Thread: pkcs#11 example

  1. #1
    Join Date
    Dec 2009
    Posts
    65
    Thanks
    10
    Thanked 4 Times in 4 Posts
    Qt products
    Qt4 Qt5
    Platforms
    Unix/X11 Windows Android

    pkcs#11 example

    I am trying to use a private key from a PKCS#11 dongle. In the Qt documentation http://doc.qt.digia.com/qt-5.0/qtdoc...and-networking there is a link to a qsslkey example, http://git.iksaif.net/?p=qsslkey-p11.git, which shows "web page not available". I couldn't find that example with Google. Is there a clone of that project, or a similar example that anyone knows of?

  2. #2
    Join Date
    Nov 2015
    Posts
    1
    Qt products
    Qt5
    Platforms
    MacOS X Unix/X11 Windows

    Re: pkcs#11 example

    I was more successful googling: https://github.com/iksaif/qsslkey-p11

    It was even possible to use PKCS#11 before; we have been using it at SwissSign for the SuisseID for some years. It runs on Linux, Mac OS X and Windows. There is a PKCS#11-enabled Qt browser (originally started by myself as SwissSurfer, then renamed by our company to SwissBrowser, then taken back to open source as SwissSurfer again, and to be renamed to simply Surfer in the near future). The project is now open source and available from my private homepage:

    The trick is to combine Qt with an OpenSSL engine, as supported by my C++ library project libpcscxx:
    1. Add a dummy private Key: https://dev.marc.waeckerlin.org/redm...3499b94702e27d
    2. Login to the SmartCard: https://dev.marc.waeckerlin.org/redm...34391129325501
    3. And finally sign: https://dev.marc.waeckerlin.org/redm...c60bf83f1ec6b7


    You can find binaries in my repository and instructions to set up the repository on my project's entrance page.



    Added after 18 minutes:


    After browsing the Qt5 QSslKey documentation, this is the new method that will simplify our life: QSslKey::QSslKey(Qt::HANDLE handle, QSsl::KeyType type = QSsl::PrivateKey). Up to now I had to abuse Qt::HANDLE QSslKey::handle() const for my purposes, see void qbrowserlib::CryptokiEngine::cert(cryptoki::Object &privateKey, const std::string &certVal). Now I can set my handle without tricks.

    Up to now, I did it as follows:
    Qt Code:
    void cert(cryptoki::Object& privateKey, const std::string& certVal) {
      TRC;
      _privateKey = std::auto_ptr<cryptoki::Object>
        (new cryptoki::Object(privateKey));
      try { // new
        QSslConfiguration sslConfig(QSslConfiguration::defaultConfiguration());
        // the client certificate comes from the token as DER
        QSslCertificate localcert(QByteArray(certVal.data(),
                                             certVal.size()),
                                  QSsl::Der);
        sslConfig.setLocalCertificate(localcert);

        //RSA_set_default_method(ENGINE_get_RSA(_e));
        QByteArray pem // empty dummy key for qt object instantiation
          ("-----BEGIN RSA PRIVATE KEY-----\n"
           "MIIBOwIBAAJBAMH2yqAGeVNPdgeZ2GoHo31m9aUxZ7QfK2Go2qLTahLpQ3UL1C8G\n"
           "LkuMS8SNK0ZGfRMalIpIhv6bW5l3kjogOncCAwEAAQJABVGECtFCoGMsZFb2lSmy\n"
           "dOzOzYHGSy0TnnDn1dEgNnZ8sIljElPtUzm9dyXs2P3ICL1sOd7qjpzfJeyxknDL\n"
           "AQIhAO5iKdLmhyuW+EDEH19vDs1Pmqs3/ZnT5UgUiJnTJqz3AiEA0ExIfUOCnxq2\n"
           "a3Z46KEivcr8JB2P9VqouBbVryiq/oECIQDj8bPCejMoiEzMSX0iWWTTB9qC/KAg\n"
           "FtF4skHIrXKfEwIgPCs86Uo+Ch2aQjKHvJMHSRHAgeI0OmiEwiB+e0lhE4ECIQDd\n"
           "IbUmHIXt6oHLJmoGFX46bCcfil5eE5FXfiaw7Q9iPw==\n"
           "-----END RSA PRIVATE KEY-----\n");
        QSslKey privkey(pem, QSsl::Rsa, QSsl::Pem, QSsl::PrivateKey);
        RSA* rsa((RSA*)privkey.handle()); // the OpenSSL object behind the dummy key
        if (!ENGINE_init(_e)) return;
        rsa->engine=_e;                   // route RSA operations through the PKCS#11 engine
        rsa->meth=ENGINE_get_RSA(_e);     // the engine's RSA_METHOD does the actual signing
        if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, rsa, &rsa->ex_data)) {
          ENGINE_finish(_e);
          return;
        }
        // replace the dummy key's parameters with the token key's attributes
        // (set() is a libpcscxx helper that reads one CKA_* attribute into a BIGNUM)
        set(rsa->n, privateKey, CKA_MODULUS, "CKA_MODULUS");
        set(rsa->e, privateKey, CKA_PUBLIC_EXPONENT, "CKA_PUBLIC_EXPONENT");
        set(rsa->d, privateKey, CKA_PRIVATE_EXPONENT, "CKA_PRIVATE_EXPONENT");
        set(rsa->p, privateKey, CKA_PRIME_1, "CKA_PRIME_1");
        set(rsa->q, privateKey, CKA_PRIME_2, "CKA_PRIME_2");
        set(rsa->dmp1, privateKey, CKA_EXPONENT_1, "CKA_EXPONENT_1");
        set(rsa->dmq1, privateKey, CKA_EXPONENT_2, "CKA_EXPONENT_2");
        set(rsa->iqmp, privateKey, CKA_COEFFICIENT, "CKA_COEFFICIENT");
        rsa->flags |= RSA_FLAG_SIGN_VER; // don't emulate with encrypt/decrypt
        assert(!privkey.isNull());
        LOG<<"Setup RSA finished";
        sslConfig.setPrivateKey(privkey);
        QSslConfiguration::setDefaultConfiguration(sslConfig);
      } catch (const std::exception& e) {
        LOG<<"SETUP ERROR: "<<e.what();
      }
    }

    Now, with this new method, I probably will not need the ugly dummy private key anymore.
    Last edited by mrw; 11th November 2015 at 10:11.
