Whenever you generate a public/private key pair in hardware over PKCS#11 you need export the public key to generate an X.509v3 vertificate. pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.
PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.
This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.
Retrieve a public key from a key media using PKCS#11
Please see my previous and related posts how to compile a PKCS#11 library and configure OpenSC to use this cryptographic module.
In this example I already initialized a slot on the key media and generated a key. In the example I will use SoftHSM2 version 2.6.1 with Cryptoki 2.40 implementation of PKCS11 as the PKCS#11 module and export the public key using OpenSC pkcs11-tool
$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --slot 1472789662 --read-object --type pubkey --id 01 -o rsa01pub.key $ hd rsa01pub.key 00000000 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |0.."0...*.H.....| 00000010 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 |........0.......| 00000020 00 b4 9a 3b cf 59 76 05 d8 a8 4c 13 fa c6 f4 2c |...;.Yv...L....,| 00000030 af cb 69 bf a2 89 bb c3 da 51 f1 5b 64 d3 5f b2 |..i......Q.[d._.| 00000040 79 d7 ff d0 13 b0 25 4c b7 31 a8 79 7e b6 af 8a |y.....%L.1.y~...| 00000050 60 bc c0 2d 47 ee a2 d6 15 14 f6 99 87 55 c8 3f |`..-G........U.?| 00000060 18 a6 36 27 e9 44 b8 aa b2 b7 b2 25 7f 50 1f 7b |..6'.D.....%.P.{| 00000070 bb 89 bf 19 cc e1 bf 0c 99 a9 85 41 91 8e 76 02 |...........A..v.| 00000080 23 70 51 be 28 26 1c 09 58 78 c5 db 15 a0 73 60 |#pQ.(&..Xx....s`| 00000090 1f 0f 0e 56 a6 97 82 7f a6 58 c1 57 7d 9e b4 0d |...V.....X.W}...| 000000a0 f1 0b 66 c5 2c 97 b7 85 37 be dd 8b 93 c9 7f 55 |..f.,...7......U| 000000b0 04 75 40 1a 8e 0b 2e 5d 9d bd e3 91 01 25 0a a4 |.u@....].....%..| 000000c0 86 e9 cf 4a c8 16 5a 52 2e fc 3f 9d 9b 75 db 40 |...J..ZR..?..u.@| 000000d0 09 ab 07 60 dd d1 d2 1f ec c7 eb 37 a4 9e 25 bf |...`.......7..%.| 000000e0 99 f5 74 0f 71 ac 8a 79 95 d5 df a4 67 af a4 af |..t.q..y....g...| 000000f0 ad be c1 18 6f cd 04 2a 8b b0 c8 5e 37 3e 81 02 |....o..*...^7>..| 00000100 d2 f4 e4 4a 6c 75 05 26 d7 74 80 1c 30 9e 2f 28 |...Jlu.&.t..0./(| 00000110 46 62 e0 0a 45 84 b6 0a ce 3f 5f 32 52 be 3c 0f |Fb..E....?_2R.<.| 00000120 07 02 03 01 00 01 |......| 00000126 $ dumpasn1 rsa01pub.key 0 290: SEQUENCE { 4 13: SEQUENCE { 6 9: OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1) 17 0: NULL : } 19 271: BIT STRING, encapsulates { 24 266: SEQUENCE { 28 257: INTEGER : 00 B4 9A 3B CF 59 76 05 D8 A8 4C 13 FA C6 F4 2C : AF CB 69 BF A2 89 BB C3 DA 51 F1 5B 64 D3 5F B2 : 79 D7 FF D0 13 B0 25 4C B7 31 A8 79 7E B6 AF 8A : 60 BC C0 2D 47 EE A2 D6 15 14 F6 99 87 55 C8 3F : 18 A6 36 27 E9 44 B8 AA B2 B7 B2 25 7F 50 1F 7B : BB 89 BF 19 CC E1 BF 0C 99 A9 85 41 91 8E 76 02 : 23 70 51 BE 28 26 1C 09 58 78 C5 DB 15 A0 73 60 : 1F 0F 0E 56 A6 97 82 7F A6 58 C1 57 7D 9E B4 0D : [ Another 129 bytes skipped ] 289 3: INTEGER 65537 : } : } : } 0 warnings, 0 errors.
