View Source

Drivers, tools, and libraries for Unix.

Most of these tools do not have to be built from source on current Linux distributions.

OpenCT

OpenCT provides drivers for smart card readers and makes them available via the CT-API or as a PC/SC-Lite ifdhandler. You don't really need this to use the eToken on Linux and build instructions are included here just for completeness.

OpenCT 0.6.14 on Mandriva 2006

OpenCT
Make sure pkg-config --libs libpcsclite works.
LIBUSB_CFLAGS=`libusb-config --cflags` LIBUSB_LIBS=`libusb-config --libs` PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/openct-0.6.14 --with-bundle-dir=/usr/local/pcsc/drivers

OpenCT has been configured with the following options

Version: 0.6.9
User binaries: /usr/local/depot/openct-0.6.9/bin
Configuration files: /usr/local/depot/openct-0.6.9/etc

Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -Wall -g -O2
Preprocessor flags: -I${top_builddir}/src/include -I${top_srcdir}/src/include
Linker flags:
Libraries: -lpthread

PC/SC support: yes
Libusb used: yes

Without libusb coldplugging will not work.
To use usb devices, your hotplugging needs to be
configured and you need to plug in any device
after the system has started (i.e. the init script ran)

make
make install

Testing/Use

Note: To run OpenCT with the Aladdin eToken, don't start the Aladdin eToken services.
Files
- libopenctapi.so - a shared object in CT-API format, you can use this with every ct-api aware application.
- openct-ifd.so – a shared obejct in Ifdhandler v2 format, to be used by pcsc-lite as reader.
If you want Aladdin tokens supported by PCSC, remove Aladdin tokens from /usr/local/pcsc/drivers/openct-ifd.bundle/Contents/Info.plist

OpenSC

OpenSC provides an API to access smart cards. It can deal with both PCSC and OpenCT readers as well as PKCS#11 providers. For use with the eToken, pkcs11-tool and cardos-info are quite useful. OpenSC is also required for building other useful components of the OpenSC project.

OpenSC formatted cards use PKCS#15 and are widely supported on Unix. An eToken formatted with the FIPS option will not allow you to create the PKCS#15 application.

OpenSC 0.11.4 on Mandriva 2006

OpenSC
Note: Uses libassuan.
Make sure pkg-config --libs libpcsclite openssl libopenct works.
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/opensc-0.11.4 --mandir=/usr/local/depot/opensc-0.11.4/man

OpenSC has been configured with the following options

Version:             0.11.4
User binaries:       /usr/local/depot/opensc-0.11.4/bin
Configuration files: /usr/local/depot/opensc-0.11.4/etc

Host:                i686-pc-linux-gnu
Compiler:            gcc
Compiler flags:      -Wall -fno-strict-aliasing -g -O2
Preprocessor flags:  -I${top_builddir}/src/include
Linker flags:
Libraries:           -lpthread  -lz

OpenSSL support:          yes
PC/SC support:            yes
OpenCT support:           yes
Assuan support:           yes    #PB: important for gpg
NSPlugin support:         yes

Note: expects opensc.conf in /usr/local/depot/opensc-0.11.1/etc. Should probably be /usr/local/etc
make
make install

Testing/Use

Comment out unused readers in opensc.conf if those readers generate error messages.

# Be sure you can see the reader
$ opensc-tool --list-readers
Readers known about:
Nr. Driver Name
0 pcsc AKS ifdh 00 00

# Read the token's ATR
$ opensc-tool -v --atr
Connecting to card in reader AKS ifdh 00 00...
Using card driver Siemens CardOS.
Card ATR:
3B E2 00 FF C1 10 31 FE 55 C8 02 9C ;.....1.U...

