danish
Crypto.sign with an engine stored private key
Hi All,
I am trying to sign a string with a an engine stored private key.
my engine loads fine, but I am getting an argument error on :crypto.sign.
code:
def digital_signature(string) do
refrenceKey = load_engine()
privKey = %{:engine => refrenceKey, :key_id => "3"}
signature = :crypto.sign(:rsa, :sha256, string, privKey)
end
def load_engine() do
{:ok, engine} = :crypto.engine_load(<<"dynamic">>,[{<<"SO_PATH">>,<<"/some/path/otp_test_engine.so">>},{<<"ID">>, <<"cloudhsm">>},<<"LOAD">>],[])
engine
end
error:
** (exit) an exception was raised:
** (ArgumentError) argument error
(crypto) :crypto.pkey_sign_nif(:rsa, :sha256, "{\"Username\":\"simon\",\"Timestamp\":\"2019-01-04T20:58:48.7840832Z\",\"MachineName\":\"DESKTOP-04VG111\"}", [%{:engine => #Reference<0.1907491504.29753345.12345>, :key_id => "3"}], [])
(crypto) crypto.erl:829: :crypto.sign/5
Most Liked
voltone
I think the password attribute is mandatory in the map describing the private key.
When I tried to use the :crypto engine API with a YubiKey in the past I got stuck on the OpenSC PKCS#11 driver asking for a PIN using stdin/stdout. The BEAM has its own I/O handling and doesn’t let me enter the PIN. It seems weird to have a library try and perform interactive I/O like that, and I guess it must be possible to pass the PIN through the API instead, but I haven’t found a way.
ericr3r
I hate to jump on an old post but I kept running into this post when trying to solve how to perform digital signatures with a YubiKey. I was not able to solve how to perform the signature using a certificate in slot 9c (cert #02) because it requires user input for every signature event but slot 9e (cert #04) allowed me to login using pin once and perform a signature.
Here is the related code for posterity’s sake:
def digital_signature(string, %{pin: _pin, slot: _slot} = opts) do
{:ok, engine} = load_engine()
privKey = private_key(engine, opts)
signature = :crypto.sign(:ecdsa, :sha256, string, privKey)
end
def load_engine() do
:crypto.engine_load(
"dynamic",
[{"SO_PATH", libpkcs}, {"ID", "pkcs11"}, {"LOAD", ""}],
[{"MODULE_PATH", "/usr/lib/libykcs11.so"}]
)
end
def private_key(engine, %{pin: pin, slot: slot}) do
%{
engine: engine,
key_id:
"pkcs11:object=X.509%20Certificate%20for%20Digital%20Signature;pin-value=#{pin};id=%#{
slot
}"
}
end
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








