Smartcard cert used for encrypt\decrypt

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Smartcard cert used for encrypt\decrypt

Boyd Ako
Does anybody know how to use the smartcard to encrypt and decrypt files?

I was able to encrypt a file using the cert on the smartcard. However, I couldn't decrypt it. I think it's mainly because I don't know how to get the Private Key on the token to decrypt it. I've tried `pkcs11-tool -l --id 0002 -r --type privkey` but I get a "sorry, reading private keys not (yet) supported" message.

To encrypt:
pkcs15-tool -r 0002 > x509.cert
openssl smime -encrypt -binary -aes-256-cbc -in clear.txt -out clear.txt.enc -outform PEM x509.cert


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Smartcard cert used for encrypt\decrypt

Michael Wojcik
> From: openssl-users [mailto:[hidden email]] On Behalf Of Boyd Ako
> Sent: Wednesday, January 30, 2019 18:08

> Does anybody know how to use the smartcard to encrypt and decrypt files?

This may depend somewhat on the type of smartcard. While PKCS#11 is a standard, there are all sorts of differences in implementations

> I was able to encrypt a file using the cert on the smartcard. However, I couldn't decrypt it.
> I think it's mainly because I don't know how to get the Private Key on the token to decrypt
> it. I've tried `pkcs11-tool -l --id 0002 -r --type privkey` but I get a "sorry, reading
> private keys not (yet) supported" message.

You're Doing It Wrong.

The point of hardware cryptographic devices is that *secrets stay on them*. You're not supposed to get private keys off the device, except for special and rare use cases such as cloning a device for redundancy.

If you want to do this with OpenSSL, you need to use the OpenSSL PKCS#11 engine. In most OpenSSL builds I've seen, the PKCS#11 engine isn't linked into the openssl executable, so you use the "dynamic" engine to load it. And the PKCS#11 engine will need a suitable driver.

This gets quite complicated, and I don't have time to dig up all my notes, and I've never tried your use case anyway. (I used HSMs for code signing.) But here's an example of using a NitroKey HSM to generate a CSR, using the openssl utility and PKCS#11 engine on Windows:

C:\> openssl
OpenSSL> engine -t dynamic -pre SO_PATH:\path\to\pkcs11.dll -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:\path\to\opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:\path\to\pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:\path\to\opensc-pkcs11.dll
Loaded: (pkcs11) pkcs11 engine
     [ available ]
OpenSSL> req -engine pkcs11 -new -key 0:10 -keyform engine -out csr.pem -text -days 1095
engine "pkcs11" set.
No private keys found.
Enter PKCS#11 token PIN for SmartCard-HSM (UserPIN): 6-digit PIN
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]: you can change any of these or hit Enter for the defaults
State or Province Name (full name) [XX]:
Locality Name (eg, city) [Some City]:
Organization Name (eg, company) [MyOrg]:
Organizational Unit Name (eg, section) [Whatever]:
Common Name (eg. YOUR name) [Me]:
Email Address [[hidden email]]:
OpenSSL>

Here pkcs11.dll is the OpenSSL PKCS#11 engine in dynamic-load module form. If your OpenSSL installation doesn't have it, you'll have to build it. opensc-pkcs11.dll is the PKCS#11 driver from the OpenSC open-source smartcard interface project. OpenSC has a configuration file which needs to be set up to match your particular hardware.

--
Michael Wojcik
Distinguished Engineer, Micro Focus

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Smartcard cert used for encrypt\decrypt

Antonio Iacono
In reply to this post by Boyd Ako
> Does anybody know how to use the smartcard to encrypt and decrypt files?

Hi Boyd,

there are many ways to encrypt/decrypto with smartcard but since you
wrote to the list of OpenSSL I answer you how to do with OpenSSL.
In the meantime you need two other software, in addition to openssl,
the engine and the pkcs11 library.
A step-by-step guide can be found here:
https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC

Antonio
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Smartcard cert used for encrypt\decrypt

Blumenthal, Uri - 0553 - MITLL

On 1/31/19, 09:19, "openssl-users on behalf of Antonio Iacono" <[hidden email] on behalf of [hidden email]> wrote:

 

    > Does anybody know how to use the smartcard to encrypt and decrypt files?

 

Smartcard performs public-key crypto operations, which aren't suitable for bulk processing, such as file encryption/decryption. In general, you'd need a hybrid scheme - generate a random symmetric key, encrypt the file with that symmetric key, and encrypt this symmetric key itself with an appropriate public key from the smartcard. Decryption would be the reverse: with the smartcard (using the private key) decrypt the symmetric key, and pass that symmetric key to OpenSSL to decrypt the file.

 

Here's an example, which I hope would be useful, as it shows how to use OpenSSL to encrypt and decrypt data (like symmetric keys – short). It uses OpenSC as PKCS#11 library, libp11 as PKCS#11 engine/interface to OpenSSL, p11-kit to allow URI for objects on the smartcard, and OpenSSL itself:

 

#!/bin/bash

 

# Settings for US DoD CAC smartcard

MANUFACTURER="manufacturer=Common%20Access%20Card;"

PRK="pkcs11:${MANUFACTURER}id=%00%03;type=private"

PUBK="pkcs11:${MANUFACTURER}id=%00%03;type=public"

 

# Generate a random text file

openssl -out textfile.txt -hex 600

TEXTFILE="textfile.txt"

 

# Generate random symmetric key

KEY=`openssl rand -hex 32`

# Generate random IV for file encryption

IV=`openssl rand  -hex 16`

 

# Encrypt symmetric key to token RSA KEY MAN Key

Echo $KEY | xxd -r -p 200 | openssl pkeyutl -engine pkcs11 -keyform engine -encrypt -pubin -inkey "${PUBK}" -pkeyopt rsa_padding_mode:oaep -out encrypted.key.enc

# Encrypt file with above symmetric key and IV

openssl enc -aes-256-cfb -a -e -in ${TEXTFILE} -out ${TEXTFILE}.enc -K ${KEY} -iv ${IV}

 

# Decrypt symmetric key on the token

KEY2=`openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey "${PRK}" -pkeyopt rsa_padding_mode:oaep -in ${TMP}.key.enc | xxd -p -c 200`

# Decrypt the file

openssl enc -aes-256-cfb -a -d -in ${TEXTFILE}.enc -out ${TEXTFILE}.dec -K ${KEY2} -iv ${IV}

 

 

 

 

   

    Hi Boyd,

   

    there are many ways to encrypt/decrypto with smartcard but since you

    wrote to the list of OpenSSL I answer you how to do with OpenSSL.

    In the meantime you need two other software, in addition to openssl,

    the engine and the pkcs11 library.

    A step-by-step guide can be found here:

    https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC

   

    Antonio

    --

    openssl-users mailing list

    To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

   


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

smime.p7s (7K) Download Attachment