search

joernheissler / cryptokey

Python library for pluggable asymmetric low-level encryption
MIT License
0 stars 0 forks source link

How to use it? #1

Closed ftbarata closed 5 years ago

ftbarata commented 5 years ago

How to use it?

joernheissler commented 5 years ago

Hello! I just moved to devel branch to master branch.

There are basic examples in the README (rendering is broken; guess I need to improve my knowledge on RST format). And there is a more verbose example in https://github.com/joernheissler/cryptokey/blob/master/cryptokey/asn1utils/__init__.py#L180 which creates PKCS#10 signing requests. I already use this for my acme client library which is my first actual use case, https://github.com/joernheissler/hacmec

You'd like to sign ASN.1 structures (from asn1crypto) using some HSM / crypto token for which you've got a PKCS#11 library, right?

Support for those libraries would only be as workaround to attract more users :-) My goal is to replace PKCS#11, i.e. no more proprietary C libraries, no ugly API. Instead rewrite everything in python, even if it means reverse engineering crypto tokens and their libraries.

I'm going to support the openpgp smartcard (https://g10code.com/p-card.html) "soon"; luckily they provide documentation. But I still need to figure out if (and how) to support multiple async frameworks without rewriting all the code. The trio-framework might work on "sansio": https://trio.discourse.group/t/priorities-roadmap/34 I'll probably try to follow their ideas.

What kind of device do you use? Does it come with documentation or any open-source libraries?

Once you figure out how to communicate with the device and have it sign some data, adding a new backend for my library shouldn't be too hard: https://github.com/joernheissler/cryptokey/blob/master/cryptokey/backend/textbook/rsa.py is an example. Basically you need to implement a few getters and one of the sign-Methods. Which, depends on the capabilities of the device. E.g. the openpgp smartcard would need the sign_v15_raw method.

ftbarata commented 5 years ago

Hi Joern! Thank you for reply. Well, I have a working code to generate and sign an RFC 5755 attribute certificate, using the asn1crypto and signing with a pkcs11 USB Gemalto Aladdin eToken PRO, using python-pkcs11 library.

The problem is the CertificateListBuilder constructor requires the private key to be passed in as argument, and I can't extract the RSAPrivateKey from the PKCS11 device. So I'm looking for any way to sign the Certificate Revocation List with PKCS11 device. Do you have any idea?

Fellipe

Em ter, 26 de fev de 2019 às 15:50, Jörn Heissler notifications@github.com escreveu:

Hello! I just moved to devel branch to master branch.

There are basic examples in the README (rendering is broken; guess I need to improve my knowledge on RST format). And there is a more verbose example in https://github.com/joernheissler/cryptokey/blob/master/cryptokey/asn1utils/__init__.py#L180 which creates PKCS#10 signing requests. I already use this for my acme client library which is my first actual use case, https://github.com/joernheissler/hacmec

You'd like to sign ASN.1 structures (from asn1crypto) using some HSM / crypto token for which you've got a PKCS#11 library, right?

Support for those libraries would only be as workaround to attract more users :-) My goal is to replace PKCS#11, i.e. no more proprietary C libraries, no ugly API. Instead rewrite everything in python, even if it means reverse engineering crypto tokens and their libraries.

I'm going to support the openpgp smartcard ( https://g10code.com/p-card.html) "soon"; luckily they provide documentation. But I still need to figure out if (and how) to support multiple async frameworks without rewriting all the code. The trio-framework might work on "sansio": https://trio.discourse.group/t/priorities-roadmap/34 I'll probably try to follow their ideas.

What kind of device do you use? Does it come with documentation or any open-source libraries?

Once you figure out how to communicate with the device and have it sign some data, adding a new backend for my library shouldn't be too hard:

https://github.com/joernheissler/cryptokey/blob/master/cryptokey/backend/textbook/rsa.py is an example. Basically you need to implement a few getters and one of the sign-Methods. Which, depends on the capabilities of the device. E.g. the openpgp smartcard would need the sign_v15_raw method.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467564079, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPFdju13Xr8bkY_ySEHPmHWBBhwKOks5vRYIKgaJpZM4bSXQO .

joernheissler commented 5 years ago

If you're issuing your own CRL, does that mean you're building some CA?

There are two steps:

  1. Implement a backend for your token. Pure python would be preferred, but adding support through python-pkcs11 should be possible (and way easier!). Do you have working example code? Documentation for your token?