# List files
# Note: lots of output, only the start is shown.
$ opensc-tool -v --list-files
Connecting to card in reader AKS ifdh 00 00...
Using card driver Siemens CardOS.
3f00 type: DF, size: 3896
select[N/A] lock[CHV9] delete[NONE] create[NONE] rehab[NONE] inval[NONE] list[N/A] sec: 09:09:00:00:00:00:FF:00
prop: 01:04:00

3f006666 [AKS] type: DF, size: 3896
select[N/A] lock[CHV5] delete[NEVR] create[CHV1] rehab[NEVR] inval[NEVR] list[N/A] sec: FF:05:01:FF:FF:FF:FF:01
prop: 01:01:00

3f0066661000 type: DF, size: 3896
select[N/A] lock[CHV1] delete[NEVR] create[CHV1] rehab[NEVR] inval[NEVR] list[N/A] sec: FF:01:01:FF:FF:FF:FF:01
prop: 01:00:40

3f00666610000001 type: wEF, ef structure: transpnt, size: 11
read[NONE] update[NEVR] write[NEVR] erase[NEVR] rehab[NEVR] inval[NEVR] sec: 00
prop: 01

$ cardos-info -v
Connecting to card in reader AKS ifdh 00 00...
Using card driver Siemens CardOS.
Info : CardOS/M4.0 (C) Siemens AG 1994-1999 (Feb 15 2000)
Chip type: 20
Serial number: 13 bb 97 0c 19 0e
Full prom dump:
33 FF EB 31 FF FF FF FF 14 65 13 BB 97 0C 19 0E 3..1.....e......
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.2 (that's CardOS M4.0)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 671
ATR Status: 0x0 ROM-ATR
Packages installed:
01 04 0C 02 C8 02 01 04 01 01 C8 02 01 04 08 02 ................
C8 02 01 04 03 01 C8 02 01 04 0B 01 C8 02 01 04 ................
11 02 C8 02 ....
Ram size: 1024, Eeprom size: 16384, cpu type: 66, chip config: 61
Free eeprom memory: 3896
System keys: PackageLoadKey (version 0x01, retries 10)
System keys: StartKey (version 0x01, retries 10)
Path to current DF:

$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-slots
Available slots:
Slot 0 AKS ifdh 00 00
token state: uninitialized

$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --show-info
Cryptoki version 2.1
Manufacturer Aladdin Ltd.
Library eToken PKCS#11 (ver 3.60)

$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-objects
Certificate Object, type = X.509 cert
label: (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
label: eTCAPI public key
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Usage: encrypt, verify, wrap

$ pkcs11-tool --module /usr/local/lib/libetpkcs11.so --list-objects --login
Please enter User PIN:
Certificate Object, type = X.509 cert
label: (eTCAPI) Phillip E Benchoff's Virginia Polytechnic Institute and State University ID
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Public Key Object; RSA 1024 bits
label: eTCAPI public key
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: eTCAPI private key
ID: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Usage: decrypt, sign, unwrap

# Copy certificate off of token
pkcs11-tool --module=/usr/local/lib/libetpkcs11.so --type cert --id 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 --output-file phil.cert --read-object

# Usage of PKCS11-spy
$ PKCS11SPY=/usr/local/lib/libetpkcs11.so pkcs11-tool --module /usr/local/lib/pkcs11-spy.so --list-slots

*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/local/lib/libetpkcs11.so"

0: C_GetFunctionList
Returned: 0 CKR_OK

1: C_Initialize
Returned: 0 CKR_OK

2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK

3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot 0
[out] *pulCount = 0x1
Returned: 0 CKR_OK
Available slots:

4: C_GetSlotInfo
[in] slotID = 0x0
[out] pInfo:
slotDescription: 'AKS ifdh 00 00 '
' '
manufacturerID: 'Aladdin Ltd. '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 7
CKF_TOKEN_PRESENT
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK
Slot 0 AKS ifdh 00 00

5: C_GetTokenInfo
[in] slotID = 0x0
[out] pInfo:
label: 'Phil-prod '
manufacturerID: 'Aladdin Knowledge Systems Ltd. '
model: 'eToken CardOS/M4'
serialNumber: '13bb970c190e '
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 256
ulMinPinLen: 4
ulTotalPublicMemory: 16384
ulFreePublicMemory: 3896
ulTotalPrivateMemory: 16384
ulFreePrivateMemory: 3896
hardwareVersion: 3.0
firmwareVersion: 0.0
time: ' '
flags: d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
Returned: 0 CKR_OK
token state: uninitialized

