Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to Sign/Decrypt Data with IsoApplet #38

Open
noumanqaiser opened this issue Nov 1, 2024 · 3 comments
Open

Unable to Sign/Decrypt Data with IsoApplet #38

noumanqaiser opened this issue Nov 1, 2024 · 3 comments

Comments

@noumanqaiser
Copy link

noumanqaiser commented Nov 1, 2024
edited
Loading

Hello,

After failing to produce key on-card with a J3R200, I went ahead to buy a new card( NXP J3R180) which support on card key generation, With this card, here are the things I did, I will restate all incase if someone is trying out similar stuff at a later point in time:

I downloaded the ISOApplet.cap file and ran the following command from the command prompt:
(before running gp command, i had set the environment variables for GP_KEY_ENC , GP_KEY_MAC, GP_KEY_DEK using data sent by vendor, to be able to interact with the card using gp)

gp -r "Generic USB Smart Card Reader 0" --install IsoApplet.cap --default
Once installed, i used the openSC PKCS15-init tool to initialize the card and set a pin:

pkcs15-init --create-pkcs15
Once successfully initialized, I generated a keypair on the card using the command below:

pkcs15-init --generate-key rsa/2048 --auth-id 01 --key-usage sign,decrypt --label "KeyPair1" --id "10"
post this, I was succesful in seeing the private and public key listed in the card by using the command below:

pkcs15-tool --dump
I was also able to export the public key from the card:

pkcs15-tool --read-public-key 10 -o publickey.pem
With the exported public key, I was able to encrypt sample data aswell using openssl, assuming sample.txt contains the data to be encrypted:

openssl pkeyutl -encrypt -inkey publickey.pem -pubin -in sample.txt -out encrypted_sample.bin
This is pretty much where I get stuck, I just cannot see to find a way to use the private key in any cryptographic operation, I want to decrypt the data produced in the previous step but cannot seem to find any way to do that, Similarly I cant seem to find out how I can sign the data.

Here are things I have tried out and didnt work:

  1. use the pkcs-crypt tool to decipher the data:

pkcs15-crypt --decipher --key "10" --input "encrypted_sample.bin" --output "decrypted_sample.txt" --reader 0
no matter what I do, pkcs-crypt cannot find the private key generated above, which makes me feel this tool cannot utilize the key generated in by pkcs15-tool.

  1. Try to create an Openssl Pkcs engine and use that to run cryptographic operation: unfortunately there is barely any proper guidance I was able to find online/on how to use openssl v3.4 on Windows with the pkcs engine. Here is my conf file:
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = C:/packages/libp11/pkcs11.dll
MODULE_PATH = C:/Program Files/OpenSC Project/OpenSC/pkcs11/opensc-pkcs11.dll
init = 0

I also set the environment variable: OPENSSL_CONF to point to my conf file above, but I cant seem to make openssl use this onf file, I also tried following command:
Openssl engine dynamic -pre ID:pkcs11 -pre SO_PATH:C:\packages\libp11\pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll

I get an error as shown below:

C:\Users\Admin>Openssl engine dynamic -pre ID:pkcs11 -pre SO_PATH:C:\packages\libp11\pkcs11.dll -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
(dynamic) Dynamic engine loading support
[Success]: ID:pkcs11
[Success]: SO_PATH:C:\packages\libp11\pkcs11.dll
[Success]: LIST_ADD:1
[Failure]: LOAD
A07D0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\packages\libp11\pkcs11.dll)
A07D0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:147:
A07D0000:error:13000084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:438:
[Failure]: MODULE_PATH:C:\Program
A07D0000:error:13000089:engine routines:int_ctrl_helper:invalid cmd name:crypto\engine\eng_ctrl.c:90:
A07D0000:error:13000089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:crypto\engine\eng_ctrl.c:253:
A07D0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\Program Files\OpenSSL\lib\engines-3\Files\\OpenSC)
A07D0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:147:
A07D0000:error:13000084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:438:
A07D0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto\engine\eng_list.c:475:id=Files\OpenSC
A07D0000:error:12800067:DSO support routines:win32_load:could not load the shared library:crypto\dso\dso_win32.c:108:filename(C:\Program Files\OpenSSL\lib\engines-3\Project\OpenSC\pkcs11\\opensc-pkcs11.dll)
A07D0000:error:12800067:DSO support routines:DSO_load:could not load the shared library:crypto\dso\dso_lib.c:147:
A07D0000:error:13000084:engine routines:dynamic_load:dso not found:crypto\engine\eng_dyn.c:438:
A07D0000:error:13000074:engine routines:ENGINE_by_id:no such engine:crypto\engine\eng_list.c:475:id=Project\OpenSC\pkcs11\opensc-pkcs11.dll

With the above, I just help with following question: What is the simplest possible way to sign or decrypt a string using the javacard/isoapplet, What could I be doing wrong.
@philipWendland
Copy link
Owner

philipWendland commented Nov 3, 2024
edited
Loading

As for OpenSSL, did you see the example in the IsoApplet wiki? I seemingly edited it in 2019, but I am not sure whether it is still up to date. https://github.com/philipWendland/IsoApplet/wiki/Using-the-IsoApplet-with-OpenSSL#preparations

To be honest, I also don't know that the differences on a Windows machine would be. I can imagine that there is hardly any documentation for that.

@philipWendland
Copy link
Owner

philipWendland commented Nov 3, 2024
edited
Loading

When using pkcs15-crypt to decrypt using the smart card, I get the following error:
Unable to find PIN code for private key: Requested object not found

Is this the same error you got?

Can you again provide some verbose logs? Also please post the output of pkcs15-tool --dump

@philipWendland
Copy link
Owner

philipWendland commented Nov 3, 2024
edited
Loading

For me, the issue was a wrong auth-id during card/applet initialization. I needed to specify authid FF. Maybe the default behaviour changed in OpenSSL?

The following sequence works for me now:

pkcs15-init --generate-key "rsa/2048" --pin 0000 --id 0 --auth-id "FF" -u "decrypt" --label "rsa-enc"
pkcs15-tool --read-public-key 0 -o pubkey
openssl rsautl -encrypt -inkey pubkey -pubin -out encrypted.bin -in testfile.txt -pkcs
pkcs15-crypt -c --input encrypted.bin --output decrypted.txt --pin 0000 --pkcs1 --key 0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@philipWendland @noumanqaiser