  2. The CertificateListBuilder.build would need to be rewritten. It's tightly coupled to wbond's oscrypto library. I.e. copy+paste the parts where the ASN.1 structure is built, replace the parts where the private key is used. Maybe the method can be refactored a bit to make it easier to replace the private key.

ftbarata commented 5 years ago

Hi, so, take a look at the attached file. It has the code snippet of CRL Builder.

Take a look at this closed thread I've recently opened:

https://github.com/danni/python-pkcs11/issues/43

"1) Implement a backend for your token. Pure python would be preferred, but adding support through python-pkcs11 should be possible (and way easier!). Do you have working example code? Documentation for your token?" A: I don't have skills to implement a backend. I just use the python-pkcs11 methods to play with the token. I'm not sure about what token documentation you're talking about.

"2) The CertificateListBuilder.build would need to be rewritten. It's tightly coupled to wbond's oscrypto library. I.e. copy+paste the parts where the ASN.1 structure is built, replace the parts where the private key is used. Maybe the method can be refactored a bit to make it easier to replace the private key." A: That's the point. I don't have skills to rewrite code of guru's like you, William Bond and Danni(python-pkcs11). Maybe I could ask for someone do it for me at fiverr.com or freelancer.com.

Do you have any solution for this problem?

Fellipe

Em ter, 26 de fev de 2019 às 16:19, Jörn Heissler notifications@github.com escreveu:

If you're issuing your own CRL, does that mean you're building some CA?

There are two steps:

1.

Implement a backend for your token. Pure python would be preferred, but adding support through python-pkcs11 should be possible (and way easier!). Do you have working example code? Documentation for your token? 2.

The CertificateListBuilder.build would need to be rewritten. It's tightly coupled to wbond's oscrypto library. I.e. copy+paste the parts where the ASN.1 structure is built, replace the parts where the private key is used. Maybe the method can be refactored a bit to make it easier to replace the private key.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467574836, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPNV7cqUUQRCjixpWZl34yeJK7psNks5vRYjAgaJpZM4bSXQO .

joernheissler commented 5 years ago

https://github.com/joernheissler/cryptokey/blob/pkcs11/examples/pkcs11_create_csr works with my openpgp card. Can you check if it works with your token?

ftbarata commented 5 years ago

Sure. Let me try it now.

Fellipe

Em ter, 26 de fev de 2019 às 20:21, Jörn Heissler notifications@github.com escreveu:

https://github.com/joernheissler/cryptokey/blob/pkcs11/examples/pkcs11_create_csr works with my openpgp card. Can you check if it works with your token?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467656382, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPNPsGs4RA1gZhIlgHPX38KmlnufPks5vRcF4gaJpZM4bSXQO .

ftbarata commented 5 years ago

I'm running python 3.5.5 and I'm getting:

from asyncio import run ImportError: cannot import name 'run'

Fellipe

Em ter, 26 de fev de 2019 às 20:28, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Sure. Let me try it now.

Fellipe

Em ter, 26 de fev de 2019 às 20:21, Jörn Heissler < notifications@github.com> escreveu:

https://github.com/joernheissler/cryptokey/blob/pkcs11/examples/pkcs11_create_csr works with my openpgp card. Can you check if it works with your token?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467656382, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPNPsGs4RA1gZhIlgHPX38KmlnufPks5vRcF4gaJpZM4bSXQO .

ftbarata commented 5 years ago

Sorry. I went to IRC and someone told me that it was added in python 3.7. So, now I'm running python 3.7.0 and I'm getting:

from cryptokey.backend.pkcs11.rsa import Pkcs11RsaPrivateKey ModuleNotFoundError: No module named 'cryptokey.backend.pkcs11'

Fellipe

Em ter, 26 de fev de 2019 às 20:42, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

I'm running python 3.5.5 and I'm getting:

from asyncio import run ImportError: cannot import name 'run'

Fellipe

Em ter, 26 de fev de 2019 às 20:28, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Sure. Let me try it now.

Fellipe

Em ter, 26 de fev de 2019 às 20:21, Jörn Heissler < notifications@github.com> escreveu:

https://github.com/joernheissler/cryptokey/blob/pkcs11/examples/pkcs11_create_csr works with my openpgp card. Can you check if it works with your token?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467656382, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPNPsGs4RA1gZhIlgHPX38KmlnufPks5vRcF4gaJpZM4bSXQO .

ftbarata commented 5 years ago

Sorry. I've updated again. I'm fixing the session get_key. I'll give a feedback soon.

