Openssl 如何使用OpenSC使用智能卡的私钥解密消息
我们最近更新到了OpenSC 0.15.0,由于某些原因,我们不能再使用它来解密带有智能卡私钥的消息 显然,无论我们使用pkcs11工具(由OpenSC提供)和OpenSSL引擎,情况都是一样的 下面是我们所做工作的一个例子: pkcs11工具:Openssl 如何使用OpenSC使用智能卡的私钥解密消息,openssl,smartcard,pkcs#11,opensc,Openssl,Smartcard,Pkcs#11,Opensc,我们最近更新到了OpenSC 0.15.0,由于某些原因,我们不能再使用它来解密带有智能卡私钥的消息 显然,无论我们使用pkcs11工具(由OpenSC提供)和OpenSSL引擎,情况都是一样的 下面是我们所做工作的一个例子: pkcs11工具: % pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --decrypt -v -l --input-file encrypted.bin --id 9352 Using slot 1 with
% pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --decrypt -v -l --input-file encrypted.bin --id 9352
Using slot 1 with a present token (0x1)
Logging in to "OpenSC Card".
Please enter User PIN:
Using decrypt algorithm RSA-PKCS
error: PKCS11 function C_Decrypt failed: rv = CKR_DATA_LEN_RANGE (0x21)
Aborting.
或者通过使用OpenSSL引擎,下面是一个小示例程序:
#include <iostream>
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
#include <openssl/crypto.h>
using namespace std;
int main()
{
OpenSSL_add_all_algorithms();
ENGINE_load_dynamic();
// Setup OpenSSL engine
ENGINE* engine = ENGINE_by_id("dynamic");
string enginePath = "/usr/local/lib/engines/pkcs11.so";
string modulePath = "/usr/local/lib/opensc-pkcs11.so";
ENGINE_ctrl_cmd_string(engine, "SO_PATH", enginePath.c_str(), 0);
ENGINE_ctrl_cmd_string(engine, "LIST_ADD", "1", 0);
ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0);
ENGINE_ctrl_cmd_string(engine, "MODULE_PATH", modulePath.c_str(), 0);
string pin = "123456";
ENGINE_ctrl_cmd_string(engine, "PIN", pin.c_str(), 0);
ENGINE_ctrl_cmd_string(engine, "VERBOSE", NULL, 0);
ENGINE_init(engine);
ENGINE_set_default(engine, ENGINE_METHOD_ALL);
string keyName = "id_9352";
EVP_PKEY *evp = ENGINE_load_private_key(engine, keyName.c_str(), NULL, NULL);
// Read encrypted file
long unsigned int length = 128;
unsigned char buf[length];
FILE* f = fopen("encrypted.bin", "r");
fread(buf, 1, length, f);
fclose(f);
// Try to decrypt
unsigned char output[length];
unsigned char* p = output;
RSA *rsa = EVP_PKEY_get1_RSA(evp);
int outputLen = RSA_private_decrypt(length, buf, p, rsa, RSA_PKCS1_PADDING);
if (outputLen == -1) {
long err = ERR_get_error();
cout << "Error decrypting: " << ERR_error_string(err, NULL) << endl;
return 1;
}
cout << output << endl;
return 0;
}
显然,在这两种情况下都是相同的错误,关于“数据长度范围”
更奇怪的是,当使用pkcs11工具执行签名操作(也使用私钥)时,工作正常:
% echo "test signing" > input.txt
% pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --sign -v --input-file input.txt --output-file out.sign --id 9352 -l
Using slot 1 with a present token (0x1)
Logging in to "OpenSC Card".
Please enter User PIN:
Using signature algorithm RSA-PKCS
% ls -l out.sign
-rw------- 1 user user 128 May 18 10:08 out.sign
因此,如果有人能指出我做错了什么,我会非常感激的我知道这来得很晚(问题提出三年后),但它可能会帮助一些人 我也遇到了同样的问题。但是当我列出OpenSC支持的所有机制时,我可以看到RSA_PKCS的最小密钥大小是
512
。实际上,这是模量大小。相应的键大小为4096
。因此,只需确保生成的密钥对长度至少为4096位。
在我的例子中,它成功了(使用pkcs11工具
命令。我还没有实现C
code)
% echo "test signing" > input.txt
% pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --sign -v --input-file input.txt --output-file out.sign --id 9352 -l
Using slot 1 with a present token (0x1)
Logging in to "OpenSC Card".
Please enter User PIN:
Using signature algorithm RSA-PKCS
% ls -l out.sign
-rw------- 1 user user 128 May 18 10:08 out.sign