The exported key file a .DER file which is ASN1 encoded. You an use dumpasn1 to decode the format and view the RSA public key. There are many tools available to convert the DER to PEM and vice versa.
Another example of an exported ECC key:
$ dumpasn1 ecc01pub.key 0 118: SEQUENCE { 2 16: SEQUENCE { 4 7: OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1) 13 5: OBJECT IDENTIFIER secp384r1 (1 3 132 0 34) : } 20 98: BIT STRING : 04 36 34 4C FD 3F 0C 92 16 BC 82 3F E2 43 B8 36 : 37 36 BD 6B 00 C4 10 9B 2B CB 27 68 50 E4 6F EA : 3E 3E 93 B4 5A 53 30 61 B6 6F 3A 89 99 49 8C C2 : 0F BE E5 8E 65 0D CD D1 CA C7 45 34 3B 79 D3 EE : FD 58 1D 56 8A 18 F9 23 0D E6 1E 23 73 2B 17 E1 : E1 1B D4 B9 BA 1A E6 DA AE 85 41 39 51 83 09 D3 : 50 : } 0 warnings, 0 errors.
I used openssl to convert the DER formatted key to a PEM format:
$ openssl rsa -pubin -inform DER -in rsa01pub.key -outform PEM -out rsa01pub.pem $ more rsa01pub.pem -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJo7z1l2BdioTBP6xvQs r8tpv6KJu8PaUfFbZNNfsnnX/9ATsCVMtzGoeX62r4pgvMAtR+6i1hUU9pmHVcg/ GKY2J+lEuKqyt7Ilf1Afe7uJvxnM4b8MmamFQZGOdgIjcFG+KCYcCVh4xdsVoHNg Hw8OVqaXgn+mWMFXfZ60DfELZsUsl7eFN77di5PJf1UEdUAajgsuXZ2945EBJQqk hunPSsgWWlIu/D+dm3XbQAmrB2Dd0dIf7MfrN6SeJb+Z9XQPcayKeZXV36Rnr6Sv rb7BGG/NBCqLsMheNz6BAtL05EpsdQUm13SAHDCeLyhGYuAKRYS2Cs4/XzJSvjwP BwIDAQAB -----END PUBLIC KEY-----
Note: Don’t try to export the private key of a smart card, crypto token or HSM. It will not work, as the protection of the private key from copying is the main functionallity of a secure key media!
Where to find working PKCS#11 libraries?
The most common open source libraries are found here:
/usr/local/lib/softhsm/libsofthsm2.so /usr/local/lib/libykcs11.so /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
libsofthsm2.so – The PKCS#11 library of SoftHSM2 a popular software defines key store. You need to install or compile SoftHSM2 to get this library.
libykcs11.so – The Yubico PKCS#11 library for all YubiKey token with smart card PIV functionallity. Install and compile Yubico yubico-piv-tool.
opensc-pkcs11.so – The popular OpenSC PKCS#11 library supporting many smart cards and PKI token. Install or compile opensc to use this software interface.
Related Posts
- How to sign data with OpenSSL on an HSM
- First Steps with OpenSSL for signature and encryption
- Full working ECDSA signature with OpenSSL
- SoftHSM2: What crypto mechanisms and ciphers are supported?
- Simple start with Yubico PKCS#11 library
- Export a RSA / ECC public key with OpenSC pkcs11-tool
- SoftHSM2 view slot info and objects on a specific slot
- Generate RSA, ECC and AES keys with OpenSC pkcs11-tool
- Show slot and token info with OpenSC pkcs11-tool
- SoftHSM2 first steps to create slots
- Configuration of OpenSC pkcs11-tool
- S/MIME Zertifikat per OpenSSL erstellen
- EFS Schlüssel per OpenSSL erstellen