Fellipe

Em ter, 26 de fev de 2019 às 20:56, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Sorry. I went to IRC and someone told me that it was added in python 3.7. So, now I'm running python 3.7.0 and I'm getting:

from cryptokey.backend.pkcs11.rsa import Pkcs11RsaPrivateKey ModuleNotFoundError: No module named 'cryptokey.backend.pkcs11'

Fellipe

Em ter, 26 de fev de 2019 às 20:42, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

I'm running python 3.5.5 and I'm getting:

from asyncio import run ImportError: cannot import name 'run'

Fellipe

Em ter, 26 de fev de 2019 às 20:28, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Sure. Let me try it now.

Fellipe

Em ter, 26 de fev de 2019 às 20:21, Jörn Heissler < notifications@github.com> escreveu:

https://github.com/joernheissler/cryptokey/blob/pkcs11/examples/pkcs11_create_csr works with my openpgp card. Can you check if it works with your token?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467656382, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPNPsGs4RA1gZhIlgHPX38KmlnufPks5vRcF4gaJpZM4bSXQO .

ftbarata commented 5 years ago

IT WORKED!! So, I didn't understand what you did.... Have you extracted the privatekey from the pkcs11 device?

Fellipe

Em ter, 26 de fev de 2019 às 21:08, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Sorry. I've updated again. I'm fixing the session get_key. I'll give a feedback soon.

Fellipe

Em ter, 26 de fev de 2019 às 20:56, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Sorry. I went to IRC and someone told me that it was added in python 3.7. So, now I'm running python 3.7.0 and I'm getting:

from cryptokey.backend.pkcs11.rsa import Pkcs11RsaPrivateKey ModuleNotFoundError: No module named 'cryptokey.backend.pkcs11'

Fellipe

Em ter, 26 de fev de 2019 às 20:42, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

I'm running python 3.5.5 and I'm getting:

from asyncio import run ImportError: cannot import name 'run'

Fellipe

Em ter, 26 de fev de 2019 às 20:28, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Sure. Let me try it now.

Fellipe

Em ter, 26 de fev de 2019 às 20:21, Jörn Heissler < notifications@github.com> escreveu:

https://github.com/joernheissler/cryptokey/blob/pkcs11/examples/pkcs11_create_csr works with my openpgp card. Can you check if it works with your token?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467656382, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPNPsGs4RA1gZhIlgHPX38KmlnufPks5vRcF4gaJpZM4bSXQO .

joernheissler commented 5 years ago

Have you extracted the privatekey from the pkcs11 device?

Of course not, that's not possible.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L34 and https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L41 extract the public key values.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L74 asks the token to sign some data.

Btw, you don't really need to use my library to get your work done. You could copy those 3 lines into the CertificateListBuilder.build function.

ftbarata commented 5 years ago

Hi Joern, I'm not a python guru like you, so, I'm having a hard time understanding how to put these lines into build function. I've commented out some stuffs related to the private key passed in as parameter to constructor in the build function, and take a look at this snippet:

if issuer_private_key.algorithm == 'rsa':

sign_func = asymmetric.rsa_pkcs1v15_sign

elif issuer_private_key.algorithm == 'dsa':

sign_func = asymmetric.dsa_sign

elif issuer_private_key.algorithm == 'ec':

sign_func = asymmetric.ecdsa_sign

#

if not is_oscrypto:

issuer_private_key = asymmetric.load_private_key(issuer_private_key)

signature = sign_func(issuer_private_key, tbs_cert_list.dump(),

self._hash_algo)

WHAT GOES HERE?

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature })

I guess I need to do: rsa_priv_key = Pkcs11RsaPrivateKey(privatekey obtained_from_the_pkcs11_session) signature_with_cryptokey = rsa_priv_key.sign_v15_raw(msg=tbs_cert_list.dump())

And then, 'signature': signature_with_cryptokey

Is it correct?

Fellipe

Em qua, 27 de fev de 2019 às 04:32, Jörn Heissler notifications@github.com escreveu:

Have you extracted the privatekey from the pkcs11 device?

Of course not, that's not possible.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L34 and https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L41 extract the public key values.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L74 asks the token to sign some data.

Btw, you don't really need to use my library to get your work done. You could copy those 3 lines into the CertificateListBuilder.build function.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467755047, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPIkZTJCriRv0sgGTknIaFliYD8Nzks5vRjSVgaJpZM4bSXQO .

ftbarata commented 5 years ago

Doing this, I'm getting:

"TypeError: asn1crypto.core.OctetBitString value must be a byte string, not coroutine while constructing asn1crypto.core.OctetBitString while constructing asn1crypto.crl.CertificateList

/root/.pyenv/versions/3.7.0/lib/python3.7/threading.py:951: RuntimeWarning: coroutine 'Pkcs11RsaPrivateKey.sign_v15_raw' was never awaited del exc_type, exc_value, exc_tb"

Could you give me a hand?

