ThalesGroup / pycryptoki

Python interface to SafeNet's PKCS11 library implementation
Apache License 2.0

Is it possible to extract a DSA public key with this? #11

Closed Kraust closed 6 years ago

Kraust commented 6 years ago

I noticed that you can get the prime, subprime, base, and value of a DSA key using c_get_attribute_value_ex, but there doesn't seem to be a helper function to export these to a public key in either DER or PEM format.

astraw38 commented 6 years ago

Correct, you can get all the information from the key necessary for other formats, but we do not have a helper to DER-encode it in pycryptoki itself. If you have Gemalto's LunaClient installed, there is a utility "cmu" that can export public keys in DER format.

Kraust commented 6 years ago

It was actually ckdemo that motivated me to ask this question (as it does a similar thing to what I am trying to do), but yes, I have access to cmu. Do you know how to do this through cmu? The documentation I have is pretty bad; I was assuming cmu export did this but couldn't get anything out of it beyond X.509 certificates.

Also, I know this is probably the wrong place to ask, but do you know of any resources on how to generate the public key from the different attributes through Python? My searches have come up pretty barren.

astraw38 commented 6 years ago

cmu export { [-handle=<handle#>] | [-label=<label>] } -outputfile=<filename> [-binary] [-key] [-certdelete] [-password=<password>] [-slot=<slot#>]

If you're exporting a public key, include the '-key' flag. I know we've updated the CMU docs in later releases as they were pretty scant on info. Default format is PEM (I believe that if you specify -binary it outputs in DER format -- or you could use openssl to convert from PEM -> DER).

As for generating a public key in an HSM from attributes (using pycryptoki):

Create a template, then create an object:

template = {CKA_CLASS: CKO_PUBLIC_KEY,
            CKA_KEY_TYPE: CKK_RSA,  # Key type
            CKA_LABEL: b"RSA 2048 verifying key",  # Label
            CKA_PRIVATE: True,
            CKA_MODULUS: [0xe2, 0x32 ... ],  # list of hex data
            CKA_PUBLIC_EXPONENT: [0x01, 0x00, 0x01],  # Or other hex data
            CKA_VERIFY: True}
pub_key = c_create_object_ex(session, template)

Are you doing EC keys? Because if so, you'd need to get some of the data (the CKA_EC_POINT in particular) from the private key.
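For the question above about building the public key from the attributes in Python, here is an added example (not from the thread and not part of pycryptoki): a standard-library encoder that packs the prime, subprime, base and value into the DSA SubjectPublicKeyInfo layout of RFC 3279 and wraps it as PEM. It assumes the four values have already been read from the token and arrive as ints, hex strings or big-endian bytes; every function name is hypothetical and the sample numbers are a constructed toy group.

```python
import base64
import textwrap

# DER bytes of OBJECT IDENTIFIER 1.2.840.10040.4.1 (id-dsa, RFC 3279)
ID_DSA = bytes.fromhex("06072a8648ce380401")

def tlv(tag, content):
    """One DER tag-length-value; long-form length for 128 bytes and up."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def der_integer(value):
    """Minimal non-negative INTEGER; a 0x00 pad keeps a set top bit positive."""
    if value < 0:
        raise ValueError("DSA parameters are non-negative")
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def to_int(attr):
    """Assumed attribute forms: int, hex string, or big-endian bytes/list."""
    if isinstance(attr, int):
        return attr
    if isinstance(attr, str):
        return int(attr, 16)
    return int.from_bytes(bytes(attr), "big")

def dsa_public_key_der(prime, subprime, base, value):
    """SubjectPublicKeyInfo from CKA_PRIME, CKA_SUBPRIME, CKA_BASE, CKA_VALUE."""
    p, q, g, y = (to_int(a) for a in (prime, subprime, base, value))
    params = tlv(0x30, der_integer(p) + der_integer(q) + der_integer(g))
    algorithm = tlv(0x30, ID_DSA + params)
    # BIT STRING = unused-bits byte (0) followed by the DER INTEGER y
    return tlv(0x30, algorithm + tlv(0x03, b"\x00" + der_integer(y)))

def der_to_pem(der):
    """Wrap DER in the PEM armor openssl reads with `pkey -pubin`."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN PUBLIC KEY-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")

# Constructed toy group (p=23, q=11, g=4, y=4**3 % 23); real keys are far larger.
TOY_DER = dsa_public_key_der(23, "0b", b"\x04", [18])

if __name__ == "__main__":
    print(der_to_pem(TOY_DER), end="")
```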