OpenSC pkcs11-tool PKCS#11

Export a RSA / ECC public key with OpenSC pkcs11-tool

Whenever you generate a public/private key pair in hardware over PKCS#11 you need export the public key to generate an X.509v3 vertificate. pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a local available working P11 module (.so in Linux or .DLL in Windows) and allows various cryptographic action. pkcs11tool is part of the OpenSC package.

PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart card type of key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.

This post is part of #CryptoCorner my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and unsecure implemented key management.

Retrieve a public key from a key media using PKCS#11

Please see my previous and related posts how to compile a PKCS#11 library and configure OpenSC to use this cryptographic module.

In this example I already initialized a slot on the key media and generated a key. In the example I will use SoftHSM2 version 2.6.1 with Cryptoki 2.40 implementation of PKCS11 as the PKCS#11 module and export the public key using OpenSC pkcs11-tool

$ pkcs11-tool --modul /usr/local/lib/softhsm/libsofthsm2.so --slot 1472789662 --read-object --type pubkey --id 01 -o rsa01pub.key

$ hd rsa01pub.key
00000000  30 82 01 22 30 0d 06 09  2a 86 48 86 f7 0d 01 01  |0.."0...*.H.....|
00000010  01 05 00 03 82 01 0f 00  30 82 01 0a 02 82 01 01  |........0.......|
00000020  00 b4 9a 3b cf 59 76 05  d8 a8 4c 13 fa c6 f4 2c  |...;.Yv...L....,|
00000030  af cb 69 bf a2 89 bb c3  da 51 f1 5b 64 d3 5f b2  |..i......Q.[d._.|
00000040  79 d7 ff d0 13 b0 25 4c  b7 31 a8 79 7e b6 af 8a  |y.....%L.1.y~...|
00000050  60 bc c0 2d 47 ee a2 d6  15 14 f6 99 87 55 c8 3f  |`..-G........U.?|
00000060  18 a6 36 27 e9 44 b8 aa  b2 b7 b2 25 7f 50 1f 7b  |..6'.D.....%.P.{|
00000070  bb 89 bf 19 cc e1 bf 0c  99 a9 85 41 91 8e 76 02  |...........A..v.|
00000080  23 70 51 be 28 26 1c 09  58 78 c5 db 15 a0 73 60  |#pQ.(&..Xx....s`|
00000090  1f 0f 0e 56 a6 97 82 7f  a6 58 c1 57 7d 9e b4 0d  |...V.....X.W}...|
000000a0  f1 0b 66 c5 2c 97 b7 85  37 be dd 8b 93 c9 7f 55  |..f.,...7......U|
000000b0  04 75 40 1a 8e 0b 2e 5d  9d bd e3 91 01 25 0a a4  |.u@....].....%..|
000000c0  86 e9 cf 4a c8 16 5a 52  2e fc 3f 9d 9b 75 db 40  |...J..ZR..?..u.@|
000000d0  09 ab 07 60 dd d1 d2 1f  ec c7 eb 37 a4 9e 25 bf  |...`.......7..%.|
000000e0  99 f5 74 0f 71 ac 8a 79  95 d5 df a4 67 af a4 af  |..t.q..y....g...|
000000f0  ad be c1 18 6f cd 04 2a  8b b0 c8 5e 37 3e 81 02  |....o..*...^7>..|
00000100  d2 f4 e4 4a 6c 75 05 26  d7 74 80 1c 30 9e 2f 28  |...Jlu.&.t..0./(|
00000110  46 62 e0 0a 45 84 b6 0a  ce 3f 5f 32 52 be 3c 0f  |Fb..E....?_2R.<.|
00000120  07 02 03 01 00 01                                 |......|
00000126