Fellipe

Em qua, 27 de fev de 2019 às 11:31, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Hi Joern, I'm not a python guru like you, so, I'm having a hard time understanding how to put these lines into build function. I've commented out some stuffs related to the private key passed in as parameter to constructor in the build function, and take a look at this snippet:

if issuer_private_key.algorithm == 'rsa':

sign_func = asymmetric.rsa_pkcs1v15_sign

elif issuer_private_key.algorithm == 'dsa':

sign_func = asymmetric.dsa_sign

elif issuer_private_key.algorithm == 'ec':

sign_func = asymmetric.ecdsa_sign

#

if not is_oscrypto:

issuer_private_key = asymmetric.load_private_key(issuer_private_key)

signature = sign_func(issuer_private_key, tbs_cert_list.dump(), self._hash_algo)

WHAT GOES HERE?

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature })

I guess I need to do: rsa_priv_key = Pkcs11RsaPrivateKey(privatekey obtained_from_the_pkcs11_session) signature_with_cryptokey = rsa_priv_key.sign_v15_raw(msg=tbs_cert_list.dump())

And then, 'signature': signature_with_cryptokey

Is it correct?

Fellipe

Em qua, 27 de fev de 2019 às 04:32, Jörn Heissler < notifications@github.com> escreveu:

Have you extracted the privatekey from the pkcs11 device?

Of course not, that's not possible.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L34 and https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L41 extract the public key values.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L74 asks the token to sign some data.

Btw, you don't really need to use my library to get your work done. You could copy those 3 lines into the CertificateListBuilder.build function.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467755047, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPIkZTJCriRv0sgGTknIaFliYD8Nzks5vRjSVgaJpZM4bSXQO .

ftbarata commented 5 years ago

Updating:

@contextmanager def open_sig_key() -> pkcs11.types.PrivateKey: """ Horrible function to return an opened private key. Maybe the python-pkcs11 library is buggy, or maybe I just didn't understand it... """ success = False with suppress(pkcs11.exceptions.TokenNotPresent): for token in lib.get_tokens(): with suppress(pkcs11.exceptions.PinLocked): with token.open(user_pin=pin) as sess: with suppress(pkcs11.exceptions.NoSuchKey): for i in sess.get_objects({Attribute.CLASS: ObjectClass.PRIVATE_KEY}):

key =

sess.get_key(key_type=pkcs11.KeyType.RSA, object_class=pkcs11.ObjectClass.PRIVATE_KEY) if 'NACIONAL' in i[Attribute.LABEL]: success = True yield i return

with open_sig_key() as key: priv = Pkcs11RsaPrivateKey(key) certificate_list = builder.build(priv) certificate_list = pem_armor_crl(certificate_list=certificate_list).decode() novo_crl_pem = certificate_list

data_dict.update({'crl_pem':novo_crl_pem})

# update_crl = _request(urn=assina_crl_urn, data_dict=data_dict)['response']
# print('Crl assinado e atualizado.', update_crl)
print(novo_crl_pem)

rsa_priv_key = priv_key_from_pkcs11_session signature_with_cryptokey = run(rsa_priv_key.sign_v15_raw(tbs_cert_list.dump()))

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature_with_cryptokey })

File "agent.py", line 440, in run certificate_list = builder.build(priv) File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/crlbuilder_modificado/init.py", line 671, in build signature_with_cryptokey = run(rsa_priv_key.sign_v15_raw(tbs_cert_list.dump())) File "/root/.pyenv/versions/3.7.0/lib/python3.7/asyncio/runners.py", line 43, in run return loop.run_until_complete(main) File "/root/.pyenv/versions/3.7.0/lib/python3.7/asyncio/base_events.py", line 568, in run_until_complete return future.result() File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/cryptokey/backend/pkcs11/rsa.py", line 74, in sign_v15_raw bytes_value=self.key.sign(msg, mechanism=pkcs11.Mechanism.RSA_PKCS), File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/pkcs11/types.py", line 936, in sign return self._sign(data, **kwargs) File "pkcs11/_pkcs11.pyx", line 900, in pkcs11._pkcs11.SignMixin._sign File "pkcs11/_pkcs11.pyx", line 910, in pkcs11._pkcs11.SignMixin._sign File "pkcs11/_errors.pyx", line 88, in pkcs11._pkcs11.assertRV pkcs11.exceptions.DataLenRange

Fellipe

Em qua, 27 de fev de 2019 às 12:52, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Doing this, I'm getting:

"TypeError: asn1crypto.core.OctetBitString value must be a byte string, not coroutine while constructing asn1crypto.core.OctetBitString while constructing asn1crypto.crl.CertificateList

/root/.pyenv/versions/3.7.0/lib/python3.7/threading.py:951: RuntimeWarning: coroutine 'Pkcs11RsaPrivateKey.sign_v15_raw' was never awaited del exc_type, exc_value, exc_tb"

Could you give me a hand?

