我需要创建 PKCS7 signedData 结构并在智能卡上执行签名。这几乎是 openssl 函数 PKCS7_sign 所做的,除了签名。也许有人可以为这个问题提供一些建议,即如何使用 openssl 或任何其他 c/c++ 跨平台库来做到这一点。至于 openssl,PKCS7_sign 函数的标志 PKCS7_PARTIAL 或 PKCS7_STREAM 似乎很有用。如果我使用这些标志中的任何一个,我可以获得几乎完整的 PKCS7 结构。在这种情况下,结构是完整的,只是它不包含“数据”和“符号”。所以我只需要添加这些元素。但我没有找到如何做到这一点的方法。有人知道吗?
1 回答
You generally do not want (or are technically blocked) from extracting the private key from a smartcard. As this is sort of the very point of a smartcard - a tamper proof bit of crypto memory and connected CPU that will never divulge your private key.
So instead you need to ask the chipcard nicely to do the signing for you.
OpenSSL can do this - but needs to know how to talk to the chipcard. That is generally done with an 'engine'. Most commonly a pkcs#11 of #15 is used for this - in conjunction with the vendors chipcard (reader) driver.
You then typically need to get the slot and key identifiers:
# Extracting slot, auth ids and key id's for later use/reference
#
set `pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots | grep Slot | grep SCM`
SLOT=$2
set `pkcs15-tool --list-keys | grep ID`
AID=$4
KID=$7
After which you can do 'things' on the card:
/usr/bin/openssl << EOM
engine dynamic -pre SO_PATH:/Library/OpenSC/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
XXX -engine pkcs11 -b-key slot_$SLOT-id_$KID -keyform engine ....
EOM
One such thing can be signing a pkcs7. From code - pretty much do the same thing. I usually use the app/util convenience stuf from openssl it's apps directory to make live a bit easier.