6: C_Finalize
Returned: 0 CKR_OK

CardOS-info

Info on pkcs15-init problem

$ cardos-info
# VT token that can't have PKCS15 added
Info : CardOS/M4.0 (C) Siemens AG 1994-1999 (Feb 15 2000)
Chip type: 20
Serial number: 13 bb 97 0c 19 0e
Full prom dump:
33 FF EB 31 FF FF FF FF 14 65 13 BB 97 0C 19 0E 3..1.....e......
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.2 (that's CardOS M4.0)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 64
ATR Status: 0x0 ROM-ATR
Packages installed:
01 04 0C 02 C8 02 01 04 01 01 C8 02 01 04 08 02 ................
C8 02 01 04 03 01 C8 02 01 04 0B 01 C8 02 01 04 ................
11 02 C8 02                                     ....
Ram size: 1024, Eeprom size: 16384, cpu type: 66, chip config: 61
Free eeprom memory: 3896
System keys: PackageLoadKey (version 0x01, retries 10)
System keys: StartKey (version 0x01, retries 10)
Path to current DF:
66 66 10 00 ff..

# Token formated without FIPS.  Works with pkcs15-init
$ cardos-info
Info : CardOS/M4.01 (C) Siemens AG 1994-2001
Chip type: 96
Serial number: 26 13 bd 17 10 23
Full prom dump:
33 66 00 45 FF FF FF FF 60 FF 26 13 BD 17 10 23 3f.E....`.&....#
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.3 (that's CardOS M4.01)
Current life cycle: 32 (administration)
Security Status of current DF:
Free memory : 64
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 2, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 18909
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:
66 66 10 00 ff..

PKCS#15

pkcs15-init --pin 3333 --create-pkcs15 --profile pkcs15+onepin
# Did not enter a PUK when prompted.

$ pkcs15-tool --dump
PKCS#15 Card OpenSC Card:
Version : 1
Serial number : 2613BD171023
Manufacturer ID: OpenSC Project
Last update : 20061018165432Z
Flags : EID compliant

PIN User PIN
Com. Flags: 0x3
ID : 01
Flags : 0x3A, local, unblock-disabled, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8

$ pkcs15-init --generate-key "rsa/1024" --auth-id 01 --pin 3333

$ pkcs15-tool --dump
PKCS#15 Card OpenSC Card:
Version : 1
Serial number : 2613BD171023
Manufacturer ID: OpenSC Project
Last update : 20061018184537Z
Flags : EID compliant

PIN User PIN
Com. Flags: 0x3
ID : 01
Flags : 0x3A, local, unblock-disabled, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015

Private RSA Key Private Key
Com. Flags : 3
Usage : 0x4, sign
Access Flags: 0x1D, sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 16
Native : yes
Path : 3f005015
Auth ID : 01
ID : 45

Public RSA Key Public Key
Com. Flags : 2
Usage : 0x4, sign
Access Flags: 0x0
ModLength : 1024
Key ref : 0
Native : no
Path : 3f0050153048
Auth ID :
ID : 45

$ pkcs15-init --store-private-key thawte-vt-20060914.p12 --format PKCS12 --auth-id 01 --key-usage sign
error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
Please enter passphrase to unlock secret key:
Importing 3 certificates:
0: /SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@bev.net
1: /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte Personal Freemail Issuing CA
2: /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting/OU=Certification Services Division/CN=Thawte Personal Freemail CA/emailAddress=personal-freemail@thawte.com
Warning: requested key usage incompatible with key usage specified by X.509 certificate
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:
User PIN required.
Please enter User PIN:

Libp11

Libp11 is a library implementing a small layer on top of PKCS#11 API to make using PKCS#11 implementations easier. It is required by Engine_PKCS#11 and pkcs11-helper.

Part of OpenSC
Required for engine_pkcs#11
./configure --prefix=/usr/local/depot/libp11-0.2.3
make
make install

Engine_PKCS#11

Engine_pkcs11 is an implementation of an engine for OpenSSL. It allows a PKCS#11 provider to be used make a smartcard usable from OpenSSL.

