[Pcsclite-muscle] Directly using RSA key of a smartcard
Douglas E Engert
deengert at gmail.com
Fri Jun 23 06:12:26 PDT 2023
On 6/22/2023 4:21 AM, Jakub Jelen wrote:
> On 6/21/23 23:37, Ludovic Rousseau wrote:
>> Hello,
>>
>> Le mer. 21 juin 2023 à 19:09, Michael Conrad <mike at nrdvana.net> a écrit :
>>>
>>> Hello, I'm new to smartcards and curious if it is possible to ask the
>>> card "what is your public RSA key", encrypt something with that public
>>> key, and then ask the card to decrypt it back to the original value. In
>>> other words, I want to get at the raw encryption API without the hassle
>>> of the gpg infrastructure that is normally used for this. (and yes I
>>> understand that the things directly encrypted with RSA need to be small
>>> values like raw AES keys, used for further encryption and decryption
>>> using CBC or similar)
>>>
>>> If so, could you provide some pointers on convenient ways I might access
>>> this API from a script? (but I can write C if I need to)
>>
>> I would suggest to use the PKCS#11 API for that.
>>
>> One easy way it to use the Python wrapper PyKCS11 but you can do the
>> same using the C API.
>> https://pypi.org/project/PyKCS11/
>>
>> One example of encrypting with the public key and decrypt using the
>> private key is available in the sample code directory; rsa_encrypt.py
>> https://github.com/LudovicRousseau/PyKCS11/blob/master/samples/rsa_encrypt.py#L57-L61
>>
>> This sample code first generates an RSA key pair but you can remove
>> this part of the code and use an existing key pair on your yubikey.
OpenSC PR #905
https://github.com/OpenSC/OpenSC/pull/905
was added in 2016 to allow the key usage from a cetificarte to be used in place for hard defaults. This in effect allows any key, incuding the 20 retured keys, to be used for any purpose. This should
work with any PIV card, including Yubikey and includes the 20 retired keys too.
As defined in:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
PIV only supports RAW mode for RSA and uses the the same APDU for both:
"Part 2" "3.2.4 GENERAL AUTHENTICATE Card Command" defines the APDU used to do cryoto operations.
It is up to the appliction/middleware/driver to add/remove padding as needed.
"Part 1" "Section 3" defines the objects and certificates and how there are to be used.
"Part 1" "Appendix C––PIV Algorithm Identifier Discovery" show how to find key type (RSA or EC) and key size from a certificate
So any key must have a certificate which has the public key.
By definition 800-73-4 dictates how keys are to be used which is enforced by software not by the card.
>
> Indeed, you need a PKCS#11 module in between your application and the card and for that OpenSC can be used, which should work with the OpenPGP cards or most of the other common card types in the wild:
>
> https://github.com/OpenSC/OpenSC/
>
> Regards,
--
Douglas E. Engert <DEEngert at gmail.com>
More information about the pcsclite-muscle
mailing list