
Drivers, tools, and libraries for Unix.

Out of Date

Most of these tools do not have to be built from source on current Linux distributions.

OpenCT

OpenCT provides drivers for smart card readers and makes them available via the CT-API or as a PC/SC-Lite ifdhandler. You don't really need this to use the eToken on Linux and build instructions are included here just for completeness.

OpenCT 0.6.14 on Mandriva 2006

  • OpenCT
  • Make sure pkg-config --libs libpcsclite works.
  • LIBUSB_CFLAGS=`libusb-config --cflags` LIBUSB_LIBS=`libusb-config --libs` PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/openct-0.6.14 --with-bundle-dir=/usr/local/pcsc/drivers
  • config status

    OpenCT has been configured with the following options

    Version: 0.6.9
    User binaries: /usr/local/depot/openct-0.6.9/bin
    Configuration files: /usr/local/depot/openct-0.6.9/etc

    Host: i686-pc-linux-gnu
    Compiler: gcc
    Compiler flags: -Wall -g -O2
    Preprocessor flags: -I${top_builddir}/src/include -I${top_srcdir}/src/include
    Linker flags:
    Libraries: -lpthread

    PC/SC support: yes
    Libusb used: yes

    Without libusb coldplugging will not work.
    To use usb devices, your hotplugging needs to be
    configured and you need to plug in any device
    after the system has started (i.e. the init script ran)

  • make
  • make install

Testing/Use

  • Note: To run OpenCT with the Aladdin eToken, don't start the Aladdin eToken services.
  • Files
    • libopenctapi.so - a shared object in CT-API format, you can use this with every ct-api aware application.
    • openct-ifd.so - a shared object in Ifdhandler v2 format, to be used by pcsc-lite as a reader.
  • If you want Aladdin tokens supported by PCSC, remove Aladdin tokens from /usr/local/pcsc/drivers/openct-ifd.bundle/Contents/Info.plist

OpenSC

OpenSC provides an API to access smart cards. It can deal with both PCSC and OpenCT readers as well as PKCS#11 providers. For use with the eToken, pkcs11-tool and cardos-info are quite useful. OpenSC is also required for building other useful components of the OpenSC project.

OpenSC formatted cards use PKCS#15 and are widely supported on Unix. An eToken formatted with the FIPS option will not allow you to create the PKCS#15 application.

OpenSC 0.11.4 on Mandriva 2006

  • OpenSC
  • Note: Uses libassuan.
  • Make sure pkg-config --libs libpcsclite openssl libopenct works.
  • PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/opensc-0.11.4 --mandir=/usr/local/depot/opensc-0.11.4/man
  • config summary

    OpenSC has been configured with the following options

    Version: 0.11.4
    User binaries: /usr/local/depot/opensc-0.11.4/bin
    Configuration files: /usr/local/depot/opensc-0.11.4/etc

    Host: i686-pc-linux-gnu
    Compiler: gcc
    Compiler flags: -Wall -fno-strict-aliasing -g -O2
    Preprocessor flags: -I${top_builddir}/src/include
    Linker flags:
    Libraries: -lpthread -lz

    OpenSSL support: yes
    PC/SC support: yes
    OpenCT support: yes
    Assuan support: yes #PB: important for gpg
    NSPlugin support: yes

  • Note: expects opensc.conf in /usr/local/depot/opensc-0.11.1/etc. Should probably be /usr/local/etc
  • make
  • make install

Testing/Use

  • Comment out unused readers in opensc.conf if those readers generate error messages.
  • OpenSC with PCSC reader and Aladdin Middleware/Token

    # Be sure you can see the reader
    $ opensc-tool --list-readers
    Readers known about:
    Nr. Driver Name
    0 pcsc AKS ifdh 00 00

    # Read the token's ATR
    $ opensc-tool -v --atr
    Connecting to card in reader AKS ifdh 00 00...
    Using card driver Siemens CardOS.
    Card ATR:
    3B E2 00 FF C1 10 31 FE 55 C8 02 9C ;.....1.U...

    # List files
    # Note: lots of output, only the start is shown.
    $ opensc-tool -v --list-files
    Connecting to card in reader AKS ifdh 00 00...
    Using card driver Siemens CardOS.
    3f00 type: DF, size: 3896
    select[N/A] lock[CHV9] delete[NONE] create[NONE] rehab[NONE] inval[NONE] list[N/A] sec: 09:09:00:00:00:00:FF:00
    prop: 01:04:00

    3f006666 [AKS] type: DF, size: 3896
    select[N/A] lock[CHV5] delete[NEVR] create[CHV1] rehab[NEVR] inval[NEVR] list[N/A] sec: FF:05:01:FF:FF:FF:FF:01
    prop: 01:01:00

    3f0066661000 type: DF, size: 3896
    select[N/A] lock[CHV1] delete[NEVR] create[CHV1] rehab[NEVR] inval[NEVR] list[N/A] sec: FF:01:01:FF:FF:FF:FF:01
    prop: 01:00:40

    3f00666610000001 type: wEF, ef structure: transpnt, size: 11
    read[NONE] update[NEVR] write[NEVR] erase[NEVR] rehab[NEVR] inval[NEVR] sec: 00
    prop: 01

  • cardos-info -v

    $ cardos-info -v
    Connecting to card in reader AKS ifdh 00 00...
    Using card driver Siemens CardOS.
    Info : CardOS/M4.0 (C) Siemens AG 1994-1999 (Feb 15 2000)
    Chip type: 20
    Serial number: 13 bb 97 0c 19 0e
    Full prom dump:
    33 FF EB 31 FF FF FF FF 14 65 13 BB 97 0C 19 0E 3..1.....e......
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
    OS Version: 200.2 (that's CardOS M4.0)
    Current life cycle: 16 (operational)
    Security Status of current DF:
    Free memory : 671
    ATR Status: 0x0 ROM-ATR
    Packages installed:
    01 04 0C 02 C8 02 01 04 01 01 C8 02 01 04 08 02 ................
    C8 02 01 04 03 01 C8 02 01 04 0B 01 C8 02 01 04 ................
    11 02 C8 02 ....
    Ram size: 1024, Eeprom size: 16384, cpu type: 66, chip config: 61
    Free eeprom memory: 3896
    System keys: PackageLoadKey (version 0x01, retries 10)
    System keys: StartKey (version 0x01, retries 10)
    Path to current DF:

  • $ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-slots
    Available slots:
    Slot 0 AKS ifdh 00 00
    token state: uninitialized

    $ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --show-info
    Cryptoki version 2.1
    Manufacturer Aladdin Ltd.
    Library eToken PKCS#11 (ver 3.60)

    $ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-objects
    Certificate Object, type = X.509 cert
    label: (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
    ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Public Key Object; RSA 1024 bits
    label: eTCAPI public key
    ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Usage: encrypt, verify, wrap

    $ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-objects --login
    Please enter User PIN:
    Certificate Object, type = X.509 cert
    label: (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
    ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Public Key Object; RSA 1024 bits
    label: eTCAPI public key
    ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Usage: encrypt, verify, wrap
    Private Key Object; RSA
    label: eTCAPI private key
    ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Usage: decrypt, sign, unwrap

    # Copy certificate off of token
    pkcs11-tool --module=/usr/local/lib/libetpkcs11.so --type cert --id 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 --output-file phil.cert --read-object

    # Usage of PKCS11-spy
    $ PKCS11SPY=/usr/local/lib/libetpkcs11.so pkcs11-tool --module /usr/local/lib/pkcs11-spy.so --list-slots

    *************** OpenSC PKCS#11 spy *****************
    Loaded: "/usr/local/lib/libetpkcs11.so"

    0: C_GetFunctionList
    Returned: 0 CKR_OK

    1: C_Initialize
    Returned: 0 CKR_OK

    2: C_GetSlotList
    [in] tokenPresent = 0x0
    [out] pSlotList:
    Count is 1
    [out] *pulCount = 0x1
    Returned: 0 CKR_OK

    3: C_GetSlotList
    [in] tokenPresent = 0x0
    [out] pSlotList:
    Slot 0
    [out] *pulCount = 0x1
    Returned: 0 CKR_OK
    Available slots:

    4: C_GetSlotInfo
    [in] slotID = 0x0
    [out] pInfo:
    slotDescription: 'AKS ifdh 00 00 '
    ' '
    manufacturerID: 'Aladdin Ltd. '
    hardwareVersion: 0.0
    firmwareVersion: 0.0
    flags: 7
    CKF_TOKEN_PRESENT
    CKF_REMOVABLE_DEVICE
    CKF_HW_SLOT
    Returned: 0 CKR_OK
    Slot 0 AKS ifdh 00 00

    5: C_GetTokenInfo
    [in] slotID = 0x0
    [out] pInfo:
    label: 'Phil-prod '
    manufacturerID: 'Aladdin Knowledge Systems Ltd. '
    model: 'eToken CardOS/M4'
    serialNumber: '13bb970c190e '
    ulMaxSessionCount: 0
    ulSessionCount: 0
    ulMaxRwSessionCount: 0
    ulRwSessionCount: 0
    ulMaxPinLen: 256
    ulMinPinLen: 4
    ulTotalPublicMemory: 16384
    ulFreePublicMemory: 3896
    ulTotalPrivateMemory: 16384
    ulFreePrivateMemory: 3896
    hardwareVersion: 3.0
    firmwareVersion: 0.0
    time: ' '
    flags: d
    CKF_RNG
    CKF_LOGIN_REQUIRED
    CKF_USER_PIN_INITIALIZED
    Returned: 0 CKR_OK
    token state: uninitialized

    6: C_Finalize
    Returned: 0 CKR_OK

CardOS-info

  • Info on pkcs15-init problem
  • $ cardos-info
    # VT token that can't have PKCS15 added
    Info : CardOS/M4.0 (C) Siemens AG 1994-1999 (Feb 15 2000)
    Chip type: 20
    Serial number: 13 bb 97 0c 19 0e
    Full prom dump:
    33 FF EB 31 FF FF FF FF 14 65 13 BB 97 0C 19 0E 3..1.....e......
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
    OS Version: 200.2 (that's CardOS M4.0)
    Current life cycle: 16 (operational)
    Security Status of current DF:
    Free memory : 64
    ATR Status: 0x0 ROM-ATR
    Packages installed:
    01 04 0C 02 C8 02 01 04 01 01 C8 02 01 04 08 02 ................
    C8 02 01 04 03 01 C8 02 01 04 0B 01 C8 02 01 04 ................
    11 02 C8 02                                     ....
    Ram size: 1024, Eeprom size: 16384, cpu type: 66, chip config: 61
    Free eeprom memory: 3896
    System keys: PackageLoadKey (version 0x01, retries 10)
    System keys: StartKey (version 0x01, retries 10)
    Path to current DF:
    66 66 10 00 ff..
    
    # Token formatted without FIPS.  Works with pkcs15-init
    $ cardos-info
    Info : CardOS/M4.01 (C) Siemens AG 1994-2001
    Chip type: 96
    Serial number: 26 13 bd 17 10 23
    Full prom dump:
    33 66 00 45 FF FF FF FF 60 FF 26 13 BD 17 10 23 3f.E....`.&....#
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
    OS Version: 200.3 (that's CardOS M4.01)
    Current life cycle: 32 (administration)
    Security Status of current DF:
    Free memory : 64
    ATR Status: 0x0 ROM-ATR
    Packages installed:
    Ram size: 2, Eeprom size: 32, cpu type: 66, chip config: 63
    Free eeprom memory: 18909
    System keys: PackageLoadKey (version 0x00, retries 10)
    System keys: StartKey (version 0xff, retries 10)
    Path to current DF:
    66 66 10 00 ff..
    

PKCS#15

pkcs15-init --pin 3333 --create-pkcs15 --profile pkcs15+onepin
# Did not enter a PUK when prompted.

$ pkcs15-tool --dump
PKCS#15 Card OpenSC Card:
Version : 1
Serial number : 2613BD171023
Manufacturer ID: OpenSC Project
Last update : 20061018165432Z
Flags : EID compliant

PIN User PIN
Com. Flags: 0x3
ID : 01
Flags : 0x3A, local, unblock-disabled, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8

$ pkcs15-init --generate-key "rsa/1024" --auth-id 01 --pin 3333

$ pkcs15-tool --dump
PKCS#15 Card OpenSC Card:
Version : 1
Serial number : 2613BD171023
Manufacturer ID: OpenSC Project
Last update : 20061018184537Z
Flags : EID compliant

PIN User PIN
Com. Flags: 0x3
ID : 01
Flags : 0x3A, local, unblock-disabled, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015

Private RSA Key Private Key
Com. Flags : 3
Usage : 0x4, sign
Access Flags: 0x1D, sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 16
Native : yes
Path : 3f005015
Auth ID : 01
ID : 45

Public RSA Key Public Key
Com. Flags : 2
Usage : 0x4, sign
Access Flags: 0x0
ModLength : 1024
Key ref : 0
Native : no
Path : 3f0050153048
Auth ID :
ID : 45

$ pkcs15-init --store-private-key thawte-vt-20060914.p12 --format PKCS12 --auth-id 01 --key-usage sign
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 3 certificates:
0: /SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@bev.net
1: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
2: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
Warning: requested key usage incompatible with key usage specified by X.509 certificate
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:

Libp11

Libp11 is a library implementing a small layer on top of the PKCS#11 API to make using PKCS#11 implementations easier. It is required by Engine_PKCS#11 and pkcs11-helper.

  • Part of OpenSC
  • Required for engine_pkcs#11
  • ./configure --prefix=/usr/local/depot/libp11-0.2.3
  • make
  • make install

Engine_PKCS#11

Engine_pkcs11 is an engine implementation for OpenSSL. It lets OpenSSL use a smart card through a PKCS#11 provider.

  • Part of OpenSC
  • Allows SSL to use smart cards with a PKCS#11 interface.
  • Make sure pkg-config --libs libp11 works.
  • PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/engine_pkcs11-0.1.4
  • config results

    Engine_pkcs11 has been configured with the following options

    OpenSSL support: yes
    with engine: yes
    with sslhack: no

  • make
  • make install

pkcs11-helper

Pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications using a simple API. It is required to use eTokens with gnupg-pkcs11-scd and ssh. It is one of the most important tools for using the eToken with unix applications.

  • pkcs11-helper
  • Used by gnupg-pkcs11
  • ./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/libetpkcs11.so
  • ./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/libetpkcs11.so --with-test-log-level=5
  • ./configure --prefix=/usr/local/depot/pkcs11-helper-1.05 --enable-docs --with-test-provider=/usr/lib/libeTPkcs11.so --with-test-log-level=5
  • # With 4.55 RTE, tests pass
    Making check in tests
    make[1]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
    Making check in test-basic
    make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
    make  check-TESTS
    make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
    Version: 00010500
    Features: 000003f9
    Initializing pkcs11-helper
    Registering pkcs11-helper hooks
    Adding provider '/usr/lib/libeTPkcs11.so'
    Terminating pkcs11-helper
    PASS: test-basic
    ==================
    All 1 tests passed
    ==================
    make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
    make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
    Making check in test-certificate
    make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
    make  check-TESTS
    make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
    Initializing pkcs11-helper
    Registering pkcs11-helper hooks
    Adding provider '/usr/lib/libeTPkcs11.so'
    Please remove all tokens, press <Enter>:
    Enumerating token certificate (list should be empty, no prompt)
    Please insert token, press <Enter>:
    Getting certificate cache, should be available certificates
    Issuer: /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Root CA on Phil-Prod
    Issuer: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Virginia Tech User CA on Phil-Prod
    Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
    Please remove token, press <Enter>:
    Getting certificate cache, should be similar to last
    Issuer: /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Root CA on Phil-Prod
    Issuer: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Virginia Tech User CA on Phil-Prod
    Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
    Creating certificate context
    Perforing signature #1 (you should be prompt for token and PIN)
    Please insert token 'Phil-Prod' 'ok' or 'cancel': ok
    Please enter 'Phil-Prod' PIN or 'cancel':
    Perforing signature #2 (you should NOT be prompt for anything)
    Please remove and insert token, press <Enter>:
    Perforing signature #3 (you should be prompt only for PIN)
    Please enter 'Phil-Prod' PIN or 'cancel':
    Perforing signature #4 (you should NOT be prompt for anything)
    Terminating pkcs11-helper
    PASS: test-certificate
    ==================
    All 1 tests passed
    ==================
    make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
    make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
    Making check in test-slotevent
    make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
    make  check-TESTS
    make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
    Initializing pkcs11-helper
    Registering pkcs11-helper hooks
    Adding provider '/usr/lib/libeTPkcs11.so' as auto
    slotevent
    Please remove and insert tokens (pause for 30 seconds)
    slotevent
    slotevent
    Adding provider '/usr/lib/libeTPkcs11.so' as trigger
    Please remove and insert tokens (pause for 30 seconds)
    slotevent
    slotevent
    Adding provider '/usr/lib/libeTPkcs11.so' as poll
    Please remove and insert tokens (pause for 30 seconds)
    slotevent
    Adding provider '/usr/lib/libeTPkcs11.so' as fetch
    Please remove and insert tokens (pause for 30 seconds)
    slotevent
    slotevent
    slotevent
    Terminating pkcs11-helper
    Terminating pkcs11-helper
    PASS: test-slotevent
    ==================
    All 1 tests passed
    ==================
    make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
    make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
    make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
    make[2]: Nothing to be done for `check-am'.
    make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
    make[1]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
    make[1]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05'
    make[1]: Nothing to be done for `check-am'.
    make[1]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05'
    
    analon:/usr/local/src/Aladdin/pkcs11-helper-1.05 (2)
    $ 
    
  • > make check
    make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
    Version: 00010000
    Features: 000001fd
    Initializing pkcs11-helper
    Registering pkcs11-helper hooks
    Adding provider '/usr/local/lib/libetpkcs11.so'
    Terminating pkcs11-helper
    PASS: test-basic
    ==================
    All 1 tests passed
    ==================
    make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
    make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
    Making check in test-certificate
    make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
    make  check-TESTS
    make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
    Initializing pkcs11-helper
    Registering pkcs11-helper hooks
    Adding provider '/usr/local/lib/libetpkcs11.so'
    Please remove all tokens, press <Enter>:
    Enumerating token certificate (list should be empty, no prompt)
    Please insert token, press <Enter>:
    Getting certificate cache, should be available certificates
    Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
    Please remove token, press <Enter>:
    Getting certificate cache, should be similar to last
    Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
    Creating certificate context
    Perforing signature #1 (you should be prompt for token and PIN)
    Please insert token 'Phil-Prod' 'ok' or 'cancel': ok
    Please enter 'Phil-Prod' PIN or 'cancel':
    Perforing signature #2 (you should NOT be prompt for anything)
    Please remove and insert token, press <Enter>:
    Perforing signature #3 (you should be prompt only for PIN)
    Perforing signature #4 (you should NOT be prompt for anything)
    Terminating pkcs11-helper
    PASS: test-certificate
    ==================
    All 1 tests passed
    ==================
    make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
    make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
    Making check in test-slotevent
    make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-slotevent'
    if gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../../include    -g -O2   -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function -MT test-slotevent.o -MD -MP -MF ".deps/test-slotevent.Tpo" -c -o test-slotevent.o test-slotevent.c; \
    then mv -f ".deps/test-slotevent.Tpo" ".deps/test-slotevent.Po"; else rm -f ".deps/test-slotevent.Tpo"; exit 1; fi
    /bin/sh ../../libtool --tag=CC --mode=link gcc  -g -O2   -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function   -o test-slotevent  test-slotevent.o ../../lib/libpkcs11-helper.la -lpthread -ldl  -lssl -lcrypto -ldl
    mkdir .libs
    gcc -g -O2 -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function -o .libs/test-slotevent test-slotevent.o  ../../lib/.libs/libpkcs11-helper.so -lpthread -lssl -lcrypto -ldl -Wl,--rpath -Wl,/usr/local/depot/pkcs11-helper-1.02/lib
    creating test-slotevent
    make  check-TESTS
    make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-slotevent'
    Initializing pkcs11-helper
    Registering pkcs11-helper hooks
    Adding provider '/usr/local/lib/libetpkcs11.so' as trigger
    slotevent
    Please remove and insert tokens (pause for 30 seconds)
    slotevent
    slotevent
    # This test hangs here.
    
  • The problem with test-slotevent is that pkcs11h_removeProvider(TEST_PROVIDER), called after the trigger test, never returns.
  • Seems to work with ssh if you compile with --disable-threads --disable-slotevent.
  • --with-test-log-level=5 enables max debugging from tests.
  • Debugging with pkcs11-spy
    • ./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/pkcs11-spy.so --with-test-log-level=5
    • PKCS11SPY=/usr/local/lib/libetpkcs11.so ./test-slotevent

OpenSSL

  • See README.ENGINE in the OpenSSL distribution
  • Specify key: key, id_key
  • (engine_pkcs11.c) supported formats: <id>, <slot>:<id>, id_<id>, slot_<slot>-id_<id>
  • Aladdin PKCS#11 module and pkcs11 engine:

    # Removed -pre PIN:1111 since the user will be prompted.
    # Note: key ID obtained with pkcs11-tool --list-objects --module=/usr/local/lib/libetpkcs11.so
    #
    $ openssl
    OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libetpkcs11.so -pre VERBOSE
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/local/lib/libetpkcs11.so
    [Success]: VERBOSE
    Loaded: (pkcs11) pkcs11 engine
    OpenSSL>

    # Verify that the engine is available
    OpenSSL> engine pkcs11 -t
    (pkcs11) pkcs11 engine
    initializing engine
    [ available ]
    OpenSSL>

    # Show engine capabilities
    OpenSSL> engine -vvvv -c pkcs11
    (pkcs11) pkcs11 engine
    [RSA, DSA, DH, RAND]
    SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
    (input flags): STRING
    MODULE_PATH: Specifies the path to the pkcs11 module shared library
    (input flags): STRING
    PIN: Specifies the pin code
    (input flags): STRING
    VERBOSE: Print additional details
    (input flags): NO_INPUT
    QUIET: Remove additional details
    (input flags): NO_INPUT
    LOAD_CERT_CTRL: Get the certificate from card
    (input flags): [Internal]

    OpenSSL> req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
    engine "pkcs11" set.
    Looking in slot 0 for key: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Found 1 slot
    0 AKS ifdh 00 00 uninitialized, login (Phil PKCS#11)
    Found slot: AKS ifdh 00 00
    Found token: Phil PKCS#11
    Found 1 certificate:
    1 (eTCAPI) Phillip E Benchoff's Thawte Consulting (Pty) Ltd. ID (/SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@vt.edu)
    PKCS#11 token PIN:
    Found 1 key:
    1 P eTCAPI private key
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    ef:2a:cf:e3:96:98:d6:c6
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: CN=Phil
    Validity
    Not Before: Sep 30 15:00:09 2006 GMT
    Not After : Oct 30 15:00:09 2006 GMT
    Subject: CN=Phil
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
    Modulus (1024 bit):
    00:d0:07:5a:a0:77:de:a4:54:d0:6b:8a:00:ec:57:
    60:04:a4:7e:f1:dc:3c:33:c7:27:52:94:1d:d6:c4:
    df:b0:5d:23:fa:99:44:f7:fa:92:6b:16:bc:f7:de:
    8d:9f:b8:83:f6:a8:12:fd:23:bc:19:0e:ef:7d:f0:
    5e:e1:a1:f7:29:ac:8e:c8:37:7f:fa:4c:ee:b1:71:
    9f:20:69:0f:c3:8a:2b:3a:45:78:7f:df:ae:19:26:
    d8:89:53:8d:c8:f6:40:ae:d2:13:c5:55:ec:e9:99:
    d4:bc:ae:25:a6:92:76:6b:9a:fc:5b:1c:94:e9:4a:
    9c:9c:fb:50:95:89:24:76:f1
    Exponent: 65537 (0x10001)
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    1A:34:31:F0:B1:BF:62:B9:01:1A:85:AC:A4:F4:38:CF:54:FD:ED:BF
    X509v3 Authority Key Identifier:
    keyid:1A:34:31:F0:B1:BF:62:B9:01:1A:85:AC:A4:F4:38:CF:54:FD:ED:BF
    DirName:/CN=Phil
    serial:EF:2A:CF:E3:96:98:D6:C6

    X509v3 Basic Constraints:
    CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    02:23:7a:a4:7d:fd:c7:7e:19:1d:06:66:99:72:0f:dc:b9:d3:
    15:a8:6f:de:ed:98:da:5e:68:98:05:a2:9f:28:b4:37:92:8c:
    5c:9d:05:ad:7b:3b:7b:aa:7a:6f:4d:cf:c4:ee:93:e6:f5:59:
    a7:00:29:9f:a1:74:77:fe:88:8b:ab:d6:3a:cb:b0:c0:01:c9:
    f4:b0:ea:da:28:6c:61:af:aa:7d:6f:18:bf:0b:63:4b:50:44:
    ee:f1:fa:50:96:a6:34:ae:42:b2:60:7d:fc:97:de:43:ac:8f:
    38:8d:7b:05:3b:b0:7a:60:18:8b:97:1e:08:3d:b0:8f:bd:aa:
    fb:b1

    # The second attempt fails
    OpenSSL> req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
    engine "pkcs11" set.
    Looking in slot 0 for key: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Found 1 slot
    0 AKS ifdh 00 00 uninitialized, login (Phil PKCS#11)
    Found slot: AKS ifdh 00 00
    Found token: Phil PKCS#11
    Found 1 certificate:
    1 (eTCAPI) Phillip E Benchoff's Thawte Consulting (Pty) Ltd. ID (/SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@vt.edu)
    Login failed
    PKCS11_get_private_key returned NULL
    unable to load Private Key
    1497:error:80005100:Vendor defined:PKCS11_login:User already logged in:p11_slot.c:143:
    1497:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:117:
    error in req
    OpenSSL>

    ##################################################
    # Things that don't work yet
    ##################################################
    #
    # Token does not blink, works with or without the token.
    OpenSSL> rand -engine pkcs11 -base64 25
    engine "pkcs11" set.
    +9kYy0ESW0uDK437BPTnV3G76u3/L/q10g==
    OpenSSL>

    # Just testing
    x509 -engine pkcs11 -in id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -noout -text

    req -engine pkcs11 -new -key id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"

    req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"

    OpenSSL> x509 -engine pkcs11 -noout -text
    OpenSSL> x509 -engine pkcs11 -in 1 -inform engine -text -noout

  • engine_pkcs11 and opensc pkcs11 module

    $ openssl
    OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so -pre VERBOSE
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
    [Success]: VERBOSE
    Loaded: (pkcs11) pkcs11 engine
    #
    #
    #
    OpenSSL> engine pkcs11 -t
    (pkcs11) pkcs11 engine
    initializing engine
    card-cardos.c:225:cardos_check_sw: file not found
    iso7816.c:458:iso7816_select_ returning with: File not found
    card-cardos.c:401:cardos_select_ returning with: File not found
    card.c:563:sc_select_ returning with: File not found
    pkcs15-postecert.c:336:sc_pkcs15emu_postecert_init: Failed to initialize Postecert and Cnipa emulation: Unsupported card
    card-cardos.c:225:cardos_check_sw: file not found
    iso7816.c:458:iso7816_select_ returning with: File not found
    card-cardos.c:401:cardos_select_ returning with: File not found
    card.c:563:sc_select_ returning with: File not found
    card-cardos.c:225:cardos_check_sw: file not found
    iso7816.c:463:iso7816_select_ returning with: File not found
    card-cardos.c:401:cardos_select_ returning with: File not found
    card.c:563:sc_select_ returning with: File not found
    [ available ]
    #
    #
    #
    OpenSSL> engine -vvvv -c pkcs11
    (pkcs11) pkcs11 engine
    [RSA, DSA, DH, RAND]
    SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
    (input flags): STRING
    MODULE_PATH: Specifies the path to the pkcs11 module shared library
    (input flags): STRING
    PIN: Specifies the pin code
    (input flags): STRING
    VERBOSE: Print additional details
    (input flags): NO_INPUT
    QUIET: Remove additional details
    (input flags): NO_INPUT
    LOAD_CERT_CTRL: Get the certificate from card
    (input flags): [Internal]
    OpenSSL>
    #
    #
    #
    #
    # Token does blink, works with or without the token though.
    OpenSSL> rand -engine pkcs11 -base64 25
    engine "pkcs11" set.
    #
    #
    # Just testing
    #
    x509 -engine pkcs11 -in id_45 -keyform engine -noout -text
    # similar results to aladdin middleware
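The selectors used in the sessions above (the CKA_ID passed to `pkcs11-tool --read-object` in the OpenSC section, and the `slot_<slot>-id_<id>` key spec that engine_pkcs11 accepts) are taken by hand from `pkcs11-tool --list-objects` output. As an added example that is not part of the original page or of the OpenSC project, this POSIX sh script extracts them from such a listing (a constructed copy of the page's own output), validates the ID before it is spliced into a command line, and decodes it; it assumes only sh, awk and printf.

```shell
#!/bin/sh
# Added example, not from the original page: pull the object selectors the
# page's later commands need out of a `pkcs11-tool --list-objects` listing.
# Assumptions: POSIX sh + awk; the listing format is the one shown on the
# page (a "<Kind> Object..." header line followed by "label:"/"ID:" lines).

# Constructed sample, copied from the page's own `--list-objects --login`
# output. In real use replace this function with:
#   pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-objects --login
sample_listing() {
    cat <<'EOF'
Please enter User PIN:
Certificate Object, type = X.509 cert
  label:      (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
  label:      eTCAPI public key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      eTCAPI private key
  ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
  Usage:      decrypt, sign, unwrap
EOF
}

# Print the hex CKA_ID of the first object whose header starts with $1
# ("Certificate", "Public Key" or "Private Key"). Listing is read on stdin.
# Exit status 1 when no such object is listed.
object_id() {
    awk -v kind="$1" '
        /^[A-Za-z ]+ Object[,;]/ { want = (index($0, kind " Object") == 1) }
        want && $1 == "ID:"      { print $2; found = 1; exit }
        END                      { exit !found }
    '
}

# Build the key selector engine_pkcs11 understands (one of the supported
# formats listed above): slot_<slot>-id_<id>.
engine_key_spec() {
    printf 'slot_%s-id_%s\n' "$1" "$2"
}

# Reject anything that is not a non-empty, even-length hex string before it
# goes into a command line or the decoder below.
is_hex_id() {
    case $1 in
        '' | *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Decode a hex CKA_ID to ASCII. The eToken IDs on this page are not random
# bytes: they decode to a GUID-style string, apparently the CAPI container
# name behind the "(eTCAPI)" objects. (Bytes that decode to a newline would
# be dropped by the command substitution; none occur in such IDs.)
hex_to_ascii() {
    is_hex_id "$1" || return 1
    hex=$1 out=""
    while [ -n "$hex" ]; do
        rest=${hex#??}              # everything after the first byte
        pair=${hex%"$rest"}         # the first byte (two hex digits)
        out="$out$(printf "\\$(printf '%03o' "0x$pair")")"
        hex=$rest
    done
    printf '%s\n' "$out"
}

# Worked run over the sample: private-key ID -> engine key spec and decoded
# form, certificate ID -> the --read-object command line from the page.
demo() {
    key_id=$(sample_listing | object_id 'Private Key') || return 1
    is_hex_id "$key_id" || return 1
    echo "engine key: $(engine_key_spec 0 "$key_id")"
    echo "decoded id: $(hex_to_ascii "$key_id")"
    cert_id=$(sample_listing | object_id 'Certificate') || return 1
    echo "pkcs11-tool --module=/usr/local/lib/libetpkcs11.so --type cert --id $cert_id --output-file phil.cert --read-object"
}
demo
```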

Global Platform

Global Platform Library

gpshell

http://sourceforge.net/projects/globalplatform/

  • Make sure pkg-config --libs libpcsclite works.
  • ./configure --prefix=/usr/local/depot/gpshell-1.3.1
  • make
  • make install

Sectok
