I also try another way (using openssl + engine instead of pkcs11-tool) for the decrypt step.
This is how the signature mechanism works (u-boot, sw-update, RZG2UL bootloaders…)
But unfortunately it’s also asking me for the “PIN” even if we have “User PIN authenticated (9000)” in Smart Card Shell.
NOTE: The experiment is to check if we can “connect with PIN” in Smart Card Shell and THEN use the keys externally with openSSL without “login”. (To verify that we can “attach” to an existing session)
- Create a file /tmp/openssl.conf:
cat > /tmp/openssl.conf << EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
MODULE_PATH = /usr/local/lib/libsc-hsm-pkcs11.so
init = 0
EOF
- Try to decode the message (with login):
$ OPENSSL_CONF=/tmp/openssl.conf openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey 'pkcs11:object=TEST;type=private;id=%01;pin-value=000000' -in /tmp/msg.enc -out /tmp/msg.dec
Engine "pkcs11" set.
$ cat /tmp/msg.dec
Message secret
$
- Start Smart Card Shell, type Ctrl + M, Login using “PIN”. Wait for “User PIN authenticated (9000)”
- Try to decode the message (without login):
$ OPENSSL_CONF=/tmp/openssl.conf openssl pkeyutl -engine pkcs11 -keyform engine -decrypt -inkey 'pkcs11:object=TEST;type=private;id=%01' -in /tmp/msg.enc -out /tmp/msg.dec
Engine "pkcs11" set.
Enter PKCS#11 token PIN for SmartCard-HSM:
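The two runs above differ only in whether the PKCS#11 URI passed to `-inkey` carries `pin-value`. The following is an added example, not code from the post, the OpenSC project or libp11: a minimal RFC 7512 PKCS#11 URI parser that splits the URI used here into its attributes, percent-decodes the binary `id` (`%01`), reports whether a PIN is embedded inline, and produces a redacted form suitable for logs or shell history. It assumes, as the post's own URI shows, that `pin-value` may appear in the `;`-separated path component as well as in the RFC's `?` query component; the `token=X` and `pin-source` values in the self-test are constructed.

```python
"""Minimal RFC 7512 PKCS#11 URI parser (added example, not from the original post).

The URI on the page, 'pkcs11:object=TEST;type=private;id=%01;pin-value=000000',
is split into its attributes, the percent-encoded 'id' is decoded to bytes, and
the presence of an inline PIN is reported so it can be redacted before logging.
"""
from urllib.parse import unquote, unquote_to_bytes

# Attributes RFC 7512 defines as binary (percent-encoded raw bytes).
_BINARY_ATTRS = {"id"}
# Attributes that carry PIN material. Assumption: libp11's engine accepts them
# in the path component (as in the post's URI) as well as in the query component.
_PIN_ATTRS = {"pin-value", "pin-source"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {attr: value} for a pkcs11: URI.

    Path attributes are separated by ';', query attributes (after '?') by '&'.
    'id' is returned as bytes, every other value as a percent-decoded str.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    rest = uri[len("pkcs11:"):]
    path, _, query = rest.partition("?")
    attrs = {}
    parts = [p for p in path.split(";") if p] + [q for q in query.split("&") if q]
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote_to_bytes(value) if name in _BINARY_ATTRS else unquote(value)
    return attrs


def has_inline_pin(uri: str) -> bool:
    """True if the URI carries the PIN itself (pin-value) or a pin-source."""
    return any(k in _PIN_ATTRS for k in parse_pkcs11_uri(uri))


def redact_pin(uri: str) -> str:
    """Return the URI with any pin-value replaced, safe for logs/shell history."""
    head, _, rest = uri.partition(":")
    if head != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, q, query = rest.partition("?")

    def scrub(seg: str) -> str:
        name, sep, _ = seg.partition("=")
        return f"{name}=<redacted>" if sep and name == "pin-value" else seg

    path = ";".join(scrub(s) for s in path.split(";"))
    if q:
        query = "&".join(scrub(s) for s in query.split("&"))
    return f"pkcs11:{path}{q}{query}"


if __name__ == "__main__":
    # The two key references used on the page: with and without an inline PIN.
    with_pin = "pkcs11:object=TEST;type=private;id=%01;pin-value=000000"
    without_pin = "pkcs11:object=TEST;type=private;id=%01"
    for u in (with_pin, without_pin):
        a = parse_pkcs11_uri(u)
        print(a["object"], a["type"], a["id"].hex(), "inline PIN:", has_inline_pin(u))
        print("  loggable form:", redact_pin(u))
```

Running the script prints both references with `id` decoded to `01`, reports `inline PIN: True` only for the first, and shows the redacted form; the redaction is what you want applied before a command line like the one above ends up in a build log, since `pin-value` on the command line is visible in process listings and shell history.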