Using RSA keys by reference in the pkcs#11 engine

We have received a couple of questions about whether our pkcs#11 engine can reference RSA keys using the label that is associated with the key in the key store. That way we could look up the key by the label and let all the crypto work be done without ever exporting the private key out of the token. Let's see an example using Solaris pktool and pkcs#11 soft token key store:

$ pktool list keystore=pkcs11 objtype=key:private
Enter PIN for Sun Software PKCS#11 softtoken  : 
Found 1 keys.
Key #1 - RSA private key:  mycert

where mycert is the label for a certificate and also for a private key that was created with it. What we would like to do is to instruct OpenSSL to use the private key that is stored in the soft token:

$ openssl rsautl -inkey pkcs11:mycert -out test2 -in test -sign -keyform e -engine pkcs11
engine "pkcs11" set.
Enter PIN:

Note the pkcs11:mycert reference. Normally you would have to supply a filename containing the private key. Overloading the filename with a reference consisting of the "pkcs11:" prefix and the key label is just a temporary scheme we chose for simplicity.

We actually already had some code for this, so with the current version of the patch it is possible to reference both private and public keys in the way shown above (referencing public keys in the key store is not that important since they are, well, public). Read the README to learn about the limitations, the API to use in your application, the planned scheme for referencing keys, and ideas for enhancements. This code is not in OpenSolaris yet, so it might not end up in a future release of Solaris.

The patch is pkcs11_engine-0.9.8e.patch.2007-10-02. If you use this particular functionality with this patch I would be very glad to get any feedback from you.

Jan Pechanec