$ dumpasn1 rsa01pub.key
  0 290: SEQUENCE {
  4  13:   SEQUENCE {
  6   9:     OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 17   0:     NULL
       :     }
 19 271:   BIT STRING, encapsulates {
 24 266:     SEQUENCE {
 28 257:       INTEGER
       :         00 B4 9A 3B CF 59 76 05 D8 A8 4C 13 FA C6 F4 2C
       :         AF CB 69 BF A2 89 BB C3 DA 51 F1 5B 64 D3 5F B2
       :         79 D7 FF D0 13 B0 25 4C B7 31 A8 79 7E B6 AF 8A
       :         60 BC C0 2D 47 EE A2 D6 15 14 F6 99 87 55 C8 3F
       :         18 A6 36 27 E9 44 B8 AA B2 B7 B2 25 7F 50 1F 7B
       :         BB 89 BF 19 CC E1 BF 0C 99 A9 85 41 91 8E 76 02
       :         23 70 51 BE 28 26 1C 09 58 78 C5 DB 15 A0 73 60
       :         1F 0F 0E 56 A6 97 82 7F A6 58 C1 57 7D 9E B4 0D
       :                 [ Another 129 bytes skipped ]
289   3:       INTEGER 65537
       :       }
       :     }
       :   }
 
0 warnings, 0 errors.

The exported key file a .DER file which is ASN1 encoded. You an use dumpasn1 to decode the format and view the RSA public key. There are many tools available to convert the DER to PEM and vice versa.

Another example of an exported ECC key:

$ dumpasn1 ecc01pub.key
  0 118: SEQUENCE {
  2  16:   SEQUENCE {
  4   7:     OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
 13   5:     OBJECT IDENTIFIER secp384r1 (1 3 132 0 34)
       :     }
 20  98:   BIT STRING
       :     04 36 34 4C FD 3F 0C 92 16 BC 82 3F E2 43 B8 36
       :     37 36 BD 6B 00 C4 10 9B 2B CB 27 68 50 E4 6F EA
       :     3E 3E 93 B4 5A 53 30 61 B6 6F 3A 89 99 49 8C C2
       :     0F BE E5 8E 65 0D CD D1 CA C7 45 34 3B 79 D3 EE
       :     FD 58 1D 56 8A 18 F9 23 0D E6 1E 23 73 2B 17 E1
       :     E1 1B D4 B9 BA 1A E6 DA AE 85 41 39 51 83 09 D3
       :     50
       :   }
 
0 warnings, 0 errors.

I used openssl to convert the DER formatted key to a PEM format:

$ openssl rsa -pubin -inform DER -in rsa01pub.key -outform PEM -out rsa01pub.pem
 
$ more rsa01pub.pem
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtJo7z1l2BdioTBP6xvQs
r8tpv6KJu8PaUfFbZNNfsnnX/9ATsCVMtzGoeX62r4pgvMAtR+6i1hUU9pmHVcg/
GKY2J+lEuKqyt7Ilf1Afe7uJvxnM4b8MmamFQZGOdgIjcFG+KCYcCVh4xdsVoHNg
Hw8OVqaXgn+mWMFXfZ60DfELZsUsl7eFN77di5PJf1UEdUAajgsuXZ2945EBJQqk
hunPSsgWWlIu/D+dm3XbQAmrB2Dd0dIf7MfrN6SeJb+Z9XQPcayKeZXV36Rnr6Sv
rb7BGG/NBCqLsMheNz6BAtL05EpsdQUm13SAHDCeLyhGYuAKRYS2Cs4/XzJSvjwP
BwIDAQAB
-----END PUBLIC KEY-----

Note: Don’t try to export the private key of a smart card, crypto token or HSM. It will not work, as the protection of the private key from copying is the main functionallity of a secure key media!

Where to find working PKCS#11 libraries?

The most common open source libraries are found here:

/usr/local/lib/softhsm/libsofthsm2.so
/usr/local/lib/libykcs11.so
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

libsofthsm2.so – The PKCS#11 library of SoftHSM2 a popular software defines key store. You need to install or compile SoftHSM2 to get this library.

libykcs11.so – The Yubico PKCS#11 library for all YubiKey token with smart card PIV functionallity. Install and compile Yubico yubico-piv-tool.

opensc-pkcs11.so – The popular OpenSC PKCS#11 library supporting many smart cards and PKI token. Install or compile opensc to use this software interface.

Related Posts

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.