Token Configuration
To interact with the token the program use a simple pkcs11 library (libp11), provided by the OpenSC Team: this library communicates with the token hardware through some specific drivers. The scenario we're moving in is something similar to this
Application PKCS11 lib, e.g. OpenSC OpenCT / PCSC Lite Linux Kernel
The pkcs11 library stays above the driver layer and so first of all you need to install the drivers. You can choose either the OpenCT or the PCSC Lite option. Both of them work properly with OpenSC. Usually those packages should already be into your package manager, otherwise you can find them searching in some site as ATrpms or RPMfind, if you are looking for RPMs for instance. Anyway both OpenSC and OpenCT can be found at OpenSC Project Site.
If you decide to install OpenSC manually by downloading and compiling the sources pay particolar attention to enable the OpenCT and/or the PCSC support correctly, by looking at the report shown to you at the end of the OpenSC configuration script.
Check the token detection
Connect the token and check with lsusb that it has been detected. You should see something like this
# lsusb Bus 001 Device 003: ID 0529:0600 Aladdin Knowledge Systems
If you configured OpenSC and OpenCT / PCSC correctly giving the command opensc-tool -l you would be able to see the list of the connected reader(s)
# opensc-tool -l Readers known about: Nr. Driver Name 0 openct Aladdin eToken PRO 64k 1 openct OpenCT reader (detached) 2 openct OpenCT reader (detached) 3 openct OpenCT reader (detached) 4 openct OpenCT reader (detached)
and some more informations about a specific reader
# opensc-tool -r 0 -avn Connecting to card in reader Aladdin eToken PRO 64k... Using card driver Siemens CardOS. Card ATR: 3B F2 18 00 FF C1 0A 31 FE 55 C8 06 8A ;......1.U... Card name: CardOS M4
Initialization of the token
If the token has been detected you can now go ahead with the inizialization procedure. First of all format the card with a PKCS15 filesystem and create a New Security Officer
# pkcs15-init -EC New Security Officer PIN (Optional - press return for no PIN). Please enter Security Officer PIN: Please type again to verify: Unblock Code for New User PIN (Optional - press return for no PIN). Please enter User unblocking PIN (PUK): Please type again to verify:
then create a PIN for a new user
# pkcs15-init --store-pin --auth-id 01 --label "matteo" New User PIN. Please enter User PIN: Please type again to verify: Unblock Code for New User PIN (Optional - press return for no PIN). Please enter User unblocking PIN (PUK): Please type again to verify: Security officer PIN required. Please enter Security officer PIN:
Check that the PINs have been created giving the command
# pkcs15-tool --list-pins PIN [Security Officer PIN] Com. Flags: 0x3 ID : ff Flags : [0xB2], local, initialized, needs-padding, soPin Length : min_len:6, max_len:8, stored_len:8 Pad char : 0x00 Reference : 1 Type : ascii-numeric Path : 3f005015 PIN [matteo] Com. Flags: 0x3 ID : 01 Flags : [0x32], local, initialized, needs-padding Length : min_len:4, max_len:8, stored_len:8 Pad char : 0x00 Reference : 3 Type : ascii-numeric Path : 3f005015
Now you can create a private key directly on the token and associate it to your user.
# pkcs15-init --generate-key rsa/1024 --auth-id 01 --split-key -u sign,decrypt Security officer PIN required. Please enter Security officer PIN: User PIN required. Please enter User PIN: Security officer PIN required. Please enter Security officer PIN:
For security reasons you are not allowed to use the same private key both for signing and decryption so you must specify the --split-key -u sign,decrypt option. With the command pkcs15-tool -k you can see the list of the private keys stored on the token. Now it's time to create a certificate for the private key generated before. The difference here is that the private key is on the device and cannot leave it. In order to have OpenSSL to work with the token you must install the engine-pkcs11 for OpenSSL, which you can find here or in you package manager. The engine will enable OpenSSL to generate a certificate request for the private key stored on the token. For an easy use of the engine it's recommended that you put the following lines on the top of your openssl.cnf file
# For the pkcs11 engine
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
now you can generate a certificate request with the command
# openssl req -engine pkcs11 -new -key id_45 -keyform engine -out newreq.pem
An output like the following should appear to you
engine "pkcs11" set. PKCS#11 token PIN: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [IT]: State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:Testlab Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:matteo Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
If you want you can have the request signed by a Certification Authority by the command
# /usr/lib/ssl/misc/CA.pl -sign
Maybe the path of the CA script could be different onto your Linux distro but it does the same thing: it take a cert request, signs it with the CA signature and create a new certificate. Now you are able to store the cert on the token and associate it to your user
# pkcs15-init --store-certificate newcert.pem --auth-id 01 --id 45 User PIn't be the sameN required. Please enter User PIN: Security officer PIN required. Please enter Security officer PIN:
You can also add the CA cert to the certs store of the token, telling opensc that this cert is an authority's one.
# pkcs15-init --store-certificate demoCA/cacert.pem --authority User PIN required. Please enter User PIN: Security officer PIN required. Please enter Security officer PIN:
You can check that the certs have been correctly stored with the command
# pkcs15-tool -c X.509 Certificate [Certificate] Flags : 2 Authority: no Path : 3f0050153149 ID : 45 X.509 Certificate [Certificate] Flags : 2 Authority: yes Path : 3f005015314a ID : 46
Taking the keys and the certs from a file
Instead of generating the key directly on the card, an existing X.509 certificate can be imported using the command
pkcs15-init -r 1 --store-private-key /root/cert/matteo.key --id 45 --auth-id 01 --key-usage sign,decrypt
The corresponding certificate (the public key object has already created alongside the private key object) can be loaded to the card with
pkcs15-init -r 1 --store-certificate /root/cert/matteo.pem --id 45 --auth-id 01
Alternatively, a PKCS12 file (which contains both the certificate and the private key) can be imported with
pkcs15-init -r 1 --store-private-key /root/cert/matteo.p12 --format PKCS12 --id 45 --auth-id 01 --split-keys -u sign,decrypt
which will ask for the passphrase the PKCS#12 file was created with.
