pkcs11-tool: Add feature to get random data. #995
Please use OpenSSL for seeding.
Please use opt_output for printing the random bytes.
e6675f4 to ac0accc
Is the only dependence on OpenSSL the call to RAND_bytes? I don't see any other. If that is the case You said you tried with a Yubikey (PIV applet). What version? PIV does not support C_SeedRandom, but does support C_GenerateRandom by using the PIV GENERAL AUTHENTICATE to get a challenge from the card. In an opensc-debug.log, look for the APDU The Yubico 4 appears to support this. But it is not clear if older versions do.
If you know the card is a PIV type card, you can also do: For example:
opensc-tool -s "00 87 00 9B 04 7C 02 81 00 00" -s "00 87 00 9B 04 7C 02 81 00 00"
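Added example (not part of the PR or of OpenSC): a small C decoder for the APDU quoted in the comment above, showing why it yields card-generated bytes: INS 87 is GENERAL AUTHENTICATE and the 7C template carries an empty challenge element (81 00), which asks the card to return a fresh challenge. The function names and return codes are hypothetical; the decoder also recognises the ISO 7816-4 GET CHALLENGE header (INS 84) mentioned elsewhere in the thread, and handles short-form APDUs and TLV lengths only.

```c
#include <stdio.h>
#include <stdlib.h>
/* APDU quoted in the thread (the opensc-tool -s argument). */
static const char PAGE_APDU[] = "00 87 00 9B 04 7C 02 81 00 00";

/* Parse space-separated hex octets; returns the count, or -1 on bad input. */
static int parse_hex(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        char *end;
        unsigned long v = strtoul(s, &end, 16);
        if (end == s || v > 0xFF || n == cap)
            return -1;
        out[n++] = (unsigned char)v;
        for (s = end; *s == ' '; s++) {}
    }
    return (int)n;
}

/* Hypothetical classifier (short-form APDUs and TLV lengths only):
 *  1 = PIV GENERAL AUTHENTICATE (INS 87) with empty challenge, 7C { 81 00 }
 *  2 = ISO 7816-4 GET CHALLENGE header (INS 84, Le only)
 *  0 = other well-formed command, -1 = malformed or unsupported encoding */
int classify_apdu(const char *hex)
{
    unsigned char b[261];            /* 4 header + Lc + 255 data + Le */
    int n = parse_hex(hex, b, sizeof b);
    if (n < 5) return -1;
    if (n == 5) return b[1] == 0x84 ? 2 : 0;     /* case 2: header + Le */
    size_t lc = b[4];
    const unsigned char *d = b + 5;
    if ((size_t)n != 5 + lc && (size_t)n != 6 + lc) return -1;
    if (b[1] != 0x87 || lc < 2 || d[0] != 0x7C) return 0;
    if (d[1] >= 0x80 || (size_t)d[1] + 2 != lc) return -1;
    for (size_t i = 2; i < lc; i += 2 + d[i + 1]) {  /* inner TLVs */
        if (i + 2 > lc || d[i + 1] >= 0x80 || i + 2 + d[i + 1] > lc)
            return -1;
        if (d[i] == 0x81 && d[i + 1] == 0)
            return 1;                /* card must supply the challenge */
    }
    return 0;
}

int main(void)
{
    printf("%s -> %d\n", PAGE_APDU, classify_apdu(PAGE_APDU));
}
```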
I just had a look at the PKCS #11 specification. There is no requirement for C_GenerateRandom(), which says that C_SeedRandom() has to be called. Practically all card/HSM backed PKCS #11 providers don't support seeding anyways (at least they don't rely on that). Would it be ok to remove that whole seeding code? That would also remove the requirement for OpenSSL.

@dengert Yes, I've tested with a Yubikey 4, but just because I was too lazy to get my CardOS5 card (which has the ISO7816-4 GET CHALLENGE which can be used for the purpose). But in general I want to add a (for me missing) feature to OpenSC's pkcs11-tool, which other PKCS#11 tools have (e.g. "p11tool --generate-random=num").
GnuTLS's p11tool [1] also simply calls C_GenerateRandom() without seeding.
[1] https://gitlab.com/gnutls/gnutls/blob/master/lib/pkcs11_int.c#L285
ac0accc to 0a0f20d
I agree, the call to C_SeedRandom could be removed, or at least not seeding from RAND_bytes. On the other hand, if someone wants to have pkcs11-tool call C_SeedRandom, should they be able to pass in the seed? Note: Calling RAND_bytes might cover up problems in a card (or OpenSC) random number generator and what you might be getting is just the entropy from the RAND_bytes. (The two cards, in my opinion, look OK.) These are just my comments, others may still want the flexibility, I could go either way.
@dengert I've already updated the PR to not contain RAND_bytes() and C_SeedRandom() calls. If someone needs the pkcs11-tool to expose the C_SeedRandom() call, she/he could come up with a wishlist-ticket or a PR. If you want me to do that now, then I can provide that as well.
0a0f20d to 1533b10
It's up to @frankmorgner
looks good now
One last request: could you please add some documentation to
Yes, will do.
…On Tue, Mar 21, 2017 at 9:51 AM, Frank Morgner ***@***.***> wrote:
One last request: could you please add some documentation to
doc/tools/pkcs11-tool.1.xml?
1533b10 to 792ae5c
Getting random data is an essential part of the PKCS11 API.
This patch provides a new command line parameter to get
random data from the pkcs11-tool.
Tested with a Yubikey (PIV applet) and the following command line:
$ pkcs11-tool --slot=0 --generate-random=128 | hexdump -C
00000000 0c 35 85 2e 85 68 ab ce e8 56 b3 f6 f3 33 e6 37 |.5...h...V...3.7|
00000010 12 10 eb fd 8a 1e 75 b7 3f 4d fa 61 8f ab d8 bf |......u.?M.a....|
00000020 f7 2c 7d ba 07 a5 45 6e a7 85 1c 47 3b 46 01 2c |.,}...En...G;F.,|
00000030 79 18 6e 51 4d c4 ae 20 37 37 1d 7b 7e b0 d5 18 |y.nQM.. 77.{~...|
00000040 ef a4 3c 09 91 68 db dd 2a a8 fc b9 34 06 2a ee |..<..h..*...4.*.|
00000050 5a 86 55 54 11 1f ef 4e 07 73 79 27 0a e4 58 cf |Z.UT...N.sy'..X.|
00000060 f4 bd bc 2f ad 27 b1 a7 a4 fa c7 1a 7b 31 de a3 |.../.'......{1..|
00000070 e8 dc 85 28 18 82 00 45 3c f8 eb 48 a4 20 e4 3b |...(...E<..H. .;|
00000080
Signed-off-by: Christoph Müllner [email protected]