[Cryptech-Commits] [user/sra/openssl-engine] branch master updated: Add ECDSA support, via updated OpenSC pkcs11 engine.

git at cryptech.is git at cryptech.is
Wed Jun 7 19:49:02 UTC 2017


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch master
in repository user/sra/openssl-engine.

The following commit(s) were added to refs/heads/master by this push:
     new b208b2c  Add ECDSA support, via updated OpenSC pkcs11 engine.
b208b2c is described below

commit b208b2cab51c0fce3d98e8e462b14d07fa3fcc66
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Wed Jun 7 15:36:51 2017 -0400

    Add ECDSA support, via updated OpenSC pkcs11 engine.
    
    This works on Debian Jessie (8.8) with the jessie-backports version of
    libengine-pkcs11-openssl:
    
        cryptech-alpha              3.0.1496536286
        libengine-pkcs11-openssl    0.4.3-1~bpo8+1
        opensc                      0.14.0-2
        openssl                     1.0.1t-1+deb8u6
    
    Version dependencies between OpenSSL and OpenSC are an even worse
    swamp than usual at the moment, due to API changes in OpenSSL 1.1, so
    it's anybody's guess whether this works on any other platform.  YMMV.
---
 README.md      |  7 ++++++-
 create-keys.sh | 20 +++++++++++++-------
 environment.sh |  5 +++++
 openssl.conf   |  2 +-
 4 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index bc647a5..14b80a8 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,12 @@
 
 Packages you need (on Debian Jessie, anyway):
 
-    sudo apt-get install libengine-pkcs11-openssl opensc opensc-pkcs11 cryptech-alpha
+    sudo apt-get install opensc cryptech-alpha
+    sudo apt-get install -t jessie-backports libengine-pkcs11-openssl
+
+We're using the backported version of libengine-pkcs11-openssl because
+we want ECDSA support -- the ancient version that originally shipped
+with Jessie only supported RSA.
 
 General plan here is to use pkcs11-tool to create keys, then use the
 pkcs11 OpenSSL engine and OpenSSL command line tool to do vaguely
diff --git a/create-keys.sh b/create-keys.sh
index 5cfda45..e3630d9 100755
--- a/create-keys.sh
+++ b/create-keys.sh
@@ -1,11 +1,17 @@
 #!/bin/sh -
 
-. ./environment.sh
+# pkcs11-tool's naming scheme for key types is buried in code.
+# The useful choices in our case appear to be:
+#
+#  rsa:1024
+#  rsa:2048
+#  EC:prime256v1
+#  EC:prime384v1
+
+: ${key_type='EC:prime256v1'}
 
-# Not really sure which silly name to use for the EC curve, doc is not great.  prime256v1?  ansiX9p256r1?  secp256r1?
-# If I had to guess, ansiX9p256r1, so try that:   --key-type EC:ansiX9p256r1
-# Still having trouble with OpenSSL using this key, so revert to RSA for now, try ECDSA again later.
+. ./environment.sh
 
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader  --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris   --key-type rsa:2048
-pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type rsa:2848
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 1 --label leader  --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 2 --label boris   --key-type "$key_type"
+pkcs11-tool --module ${PKCS11_MODULE} --login --pin ${PKCS11_PIN} --keypairgen --id 3 --label natasha --key-type "$key_type"
diff --git a/environment.sh b/environment.sh
index f3f5c75..078b5a6 100644
--- a/environment.sh
+++ b/environment.sh
@@ -14,6 +14,11 @@ export PKCS11_PIN=fnord
 
 export OPENSSL_CONF=`pwd`/openssl.conf
 
+# Where to find the engine module this week (its name changes with
+# architecture, OpenSSL version, and phase of the moon).
+
+export ENGINE_MODULE=`dpkg -L libengine-pkcs11-openssl | egrep '/(engine_)?pkcs11[.]so$'`
+
 # If USE_PKCS11SPY is set, it should be an absolute path to the OpenSC
 # pkcs11-spy.so debugging tool, which we will splice between OpenSSL
 # and the real PKCS #11 library.  This is not something you would want
diff --git a/openssl.conf b/openssl.conf
index 7f156ce..887e25d 100644
--- a/openssl.conf
+++ b/openssl.conf
@@ -13,7 +13,7 @@ pkcs11 = pkcs11_section
 
 [pkcs11_section]
 engine_id	= pkcs11
-dynamic_path	= /usr/lib/engines/engine_pkcs11.so
+dynamic_path	= ${ENV::ENGINE_MODULE}
 init		= 0
 
 # For convenience while testing, we use environment variables to pass

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.


More information about the Commits mailing list