Fellipe

Em qua, 27 de fev de 2019 às 11:31, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Hi Joern, I'm not a python guru like you, so, I'm having a hard time understanding how to put these lines into build function. I've commented out some stuffs related to the private key passed in as parameter to constructor in the build function, and take a look at this snippet:

if issuer_private_key.algorithm == 'rsa':

sign_func = asymmetric.rsa_pkcs1v15_sign

elif issuer_private_key.algorithm == 'dsa':

sign_func = asymmetric.dsa_sign

elif issuer_private_key.algorithm == 'ec':

sign_func = asymmetric.ecdsa_sign

#

if not is_oscrypto:

issuer_private_key = asymmetric.load_private_key(issuer_private_key)

signature = sign_func(issuer_private_key, tbs_cert_list.dump(), self._hash_algo)

WHAT GOES HERE?

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature })

I guess I need to do: rsa_priv_key = Pkcs11RsaPrivateKey(privatekey obtained_from_the_pkcs11_session) signature_with_cryptokey = rsa_priv_key.sign_v15_raw(msg=tbs_cert_list.dump())

And then, 'signature': signature_with_cryptokey

Is it correct?

Fellipe

Em qua, 27 de fev de 2019 às 04:32, Jörn Heissler < notifications@github.com> escreveu:

Have you extracted the privatekey from the pkcs11 device?

Of course not, that's not possible.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L34 and https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L41 extract the public key values.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L74 asks the token to sign some data.

Btw, you don't really need to use my library to get your work done. You could copy those 3 lines into the CertificateListBuilder.build function.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467755047, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPIkZTJCriRv0sgGTknIaFliYD8Nzks5vRjSVgaJpZM4bSXQO .

ftbarata commented 5 years ago

Updating I've changed the Mechanism to match the one I'm using:

bytes_value=self.key.sign(msg, mechanism=pkcs11.Mechanism.SHA256_RSA_PKCS

And now I'm getting: TypeError: asn1crypto.core.OctetBitString value must be a byte string, not cryptokey.public.rsa.RsaSignature while constructing asn1crypto.core.OctetBitString while constructing asn1crypto.crl.CertificateList

How to convert from cryptokey.public.rsa.RsaSignature to asn1crypto.core.OctetBitString ?

Fellipe

Em qua, 27 de fev de 2019 às 13:54, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Updating:

@contextmanager def open_sig_key() -> pkcs11.types.PrivateKey: """ Horrible function to return an opened private key. Maybe the python-pkcs11 library is buggy, or maybe I just didn't understand it... """ success = False with suppress(pkcs11.exceptions.TokenNotPresent): for token in lib.get_tokens(): with suppress(pkcs11.exceptions.PinLocked): with token.open(user_pin=pin) as sess: with suppress(pkcs11.exceptions.NoSuchKey): for i in sess.get_objects({Attribute.CLASS: ObjectClass.PRIVATE_KEY}):

key = sess.get_key(key_type=pkcs11.KeyType.RSA, object_class=pkcs11.ObjectClass.PRIVATE_KEY)

                        if 'NACIONAL' in i[Attribute.LABEL]:
                            success = True
                            yield i
                            return

with open_sig_key() as key: priv = Pkcs11RsaPrivateKey(key) certificate_list = builder.build(priv) certificate_list = pem_armor_crl(certificate_list=certificate_list).decode() novo_crl_pem = certificate_list

data_dict.update({'crl_pem':novo_crl_pem})

# update_crl = _request(urn=assina_crl_urn, data_dict=data_dict)['response']
# print('Crl assinado e atualizado.', update_crl)
print(novo_crl_pem)

rsa_priv_key = priv_key_from_pkcs11_session signature_with_cryptokey = run(rsa_priv_key.sign_v15_raw(tbs_cert_list.dump()))

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature_with_cryptokey })

File "agent.py", line 440, in run certificate_list = builder.build(priv) File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/crlbuilder_modificado/init.py", line 671, in build signature_with_cryptokey = run(rsa_priv_key.sign_v15_raw(tbs_cert_list.dump())) File "/root/.pyenv/versions/3.7.0/lib/python3.7/asyncio/runners.py", line 43, in run return loop.run_until_complete(main) File "/root/.pyenv/versions/3.7.0/lib/python3.7/asyncio/base_events.py", line 568, in run_until_complete return future.result() File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/cryptokey/backend/pkcs11/rsa.py", line 74, in sign_v15_raw bytes_value=self.key.sign(msg, mechanism=pkcs11.Mechanism.RSA_PKCS), File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/pkcs11/types.py", line 936, in sign return self._sign(data, **kwargs) File "pkcs11/_pkcs11.pyx", line 900, in pkcs11._pkcs11.SignMixin._sign File "pkcs11/_pkcs11.pyx", line 910, in pkcs11._pkcs11.SignMixin._sign File "pkcs11/_errors.pyx", line 88, in pkcs11._pkcs11.assertRV pkcs11.exceptions.DataLenRange

Fellipe

Em qua, 27 de fev de 2019 às 12:52, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Doing this, I'm getting:

"TypeError: asn1crypto.core.OctetBitString value must be a byte string, not coroutine while constructing asn1crypto.core.OctetBitString while constructing asn1crypto.crl.CertificateList

/root/.pyenv/versions/3.7.0/lib/python3.7/threading.py:951: RuntimeWarning: coroutine 'Pkcs11RsaPrivateKey.sign_v15_raw' was never awaited del exc_type, exc_value, exc_tb"

Could you give me a hand?

Fellipe

Em qua, 27 de fev de 2019 às 11:31, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Hi Joern, I'm not a python guru like you, so, I'm having a hard time understanding how to put these lines into build function. I've commented out some stuffs related to the private key passed in as parameter to constructor in the build function, and take a look at this snippet:

if issuer_private_key.algorithm == 'rsa':

sign_func = asymmetric.rsa_pkcs1v15_sign

elif issuer_private_key.algorithm == 'dsa':

sign_func = asymmetric.dsa_sign

elif issuer_private_key.algorithm == 'ec':

sign_func = asymmetric.ecdsa_sign

#

if not is_oscrypto:

issuer_private_key = asymmetric.load_private_key(issuer_private_key)

signature = sign_func(issuer_private_key, tbs_cert_list.dump(), self._hash_algo)

WHAT GOES HERE?

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature })

I guess I need to do: rsa_priv_key = Pkcs11RsaPrivateKey(privatekey obtained_from_the_pkcs11_session) signature_with_cryptokey = rsa_priv_key.sign_v15_raw(msg=tbs_cert_list.dump())

And then, 'signature': signature_with_cryptokey

Is it correct?

Fellipe

Em qua, 27 de fev de 2019 às 04:32, Jörn Heissler < notifications@github.com> escreveu:

Have you extracted the privatekey from the pkcs11 device?

Of course not, that's not possible.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L34 and https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L41 extract the public key values.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L74 asks the token to sign some data.

Btw, you don't really need to use my library to get your work done. You could copy those 3 lines into the CertificateListBuilder.build function.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467755047, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPIkZTJCriRv0sgGTknIaFliYD8Nzks5vRjSVgaJpZM4bSXQO .

ftbarata commented 5 years ago

I think I got it:

'signature': signature_with_cryptokey.bytes_value

-----BEGIN X509 CRL----- MIICUzCCATsCAQIwDQYJKoZIhvcNAQELBQAwdDELMAkGA1UEBhMCQlIxEzARBgNV BAoTCklDUC1CcmFzaWwxNjA0BgNVBAsTLVNlY3JldGFyaWEgZGEgUmVjZWl0YSBG ZWRlcmFsIGRvIEJyYXNpbCAtIFJGQjEYMBYGA1UEAxMPQUMgVkFMSUQgUkZCIHY1 Fw0xOTAyMjcxNzIyMjdaFw0xOTAzMDYxNzIyMjdaMCUwIwIEAswg9RcNMTkwMjI3 MTUyODE2WjAMMAoGA1UdFQQDCgEFoGwwajAfBgNVHSMEGDAWgBRTy6XkdVCZQCy+ WxVFyb7LMKqJxTAKBgNVHRQEAwIBATA7BgNVHRwBAf8EMTAvoC2gK4YpaHR0cHM6 Ly9jZXJ0LnNvdWZlbmViLm9yZy5ici9nZXRfY3JsLzQ2OTMwDQYJKoZIhvcNAQEL BQADggEBAEJHW/XXT8uIOQWF88eJd8s3VLako8YxeIbsB4Bec1KjVNKqRxSPLIS3 8zmmnBWk41rUSPTUeM+GJqK0WyB3ZlC8kdT0joKbrTgt8F7rpwJFYicvo32hbi4h OqPum9P5D8jJcD9Ded9Xp1ro6XEQMnvvBL4NtfPVg0NuVUfJC9VQobkXo/IdJR6q XLJ2FgVPihmPy1t57PyhGSMbvGk0F9fOkPOKRksddvCcJin33Rg3q2bcPcxKDiIt znZBpTHzn5Aq8t4VQBf3K2ljXHCP5eIcpbvhW5JdMKOXahaRCJHi1hGywGQyLvNX mQ9k8Ta0mI4+yuthgmR2h33l7Wb03yg= -----END X509 CRL-----

