[Pcsclite-muscle] Directly using RSA key of a smartcard

David Woodhouse dwmw2 at infradead.org
Fri Jun 23 02:29:56 PDT 2023


On Fri, 2023-06-23 at 09:47 +0100, David Woodhouse wrote:
> On Thu, 2023-06-22 at 11:10 +0100, David Woodhouse wrote:
> > 
> >  $ echo Test | openssl dgst -sha256 -sign 'pkcs11:manufacturer=piv_II;id=%04' -engine pkcs11 -keyform engine  > signature.bin
> >  $ echo Test openssl dgst -sha256 -verify pubkey.pem -signature signature.bin
> > Verified OK
> 
> Someone on StackExchange pointed out that this is *signature* not
> encryption, and isn't quite what you asked for.
> 
> He's correct; I was being a bit lazy because those command lines
> happened to be in my bash history anyway from what I was playing with
> this week. And encryption *ought* to be similar.... except...

...except I hadn't had enough coffee yet this morning. If I stop mixing
up the mapping from key slot to object ID, stop using old pubkey files
after I've overwritten the one in the device, stop *trusting* the
device itself to give me a valid pubkey which matches the corresponding
privkey... it all works fine.

$ yubico-piv-tool -s9e -ARSA2048 -agenerate | tee pubkey.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAg7YtufRQ6coNvxvByUxb
LHh3OFwM6rg1WlWKkolamk/rGtpMKorQzBytQXH6TbnC7cVIRn+jugxUdT4bG8Vj
wv5sXyMMSvi8jxUVn01SyVVPJ9eT15124lxsY0Ja8ghmu5DYlMkCOndq4YJ8ffcG
kSvZRVLP7ST6oQ8F57D78c1zPpNYaZqBpT0zPkVoE+2/7R+R8r052hDgDxGqFOAZ
V0EazBlaypvevIFWBK0LrtG8PRBdsS+gDG2ihCEZMG9riBUyEjMoOp1TwBzZ83YT
4T6a2Qi1+XP0iZBttUZg0vQZFYwD608+2/ArFcRbV6TePRX5RLtXkliSJ26eQvo0
wQIDAQAB
-----END PUBLIC KEY-----
Successfully generated a new private key.
$ echo Test | openssl pkeyutl -encrypt  -pubin -inkey pubkey.pem > Test.enc
$ openssl pkeyutl -decrypt -in Test.enc -engine pkcs11 -keyform engine  -inkey 'pkcs11:manufacturer=piv_II;id=%04'
Engine "pkcs11" set.
Test
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5965 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/pcsclite-muscle/attachments/20230623/0aadfbad/attachment.p7s>


More information about the pcsclite-muscle mailing list