Skip to content

Instantly share code, notes, and snippets.

@nikileshsa

nikileshsa/README.md

Forked from Jakuje/README.md
Created March 17, 2019 17:01
Show Gist options
  • Save nikileshsa/5652ac2986f41f353a9703aca04e5110 to your computer and use it in GitHub Desktop.
Save nikileshsa/5652ac2986f41f353a9703aca04e5110 to your computer and use it in GitHub Desktop.
Download ZIP
OpenSC test Sign, Verify, Encipher and Decipher from commandline with OpenSSL CLI
Raw
README.md 
export PIN=111111
export SIGN_KEY=11
export ENC_KEY=55

Sign/Verify using private key/certificate

  • Create a data to sign

    echo "data to sign (max 100 bytes)" > data

  • Get the certificate from the card:

    ./pkcs11-tool -r -p $PIN --id $SIGN_KEY --type cert --module ../pkcs11/.libs/opensc-pkcs11.so > $SIGN_KEY.cert

  • Convert it to the public key (PEM format)

    openssl x509 -inform DER -in $SIGN_KEY.cert -pubkey > $SIGN_KEY.cert.pub

RSA-PKCS

  • Sign the data on the smartcard using private key:

    cat data | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m RSA-PKCS --module ../pkcs11/.libs/opensc-pkcs11.so > data.sig

  • Verify

    openssl rsautl -verify -inkey $SIGN_KEY.cert.pub -in data.sig -pubin

RSA-X-509

  • Prepare data with padding:

    (echo -ne "\x00\x01" && for i in `seq 224`; do echo -ne "\xff"; done && echo -ne "\00" && cat data) > data_pad

  • Sign the data on the smartcard using private key:

    cat data_pad | ./pkcs11-tool --id $SIGN_KEY -s -p $PIN -m RSA-X-509 --module ../pkcs11/.libs/opensc-pkcs11.so > data_pad.sig

  • Verify

    openssl rsautl -verify -inkey $SIGN_KEY.cert.pub -in data_pad.sig -pubin -raw

Encrypt/Decrypt using private key/certificate

  • Create a data to encrypt

    echo "data to encrpyt should be longer, better, faster and whatever we need to hide in front of nasty eyes of the ones that should not see them. " > data

  • Get the certificate from the card:

    ./pkcs11-tool -r -p $PIN --id $ENC_KEY --type cert --module ../pkcs11/.libs/opensc-pkcs11.so > $ENC_KEY.cert

  • Convert it to the public key (PEM format)

    openssl x509 -inform DER -in $ENC_KEY.cert -pubkey > $ENC_KEY.pub

RSA-PKCS

  • Encrypt the data locally

    openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data -pubin -out data.crypt

  • Decrypt the data on the card

    cat data.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-PKCS --module ../pkcs11/.libs/opensc-pkcs11.so

RSA-X-509

  • Prepare data with padding:

    (echo -ne "\x00\x02" && for i in `seq 113`; do echo -ne "\xff"; done && echo -ne "\00" && cat data) > data_pad

  • Encrypt the data locally

    openssl rsautl -encrypt -inkey $ENC_KEY.pub -in data_pad -pubin -out data_pad.crypt -raw

  • Decrypt the data on the card

    cat data_pad.crypt | ./pkcs11-tool --id $ENC_KEY --decrypt -p $PIN -m RSA-X-509 --module ../pkcs11/.libs/opensc-pkcs11.so
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment