Gemalto .NET on Linux

The Card

• Gemalto .NET v2.0
  • Windows and Mac downloads
  • Technical Documents
    • .NET PKCS#11 libraries for Linux User Guide
• ATR: 3b:16:96:41:73:74:72:69:64
• 1024 or 2048-bit RSA, MD5, SHA1, SHA256
• Device Administration Service (DAS) - The card can be managed with a web app.
  • User Administration - change pin, install and remove certs. This application requires a browser plugin.
• Reader: idVendor=08e6, idProduct=3437 ( CCID reader supported by ccid-1.4.0-2.fc14)

The Software

Test System

• Fedora 14
• Boost 1.46.1 installed from source
• Required: pcsc-lite, pcsc-lite-devel
• Useful: opensc (for pkcs11-tool), pkcs11-dump

Distribution

• Linux_P11DotNET.zip
  • General_Public_License_v21.txt
  • PKCS#11_Libs_.NET_Linux_User_Guide.pdf
  • Release_Notes_Linux.pdf
  • Gemalto.NET.PKCS11.v2.2.0.9.Linux.zip
    • libgtop11dotnet-2.2.0.9.tar.gz - this is the actual source
    • run_compile_Customer.sh - build script that was not used

Build

• Unzip/untar everything.
• Build directory: Linux_P11DotNET/Gemalto.NET.PKCS11.v2.2.0.9.Linux/libgtop11dotnet-2.2.0.9.
• ./configure include your usual options
• make
• make install
• The end result is the installation of libgtop11dotnet.so, the PKCS#11 provider.
• Note: In spite of the way run_compile_Customer.sh is written, the above procedure seemed to find the boost components it needed.
• Config: ~/.config/Gemalto/DotNet PKCS11/Gemalto.NET.PKCS11.ini
• Cache: ~/.cache/Gemalto/DotNet PKCS11/
• Log: /tmp/Gemalto/DotNet PKCS11/

Usage

• PKCS#11 pkcs11-tool --change-pin faled
• Did change pin with Firefox and SConnect plugin
• Create 2048-bit RSA key pair, login with SSH

# Syslog when the reader is connected
kernel: [6746106.503427] usb 1-4.3: New USB device found, idVendor=08e6, idProduct=3437
kernel: [6746106.503436] usb 1-4.3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
kernel: [6746106.503440] usb 1-4.3: Product: USB SmartCard Reader
kernel: [6746106.503444] usb 1-4.3: Manufacturer: Gemplus

# Make sure the reader is seen.
$ opensc-tool  --list-readers
Readers known about:
Nr.    Driver     Name
0      pcsc       Gemalto GemPC Twin 00 00

# Make sure you can talk to the card
$ opensc-tool --atr
Using reader with a card: Gemalto GemPC Twin 00 00
3b:16:96:41:73:74:72:69:64

# Note: The light on the reader blinks when there is no card.
#       The light is on solid when the card is inserted.

# Note: There is no OpenSC driver for this card.  Beyond getting the ATR,
#       there is little you can do with opensc-tool.

# Generate a key pair for use with SSH
pkcs11-tool --module /usr/local/lib/pkcs11/libgtop11dotnet.so \
            --keypairgen --key-type rsa:2048  \
            --login \
            --label "benchoff-ssh-gemalto" --id 20111104

Questions

• OpenSC driver?
• Public link for source?
• Can an individual personalize his own card?
• Developer's forum?
• Marshaller? "Stub APIs that allows a direct access to the card."