software pkcs11 implementation
soft-pkcs11 is a software-only PKCS#11 implementation. The main idea is to be able to turn your phone into a secure keychain, but you can use this module as you wish.
It is inspired by the soft-pkcs11 (http://people.su.se/~lha/soft-pkcs11/README) implementation by Love Hörnquist Åstrand (http://people.su.se/~lha/) and includes it as an example.
It only handles RSA, because I use it for ssh-agent.
It is not production-ready yet, but I'm using it every day.
I'm using it with my Android phone to make it my keychain. All keys are stored on my phone in encrypted form (openssl/encfs/md-crypt). They are mounted to a local folder with FUSE sshfs, and they are accessible only to my user (even root can't access the mounted fs). After mounting, the encrypted keys are mounted through another FUSE module, encfs, to another folder and become unencrypted. But you still must use RSA private key encryption. So I can use my phone with ssh or ssh-agent.
This is very easy:
eval `ssh-agent`
ssh-add -s `pwd`/./libsoft-pkcs.so
#use ssh-agent forwarding
ssh -A jerry@somedomain
ssh user@anotherdomain
Well done.
The SOFTPKCS11RC environment variable or $HOME/.soft-token.rc is used to configure the module. All drivers are stacked in the order in which they appear in the config.
[fs any label]
#simple filesystem driver: with this alone you can already use soft-pkcs11 to expose the keys in a folder
driver=fs
path=/home/jerry/devel/soft-pkcs/keys
[openssl encryption]
driver=crypt
#%PIN% is substituted when the token is logged in with a PIN
decrypt=/usr/bin/openssl enc -d -base64 -aes-256-cbc -k '%PIN%'
encrypt=/usr/bin/openssl enc -base64 -aes-256-cbc -k '%PIN%'
With this config, key files are stored in /home/jerry/devel/soft-pkcs/keys, encrypted as specified in the [openssl encryption] block. The PIN is used as the password for encryption.
[android fs]
driver=fuse
#this is a simple password to access my phone through ssh. It is simple because the SFTP server is not always running.
mount=echo "123123123" | sshfs -o password_stdin root@android:/mnt/sdcard/keys /home/jerry/.soft-pkcs11/sshfs &> /dev/null
umount=fusermount -u /home/jerry/.soft-pkcs11/sshfs &> /dev/null
#if you don't want to use encryption you can use the module already at this point.
path=/home/jerry/.soft-pkcs11/sshfs
[encryption layer]
driver=fuse
#the password (PIN) is ALWAYS written to stdin with the 'fuse' driver
#setting up encfs (.encfs6.xml) is done by hand
mount=encfs -S /home/jerry/.soft-pkcs11/sshfs /home/jerry/.soft-pkcs11/keys &> /dev/null
umount=fusermount -u /home/jerry/.soft-pkcs11/keys &> /dev/null
path=/home/jerry/.soft-pkcs11/keys
You can combine driver layers.
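The following is an added example, not code from the soft-pkcs11 project: a small parser for the .soft-token.rc layout shown above (INI-like [label] sections of key=value lines, '#' comments, drivers stacked in file order, %PIN% substituted into the crypt driver's commands at login). It also shows one way to fill in %PIN% without handing the PIN to a shell. How the real module parses or executes the file is not documented on this page, so the parsing rules, the KNOWN_DRIVERS set and the build_argv approach are assumptions of this example.

```python
"""Parse a soft-pkcs11 style config (SOFTPKCS11RC / ~/.soft-token.rc) and
build the driver stack.

Added example, not the project's own code. The format is taken from the
README's sample config; how the real module parses or executes it is an
assumption here.
"""
import shlex
from dataclasses import dataclass, field

# Driver kinds named on the page; anything else is treated as a config error.
KNOWN_DRIVERS = {"fs", "crypt", "fuse"}

# Constructed sample config that mirrors the README layout.
SAMPLE_RC = """\
[fs any label]
#simple filesystem driver
driver=fs
path=/home/jerry/devel/soft-pkcs/keys

[openssl encryption]
driver=crypt
#%PIN% substituted when token logged in with pin
decrypt=/usr/bin/openssl enc -d -base64 -aes-256-cbc -k '%PIN%'
encrypt=/usr/bin/openssl enc -base64 -aes-256-cbc -k '%PIN%'
"""


@dataclass
class Driver:
    label: str
    options: dict = field(default_factory=dict)

    @property
    def kind(self) -> str:
        return self.options.get("driver", "")


def parse_rc(text: str) -> list:
    """Return the drivers in file order; file order is the stacking order."""
    drivers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Driver(label=line[1:-1].strip())
            drivers.append(current)
            continue
        if current is None:
            raise ValueError(f"option outside of a [section]: {line!r}")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"expected key=value, got {line!r}")
        current.options[key.strip()] = value.strip()
    for d in drivers:
        if d.kind not in KNOWN_DRIVERS:
            raise ValueError(f"[{d.label}]: unknown driver {d.kind!r}")
        if d.kind == "crypt" and not all(
            "%PIN%" in d.options.get(k, "") for k in ("encrypt", "decrypt")
        ):
            raise ValueError(f"[{d.label}]: crypt driver needs encrypt/decrypt with %PIN%")
    return drivers


def build_argv(template: str, pin: str) -> list:
    """Turn a crypt command template into an argv with the PIN filled in.

    The template is split with shell rules first and %PIN% is replaced inside
    the resulting tokens, so the command can be run with subprocess without a
    shell: a PIN containing quotes, spaces or '$' becomes one literal argument
    instead of being re-parsed by /bin/sh.
    """
    return [tok.replace("%PIN%", pin) for tok in shlex.split(template)]


def stack_summary(drivers: list) -> list:
    """(label, kind, path or None) per layer, in stacking order."""
    return [(d.label, d.kind, d.options.get("path")) for d in drivers]


if __name__ == "__main__":
    layers = parse_rc(SAMPLE_RC)
    for label, kind, path in stack_summary(layers):
        print(f"{kind:6s} [{label}] path={path}")
    # "example-pin" is a constructed value, not a real PIN.
    print(build_argv(layers[1].options["decrypt"], "example-pin"))
```

Note that with the `-k '%PIN%'` form used on the page the PIN ends up on the openssl command line, where any local user can read it from the process list for the duration of the call; openssl's `-pass stdin` or `-pass fd:N` options keep it off the command line if that matters for your setup.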
To manage keys through the soft-pkcs11 module you can use pkcs11-tool from the opensc package:
jerry@jerry ~/devel/soft-pkcs/build $ pkcs11-tool --module ./libsoft-pkcs.so -O -l -p 123123123
Using slot 0 with a present token (0x1)
Public Key Object; RSA 0 bits
label: SSH ssh-private.key.pub
ID: 32303834333137323432393530393938333731
Usage: encrypt, verify
Private Key Object; RSA
label: ssh-private.key
ID: 3130383437353832373236323639373335323836
Usage: decrypt, sign, unwrap
Access: always authenticate
Private Key Object; RSA
label: ssl-private.key
ID: 3133313438313534303736313735313537333832
Usage: decrypt, sign, unwrap
Access: always authenticate
Public Key Object; RSA 0 bits
label: ssh-private.key.pub
ID: 3130383437353832373236323639373335323836
Usage: encrypt, verify
# get contents of private key
pkcs11-tool --module ./libsoft-pkcs.so -l -p 123123123 -r -y privkey -a ssh-private.key
# add private key to container
pkcs11-tool --module ./libsoft-pkcs.so -O -l -p 123123123 -w ../keys/ssh-private.key --label ssh-private.key --type data
# add public key to container
pkcs11-tool --module ./libsoft-pkcs.so -O -l -p 123123123 -w ../keys/ssh-private.key.pub --label ssh-private.key.pub --type data
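Before trusting a token with ssh-agent it is worth checking the object listing for two things: every private key object reports "Access: always authenticate" (pkcs11-tool's rendering of CKA_ALWAYS_AUTHENTICATE, meaning each sign/decrypt needs the PIN again), and each private key has a public key object with the same ID. The following is an added example, not code from the project or from opensc: it parses the listing printed above (reproduced verbatim as constructed input) and reports those findings. In that listing the first public key object carries an ID that matches no private key, and ssl-private.key has no public counterpart, which is what the checker flags.

```python
"""Audit a `pkcs11-tool -O -l` object listing.

Added example, not the project's own code. The parser keys off the
'... Object;' / 'label:' / 'ID:' / 'Usage:' / 'Access:' lines that pkcs11-tool
prints; leading whitespace (present in real output) is ignored.
"""
import re

# The README's listing, used here as constructed sample input.
SAMPLE_LISTING = """\
Using slot 0 with a present token (0x1)
Public Key Object; RSA 0 bits
label: SSH ssh-private.key.pub
ID: 32303834333137323432393530393938333731
Usage: encrypt, verify
Private Key Object; RSA
label: ssh-private.key
ID: 3130383437353832373236323639373335323836
Usage: decrypt, sign, unwrap
Access: always authenticate
Private Key Object; RSA
label: ssl-private.key
ID: 3133313438313534303736313735313537333832
Usage: decrypt, sign, unwrap
Access: always authenticate
Public Key Object; RSA 0 bits
label: ssh-private.key.pub
ID: 3130383437353832373236323639373335323836
Usage: encrypt, verify
"""

OBJECT_RE = re.compile(r"^(?P<type>.+?) Object;\s*(?P<rest>.*)$")


def parse_listing(text: str) -> list:
    """Return one dict per object: type, label, id, usage (set), access."""
    objects = []
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            objects.append({"type": m.group("type"), "label": None, "id": None,
                            "usage": set(), "access": None, "extra": m.group("rest")})
            continue
        if not objects or ":" not in line:
            continue  # "Using slot ..." header, blank lines, anything before the first object
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "usage":
            objects[-1]["usage"] = {u.strip() for u in value.split(",") if u.strip()}
        elif key in ("label", "id", "access"):
            objects[-1][key] = value
    return objects


def audit(objects: list) -> dict:
    """Findings a key holder cares about; empty lists mean a clean listing."""
    priv = [o for o in objects if o["type"] == "Private Key"]
    pub = [o for o in objects if o["type"] == "Public Key"]
    pub_by_id = {o["id"]: o for o in pub}
    priv_ids = {o["id"] for o in priv}
    return {
        # Private keys must demand the PIN for every use, not just at login.
        "private_without_always_auth": [o["label"] for o in priv
                                        if o["access"] != "always authenticate"],
        # Private/public pairs are matched by CKA_ID.
        "pairs": {o["label"]: pub_by_id[o["id"]]["label"]
                  for o in priv if o["id"] in pub_by_id},
        "unpaired_private": [o["label"] for o in priv if o["id"] not in pub_by_id],
        "unpaired_public": [o["label"] for o in pub if o["id"] not in priv_ids],
    }


if __name__ == "__main__":
    for finding, value in audit(parse_listing(SAMPLE_LISTING)).items():
        print(f"{finding}: {value}")
```

An unpaired public key is harmless by itself, but a private key without a matching public object cannot be offered by ssh-agent, and a private key whose Access line lacks "always authenticate" can be used to sign as often as the module likes once the PIN has been entered.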
To use it with ssh:
jerry@jerry ~/devel/soft-pkcs/build $ eval `ssh-agent`
Agent pid 12930
jerry@jerry ~/devel/soft-pkcs/build $ ssh-add -s `pwd`/libsoft-pkcs.so
Enter passphrase for PKCS#11: <123123123>
Card added: /home/jerry/devel/soft-pkcs/build/./libsoft-pkcs.so
jerry@jerry ~/devel/soft-pkcs/build $ ssh jerry@localhost
jerry@jerry ~ SSH
read key/data contents or use sign/encrypt, which are implemented through OpenSSL.