Using RSA keys by reference in the pkcs#11 engine
By janp on Oct 02, 2007
We have received a couple of questions about whether our pkcs#11 engine can
reference RSA keys using the label that is associated with the key in the
key store. That way we could look up the key by the label and let all
the crypto work be done without ever exporting the private key out of the token. Let's see an example using Solaris
pktool and pkcs#11 soft token key store:
$ pktool list keystore=pkcs11 objtype=key:private
Enter PIN for Sun Software PKCS#11 softtoken  :
Found 1 keys.
Key #1 - RSA private key: mycert
mycert is the label for a certificate and also for a private key that was created with it. What we would like to do is to instruct OpenSSL to use the private key that is stored in the soft token:
$ openssl rsautl -inkey pkcs11:mycert -out test2 -in test -sign -keyform e -engine pkcs11
engine "pkcs11" set.
Enter PIN:
pkcs11:mycert reference. Normally you would have to supply a filename
containing the private key. Overloading the filename with a reference
comprising the "pkcs11:" prefix and the label is just a temporary scheme we
chose for simplicity.
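The following is an added example, not code from the original post or from the Solaris pkcs11 engine patch. It models in pure Python what the "pkcs11:label" overloading buys you: the caller hands the engine a reference string, the engine decides whether it is a file path or a token label, and the signing operation is performed inside a (here simulated) soft token that only ever returns opaque handles, so the private exponent is never exported to the application. The key material (p = 61, q = 53, e = 17, d = 2753) is a constructed textbook-sized RSA key used only so the block runs offline; the class and function names are assumptions of this example, not the PKCS#11 API.

```python
"""Toy model of looking up an RSA key by label and signing inside the token.

Constructed example: the "token" is an in-memory dict and the RSA key is
textbook-sized. It illustrates the reference scheme, not real PKCS#11.
"""
import hashlib

PKCS11_PREFIX = "pkcs11:"


def parse_key_reference(ref):
    """Classify an -inkey argument.

    Returns ("pkcs11", label) for the overloaded "pkcs11:<label>" form and
    ("file", path) for an ordinary key file name.
    """
    if ref.startswith(PKCS11_PREFIX):
        label = ref[len(PKCS11_PREFIX):]
        if not label:
            raise ValueError("empty label in pkcs11 reference")
        return ("pkcs11", label)
    return ("file", ref)


def digest_as_int(data, n):
    """Hash the data and reduce it into the RSA modulus range (toy padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


class SoftToken:
    """Simulated soft token: private keys stay inside, callers get handles."""

    def __init__(self):
        self._keys = {}      # label -> (n, e, d); d never leaves this object
        self._handles = {}   # opaque handle -> label

    def import_key(self, label, n, e, d):
        self._keys[label] = (n, e, d)

    def find_private_key(self, label):
        """Look a key up by label and return an opaque handle (no key bits)."""
        if label not in self._keys:
            raise KeyError("no private key with label %r" % label)
        handle = len(self._handles) + 1
        self._handles[handle] = label
        return handle

    def public_key(self, label):
        n, e, _d = self._keys[label]
        return (n, e)

    def sign(self, handle, data):
        """Signing happens here, inside the token, using the private exponent."""
        n, _e, d = self._keys[self._handles[handle]]
        return pow(digest_as_int(data, n), d, n)


def verify(pub, data, sig):
    """Verify with the public key, which the application may hold freely."""
    n, e = pub
    return pow(sig, e, n) == digest_as_int(data, n)


def sign_by_reference(token, ref, data):
    """What the engine does with '-inkey pkcs11:<label>': resolve, then sign."""
    kind, label = parse_key_reference(ref)
    if kind != "pkcs11":
        raise ValueError("%r is a file reference, not a token label" % ref)
    handle = token.find_private_key(label)
    return token.sign(handle, data)


def demo():
    """Round trip with the constructed key under the label 'mycert'."""
    token = SoftToken()
    # constructed toy key: p=61, q=53, n=3233, e=17, d=2753 (17*2753 = 1 mod 3120)
    token.import_key("mycert", 3233, 17, 2753)
    data = b"test"
    sig = sign_by_reference(token, "pkcs11:mycert", data)
    return verify(token.public_key("mycert"), data, sig)


if __name__ == "__main__":
    print("signature verifies:", demo())
```

The point to notice is that `sign_by_reference` only ever touches a label and a handle; the only place the private exponent appears is inside `SoftToken.sign`. A real engine does the same thing through `C_FindObjects` and `C_Sign` on the token, which is why a key that was generated non-extractable can still be used for signing.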
We actually already had some code for this, so with the current version of the patch it is possible to reference private and public keys the way shown above (referencing public keys in the key store is not that important since they are, well, public). Read the README to learn more about the limitations, the API to use in your application, the planned scheme for referencing keys, and ideas for enhancements. This code is not in OpenSolaris yet, so it might not end up in a future release of Solaris.
The patch is pkcs11_engine-0.9.8e.patch.2007-10-02. If you use this particular functionality with this patch I would be very glad to get any feedback from you.