OpenSC / pkcs11-helper

Library that simplifies the interaction with PKCS#11 providers for end-user applications using a simple API and optional OpenSSL engine

ecryptfs via pkcs11-helper #25

Closed Anabel-Dev closed 4 years ago

Anabel-Dev commented 4 years ago

Hello, Currently we are trying to encrypt a folder using ecryptfs via pkcs11-helper (a public key stored in an ATECC608A). We are able to communicate with the cryptochip through pkcs11 (using p11tool). While running ecryptfs-manager we didn't get any PKCS#11 serialized object id; it just returns to the main menu as depicted below:

$ ecryptfs-manager

eCryptfs key management menu

1. Add passphrase key to keyring
2. Add public key to keyring
3. Generate new public/private keypair
4. Exit

Make selection: 2

Select key type to use for newly created files:
1) pkcs11-helper
2) passphrase
3) openssl
Selection: 1

Returning to main menu

eCryptfs key management menu

1. Add passphrase key to keyring
2. Add public key to keyring
3. Generate new public/private keypair
4. Exit

Make selection: 4

We configured the ~/.ecryptfsrc.pkcs11 file as:

pkcs11-log-level=5
pkcs11-provider,name=cryptoauthlib,library=/usr/lib/libcryptoauth.so

Can anyone please explain or share your comments on what we are doing wrong?

alonbl commented 4 years ago

A private key must be paired with a certificate public object for pkcs11-helper to locate. The initialization should be done by standard pkcs11 tools ahead.

Anabel-Dev commented 4 years ago

Thank you for your suggestion. There are so many tools to initialize the pkcs11 such as p11-kit, p11tool, openvpn. Can you please suggest a standard pkcs11 tool for us?

We are using pkcs11-tool and we get a token state of uninitialized as depicted below:

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state:   uninitialized

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -I
Cryptoki version 2.40
Manufacturer     Microchip Technology Inc v
Library          Cryptoauthlib PKCS11 Interface (ver 3.2)
Using slot 0 with a present token (0x0)

Are we going the correct way? Please share your point of view.

alonbl commented 4 years ago

Use pkcs11-tool and make sure you have a private key and a matching certificate with the same cka_id. Please use the materials available to reach this.
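
The pairing requirement above (private key and certificate object sharing one CKA_ID) is easy to check from the object listing that `pkcs11-tool -O` prints. The following script is an added example written for this thread, not code from pkcs11-helper or OpenSC: it parses that listing and reports private keys with no certificate of the same ID. The embedded listing is constructed in the layout pkcs11-tool uses ("Private Key Object; ...", indented `label:` / `ID:` fields); it is not output from any real token, and the exact column spacing of a real listing may differ, which the parser tolerates. To check a real token, pass the module path as the first argument (the script then runs `pkcs11-tool --module <path> -O --login`, which prompts for the user PIN).

```python
"""Check that every private key on a PKCS#11 token has a certificate with the same CKA_ID.

pkcs11-helper finds a private key through its paired certificate object, so the two
must share CKA_ID. Typical provisioning with pkcs11-tool gives both objects the same
--id value, e.g.:
  pkcs11-tool --module <lib> --login --keypairgen --key-type EC:prime256v1 --id 01 --label device-key
  pkcs11-tool --module <lib> --login --write-object device-cert.der --type cert --id 01 --label device-cert
This script only audits the result; it does not create objects.
"""
import re
import subprocess
import sys

# Constructed sample in the layout of `pkcs11-tool -O` output; not from a real token.
# Key ID 01 is correctly paired with a certificate; key ID 02 has no certificate.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x0)
Private Key Object; EC
  label:      device-key
  ID:         01
  Usage:      sign
  Access:     sensitive, never extractable
Public Key Object; EC  EC_POINT 256 bits
  label:      device-key
  ID:         01
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      device-cert
  subject:    DN: CN=device
  ID:         01
Private Key Object; RSA
  label:      orphan-key
  ID:         02
  Usage:      decrypt, sign
"""

# An object starts at a non-indented "<kind> Object;" header; its attributes follow indented.
HEADER_RE = re.compile(r"^(Private Key|Public Key|Certificate|Data) Object;")
FIELD_RE = re.compile(r"^\s+(\w+):\s+(.*)$")


def parse_objects(listing):
    """Return one dict per object: {'kind': ..., 'label': ..., 'ID': ..., ...}."""
    objects = []
    current = None
    for line in listing.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"kind": header.group(1)}
            objects.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return objects


def check_pairing(listing):
    """Return (paired_ids, unpaired_ids) for the private keys in the listing.

    paired_ids: CKA_IDs of private keys that have a certificate with the same ID.
    unpaired_ids: CKA_IDs of private keys pkcs11-helper will not be able to locate.
    """
    objects = parse_objects(listing)
    cert_ids = {o.get("ID") for o in objects if o["kind"] == "Certificate"}
    key_ids = [o.get("ID") for o in objects if o["kind"] == "Private Key"]
    paired = sorted(i for i in key_ids if i in cert_ids)
    unpaired = sorted(i for i in key_ids if i not in cert_ids)
    return paired, unpaired


def main(argv):
    if len(argv) > 1:
        # argv[1] is the PKCS#11 module path, e.g. /usr/lib/libcryptoauth.so (assumed path).
        listing = subprocess.run(
            ["pkcs11-tool", "--module", argv[1], "-O", "--login"],
            capture_output=True, text=True, check=True,
        ).stdout
    else:
        listing = SAMPLE_LISTING
    paired, unpaired = check_pairing(listing)
    print("private keys with a matching certificate:   ", paired or "none")
    print("private keys WITHOUT a matching certificate:", unpaired or "none")
    return 1 if unpaired else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample data the script reports ID 01 as paired and ID 02 as unpaired and exits non-zero, which is the state the original poster's token is in until a certificate with the key's CKA_ID is written.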

Anabel-Dev commented 4 years ago

Thank you for your suggestion. Actually we are new to this pkcs11-tool. Still we are facing some issues in token initialization, and it also requires a user PIN for --keypairgen. We already downloaded the OpenSC git from the below mentioned link: https://github.com/OpenSC/OpenSC and followed the steps.

Still it does not initialize the token:

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state:   uninitialized

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -t -l
Using slot 0 with a present token (0x0)
Logging in to "0123EE".
Please enter User PIN:
error: PKCS11 function C_Login failed: rv = CKR_CANT_LOCK (0xa)
Aborting.

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so --slot-index 0 --test
Using slot with index 0 (0x0)
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom(buf1,0) failed: CKR_ARGUMENTS_BAD (0x7)
Digests: not implemented
Signatures: not logged in, skipping signature tests
Verify: not logged in, skipping verify tests
Key unwrap: not a R/W session, skipping key unwrap tests
Decryption: not logged in, skipping decryption tests
1 errors

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so --test-hotplug -v
Testing card detection using C_GetSlotList()
Please press return to continue, x to exit:
Available slots:
Slot 0 (0x0): 0_3_0
  manufacturer:      Microchip Technology Inc
  hardware ver:      0.2
  firmware ver:      255.255
  flags:             token present, hardware slot
  token label        : 0123EE
  token manufacturer : Microchip Technology Inc
  token model        : ATECC608A
  token flags        : rng, login required
  hardware version   : 0.2
  firmware version   : 255.255
  serial num         : xxxxxxxxxxxx
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent()
Please press return to continue, x to exit: x
Using slot 0 with a present token (0x0)

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so --init-token --label device
Using slot 0 with a present token (0x0)
Please enter the new SO PIN:
Please enter the new SO PIN (again):
Segmentation fault

How can we label the device? Is that our choice or is there some specific name for it?

Can you please explain the procedure to generate a private key as well as a certificate with the same CKA_ID for us, or suggest us a link to follow? Thanks in advance.

Anabel-Dev commented 4 years ago

Hello, We are still stuck in the token initialization. Could you please help us with this?

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state:   uninitialized

alonbl commented 4 years ago

On Wed, 4 Mar 2020 at 9:52 Anabel-Dev notifications@github.com wrote:

Hello, We are still stuck in the token initialization. Could you please help us with this?

$ pkcs11-tool --module=/usr/lib/libcryptoauth.so -L
Available slots:
Slot 0 (0x0): 0_3_0
  token state:   uninitialized

Please contact provider vendor.

Anabel-Dev commented 4 years ago

Hello, Now we are able to initialize the token. But still we don't know how to generate a matching certificate with the same cka_id using the private key. Can you help us with this one thing?

alonbl commented 4 years ago

Are you aware that this is not commercial support?

Anabel-Dev commented 4 years ago

Yes I'm aware. Thank you for your support so far.