OpenSC test Sign, Verify, Encipher and Decipher from commandline with OpenSSL CLI

README.md

export PIN=111111
export SIGN_KEY=11
export ENC_KEY=55

Sign/Verify using private key/certificate

• Create a data to sign

  echo "data to sign (max 100 bytes)" > data
  

• Get the certificate from the card:

  ./pkcs11-tool -r -p $PIN --id $SIGN_KEY --type cert --module ../pkcs11/.libs/opensc-pkcs11.so > $SIGN_KEY.cert
  

• Convert it to the public key (PEM format)

  openssl x509 -inform DER -in $SIGN_KEY.cert -pubkey > $SIGN_KEY.pub
  

or

• Get the public key from the card:

   ./pkcs11-tool -r -p $PIN --id $SIGN_KEY --type pubkey --module ../pkcs11/.libs/opensc-pkcs11.so > $SIGN_KEY.der
  

• Convert it to PEM format:

  openssl rsa -inform DER -outform PEM -in $SIGN_KEY.der -pubin > $SIGN_KEY.pub
  

RSA-PKCS

• Sign the data on the smartcard using private key:

  cat data | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m RSA-PKCS --module ../pkcs11/.libs/opensc-pkcs11.so > data.sig
  

• Verify

  openssl rsautl -verify -inkey $SIGN_KEY.pub -in data.sig -pubin
  

SHA1-RSA-PKCS

• Sign the data on the smartcard using private key:

  cat data | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m SHA1-RSA-PKCS --module ../pkcs11/.libs/opensc-pkcs11.so > data.sig
  

• Verify and parse the returned ASN1 structure:

  openssl rsautl -verify -inkey $SIGN_KEY.pub -in data.sig -pubin | openssl asn1parse -inform DER
  

• Compare the result with the sha1 sum of the input file:

  sha1sum data
  

Similarily can be tested the SHA256, SHA384 and SHA512, just by replacing SHA1 with these hashes in above commands.

SHA1-RSA-PKCS-PSS

• Sign the data on the smartcard using private key:

   cat data | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m SHA1-RSA-PKCS-PSS --module ../pkcs11/.libs/opensc-pkcs11.so > data.sig
  

• Verify

  openssl dgst -keyform DER -verify $SIGN_KEY.pub -sha1 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -signature data.sig data
  

For other parameters, replace the hash algorithsm, add a --salt-len parameter for the pkcs11-tool and adjust rsa_pss_saltlen argument of openssl.

RSA-X-509

• Prepare data with padding:

  (echo -ne "\x00\x01" && for i in `seq 224`; do echo -ne "\xff"; done && echo -ne "\00" && cat data) > data_pad
  

• Sign the data on the smartcard using private key:

  cat data_pad | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m RSA-X-509 --module ../pkcs11/.libs/opensc-pkcs11.so > data_pad.sig
  

• Verify

  openssl rsautl -verify -inkey $SIGN_KEY.pub -in data_pad.sig -pubin -raw
  

Encrypt/Decrypt using private key/certificate

• Create a data to encrypt

  echo "data to encrpyt should be longer, better, faster and whatever we need to hide in front of nasty eyes of the ones that should not see them. " > data
  

• Get the certificate from the card:

  ./pkcs11-tool -r -p $PIN --id $ENC_KEY --type cert --module ../pkcs11/.libs/opensc-pkcs11.so > $ENC_KEY.cert
  

• Convert it to the public key (PEM format)

  openssl x509 -inform DER -in $ENC_KEY.cert -pubkey > $ENC_KEY.pub
  

RSA-PKCS

• Encrypt the data locally

  openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data -pubin -out data.crypt
  

• Decrypt the data on the card

  cat data.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-PKCS --module ../pkcs11/.libs/opensc-pkcs11.so
  

RSA-X-509

• Prepare data with padding:

  (echo -ne "\x00\x02" && for i in `seq 113`; do echo -ne "\xff"; done && echo -ne "\00" && cat data) > data_pad
  

• Encrypt the data locally

  openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data_pad -pubin -out data_pad.crypt -raw
  

• Decrypt the data on the card

  cat data_pad.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-X-509 --module ../pkcs11/.libs/opensc-pkcs11.so
  

RSA-PKCS-OAEP

• Encrypt the data locally

  openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data -pubin -out data.crypt -oaep
  

  or

  openssl pkeyutl -encrypt -inkey $ENC_KEY.pub -pubin -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 -in data -out data.sha256.crypt
  

• Decrypt the data on the card

  cat data.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-PKCS-OAEP --module ../pkcs11/.libs/opensc-pkcs11.so
  

  or

  cat data.sha256.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-PKCS-OAEP --hash-algorithm=sha256  --module ../pkcs11/.libs/opensc-pkcs11.so
  

Hello Jakub,

I am trying encryption-decryption part using RSA-PKCS11 approach. I am finding difficult to get ENC_KEY id to read certificate from card using below command.
./pkcs11-tool -r -p $PIN --id $ENC_KEY --type cert --module ../pkcs11/.libs/opensc-pkcs11.so > $ENC_KEY.cert

As an alternative, I tried to pass --label for key object along with user pin i am seeing below issue.
Using slot 0 with a present token (0x37276fc7)
error: object not found
Aborting

However, list objects function on pkcs11 shows private key object present in token.
#pkcs11-tool --module /usr/local/lib/libp11sgx.so.0.0.0 -p 1234 --label client_key_priv -O
Using slot 0 with a present token (0x37276fc7)
Private Key Object; RSA
label: client_key_priv
Usage: decrypt, sign
Access: sensitive

Would be helpful if you could provide any leads on possible cause.
Appreciate your help!!

@manju956 you need to use the same --module to get comparable results. The first one is using opensc, the other is using some libp11sgx.so. Just replace ../pkcs11/.libs/opensc-pkcs11.so with /usr/local/lib/libp11sgx.so.0.0.0 and you should be good.

Worked. Appreciate the help :)

Hello,

We are trying to sign some data using the private key stored on the card and for that we are sending the following command:

cat data | pkcs11-tool --id $ID -s -p $PIN -m RSA-PKCS > data.sig

But we are getting the response as below:

Using slot 0 with a present token (0x0) Using signature algorithm RSA-PKCS error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7) Aborting.

This is the same command that you have mentioned in the README above but we are not getting the expected response

We are using one of the drivers in opensc.

Certificate extraction and public key extraction are working just fine on our driver but seems like there is a challenge here somewhere.

Please advice what we are missing?

Hello,

We are trying to sign some data using the private key stored on the card and for that we are sending the following command:

cat data | pkcs11-tool --id $ID -s -p $PIN -m RSA-PKCS > data.sig

But we are getting the response as below:

Using slot 0 with a present token (0x0) Using signature algorithm RSA-PKCS error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7) Aborting.

This is the same command that you have mentioned in the README above but we are not getting the expected response

We are using one of the drivers in opensc.

Certificate extraction and public key extraction are working just fine on our driver but seems like there is a challenge here somewhere.

Please advice what we are missing?

Please, open a new issue in the https://github.com/OpenSC/OpenSC/ project and provide more information about the card and driver you are using and ideally also a debug log from opensc to see what is going on under the hood.

Hello,

We used a different command and it worked.

Thank you for your support.