Using the IsoApplet with OpenSSL
This post describes how to use OpenSSL with your smartcard using the IsoApplet.
You need to do several preparations before starting to use OpenSSL. The first part is to set up your smartcard and generate keys. The second part is to install additional libraries and engines that are needed by OpenSSL when used with OpenSC.
- Please see the documentation in this wiki and follow the instructions describing how to set up your drivers and smartcard for use with the IsoApplet. Make sure to initialize the applet with a PIN and PUK.
- Generate a 2048 bit RSA key. The following example generates a private key that is to be used for signing. Other possibilities are "decrypt" or "sign,decrypt".

  ```
  pkcs15-init --generate-key "rsa/2048" --key-usage "sign" --id "1" --auth-id "FF" --label "OpenSSL test key"
  ```
- You should now be able to verify that your new keypair is present by using `pkcs15-tool --dump`.
- Extract the public key from your smartcard:

  ```
  pkcs15-tool --read-public-key "1" --output "smartcard-OpenSSL-pubkey.pem"
  ```
You need libp11 (source code), which includes engine_pkcs11, and p11-kit.
You might need to configure the OpenSC module as shown here.
OpenSSL allows you to offload cryptographic functions to engines. This is why engine_pkcs11, an engine designed to work with different PKCS#11 providers, is needed. libp11 is a wrapper library for PKCS#11 that uses a rewritten Open Source PKCS#11 header file. Both are probably available from your operating system's repositories, so please check that before trying to build from source.
You should now be able to use your smartcard with OpenSSL.
Let's do a simple test to check whether signatures generated by the smartcard are verifiable with the extracted public key.
First, we create a simple text file containing random numbers and characters:

```
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 260 | head -n 1 > textToSign.txt
```
As a next step we try to sign the file using the private key that we generated directly on the smartcard earlier. The `private-key-label` is the label used when generating the private key on the smart card (the `pkcs15-init --label 'xyz'` flag). The signature is written to `signature.bin` so that the verify step below can find it:

```
openssl dgst -engine pkcs11 -sign "pkcs11:object=private-key-label;type=private;pin-value=0000" -keyform ENGINE -sha256 -out signature.bin textToSign.txt
```
You should now be able to verify the signature using the extracted public key (output: `Verified OK`):

```
openssl dgst -sha256 -verify smartcard-OpenSSL-pubkey.pem -keyform PEM -signature signature.bin textToSign.txt
```
To create a self-signed certificate, use something similar to this. The commands are entered at OpenSSL's interactive prompt, which you get by running `openssl` without arguments (OpenSSL 3.0 no longer offers this prompt; there, run each line as its own `openssl ...` command):

```
openssl
req -engine pkcs11 -new -key "pkcs11:object=private-key-label;type=private" -keyform ENGINE -out request.pem -text -x509 -subj "/CN=Your Name"
x509 -engine pkcs11 -signkey "pkcs11:object=private-key-label;type=private" -keyform ENGINE -in request.pem -out certificate.pem
quit
```
The `req` command creates a certificate request. The `x509` command (self-)signs the certificate request using the same private key as for the request and creates a `certificate.pem` file. The `request.pem` can also be signed by other authorities.
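The sign/verify test and the certificate step above, as an added example script that is not part of this wiki: it builds the PKCS#11 URI for a key label (a label containing spaces, such as the "OpenSSL test key" generated above, must be percent-encoded according to RFC 7512), runs the signature round-trip, and checks that the certificate's public key is the one read from the card. The function names, the `signature.bin` file name and the assumption that engine_pkcs11 prompts for the PIN when no `pin-value` is given are mine, not the project's.

```shell
#!/bin/sh
# Added example (not from the wiki). Assumes OpenSC, libp11/engine_pkcs11
# and the key generated above are in place; function names are my own.
set -eu

# RFC 7512 requires reserved characters such as the space to be percent-
# encoded, so a label like "OpenSSL test key" cannot be pasted in verbatim.
# Encoding every byte outside ALPHA / DIGIT / "-" "." "_" "~" is always safe.
# Pure POSIX sh: walk the label byte by byte using od.
pkcs11_uri_for_label() {
    encoded=""
    for hex in $(printf '%s' "$1" | od -An -v -tx1 | tr 'A-F' 'a-f'); do
        case $hex in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                # unreserved byte: turn the hex value back into the character
                encoded="$encoded$(printf "\\$(printf '%o' "0x$hex")")" ;;
            *)
                encoded="$encoded%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf 'pkcs11:object=%s;type=private' "$encoded"
}

# Sign with the on-card key and verify with the public key extracted by
# pkcs15-tool. The same file name (signature.bin) is used for both steps.
# No pin-value in the URI: engine_pkcs11 prompts for the PIN (assumed default
# behaviour), so the PIN stays out of the shell history and the process list.
sign_and_verify() {
    key_uri=$(pkcs11_uri_for_label "$1")
    openssl dgst -engine pkcs11 -keyform ENGINE -sha256 \
        -sign "$key_uri" -out signature.bin "$2"
    openssl dgst -sha256 -verify "$3" -keyform PEM \
        -signature signature.bin "$2"              # prints "Verified OK"
}

# After the self-signed step: the public key inside certificate.pem must be
# the key read from the card. Compare SHA-256 of both keys in DER form so
# that PEM line-wrapping differences between tools do not matter.
cert_matches_card_key() {
    card=$(openssl pkey -pubin -in "$2" -outform DER | openssl dgst -sha256)
    cert=$(openssl x509 -in "$1" -pubkey -noout \
           | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$card" = "$cert" ]
}

# Usage: sh isoapplet-test.sh "OpenSSL test key" textToSign.txt \
#            smartcard-OpenSSL-pubkey.pem [certificate.pem]
if [ "$#" -ge 3 ]; then
    sign_and_verify "$1" "$2" "$3"
    if [ "$#" -eq 4 ]; then
        cert_matches_card_key "$4" "$3"   # set -e aborts on a mismatch
        echo "certificate key matches card key"
    fi
fi
```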