libp11 icon indicating copy to clipboard operation
libp11 copied to clipboard

Published 20 hours ago verified publisher icon OpenSC

Introduce keypair generation as engine ctrl command

Open istepic opened this issue 2 years ago • 5 comments

As discussed in https://github.com/OpenSC/libp11/pull/379 and https://github.com/OpenSC/libp11/pull/378 we need a generic interface that supports multiple algorithms for key generation. Attempt was made to create a new keygen method and register it in PKCS11_pkey_meths() in p11_pkey.c (so that it's possible to generate keys using OpenSSL's EVP_PKEY_* API) but multiple design issues appeared. How and where do you pass the key ID, token label and alike was the first question. As suggested by the maintainer here: https://github.com/OpenSC/libp11/pull/379#issuecomment-820588833, app_data from EVP_PKEY_CTX was (mis)used and that worked well. The reason why this approach was abandoned is because a good (or bad) way to get a handle of the PKCS11_CTX_private, that is necessary for the Cryptoki call, was not found. The way other operations work is that they rely on the key being loaded first through ENGINE_load_public(private)_key because this is when the PKCS11_CTX gets initialized and a handle to PKCS11_OBJECT_private gets set to the ex_data of the underlying key. Key generation obviously cannot rely on that mechanism since key doesn't yet exist.

Instead, a generic PKCS11_generate_key interface was made that takes a structure describing the key generation algorithm. For now it only contains simple options like curve name for ECC or number of bits for RSA key generation. This interface can then be used as any other PKCS11 wrapper interface or using the ENGINE control commands. Using it with ENGINE control commands is demonstrated in the new tests/keygen.c file.

Code for ECC keygen was taken from: https://github.com/OpenSC/libp11/pull/379 and reworked to compile and work with some new additions to libp11 i.e. templates.

istepic avatar Sep 08 '22 13:09 istepic

Hello @mtrojnar, does this approach to key generation seem plausible at all to you?

istepic avatar Oct 05 '22 07:10 istepic

what is the status of this PR? has it been abandoned as well? It seems there was a previous attempt at implementing EC keygen which didn't prosper either (https://github.com/OpenSC/libp11/pull/379).

is there are reason not to pursue either of them?

ldts avatar Nov 02 '22 13:11 ldts

what is the status of this PR? has it been abandoned as well? It seems there was a previous attempt at implementing EC keygen which didn't prosper either (https://github.com/OpenSC/libp11/pull/379).

is there are reason not to pursue either of them?

IMHO biggest issue with both of these is when will OpenSSL drops engine support and what happens to libp11.

dengert avatar Nov 03 '22 01:11 dengert

Is there an alternative way of generating EC key pairs on the token? It is currently possible to generate EC keys with pkcs11-tool, but not libp11 API.

mwasilew avatar Nov 10 '22 21:11 mwasilew

Is there an alternative way of generating EC key pairs on the token? It is currently possible to generate EC keys with pkcs11-tool, but not libp11 API.

No alternative way for EC keys.

istepic avatar Nov 14 '22 17:11 istepic