Drivers, tools, and libraries for Unix.
- eTokenOnLinux.org
- Linux Smart Card FAQ
- GnuPG Smart Card HOWTO
- OpenCard.org
- Project Ägypten2
- Mozilla.org Security Projects
- OpenSC.Project
Note: Most of these tools do not have to be built from source on current Linux distributions.
OpenCT
OpenCT provides drivers for smart card readers and makes them available via the CT-API or as a PC/SC-Lite ifdhandler. You don't really need this to use the eToken on Linux; the build instructions are included here just for completeness.
OpenCT 0.6.14 on Mandriva 2006
- OpenCT
- Make sure pkg-config --libs libpcsclite works.
- Configure:
  LIBUSB_CFLAGS=`libusb-config --cflags` LIBUSB_LIBS=`libusb-config --libs` PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/openct-0.6.14 --with-bundle-dir=/usr/local/pcsc/drivers
Config status:
OpenCT has been configured with the following options

Version:              0.6.9
User binaries:        /usr/local/depot/openct-0.6.9/bin
Configuration files:  /usr/local/depot/openct-0.6.9/etc

Host:                 i686-pc-linux-gnu
Compiler:             gcc
Compiler flags:       -Wall -g -O2
Preprocessor flags:   -I${top_builddir}/src/include -I${top_srcdir}/src/include
Linker flags:
Libraries:            -lpthread

PC/SC support:        yes
Libusb used:          yes

Without libusb coldplugging will not work.
To use usb devices, your hotplugging needs to be
configured and you need to plug in any device
after the system has started (i.e. the init script ran)

make
make install
Testing/Use
- Note: To run OpenCT with the Aladdin eToken, don't start the Aladdin eToken services.
- Files
- libopenctapi.so - a shared object in CT-API format; you can use this with every CT-API aware application.
- openct-ifd.so - a shared object in IFD handler v2 format, to be used by pcsc-lite as a reader driver.
- If you want Aladdin tokens supported by PCSC, remove Aladdin tokens from /usr/local/pcsc/drivers/openct-ifd.bundle/Contents/Info.plist
OpenSC
OpenSC provides an API to access smart cards. It can deal with both PCSC and OpenCT readers as well as PKCS#11 providers. For use with the eToken, pkcs11-tool and cardos-info are quite useful. OpenSC is also required for building other useful components of the OpenSC project.
OpenSC formatted cards use PKCS#15 and are widely supported on Unix. An eToken formatted with the FIPS option will not allow you to create the PKCS#15 application.
OpenSC 0.11.4 on Mandriva 2006
- OpenSC
- Note: Uses libassuan.
- Make sure pkg-config --libs libpcsclite openssl libopenct works.
- Configure:
  PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/opensc-0.11.4 --mandir=/usr/local/depot/opensc-0.11.4/man
Config summary:
OpenSC has been configured with the following options

Version:              0.11.4
User binaries:        /usr/local/depot/opensc-0.11.4/bin
Configuration files:  /usr/local/depot/opensc-0.11.4/etc

Host:                 i686-pc-linux-gnu
Compiler:             gcc
Compiler flags:       -Wall -fno-strict-aliasing -g -O2
Preprocessor flags:   -I${top_builddir}/src/include
Linker flags:
Libraries:            -lpthread -lz

OpenSSL support:      yes
PC/SC support:        yes
OpenCT support:       yes
Assuan support:       yes    #PB: important for gpg
NSPlugin support:     yes
- Note: expects opensc.conf in /usr/local/depot/opensc-0.11.1/etc. Should probably be /usr/local/etc.
make
make install
Testing/Use
- Comment out unused readers in opensc.conf if those readers generate error messages.
OpenSC with PCSC reader and Aladdin Middleware/Token:
# Be sure you can see the reader
$ opensc-tool --list-readers
Readers known about:
Nr.  Driver  Name
0    pcsc    AKS ifdh 00 00

# Read the token's ATR
$ opensc-tool -v --atr
Connecting to card in reader AKS ifdh 00 00...
Using card driver Siemens CardOS.
Card ATR:
3B E2 00 FF C1 10 31 FE 55 C8 02 9C ;.....1.U...

# List files
# Note: lots of output, only the start is shown.
$ opensc-tool -v --list-files
Connecting to card in reader AKS ifdh 00 00...
Using card driver Siemens CardOS.
3f00 type: DF, size: 3896
      select[N/A] lock[CHV9] delete[NONE] create[NONE] rehab[NONE] inval[NONE] list[N/A] sec: 09:09:00:00:00:00:FF:00
      prop: 01:04:00
  3f006666 [AKS] type: DF, size: 3896
      select[N/A] lock[CHV5] delete[NEVR] create[CHV1] rehab[NEVR] inval[NEVR] list[N/A] sec: FF:05:01:FF:FF:FF:FF:01
      prop: 01:01:00
    3f0066661000 type: DF, size: 3896
      select[N/A] lock[CHV1] delete[NEVR] create[CHV1] rehab[NEVR] inval[NEVR] list[N/A] sec: FF:01:01:FF:FF:FF:FF:01
      prop: 01:00:40
      3f00666610000001 type: wEF, ef structure: transpnt, size: 11
      read[NONE] update[NEVR] write[NEVR] erase[NEVR] rehab[NEVR] inval[NEVR] sec: 00
      prop: 01

cardos-info -v:
$ cardos-info -v
Connecting to card in reader AKS ifdh 00 00...
Using card driver Siemens CardOS.
Info : CardOS/M4.0 (C) Siemens AG 1994-1999 (Feb 15 2000)
Chip type: 20
Serial number: 13 bb 97 0c 19 0e
Full prom dump:
33 FF EB 31 FF FF FF FF 14 65 13 BB 97 0C 19 0E 3..1.....e......
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.2 (that's CardOS M4.0)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 671
ATR Status: 0x0 ROM-ATR
Packages installed:
01 04 0C 02 C8 02 01 04 01 01 C8 02 01 04 08 02 ................
C8 02 01 04 03 01 C8 02 01 04 0B 01 C8 02 01 04 ................
11 02 C8 02 ....
Ram size: 1024, Eeprom size: 16384, cpu type: 66, chip config: 61
Free eeprom memory: 3896
System keys: PackageLoadKey (version 0x01, retries 10)
System keys: StartKey (version 0x01, retries 10)
Path to current DF:

pkcs11-tool, VT token:
$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-slots
Available slots:
Slot 0           AKS ifdh 00 00
  token state:   uninitialized

$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --show-info
Cryptoki version 2.1
Manufacturer     Aladdin Ltd.
Library          eToken PKCS#11 (ver 3.60)

$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-objects
Certificate Object, type = X.509 cert
  label:      (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
  label:      eTCAPI public key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      encrypt, verify, wrap

$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-objects --login
Please enter User PIN:
Certificate Object, type = X.509 cert
  label:      (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
  label:      eTCAPI public key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      eTCAPI private key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      decrypt, sign, unwrap

# Copy certificate off of token
pkcs11-tool --module=/usr/local/lib/libetpkcs11.so --type cert --id 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 --output-file phil.cert --read-object

# Usage of PKCS11-spy
$ PKCS11SPY=/usr/local/lib/libetpkcs11.so pkcs11-tool --module /usr/local/lib/pkcs11-spy.so --list-slots
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/local/lib/libetpkcs11.so"

0: C_GetFunctionList
Returned: 0 CKR_OK

1: C_Initialize
Returned: 0 CKR_OK

2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK

3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 0
[out] *pulCount = 0x1
Returned: 0 CKR_OK
Available slots:

4: C_GetSlotInfo
[in] slotID = 0x0
[out] pInfo:
      slotDescription:        'AKS ifdh 00 00 '
                              ' '
      manufacturerID:         'Aladdin Ltd. '
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      flags:                   7
        CKF_TOKEN_PRESENT
        CKF_REMOVABLE_DEVICE
        CKF_HW_SLOT
Returned: 0 CKR_OK
Slot 0           AKS ifdh 00 00

5: C_GetTokenInfo
[in] slotID = 0x0
[out] pInfo:
      label:                  'Phil-prod '
      manufacturerID:         'Aladdin Knowledge Systems Ltd. '
      model:                  'eToken CardOS/M4'
      serialNumber:           '13bb970c190e '
      ulMaxSessionCount:       0
      ulSessionCount:          0
      ulMaxRwSessionCount:     0
      ulRwSessionCount:        0
      ulMaxPinLen:             256
      ulMinPinLen:             4
      ulTotalPublicMemory:     16384
      ulFreePublicMemory:      3896
      ulTotalPrivateMemory:    16384
      ulFreePrivateMemory:     3896
      hardwareVersion:         3.0
      firmwareVersion:         0.0
      time:                   ' '
      flags:                   d
        CKF_RNG
        CKF_LOGIN_REQUIRED
        CKF_USER_PIN_INITIALIZED
Returned: 0 CKR_OK
  token state:   uninitialized

6: C_Finalize
Returned: 0 CKR_OK
CardOS-info
- Info on pkcs15-init problem
$ cardos-info    # VT token that can't have PKCS15 added
Info : CardOS/M4.0 (C) Siemens AG 1994-1999 (Feb 15 2000)
Chip type: 20
Serial number: 13 bb 97 0c 19 0e
Full prom dump:
33 FF EB 31 FF FF FF FF 14 65 13 BB 97 0C 19 0E 3..1.....e......
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.2 (that's CardOS M4.0)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 64
ATR Status: 0x0 ROM-ATR
Packages installed:
01 04 0C 02 C8 02 01 04 01 01 C8 02 01 04 08 02 ................
C8 02 01 04 03 01 C8 02 01 04 0B 01 C8 02 01 04 ................
11 02 C8 02 ....
Ram size: 1024, Eeprom size: 16384, cpu type: 66, chip config: 61
Free eeprom memory: 3896
System keys: PackageLoadKey (version 0x01, retries 10)
System keys: StartKey (version 0x01, retries 10)
Path to current DF: 66 66 10 00 ff..

# Token formatted without FIPS. Works with pkcs15-init
$ cardos-info
Info : CardOS/M4.01 (C) Siemens AG 1994-2001
Chip type: 96
Serial number: 26 13 bd 17 10 23
Full prom dump:
33 66 00 45 FF FF FF FF 60 FF 26 13 BD 17 10 23 3f.E....`.&....#
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.3 (that's CardOS M4.01)
Current life cycle: 32 (administration)
Security Status of current DF:
Free memory : 64
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 2, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 18909
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF: 66 66 10 00 ff..
PKCS#15
$ pkcs15-init --pin 3333 --create-pkcs15 --profile pkcs15+onepin
$ pkcs15-tool --dump
PIN [User PIN]
$ pkcs15-init --generate-key "rsa/1024" --auth-id 01 --pin 3333
$ pkcs15-tool --dump
PIN [User PIN]
Private RSA Key [Private Key]
Public RSA Key [Public Key]
$ pkcs15-init --store-private-key thawte-vt-20060914.p12 --format PKCS12 --auth-id 01 --key-usage sign
Libp11
Libp11 is a library implementing a small layer on top of the PKCS#11 API to make using PKCS#11 implementations easier. It is required by Engine_PKCS#11 and pkcs11-helper.
- Part of OpenSC
- Required for engine_pkcs#11
./configure --prefix=/usr/local/depot/libp11-0.2.3
make
make install
Engine_PKCS#11
Engine_pkcs11 is an implementation of an engine for OpenSSL. It allows a PKCS#11 provider to be used to make a smart card usable from OpenSSL.
- Part of OpenSC
- Allows SSL to use smart cards with a PKCS#11 interface.
- Make sure pkg-config --libs libp11 works.
- Configure:
  PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/engine_pkcs11-0.1.4
Config results:
Engine_pkcs11 has been configured with the following options
OpenSSL support:  yes
with engine:      yes
with sslhack:     no

make
make install
pkcs11-helper
Pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications using a simple API. It is required to use eTokens with gnupg-pkcs11-scd and ssh. It is one of the most important tools for using the eToken with unix applications.
- pkcs11-helper
- Used by gnupg-pkcs11
./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/libetpkcs11.so
./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/libetpkcs11.so --with-test-log-level=5
./configure --prefix=/usr/local/depot/pkcs11-helper-1.05 --enable-docs --with-test-provider=/usr/lib/libeTPkcs11.so --with-test-log-level=5
# With 4.55 RTE, tests pass
Making check in tests
make[1]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
Making check in test-basic
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
make check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
Version: 00010500
Features: 000003f9
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/lib/libeTPkcs11.so'
Terminating pkcs11-helper
PASS: test-basic
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
Making check in test-certificate
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
make check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/lib/libeTPkcs11.so'
Please remove all tokens, press <Enter>:
Enumerating token certificate (list should be empty, no prompt)
Please insert token, press <Enter>:
Getting certificate cache, should be available certificates
Issuer: /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Root CA on Phil-Prod
Issuer: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Virginia Tech User CA on Phil-Prod
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Please remove token, press <Enter>:
Getting certificate cache, should be similar to last
Issuer: /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Root CA on Phil-Prod
Issuer: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Virginia Tech User CA on Phil-Prod
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Creating certificate context
Perforing signature #1 (you should be prompt for token and PIN)
Please insert token 'Phil-Prod' 'ok' or 'cancel': ok
Please enter 'Phil-Prod' PIN or 'cancel':
Perforing signature #2 (you should NOT be prompt for anything)
Please remove and insert token, press <Enter>:
Perforing signature #3 (you should be prompt only for PIN)
Please enter 'Phil-Prod' PIN or 'cancel':
Perforing signature #4 (you should NOT be prompt for anything)
Terminating pkcs11-helper
PASS: test-certificate
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
Making check in test-slotevent
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
make check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/lib/libeTPkcs11.so' as auto slotevent
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
Adding provider '/usr/lib/libeTPkcs11.so' as trigger
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
Adding provider '/usr/lib/libeTPkcs11.so' as poll
Please remove and insert tokens (pause for 30 seconds)
slotevent
Adding provider '/usr/lib/libeTPkcs11.so' as fetch
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
slotevent
Terminating pkcs11-helper
Terminating pkcs11-helper
PASS: test-slotevent
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
make[2]: Nothing to be done for `check-am'.
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
make[1]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
make[1]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05'
make[1]: Nothing to be done for `check-am'.
make[1]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05'
analon:/usr/local/src/Aladdin/pkcs11-helper-1.05 (2) $
> make check
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
Version: 00010000
Features: 000001fd
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/local/lib/libetpkcs11.so'
Terminating pkcs11-helper
PASS: test-basic
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
Making check in test-certificate
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
make check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/local/lib/libetpkcs11.so'
Please remove all tokens, press <Enter>:
Enumerating token certificate (list should be empty, no prompt)
Please insert token, press <Enter>:
Getting certificate cache, should be available certificates
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Please remove token, press <Enter>:
Getting certificate cache, should be similar to last
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Creating certificate context
Perforing signature #1 (you should be prompt for token and PIN)
Please insert token 'Phil-Prod' 'ok' or 'cancel': ok
Please enter 'Phil-Prod' PIN or 'cancel':
Perforing signature #2 (you should NOT be prompt for anything)
Please remove and insert token, press <Enter>:
Perforing signature #3 (you should be prompt only for PIN)
Perforing signature #4 (you should NOT be prompt for anything)
Terminating pkcs11-helper
PASS: test-certificate
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
Making check in test-slotevent
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-slotevent'
if gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../../include -g -O2 -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function -MT test-slotevent.o -MD -MP -MF ".deps/test-slotevent.Tpo" -c -o test-slotevent.o test-slotevent.c; \
then mv -f ".deps/test-slotevent.Tpo" ".deps/test-slotevent.Po"; else rm -f ".deps/test-slotevent.Tpo"; exit 1; fi
/bin/sh ../../libtool --tag=CC --mode=link gcc -g -O2 -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function -o test-slotevent test-slotevent.o ../../lib/libpkcs11-helper.la -lpthread -ldl -lssl -lcrypto -ldl
mkdir .libs
gcc -g -O2 -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function -o .libs/test-slotevent test-slotevent.o ../../lib/.libs/libpkcs11-helper.so -lpthread -lssl -lcrypto -ldl -Wl,--rpath -Wl,/usr/local/depot/pkcs11-helper-1.02/lib
creating test-slotevent
make check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-slotevent'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/local/lib/libetpkcs11.so' as trigger
slotevent
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
# This test hangs here.
- The problem with test-slotevent is that the pkcs11h_removeProvider (TEST_PROVIDER) after the trigger test never returns.
- Seems to work with ssh if you compile with --disable-threads --disable-slotevent.
- --with-test-log-level=5 enables max debugging from tests.
- Debugging with pkcs11-spy:
  ./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/pkcs11-spy.so --with-test-log-level=5
  PKCS11SPY=/usr/local/lib/libetpkcs11.so ./test-slotevent
OpenSSL
- See README.ENGINE in the OpenSSL distribution
- Specify key: key, id_key
- (engine_pkcs11.c) supported formats: <id>, <slot>:<id>, id_<id>, slot_<slot>-id_<id>
- Aladdin PKCS#11 module and pkcs11 engine:
# Removed -pre PIN:1111 since the user will be prompted.
# Note: key ID obtained with pkcs11-tool --list-objects --module=/usr/local/lib/libetpkcs11.so
#
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libetpkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/libetpkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
OpenSSL>
# Verify that the engine is available
OpenSSL> engine pkcs11 -t
(pkcs11) pkcs11 engine
initializing engine
[ available ]
OpenSSL>
# Show engine capabilities
OpenSSL> engine -vvvv -c pkcs11
(pkcs11) pkcs11 engine
[RSA, DSA, DH, RAND]
SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
(input flags): STRING
MODULE_PATH: Specifies the path to the pkcs11 module shared library
(input flags): STRING
PIN: Specifies the pin code
(input flags): STRING
VERBOSE: Print additional details
(input flags): NO_INPUT
QUIET: Remove additional details
(input flags): NO_INPUT
LOAD_CERT_CTRL: Get the certificate from card
(input flags): [Internal]

OpenSSL> req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
engine "pkcs11" set.
Looking in slot 0 for key: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Found 1 slot
0 AKS ifdh 00 00 uninitialized, login (Phil PKCS#11)
Found slot: AKS ifdh 00 00
Found token: Phil PKCS#11
Found 1 certificate:
1 (eTCAPI) Phillip E Benchoff's Thawte Consulting (Pty) Ltd. ID (/SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@vt.edu)
PKCS#11 token PIN:
Found 1 key:
1 P eTCAPI private key
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ef:2a:cf:e3:96:98:d6:c6
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Phil
Validity
Not Before: Sep 30 15:00:09 2006 GMT
Not After : Oct 30 15:00:09 2006 GMT
Subject: CN=Phil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d0:07:5a:a0:77:de:a4:54:d0:6b:8a:00:ec:57:
60:04:a4:7e:f1:dc:3c:33:c7:27:52:94:1d:d6:c4:
df:b0:5d:23:fa:99:44:f7:fa:92:6b:16:bc:f7:de:
8d:9f:b8:83:f6:a8:12:fd:23:bc:19:0e:ef:7d:f0:
5e:e1:a1:f7:29:ac:8e:c8:37:7f:fa:4c:ee:b1:71:
9f:20:69:0f:c3:8a:2b:3a:45:78:7f:df:ae:19:26:
d8:89:53:8d:c8:f6:40:ae:d2:13:c5:55:ec:e9:99:
d4:bc:ae:25:a6:92:76:6b:9a:fc:5b:1c:94:e9:4a:
9c:9c:fb:50:95:89:24:76:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1A:34:31:F0:B1:BF:62:B9:01:1A:85:AC:A4:F4:38:CF:54:FD:ED:BF
X509v3 Authority Key Identifier:
keyid:1A:34:31:F0:B1:BF:62:B9:01:1A:85:AC:A4:F4:38:CF:54:FD:ED:BF
DirName:/CN=Phil
serial:EF:2A:CF:E3:96:98:D6:C6
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
02:23:7a:a4:7d:fd:c7:7e:19:1d:06:66:99:72:0f:dc:b9:d3:
15:a8:6f:de:ed:98:da:5e:68:98:05:a2:9f:28:b4:37:92:8c:
5c:9d:05:ad:7b:3b:7b:aa:7a:6f:4d:cf:c4:ee:93:e6:f5:59:
a7:00:29:9f:a1:74:77:fe:88:8b:ab:d6:3a:cb:b0:c0:01:c9:
f4:b0:ea:da:28:6c:61:af:aa:7d:6f:18:bf:0b:63:4b:50:44:
ee:f1:fa:50:96:a6:34:ae:42:b2:60:7d:fc:97:de:43:ac:8f:
38:8d:7b:05:3b:b0:7a:60:18:8b:97:1e:08:3d:b0:8f:bd:aa:
fb:b1
-----BEGIN CERTIFICATE-----
# (PEM certificate body omitted)
-----END CERTIFICATE-----

# The second attempt fails
OpenSSL> req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
engine "pkcs11" set.
Looking in slot 0 for key: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Found 1 slot
0 AKS ifdh 00 00 uninitialized, login (Phil PKCS#11)
Found slot: AKS ifdh 00 00
Found token: Phil PKCS#11
Found 1 certificate:
1 (eTCAPI) Phillip E Benchoff's Thawte Consulting (Pty) Ltd. ID (/SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@vt.edu)
Login failed
PKCS11_get_private_key returned NULL
unable to load Private Key
1497:error:80005100:Vendor defined:PKCS11_login:User already logged in:p11_slot.c:143:
1497:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:117:
error in req
OpenSSL>
##################################################
# Things that don't work yet
##################################################
#
# Token does not blink, works with or without the token.
OpenSSL> rand -engine pkcs11 -base64 25
engine "pkcs11" set.
+9kYy0ESW0uDK437BPTnV3G76u3/L/q10g==
OpenSSL>
# Just testing
x509 -engine pkcs11 -in id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -noout -text
req -engine pkcs11 -new -key id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
OpenSSL> x509 -engine pkcs11 -noout -text
OpenSSL> x509 -engine pkcs11 -in 1 -inform engine -text -noout

- engine_pkcs11 and opensc pkcs11 module
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
#
#
#
OpenSSL> engine pkcs11 -t
(pkcs11) pkcs11 engine
initializing engine
card-cardos.c:225:cardos_check_sw: file not found
iso7816.c:458:iso7816_select_ returning with: File not found
card-cardos.c:401:cardos_select_ returning with: File not found
card.c:563:sc_select_ returning with: File not found
pkcs15-postecert.c:336:sc_pkcs15emu_postecert_init: Failed to initialize Postecert and Cnipa emulation: Unsupported card
card-cardos.c:225:cardos_check_sw: file not found
iso7816.c:458:iso7816_select_ returning with: File not found
card-cardos.c:401:cardos_select_ returning with: File not found
card.c:563:sc_select_ returning with: File not found
card-cardos.c:225:cardos_check_sw: file not found
iso7816.c:463:iso7816_select_ returning with: File not found
card-cardos.c:401:cardos_select_ returning with: File not found
card.c:563:sc_select_ returning with: File not found
[ available ]
#
#
#
OpenSSL> engine -vvvv -c pkcs11
(pkcs11) pkcs11 engine
RSA, DSA, DH, RAND
SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
(input flags): STRING
MODULE_PATH: Specifies the path to the pkcs11 module shared library
(input flags): STRING
PIN: Specifies the pin code
(input flags): STRING
VERBOSE: Print additional details
(input flags): NO_INPUT
QUIET: Remove additional details
(input flags): NO_INPUT
LOAD_CERT_CTRL: Get the certificate from card
(input flags): Internal
OpenSSL>
#
#
#
#
# Token does blink, works with or without the token though.
OpenSSL> rand -engine pkcs11 -base64 25
engine "pkcs11" set.
#
#
# Just testing
#
x509 -engine pkcs11 -in id_45 -keyform engine -noout -text
# similar results to aladdin middleware
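The CKA_ID that pkcs11-tool prints for each object is what engine_pkcs11 takes as the key name, in the four forms listed in the OpenSSL section above (<id>, <slot>:<id>, id_<id>, slot_<slot>-id_<id>). The following is an added Python example, not code from this page or from the OpenSC project: it parses the pkcs11-tool --list-objects listing from this page (embedded as constructed sample input), decodes the hex ID, reports which ID carries both a certificate and a sign-capable private key, and splits each of the four engine key-identifier forms into slot and ID. The object header strings and field names it expects are assumptions that match this page's output, not a documented format.

```python
import binascii
import re
from dataclasses import dataclass

# Constructed sample input: the object records from the
# `pkcs11-tool --module ... --list-objects --login` run shown on this page.
SAMPLE_LISTING = """\
Certificate Object, type = X.509 cert
  label:      (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
  label:      eTCAPI public key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      eTCAPI private key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      decrypt, sign, unwrap
"""

# Assumed shape of pkcs11-tool's object header lines; it matches the listing above.
OBJECT_HEADER = re.compile(r"^(Certificate|Public Key|Private Key|Secret Key|Data) Object")


@dataclass
class P11Object:
    kind: str           # "Certificate", "Public Key", "Private Key", ...
    label: str = ""
    id_hex: str = ""    # CKA_ID exactly as pkcs11-tool prints it: lower-case hex
    usage: tuple = ()


def parse_list_objects(text):
    """Turn `pkcs11-tool --list-objects` output into a list of P11Object."""
    objs = []
    for line in text.splitlines():
        m = OBJECT_HEADER.match(line)
        if m:
            objs.append(P11Object(kind=m.group(1)))
            continue
        if not objs:
            continue                  # PIN prompt or banner before the first object
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if key == "label":
            objs[-1].label = value
        elif key == "ID":
            objs[-1].id_hex = value.lower()
        elif key == "Usage":
            objs[-1].usage = tuple(u.strip() for u in value.split(","))
    return objs


def decode_cka_id(id_hex):
    """CKA_ID is opaque bytes that pkcs11-tool prints as hex; return them as text when
    printable ASCII (the eToken IDs above are), else None.  engine_pkcs11 wants the hex."""
    raw = binascii.unhexlify(id_hex)
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def signing_candidates(objs):
    """IDs for which the token holds both a certificate and a private key whose usage
    includes 'sign': the IDs `openssl req -key <id> -keyform engine` can use."""
    certs = {o.id_hex for o in objs if o.kind == "Certificate"}
    keys = {o.id_hex for o in objs if o.kind == "Private Key" and "sign" in o.usage}
    return sorted(certs & keys)


# The four key-identifier forms the OpenSSL section lists for engine_pkcs11:
# <id>, <slot>:<id>, id_<id>, slot_<slot>-id_<id>
KEY_SPEC = re.compile(
    r"^(?:slot_(?P<slot_a>\d+)-id_(?P<id_a>[0-9a-fA-F]+)"
    r"|id_(?P<id_b>[0-9a-fA-F]+)"
    r"|(?P<slot_c>\d+):(?P<id_c>[0-9a-fA-F]+)"
    r"|(?P<id_d>[0-9a-fA-F]+))$")


def parse_key_spec(spec):
    """Split an engine_pkcs11 key identifier into (slot, id_hex); slot is None for
    the two forms that do not carry one."""
    m = KEY_SPEC.match(spec)
    if not m:
        raise ValueError("unrecognised engine_pkcs11 key identifier: %r" % spec)
    g = m.groupdict()
    slot = g["slot_a"] if g["slot_a"] is not None else g["slot_c"]
    id_hex = next(v for k, v in g.items() if k.startswith("id_") and v)
    return (None if slot is None else int(slot)), id_hex.lower()
```

Run it against the output of your own token rather than the embedded sample; a listing taken without --login shows only the certificate and public key, so signing_candidates() returns nothing until the private key object is visible.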
Global Platform
Global Platform Library
- http://sourceforge.net/projects/globalplatform/
- Make sure pkg-config --libs libpcsclite works.
- ./configure --prefix=/usr/local/depot/globalplatform-3.0.2
- make
- make install
gpshell
http://sourceforge.net/projects/globalplatform/
- Make sure pkg-config --libs libpcsclite works.
- ./configure --prefix=/usr/local/depot/gpshell-1.3.1
- make
- make install