.pod,
and the 'file:' scheme loader is in crypto/store/loader_file.c, but
fair warning, that one is a bit more complex than you would probably
expect from the average store loader.

Cheers,
Richard

On Wed, 06 Mar 2019 16:01:05 +0100,
Antonio Iacono wrote:

>
> OSSL_STORE_LOADER_set_open on bind?
>
> On Wed, Mar 6, 2019 at 10:35 AM Richard Levitte <[hidden email]> wrote:
> >
> > There is a more generic command to do exactly this sort of thing,
> > 'openssl storeutil', available since OpenSSL 1.1.1.
> >
> > The pkcs11 backend / engine needs to implement the functionality
> > required to hook with the OSSL_STORE functionality for storeutil to be
> > useful.
> >
> > Cheers,
> > Richard
> >
> > On Wed, 06 Mar 2019 09:47:01 +0100,
> > Antonio Iacono wrote:
> > >
> > > There are some good tools for pkcs11, like pkcs11-tool of the OpenSC
> > > project, but one often only needs the list of key ids to perform signature
> > > operations with the engine.
> > >
> > > I would propose a new pkcs11 command which, for now, only makes the
> > > list of ids and labels of keys present in a token.
> > >
> > > I have already prepared a draft in this branch
> > > https://github.com/opensignature/openssl/tree/add-pkcs11-command/apps
> > >
> > > Thanks,
> > > Antonio
> > >
> > --
> > Richard Levitte         [hidden email]
> > OpenSSL Project         http://www.openssl.org/~levitte/
>
--
Richard Levitte         [hidden email]
OpenSSL Project         http://www.openssl.org/~levitte/
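Added example, not code from this thread or from the opensignature branch: the URI-parsing step Richard describes for the loader's open callback ("take a URI and parse that into something sensible"), written for the attributes in his example URI (`token`, `object`, `objecttype`, `id`; RFC 7512 itself spells the last-but-one `type`). The names `pk11_uri_parse` and `struct pk11_uri` are mine; the parser percent-decodes so a binary CKA_ID round-trips and rejects malformed input whole (bad escape, unknown or repeated attribute, missing `=`) instead of handing a half-parsed context on to load/eof/close.

```c
#include <ctype.h>
#include <string.h>
#define PK11_MAX 64
struct pk11_uri {                    /* attribute set from the thread's example URI */
    char token[PK11_MAX], object[PK11_MAX], objecttype[PK11_MAX];
    char id[PK11_MAX]; size_t id_len; /* CKA_ID is binary: keep an explicit length */
};
static const char *const attr_names[] = { "token", "object", "objecttype", "id" };

static int hexval(char c)            /* -1 for a non-hex digit */
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src[0..n) into dst (capacity cap): decoded length, or -1 on
 * overflow, a truncated "%X" or a non-hex escape. Never a partial result. */
static int pct_decode(const char *src, size_t n, char *dst, size_t cap)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++, out++) {
        if (out + 1 >= cap) return -1;                 /* keep room for the NUL */
        if (src[i] != '%') { dst[out] = src[i]; continue; }
        if (i + 2 >= n) return -1;
        int hi = hexval(src[i + 1]), lo = hexval(src[i + 2]);
        if (hi < 0 || lo < 0) return -1;
        dst[out] = (char)(hi * 16 + lo);
        i += 2;
    }
    dst[out] = '\0'; return (int)out;
}

/* Parse "pkcs11:attr=value;attr=value" into *out. Returns 1 on success, 0 on
 * wrong scheme, missing '=', unknown or repeated attribute, or a bad escape. */
int pk11_uri_parse(const char *uri, struct pk11_uri *out)
{
    char *slots[] = { out->token, out->object, out->objecttype, out->id };
    unsigned seen = 0; memset(out, 0, sizeof(*out));
    if (strncmp(uri, "pkcs11:", 7) != 0) return 0;
    for (const char *p = uri + 7; *p != '\0'; ) {
        const char *eq = strchr(p, '='), *end = strchr(p, ';');
        if (end == NULL) end = p + strlen(p);
        if (eq == NULL || eq > end) return 0;          /* segment without '=' */
        size_t klen = (size_t)(eq - p); int k;
        for (k = 0; k < 4; k++)
            if (klen == strlen(attr_names[k]) && memcmp(p, attr_names[k], klen) == 0) break;
        if (k == 4 || (seen & (1u << k))) return 0;    /* unknown or duplicate */
        seen |= 1u << k;
        int n = pct_decode(eq + 1, (size_t)(end - eq - 1), slots[k], PK11_MAX);
        if (n < 0) return 0;
        if (k == 3) out->id_len = (size_t)n;           /* id may contain NUL bytes */
        p = (*end == ';') ? end + 1 : end;
    }
    return 1;
}
```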

Re: Add pkcs11 command

Antonio Iacono
OK thanks,

The initial implementation of STORE in my pkcs11 engine (1) is ready.
I am able to do this:

    openssl storeutl -engine pkcs11 'pkcs11:objecttype=cert;object=test'

and this is the result:
engine "pkcs11" set.
0: Certificate
-----BEGIN CERTIFICATE-----
MIIC/DCCAeSgAwIBAgIUDrAyYf/dMsavGGEuYMLqJxFrHOUwDQYJKoZIhvcNAQEL
...

(1) https://github.com/openssl/openssl/pull/8200


On Wed, Mar 6, 2019 at 4:37 PM Richard Levitte <[hidden email]> wrote:

> What you need to do on bind is to create a whole OSSL_STORE_LOADER for
> pkcs11.  OSSL_STORE_LOADER_set_open only sets the opening function,
> which is expected to take a URI and parse that into something
> sensible, and return a context.  There are other functions to set as
> well, such as the 'load', 'eof', 'error' and 'close' functions.
>
> The OSSL_STORE_LOADER callback set is designed to work somewhat
> vaguely like the stdio API, but instead of handling a set of bytes, it
> handles a set of objects, which can be whatever the OSSL_STORE API
> knows how to handle.
>
> When you're done building the OSSL_STORE_LOADER (including a scheme
> name, that's absolutely important), you hook it into libcrypto with
> OSSL_STORE_register_loader(), and voilà, you should be able to do this:
>
>     openssl storeutil -engine yourengine \
>         'pkcs11:token=yourtoken;object=my-certificate;objecttype=cert;id=1234'
>
> (I'm sorry, I don't know the URI scheme enough to say how to specify
> that you want to get a list of all accessible certificates or other
> objects)
>
> There is the manual OSSL_STORE_LOADER(3) found in doc/man3/OSSL_STORE_LOADER.pod,
> and the 'file:' scheme loader is in crypto/store/loader_file.c, but
> fair warning, that one is a bit more complex than you would probably
> expect from the average store loader.
>
> Cheers,
> Richard
>