aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2017-06-07 15:36:51 -0400
committerRob Austein <sra@hactrn.net>2017-06-07 15:36:51 -0400
commitb208b2cab51c0fce3d98e8e462b14d07fa3fcc66 (patch)
treeefcd482cb795a5c0accbb9b9849b7d9f5f35dc11
parentae322afdec65e7d8c180fa761c0bbb3c682ef5c0 (diff)
Add ECDSA support, via updated OpenSC pkcs11 engine.
This works on Debian Jessie (8.8) with the jessie-backports version of libengine-pkcs11-openssl: cryptech-alpha 3.0.1496536286 libengine-pkcs11-openssl 0.4.3-1~bpo8+1 opensc 0.14.0-2 openssl 1.0.1t-1+deb8u6 Version dependencies between OpenSSL and OpenSC are an even worse swamp than usual at the moment, due to API changes in OpenSSL 1.1, so it's anybody's guess whether this works on any other platform. YMMV.
-rw-r--r--README.md7
-rwxr-xr-xcreate-keys.sh20
-rw-r--r--environment.sh5
-rw-r--r--openssl.conf2
4 files changed, 25 insertions, 9 deletions
diff --git a/README.md b/README.md
index bc647a5..14b80a8 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,12 @@
Packages you need (on Debian Jessie, anyway):
- sudo apt-get install libengine-pkcs11-openssl opensc opensc-pkcs11 cryptech-alpha
+ sudo apt-get install opensc cryptech-alpha
+ sudo apt-get install -t jessie-backports libengine-pkcs11-openssl
+
+We're using the backported version of libengine-pkcs11-openssl because
+we want ECDSA support -- the ancient version that originally shipped
+with Jessie only supported RSA.
General plan here is to use pkcs11-tool to create keys, then use the
pkcs11 OpenSSL engine and OpenSSL command line tool to do vaguely
diff --git a/create-keys.sh b/create-keys.sh
index 5cfda45..e3630d9 100755
--- a/create-keys.sh
+++ b/create-keys.sh
@@ -1,11 +1,17 @@
#!/bin/sh -
-. ./environment.sh
+# pkcs11-tool's naming scheme for key types is buried in code.
+# The useful choices in our case appear to be:
+#
+# rsa:1024
+# rsa:2048
+# EC:prime256v1
+# EC:prime384v1
+
+: ${key_type='EC:prime256v1'}
-# Not really sure which silly name to use for the EC curve, doc is not great. prime256v1? ansiX9p256r1? secp256r1?
-# If I had to guess, ansiX9p256r1, so try that: --key-type EC:ansiX9p256r1
-# Still having trouble with OpenSSL using this key, so revert to RSA for now, try ECDSA again later.
+. ./environment.sh
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type rsa:2848
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type "$key_type"
diff --git a/environment.sh b/environment.sh
index f3f5c75..078b5a6 100644
--- a/environment.sh
+++ b/environment.sh
@@ -14,6 +14,11 @@ export PKCS11_PIN=fnord
export OPENSSL_CONF=`pwd`/openssl.conf
+# Where to find the engine module this week (its name changes with
+# architecture, OpenSSL version, and phase of the moon).
+
+export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$'`
+
# If USE_PKCS11SPY is set, it should be an absolute path to the OpenSC
# pkcs11-spy.so debugging tool, which we will splice between OpenSSL
# and the real PKCS #11 library. This is not something you would want
diff --git a/openssl.conf b/openssl.conf
index 7f156ce..887e25d 100644
--- a/openssl.conf
+++ b/openssl.conf
@@ -13,7 +13,7 @@ pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
-dynamic_path = /usr/lib/engines/engine_pkcs11.so
+dynamic_path = ${ENV::ENGINE_MODULE}
init = 0
# For convenience while testing, we use environment variables to pass