Tuesday 11.7.2017 16:04:20, Jakuje
First of all, we wil define some variables, with card PIN and IDs of signing and encryption keys:
export PIN=111111
export SIGN_KEY=11
export ENC_KEY=55
The following commands are supposed to be run from the directory src/tools/ of currenlty built OpenSC. If you want to run it against system-wide installed version, just replace ./pkcs11-tool with pkcs11-tool and use your system-wide pkcs11 provider as a --module argument.
Sign/Verify using private key/certificate
- Create a data to sign
echo "data to sign (max 100 bytes)" > data
- Get the certificate from the card
./pkcs11-tool -r -p $PIN --id $SIGN_KEY --type cert --module ../pkcs11/.libs/opensc-pkcs11.so > $SIGN_KEY.cert
- Convert it to the public key (PEM format)
openssl x509 -inform DER -in $SIGN_KEY.cert -pubkey > $SIGN_KEY.cert.pub
RSA-PKCS mechanism
- Sign the data on the smartcard using private key:
cat data | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m RSA-PKCS --module ../pkcs11/.libs/opensc-pkcs11.so > data.sig
- Verify
openssl rsautl -verify -inkey $SIGN_KEY.cert.pub -in data.sig -pubin
RSA-X-509 mechanism
- Prepare data with padding (final string has to have 256 bytes for 2048 bits RSA keys):
(echo -ne "x00x01" && for i in `seq 224`; do echo -ne "xff"; done && echo -ne "�0" && cat data) > data_pad
- Sign the data on the smartcard using private key:
cat data_pad | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m RSA-X-509 --module ../pkcs11/.libs/opensc-pkcs11.so > data_pad.sig
- Verify
openssl rsautl -verify -inkey $SIGN_KEY.cert.pub -in data_pad.sig -pubin -raw
Encrypt/Decrypt using private key/certificate
- Create a data to encrypt
echo "data to encrpyt should be longer, better, faster and whatever we need to hide in front of nasty eyes of the ones that should not see them. " > data
- * Get the certificate from the card:
./pkcs11-tool -r -p $PIN --id $ENC_KEY --type cert --module ../pkcs11/.libs/opensc-pkcs11.so > $ENC_KEY.cert
- Convert it to the public key (PEM format)
openssl x509 -inform DER -in $ENC_KEY.cert -pubkey > $ENC_KEY.pub
RSA-PKCS mechanism
- Encrypt the data locally
openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data -pubin -out data.crypt
- Decrypt the data on the card
cat data.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-PKCS --module ../pkcs11/.libs/opensc-pkcs11.so
RSA-X-509 mechanism
- Prepare data with padding
(echo -ne "x00x02" && for i in `seq 113`; do echo -ne "xff"; done && echo -ne "�0" && cat data) > data_pad
- Encrypt the data locally
openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data_pad -pubin -out data_pad.crypt -raw
- Decrypt the data on the card
cat data_pad.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-X-509 --module ../pkcs11/.libs/opensc-pkcs11.so