asymmetric key encryption in pkcs11 module does not work #3144

Open
Jakuje opened this issue May 10, 2024 · 0 comments

Comments


Jakuje commented May 10, 2024

Problem Description

Currently, OpenSC does not know how to encrypt data using a public key. Indeed, this is not a card operation, so it happens off-card anyway; it's not a huge issue, and the application can pull the public key and do the encryption. But it would be convenient if this could work the same way as the C_Verify operation, which already does something very similar.

Currently, calling the following pkcs11-tool command

$ pkcs11-tool -m RSA-PKCS --encrypt --id 02 --input-file data --output-file data.enc

fails very early, already in pkcs11-tool, as it now searches only for secret keys for encryption.

Proposed Resolution

Adding these:

diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 46f8b735e..0874474b6 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -1385,9 +1385,11 @@ int main(int argc, char * argv[])
 			find_object_flags(session, mf_flags, &object,
 				opt_object_id_len ? opt_object_id : NULL,
 				opt_object_id_len, 0);
-		} else if (!find_object(session, CKO_SECRET_KEY, &object,
+		} else if (!find_object(session, CKO_PUBLIC_KEY, &object,
 				 opt_object_id_len ? opt_object_id : NULL, opt_object_id_len, 0))
-			util_fatal("Secret key not found");
+			if (!find_object(session, CKO_SECRET_KEY, &object,
+					opt_object_id_len ? opt_object_id : NULL, opt_object_id_len, 0))
+				util_fatal("Public/Secret key not found");
 	}
 
 	if (do_verify) {
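Review bot: the new lookup order at `else if (!find_object(session, CKO_PUBLIC_KEY, &object, ...))` prefers a public key for every `--encrypt` run, so a token holding both an RSA public key and an AES secret key under the same `--id` will now select the public key even when `-m` names a symmetric mechanism, and C_EncryptInit will then fail on a key type mismatch. Consider choosing the object class from `opt_mechanism` (CKO_PUBLIC_KEY for CKM_RSA_PKCS, CKO_SECRET_KEY otherwise) instead of trying both classes in a fixed order. The braceless nested `if` under the `else if` is also easy to misread as a sibling of the outer chain; wrapping the `else if` body in braces makes the fallback to `util_fatal("Public/Secret key not found")` explicit.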
@@ -2716,6 +2718,9 @@ static void encrypt_data(CK_SLOT_ID slot, CK_SESSION_HANDLE session,
 		mech.pParameter = iv;
 		mech.ulParameterLen = iv_size;
 		break;
+	case CKM_RSA_PKCS:
+		/* no special params */
+		break;
 	default:
 		util_fatal("Mechanism %s illegal or not supported\n", p11_mechanism_to_name(opt_mechanism));
 	}
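Review bot: the new `case CKM_RSA_PKCS:` leaves `mech.pParameter` and `mech.ulParameterLen` untouched; unless `mech` is zero-initialised before the switch (not visible in this hunk), they keep whatever value they had, and a module that requires `ulParameterLen == 0` for this mechanism would reject the call. Set them explicitly, `mech.pParameter = NULL_PTR;` and `mech.ulParameterLen = 0;`, rather than relying on the `/* no special params */` comment. It is also worth stating in that comment that CKM_RSA_PKCS is PKCS#1 v1.5 padding, so the input is limited to the modulus length minus 11 bytes and longer input should be rejected with CKR_DATA_LEN_RANGE rather than sent to the token.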

will get to the call to C_EncryptFinal, but it fails here, as the public key on the pkcs15 layer does not have the encrypt operation:

if (object->ops->encrypt == NULL_PTR) {

Very different code is in C_VerifyInit, which emulates the operation in software.

Steps to reproduce

Run above pkcs11-tool command.
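The off-card encryption the issue refers to, as an added example that is not part of the issue or of OpenSC's code: it takes the CKA_MODULUS and CKA_PUBLIC_EXPONENT attribute values in the form C_GetAttributeValue returns them (unsigned big-endian byte strings, assumed to have already been read from the CKO_PUBLIC_KEY object) and performs the RSAES-PKCS1-v1_5 padding and modular exponentiation that a software implementation of C_EncryptInit/C_Encrypt for CKM_RSA_PKCS would have to do, including the modulus-length-minus-11 input limit. The key in `toy_key()` is a constructed toy key so the example runs without a token; `rsa_pkcs1_v15_decrypt` exists only to verify the round trip.

```python
"""Off-card emulation of CKM_RSA_PKCS (RSAES-PKCS1-v1_5) public-key encryption.

Added example, not OpenSC code. Input attributes are the CKA_MODULUS and
CKA_PUBLIC_EXPONENT byte strings a PKCS#11 module hands back from
C_GetAttributeValue; the output is what C_Encrypt would return.
"""
import os


class DataLenRange(ValueError):
    """Input too long for the modulus; PKCS#11 would report CKR_DATA_LEN_RANGE."""


def _int_from_attr(value: bytes) -> int:
    # PKCS#11 big-integer attributes are unsigned, big-endian, with no sign byte.
    return int.from_bytes(value, "big")


def _attr_from_int(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def modulus_len(modulus: bytes) -> int:
    """Octet length k of the modulus; every ciphertext is exactly k bytes."""
    return (_int_from_attr(modulus).bit_length() + 7) // 8


def max_message_len(modulus: bytes) -> int:
    """PKCS#1 v1.5 spends 3 fixed bytes plus at least 8 bytes of padding."""
    return modulus_len(modulus) - 11


def rsa_pkcs1_v15_encrypt(modulus: bytes, public_exponent: bytes, data: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 encryption, the operation CKM_RSA_PKCS names for C_Encrypt."""
    n = _int_from_attr(modulus)
    e = _int_from_attr(public_exponent)
    k = modulus_len(modulus)
    if len(data) > k - 11:
        raise DataLenRange(f"{len(data)}-byte message exceeds the limit of {k - 11}")
    # EM = 0x00 || 0x02 || PS || 0x00 || M, where PS is non-zero random bytes.
    ps_len = k - len(data) - 3
    ps = bytearray()
    while len(ps) < ps_len:
        ps.extend(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    em = b"\x00\x02" + bytes(ps) + b"\x00" + data
    c = pow(int.from_bytes(em, "big"), e, n)
    return c.to_bytes(k, "big")


def rsa_pkcs1_v15_decrypt(modulus: bytes, private_exponent: bytes, ciphertext: bytes) -> bytes:
    """Verification-only inverse. A real decryptor must not branch on padding
    errors like this (Bleichenbacher oracle); on a token that is C_Decrypt's job."""
    n = _int_from_attr(modulus)
    d = _int_from_attr(private_exponent)
    k = modulus_len(modulus)
    if len(ciphertext) != k:
        raise ValueError("ciphertext length must equal the modulus length")
    em = pow(int.from_bytes(ciphertext, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:  # PS must be at least 8 bytes long
        raise ValueError("invalid PKCS#1 v1.5 padding")
    return em[sep + 1:]


def toy_key() -> tuple:
    """Constructed toy key (two Mersenne primes, 234-bit modulus) so the example
    runs offline. Not a real key: with a token, read CKA_MODULUS and
    CKA_PUBLIC_EXPONENT from the CKO_PUBLIC_KEY object instead."""
    p, q, e = (1 << 107) - 1, (1 << 127) - 1, 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return _attr_from_int(p * q), _attr_from_int(e), _attr_from_int(d)


if __name__ == "__main__":
    n, e, d = toy_key()
    ct = rsa_pkcs1_v15_encrypt(n, e, b"0123456789abcdef")
    print(len(ct), rsa_pkcs1_v15_decrypt(n, d, ct))
```

The length check is the part a software C_Encrypt for CKM_RSA_PKCS most needs to get right: for a 2048-bit key it caps the input at 245 bytes, and anything longer belongs to a hybrid scheme rather than to the RSA primitive.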