Is it correct? I didn't use the first two lines (exponent and modulus stuff)

Fellipe

Em qua, 27 de fev de 2019 às 14:20, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Updating I've changed the Mechanism to match the one I'm using:

bytes_value=self.key.sign(msg, mechanism=pkcs11.Mechanism.SHA256_RSA_PKCS

And now I'm getting: TypeError: asn1crypto.core.OctetBitString value must be a byte string, not cryptokey.public.rsa.RsaSignature while constructing asn1crypto.core.OctetBitString while constructing asn1crypto.crl.CertificateList

How to convert from cryptokey.public.rsa.RsaSignature to asn1crypto.core.OctetBitString ?

Fellipe

Em qua, 27 de fev de 2019 às 13:54, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Updating:

@contextmanager def open_sig_key() -> pkcs11.types.PrivateKey: """ Horrible function to return an opened private key. Maybe the python-pkcs11 library is buggy, or maybe I just didn't understand it... """ success = False with suppress(pkcs11.exceptions.TokenNotPresent): for token in lib.get_tokens(): with suppress(pkcs11.exceptions.PinLocked): with token.open(user_pin=pin) as sess: with suppress(pkcs11.exceptions.NoSuchKey): for i in sess.get_objects({Attribute.CLASS: ObjectClass.PRIVATE_KEY}):

key = sess.get_key(key_type=pkcs11.KeyType.RSA, object_class=pkcs11.ObjectClass.PRIVATE_KEY)

                        if 'NACIONAL' in i[Attribute.LABEL]:
                            success = True
                            yield i
                            return

with open_sig_key() as key: priv = Pkcs11RsaPrivateKey(key) certificate_list = builder.build(priv) certificate_list = pem_armor_crl(certificate_list=certificate_list).decode() novo_crl_pem = certificate_list

data_dict.update({'crl_pem':novo_crl_pem})

# update_crl = _request(urn=assina_crl_urn, data_dict=data_dict)['response']
# print('Crl assinado e atualizado.', update_crl)
print(novo_crl_pem)

rsa_priv_key = priv_key_from_pkcs11_session signature_with_cryptokey = run(rsa_priv_key.sign_v15_raw(tbs_cert_list.dump()))

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature_with_cryptokey })

File "agent.py", line 440, in run certificate_list = builder.build(priv) File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/crlbuilder_modificado/init.py", line 671, in build signature_with_cryptokey = run(rsa_priv_key.sign_v15_raw(tbs_cert_list.dump())) File "/root/.pyenv/versions/3.7.0/lib/python3.7/asyncio/runners.py", line 43, in run return loop.run_until_complete(main) File "/root/.pyenv/versions/3.7.0/lib/python3.7/asyncio/base_events.py", line 568, in run_until_complete return future.result() File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/cryptokey/backend/pkcs11/rsa.py", line 74, in sign_v15_raw bytes_value=self.key.sign(msg, mechanism=pkcs11.Mechanism.RSA_PKCS), File "/root/sigcerta/.virtualenv2/lib/python3.7/site-packages/pkcs11/types.py", line 936, in sign return self._sign(data, **kwargs) File "pkcs11/_pkcs11.pyx", line 900, in pkcs11._pkcs11.SignMixin._sign File "pkcs11/_pkcs11.pyx", line 910, in pkcs11._pkcs11.SignMixin._sign File "pkcs11/_errors.pyx", line 88, in pkcs11._pkcs11.assertRV pkcs11.exceptions.DataLenRange

Fellipe

Em qua, 27 de fev de 2019 às 12:52, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Doing this, I'm getting:

"TypeError: asn1crypto.core.OctetBitString value must be a byte string, not coroutine while constructing asn1crypto.core.OctetBitString while constructing asn1crypto.crl.CertificateList

/root/.pyenv/versions/3.7.0/lib/python3.7/threading.py:951: RuntimeWarning: coroutine 'Pkcs11RsaPrivateKey.sign_v15_raw' was never awaited del exc_type, exc_value, exc_tb"

Could you give me a hand?

