
PKCS#11 Cryptographic Tokens: Managing and Accessing Token Objects (Continued)

Cryptographic tokens and smart cards have become quite commonplace today. More and more people go to certification authorities (CAs) and are issued a key and an electronic signature in order to access various sites and receive certain services. Explaining to them that they are being given a certificate, which is something like a passport, and that they will apply the electronic signature themselves with their private key, convinces few people.

There is a magic word, the key, and on it there is something that lets you send data to the tax office, take part in tenders, and so on. CAs issue citizens and organizations "keys" carrying certificates and private keys. Today the overwhelming majority of these keys are tokens. One would like to say cryptographic tokens supporting Russian cryptography and the PKCS#11 interface, but unfortunately that is far from the case. Although both the number of manufacturers and the volume of tokens keep growing, in most cases they are still used as an ordinary flash drive, only with PIN-protected access.

Still, PKCS#11 tokens supporting GOST cryptography are gaining popularity among certificate holders. And the more portals and electronic trading platforms work through PKCS#11 rather than through the MS CSP interface, the faster, strangely enough, import substitution will proceed.

So, there are PKCS#11 tokens that store certificates and private keys, are protected by PIN codes, and, unlike flash drives, can not only store data but also perform cryptographic operations.
Every owner of a token or smart card naturally wants to protect access to the private key. To do so, they must change not only the user PIN but also the SO PIN. It is also natural to want to know which objects (public and private keys, certificates and other objects) are stored on the token. Moreover, if you receive a certificate and keys from a CA, it is worth checking for yourself what ended up on the token: that nothing superfluous appeared there and, God forbid, nothing disappeared. So it would be nice to have a simple utility that can manage tokens (initialize them, change PIN codes, and so on), view objects, and more. The operation of exporting from the token is also in great demand these days: not the private key, but the certificate.

This utility is p11conf, which can be downloaded for various platforms here:

bash-4.3$ /usr/local/bin64/p11conf
usage: /usr/local/bin64/p11conf [-hitsmIupPredf] -A APIpath [-c slotID -U userPin -S SOPin -n newPin -L label]
  -h display usage
  -i display PKCS#11 library info
  -s display slot(s) info (-c slotID is optional)
  -t display token(s) info (-c slotID is optional)
  Others must use -c slotID
  -m display mechanism list
  -I initialize token
  -u initialize user PIN
  -p set the user PIN
  -P set the SO PIN
  -e enumerate objects
  -d dump all object attributes (additional to -e and to -f)
  -r remove all objects
  -e -r remove enumerated objects with prompt
  -f enumerate certificates and write them to DER-files with prompt
Version 5.7 Copyright(C) 2011-2018
bash-4.3$

A distinctive feature of this utility is that it also has a graphical shell, which is likewise available here:

[screenshot]

After you select the PKCS#11 library, the information window shows the library information (the most valuable item here is the version of the PKCS#11 standard it supports) and, if a token is present, the token information (token label and the slot it occupies):

[screenshot]

With at least one of these utilities (p11conf, GUITKP11Conf) in hand, the user has a convenient tool for managing and viewing PKCS#11 tokens and smart cards. For instance, by looking through the mechanisms a token supports, you can choose a token with the cryptographic mechanisms you need, for example one supporting GOST R 34.10-2012:

[screenshot]

You can see not only the list of objects on the token but also detailed information about each object (attributes, flags, values):

[screenshot]

After entering the PIN code, you receive complete information about each object:

[screenshot]

The certificate export function deserves special mention. From the command line, the certificate is exported only in DER format (the format in which certificates are stored on PKCS#11 tokens), whereas the graphical shell lets you export the certificate both in DER and in PEM format:

[screenshot]
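To show what the export step involves, here is an added Python example (not code from p11conf or from the article) that validates an exported CKA_VALUE as exactly one DER SEQUENCE, writes it in DER and PEM, and, assuming the PyKCS11 package and the path to a vendor's PKCS#11 library, enumerates the certificate objects on a token. The SAMPLE_DER blob is constructed for the pure helpers and is not a real certificate.

```python
import base64
import os
# Constructed sample: a minimal DER SEQUENCE (not a real certificate), so the
# pure helpers below can be exercised without a token attached.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])

def der_sequence_length(blob: bytes) -> int:
    """Byte length of blob as exactly one DER SEQUENCE; ValueError otherwise."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                       # short-form length (< 128 bytes)
        header, length = 2, first
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            raise ValueError("bad long-form length")
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    if header + length != len(blob):       # truncated or padded CKA_VALUE
        raise ValueError(f"SEQUENCE spans {header + length} bytes, blob has {len(blob)}")
    return header + length

def der_to_pem(der: bytes) -> str:
    """Wrap validated DER as PEM: base64 in 64-column lines between CERTIFICATE markers."""
    der_sequence_length(der)
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def export_token_certificates(lib_path: str, out_dir: str = ".", slot_index: int = 0):
    """Write every CKO_CERTIFICATE on the token as <label>.der and <label>.pem.
    Assumes the PyKCS11 package; lib_path is the vendor's PKCS#11 library."""
    import PyKCS11                         # lazy: the pure helpers run without it
    lib = PyKCS11.PyKCS11Lib()
    lib.load(lib_path)
    slot = lib.getSlotList(tokenPresent=True)[slot_index]
    session = lib.openSession(slot)        # read-only; certificates are public objects
    written = []
    for obj in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_CERTIFICATE)]):
        label, value = session.getAttributeValue(obj, [PyKCS11.CKA_LABEL, PyKCS11.CKA_VALUE])
        der = bytes(value)
        name = "".join(c if c.isalnum() else "_" for c in (label or "cert"))
        with open(os.path.join(out_dir, name + ".der"), "wb") as f:
            f.write(der)
        with open(os.path.join(out_dir, name + ".pem"), "w") as f:
            f.write(der_to_pem(der))       # refuses a truncated or padded CKA_VALUE
        written.append(name)
    session.closeSession()
    return written
```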

What about viewing the certificate? There is no need to overload the utility: to view certificates you can use the openssl utility or the elegant pp printing utility from the Network Security Services (NSS) package:

[screenshot]

It is recommended to begin working with a newly acquired PKCS#11 token by initializing it and setting the PIN codes, so that you can be sure nobody else knows these codes:

[screenshot]

In my opinion, it is a very convenient and useful utility that can be used by corporate administrators who distribute tokens within an enterprise, by certification authorities, and of course by ordinary but advanced users. Although tomorrow there will be no advanced users.

Source: https://habr.com/ru/post/342834/
