pkcs11-tool: Add feature to get random data. #995
Conversation
cmuellner
force-pushed
the
pkcs11-generate-random
branch
2 times, most recently
from
e6675f4
to
ac0accc
Compare
|
Is the only dependence on OpenSSL the call to RAND_bytes? I don't see any other. If that is the case You said you tried with a Yubikey (PIV applet), What version? PIV does not support C_SeedRandom, but does support C_GenerateRandom by using the PIV GENERAL AUTHENTICATE to get a challenge from the card. In an opensc-debug.log, look for the APDU The Yubico 4 appears to supports this. But it is not clear if older versions do. |
|
If you know the card is a PIV type card, you can also do: For example: opensc-tool -s "00 87 00 9B 04 7C 02 81 00 00" -s "00 87 00 9B 04 7C 02 81 00 00" |
|
I just had a look at the PKCS #11 specification. There is no requirement for C_GenerateRandom(), which says that C_SeedRandom() has to be called. Practically all card/HSM backed PKCS #11 providers don't support seeding anyways (at least they don't rely on that). Would it be ok to remove that whole seeding code. That would also remove the requirement for OpenSSL. @dengert Yes, I've tested with a Yubikey 4, but just because I was to lazy to get my CardOS5 card (which has the ISO7816-4 GET CHALLENGE which can be used for the purpose). But in general I want to add a (for me missing) feature to OpenSC's pkcs11-tool, which other PKCS#11 tools have (e.g. "p11tool --generate-random=num"). |
|
GnuTLS's p11tool [1] also simply calls C_GenerateRandom() without seeding. [1] https://gitlab.com/gnutls/gnutls/blob/master/lib/pkcs11_int.c#L285 |
cmuellner
force-pushed
the
pkcs11-generate-random
branch
from
ac0accc
to
0a0f20d
Compare
|
I agree, the call to C_SeedRandom could be removed, or at least not seeding from RAND_bytes. On the other hand, if someone wants to have pkcs11-tool call C_SeedRandom, should they be able to pass in the seed? Note: Calling RAND_bytes might cover up problems in a card (or OpenSC) random number generator and what you might be getting is just the entropy from the RAND_bytes. (The two cards, in my option, look OK. These are just my comments, others may still want the flexibility, I could go either way. |
|
@dengert I've already updated the PR to not contain RAND_bytes() and C_SeedRandom() calls. If someone needs the pkcs11-tool to expose the C_SeedRandom() call, she/he could come up with a wishlist-ticket or a PR. If you want me to do that now, then I can provide that as well. |
cmuellner
force-pushed
the
pkcs11-generate-random
branch
from
0a0f20d
to
1533b10
Compare
|
Its up to @frankmorgner |
|
looks good now |
|
One last request: could you please add some documentation to |
|
Yes, will do.
…On Tue, Mar 21, 2017 at 9:51 AM, Frank Morgner ***@***.***> wrote:
One last request: could you please add some documentation to
doc/tools/pkcs11-tool.1.xml?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#995 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAFqioIwYqMLFFVcqf8qJ0DBlTVcrziDks5rn4-kgaJpZM4MdHKh>
.
|
Getting random data is an essential part of the PKCS11 API.
This patch provides a new command line parameter to get
random data from the pkcs11-tool.
Tested with a Yubikey (PIV applet) and the following command line:
$ pkcs11-tool --slot=0 --generate-random=128 | hexdump -C
00000000 0c 35 85 2e 85 68 ab ce e8 56 b3 f6 f3 33 e6 37 |.5...h...V...3.7|
00000010 12 10 eb fd 8a 1e 75 b7 3f 4d fa 61 8f ab d8 bf |......u.?M.a....|
00000020 f7 2c 7d ba 07 a5 45 6e a7 85 1c 47 3b 46 01 2c |.,}...En...G;F.,|
00000030 79 18 6e 51 4d c4 ae 20 37 37 1d 7b 7e b0 d5 18 |y.nQM.. 77.{~...|
00000040 ef a4 3c 09 91 68 db dd 2a a8 fc b9 34 06 2a ee |..<..h..*...4.*.|
00000050 5a 86 55 54 11 1f ef 4e 07 73 79 27 0a e4 58 cf |Z.UT...N.sy'..X.|
00000060 f4 bd bc 2f ad 27 b1 a7 a4 fa c7 1a 7b 31 de a3 |.../.'......{1..|
00000070 e8 dc 85 28 18 82 00 45 3c f8 eb 48 a4 20 e4 3b |...(...E<..H. .;|
00000080
Signed-off-by: Christoph Müllner <[email protected]>
Signed-off-by: Christoph Müllner <[email protected]>
cmuellner
force-pushed
the
pkcs11-generate-random
branch
from
1533b10
to
792ae5c
Compare
Getting random data is an essential part of the PKCS11 API.
This patch provides a new command line parameter to get
random data from the pkcs11-tool.
Tested with a Yubikey (PIV applet) and the following command line:
$ pkcs11-tool --slot=0 --generate-random=128 | hexdump -C
00000000 0c 35 85 2e 85 68 ab ce e8 56 b3 f6 f3 33 e6 37 |.5...h...V...3.7|
00000010 12 10 eb fd 8a 1e 75 b7 3f 4d fa 61 8f ab d8 bf |......u.?M.a....|
00000020 f7 2c 7d ba 07 a5 45 6e a7 85 1c 47 3b 46 01 2c |.,}...En...G;F.,|
00000030 79 18 6e 51 4d c4 ae 20 37 37 1d 7b 7e b0 d5 18 |y.nQM.. 77.{~...|
00000040 ef a4 3c 09 91 68 db dd 2a a8 fc b9 34 06 2a ee |..<..h.....4..|
00000050 5a 86 55 54 11 1f ef 4e 07 73 79 27 0a e4 58 cf |Z.UT...N.sy'..X.|
00000060 f4 bd bc 2f ad 27 b1 a7 a4 fa c7 1a 7b 31 de a3 |.../.'......{1..|
00000070 e8 dc 85 28 18 82 00 45 3c f8 eb 48 a4 20 e4 3b |...(...E<..H. .;|
00000080
Signed-off-by: Christoph Müllner [email protected]