Fellipe

Em qua, 27 de fev de 2019 às 11:31, Fellipe Theophilo < fellipetheophilo@gmail.com> escreveu:

Hi Joern, I'm not a python guru like you, so, I'm having a hard time understanding how to put these lines into build function. I've commented out some stuffs related to the private key passed in as parameter to constructor in the build function, and take a look at this snippet:

if issuer_private_key.algorithm == 'rsa':

sign_func = asymmetric.rsa_pkcs1v15_sign

elif issuer_private_key.algorithm == 'dsa':

sign_func = asymmetric.dsa_sign

elif issuer_private_key.algorithm == 'ec':

sign_func = asymmetric.ecdsa_sign

#

if not is_oscrypto:

issuer_private_key = asymmetric.load_private_key(issuer_private_key)

signature = sign_func(issuer_private_key, tbs_cert_list.dump(), self._hash_algo)

WHAT GOES HERE?

return crl.CertificateList({ 'tbs_cert_list': tbs_cert_list, 'signature_algorithm': { 'algorithm': signature_algorithm_id }, 'signature': signature })

I guess I need to do: rsa_priv_key = Pkcs11RsaPrivateKey(privatekey obtained_from_the_pkcs11_session) signature_with_cryptokey = rsa_priv_key.sign_v15_raw(msg=tbs_cert_list.dump())

And then, 'signature': signature_with_cryptokey

Is it correct?

Fellipe

Em qua, 27 de fev de 2019 às 04:32, Jörn Heissler < notifications@github.com> escreveu:

Have you extracted the privatekey from the pkcs11 device?

Of course not, that's not possible.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L34 and https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L41 extract the public key values.

https://github.com/joernheissler/cryptokey/blob/pkcs11/cryptokey/backend/pkcs11/rsa.py#L74 asks the token to sign some data.

Btw, you don't really need to use my library to get your work done. You could copy those 3 lines into the CertificateListBuilder.build function.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-467755047, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPIkZTJCriRv0sgGTknIaFliYD8Nzks5vRjSVgaJpZM4bSXQO .

joernheissler commented 5 years ago

Your CRL looks fine to me. But without the CA certificate, there is no way to check if it's really okay.

Try openssl crl -CAfile yourca.crt -in your.crl

ftbarata commented 5 years ago

Hi Joern,

I'm stuck on this: https://github.com/wbond/crlbuilder/issues/4 Do you have any workaround for this?

I'm thinking in use cryptography.io Revocation List Builder, but it seems will be very hard to change their source code to enable signing with pkcs11 device. Thanks in advance.

Fellipe

Em qui, 28 de fev de 2019 às 05:04, Jörn Heissler notifications@github.com escreveu:

Your CRL looks fine to me. But without the CA certificate, there is no way to check if it's really okay.

Try openssl crl -CAfile yourca.crt -in your.crl

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-468176125, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPHpVHirrH6AyeKEeU3BoDnXqSnT8ks5vR41vgaJpZM4bSXQO .

joernheissler commented 5 years ago

I made a patch for pyca/cryptography to allow such things, but it got rejected: https://github.com/pyca/cryptography/issues/3136 Looks like they never got around to implement pkcs#11 which would be a saner option than my patch.

This limitation in pyca/cryptography is one of the reasons I started my cryptokey library.

Your best option might be to fix the bug in crlbuilder.

ftbarata commented 5 years ago

Hello. You're a great guru. It's too advanced for me, this patch you've wrote.

So, I already tried to find where is the bug. The way I use to try to find it is using PyCharm, and CTRL+ mouse click to jump over the classes. But even doing this, I did not get anywhere. If you could take a very little look or could give me any tip, I'd be happy. I've sent an email to William Bond a couple days ago, but I didn't get any response yet. Currently I'm trying to hardcode the cryptography.io source to adapt to that code you helped me before.

Fellipe

Em sáb, 9 de mar de 2019 às 21:01, Jörn Heissler notifications@github.com escreveu:

I made a patch for pyca/cryptography to allow such things, but it got rejected: pyca/cryptography#3136 https://github.com/pyca/cryptography/issues/3136 Looks like they never got around to implement pkcs#11 which would be a saner option than my patch.

This limitation in pyca/cryptography is one of the reasons I started my cryptokey library.

Your best option might be to fix the bug in crlbuilder.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/joernheissler/cryptokey/issues/1#issuecomment-471233548, or mute the thread https://github.com/notifications/unsubscribe-auth/ATrNPABJVE54aOiZQRsPbZ_UT5s-graaks5vVEtZgaJpZM4bSXQO .