From b208b2cab51c0fce3d98e8e462b14d07fa3fcc66 Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Wed, 7 Jun 2017 15:36:51 -0400 Subject: Add ECDSA support, via updated OpenSC pkcs11 engine. This works on Debian Jessie (8.8) with the jessie-backports version of libengine-pkcs11-openssl: cryptech-alpha 3.0.1496536286 libengine-pkcs11-openssl 0.4.3-1~bpo8+1 opensc 0.14.0-2 openssl 1.0.1t-1+deb8u6 Version dependencies between OpenSSL and OpenSC are an even worse swamp than usual at the moment, due to API changes in OpenSSL 1.1, so it's anybody's guess whether this works on any other platform. YMMV. --- README.md | 7 ++++++- create-keys.sh | 20 +++++++++++++------- environment.sh | 5 +++++ openssl.conf | 2 +- 4 files changed, 25 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index bc647a5..14b80a8 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,12 @@ Packages you need (on Debian Jessie, anyway): - sudo apt-get install libengine-pkcs11-openssl opensc opensc-pkcs11 cryptech-alpha + sudo apt-get install opensc cryptech-alpha + sudo apt-get install -t jessie-backports libengine-pkcs11-openssl + +We're using the backported version of libengine-pkcs11-openssl because +we want ECDSA support -- the ancient version that originally shipped +with Jessie only supported RSA. General plan here is to use pkcs11-tool to create keys, then use the pkcs11 OpenSSL engine and OpenSSL command line tool to do vaguely diff --git a/create-keys.sh b/create-keys.sh index 5cfda45..e3630d9 100755 --- a/create-keys.sh +++ b/create-keys.sh @@ -1,11 +1,17 @@ #!/bin/sh - -. ./environment.sh +# pkcs11-tool's naming scheme for key types is buried in code. +# The useful choices in our case appear to be: +# +# rsa:1024 +# rsa:2048 +# EC:prime256v1 +# EC:prime384v1 + +: ${key_type='EC:prime256v1'} -# Not really sure which silly name to use for the EC curve, doc is not great. prime256v1? ansiX9p256r1? secp256r1? -# If I had to guess, ansiX9p256r1, so try that: --key-type EC:ansiX9p256r1 -# Still having trouble with OpenSSL using this key, so revert to RSA for now, try ECDSA again later. +. ./environment.sh -pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type rsa:2048 -pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type rsa:2048 -pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type rsa:2848 +pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader --key-type "$key_type" +pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris --key-type "$key_type" +pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type "$key_type" diff --git a/environment.sh b/environment.sh index f3f5c75..078b5a6 100644 --- a/environment.sh +++ b/environment.sh @@ -14,6 +14,11 @@ export PKCS11_PIN=fnord export OPENSSL_CONF=`pwd`/openssl.conf +# Where to find the engine module this week (its name changes with +# architecture, OpenSSL version, and phase of the moon). + +export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$'` + # If USE_PKCS11SPY is set, it should be an absolute path to the OpenSC # pkcs11-spy.so debugging tool, which we will splice between OpenSSL # and the real PKCS #11 library. This is not something you would want diff --git a/openssl.conf b/openssl.conf index 7f156ce..887e25d 100644 --- a/openssl.conf +++ b/openssl.conf @@ -13,7 +13,7 @@ pkcs11 = pkcs11_section [pkcs11_section] engine_id = pkcs11 -dynamic_path = /usr/lib/engines/engine_pkcs11.so +dynamic_path = ${ENV::ENGINE_MODULE} init = 0 # For convenience while testing, we use environment variables to pass -- cgit v1.2.3