-rw-r--r--README.md7
-rwxr-xr-xcreate-keys.sh20
-rw-r--r--environment.sh5
-rw-r--r--openssl.conf2
4 files changed, 25 insertions, 9 deletions
diff --git a/README.md b/README.md
index bc647a5..14b80a8 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,12 @@
Packages you need (on Debian Jessie, anyway):
- sudo apt-get install libengine-pkcs11-openssl opensc opensc-pkcs11 cryptech-alpha
+ sudo apt-get install opensc cryptech-alpha
+ sudo apt-get install -t jessie-backports libengine-pkcs11-openssl
+
+We're using the backported version of libengine-pkcs11-openssl because
+we want ECDSA support -- the ancient version that originally shipped
+with Jessie only supported RSA.
General plan here is to use pkcs11-tool to create keys, then use the
pkcs11 OpenSSL engine and OpenSSL command line tool to do vaguely
diff --git a/create-keys.sh b/create-keys.sh
index 5cfda45..e3630d9 100755
--- a/create-keys.sh
+++ b/create-keys.sh
@@ -1,11 +1,17 @@
#!/bin/sh -
-. ./environment.sh
+# pkcs11-tool's naming scheme for key types is buried in code.
+# The useful choices in our case appear to be:
+#
+# rsa:1024
+# rsa:2048
+# EC:prime256v1
+# EC:prime384v1
+
+: ${key_type='EC:prime256v1'}
-# Not really sure which silly name to use for the EC curve, doc is not great. prime256v1? ansiX9p256r1? secp256r1?
-# If I had to guess, ansiX9p256r1, so try that: --key-type EC:ansiX9p256r1
-# Still having trouble with OpenSSL using this key, so revert to RSA for now, try ECDSA again later.
+. ./environment.sh
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type rsa:2848
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type "$key_type"
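Review bot: The three rewritten pkcs11-tool lines still pass the user PIN on the command line via `--pin ${PKCS11_PIN}`, so it sits in the process list, readable by any local user, for as long as each keypair generation runs; pkcs11-tool should prompt for the PIN when `--login` is given without `--pin`, which keeps it off argv (and `${PKCS11_MODULE}` ought to be quoted as `"${PKCS11_MODULE}"` like the new `"$key_type"`). The default on the new `: ${key_type='EC:prime256v1'}` line only fills an unset variable, so an empty `key_type=` in the environment produces `--key-type ""`; `: "${key_type:=EC:prime256v1}"` covers both cases. The new comment also lists `EC:prime384v1`, which does not appear to be a curve name OpenSSL recognises — the 384-bit NIST curve is normally spelled `secp384r1` — so that entry should be verified before anyone copies it.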
diff --git a/environment.sh b/environment.sh
index f3f5c75..078b5a6 100644
--- a/environment.sh
+++ b/environment.sh
@@ -14,6 +14,11 @@ export PKCS11_PIN=fnord
export OPENSSL_CONF=`pwd`/openssl.conf
+# Where to find the engine module this week (its name changes with
+# architecture, OpenSSL version, and phase of the moon).
+
+export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$'`
+
# If USE_PKCS11SPY is set, it should be an absolute path to the OpenSC
# pkcs11-spy.so debugging tool, which we will splice between OpenSSL
# and the real PKCS #11 library. This is not something you would want
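Review bot: The new `ENGINE_MODULE` assignment exports whatever `dpkg -L ... | egrep` prints, so if the package ships more than one matching `.so` (a multiarch copy or a compatibility symlink) the variable holds several newline-separated paths, and if nothing matches it is exported empty; in both cases the failure only shows up later as an unhelpful OpenSSL engine-load error rather than here, next to its cause. Pinning one result and checking it keeps the diagnostic local: `export ENGINE_MODULE=$(dpkg -L libengine-pkcs11-openssl | grep -E '/(engine_)?pkcs11[.]so$' | head -n 1)` followed by `[ -f "$ENGINE_MODULE" ] || echo "environment.sh: no pkcs11 engine module found" >&2`. `grep -E` is the non-deprecated spelling of `egrep`, and the comment above the line could say that the first match wins.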
diff --git a/openssl.conf b/openssl.conf
index 7f156ce..887e25d 100644
--- a/openssl.conf
+++ b/openssl.conf
@@ -13,7 +13,7 @@ pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
-dynamic_path = /usr/lib/engines/engine_pkcs11.so
+dynamic_path = ${ENV::ENGINE_MODULE}
init = 0
# For convenience while testing, we use environment variables to pass
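Review bot: `dynamic_path = ${ENV::ENGINE_MODULE}` makes this config unloadable unless `ENGINE_MODULE` is exported, because, as far as I can tell, OpenSSL's config parser rejects a reference to an unset environment variable, and the error it reports points at the config file rather than at the missing variable; nothing in the hunk records that dependency. A comment above the line would save the next reader a debugging session: `# ENGINE_MODULE is exported by environment.sh (it locates the engine .so via dpkg); OpenSSL refuses to parse this file if it is unset.`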