Part of OpenSC
Allows SSL to use smart cards with a PKCS#11 interface.
Make sure pkg-config --libs libp11 works.
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/engine_pkcs11-0.1.4
Engine_pkcs11 has been configured with the following options

OpenSSL support: yes
with engine: yes
with sslhack: no
make
make install

pkcs11-helper

Pkcs11-helper is a library that simplifies the interaction with PKCS#11 providers for end-user applications using a simple API. It is required to use eTokens with gnupg-pkcs11-scd and ssh. It is one of the most important tools for using the eToken with unix applications.

pkcs11-helper
Used by gnupg-pkcs11
./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/libetpkcs11.so
./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/libetpkcs11.so --with-test-log-level=5
./configure --prefix=/usr/local/depot/pkcs11-helper-1.05 --enable-docs --with-test-provider=/usr/lib/libeTPkcs11.so --with-test-log-level=5

# With 4.55 RTE, tests pass
Making check in tests
make[1]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
Making check in test-basic
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
make  check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
Version: 00010500
Features: 000003f9
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/lib/libeTPkcs11.so'
Terminating pkcs11-helper
PASS: test-basic
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-basic'
Making check in test-certificate
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
make  check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/lib/libeTPkcs11.so'
Please remove all tokens, press <Enter>:
Enumerating token certificate (list should be empty, no prompt)
Please insert token, press <Enter>:
Getting certificate cache, should be available certificates
Issuer: /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Root CA on Phil-Prod
Issuer: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Virginia Tech User CA on Phil-Prod
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Please remove token, press <Enter>:
Getting certificate cache, should be similar to last
Issuer: /C=US/ST=Virginia/L=Blacksburg/O=Virginia Tech Root CA on Phil-Prod
Issuer: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Virginia Tech User CA on Phil-Prod
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Creating certificate context
Perforing signature #1 (you should be prompt for token and PIN)
Please insert token 'Phil-Prod' 'ok' or 'cancel': ok
Please enter 'Phil-Prod' PIN or 'cancel':
Perforing signature #2 (you should NOT be prompt for anything)
Please remove and insert token, press <Enter>:
Perforing signature #3 (you should be prompt only for PIN)
Please enter 'Phil-Prod' PIN or 'cancel':
Perforing signature #4 (you should NOT be prompt for anything)
Terminating pkcs11-helper
PASS: test-certificate
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-certificate'
Making check in test-slotevent
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
make  check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/lib/libeTPkcs11.so' as auto
slotevent
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
Adding provider '/usr/lib/libeTPkcs11.so' as trigger
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
Adding provider '/usr/lib/libeTPkcs11.so' as poll
Please remove and insert tokens (pause for 30 seconds)
slotevent
Adding provider '/usr/lib/libeTPkcs11.so' as fetch
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
slotevent
Terminating pkcs11-helper
Terminating pkcs11-helper
PASS: test-slotevent
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests/test-slotevent'
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
make[2]: Nothing to be done for `check-am'.
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
make[1]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05/tests'
make[1]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05'
make[1]: Nothing to be done for `check-am'.
make[1]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.05'

analon:/usr/local/src/Aladdin/pkcs11-helper-1.05 (2)
$

> make check
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
Version: 00010000
Features: 000001fd
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/local/lib/libetpkcs11.so'
Terminating pkcs11-helper
PASS: test-basic
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-basic'
Making check in test-certificate
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
make  check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/local/lib/libetpkcs11.so'
Please remove all tokens, press <Enter>:
Enumerating token certificate (list should be empty, no prompt)
Please insert token, press <Enter>:
Getting certificate cache, should be available certificates
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Please remove token, press <Enter>:
Getting certificate cache, should be similar to last
Certificate: /DC=edu/DC=vt/C=US/O=Virginia Polytechnic Institute and State University/CN=Phillip E Benchoff/UID=817397/serialNumber=379 on Phil-Prod
Creating certificate context
Perforing signature #1 (you should be prompt for token and PIN)
Please insert token 'Phil-Prod' 'ok' or 'cancel': ok
Please enter 'Phil-Prod' PIN or 'cancel':
Perforing signature #2 (you should NOT be prompt for anything)
Please remove and insert token, press <Enter>:
Perforing signature #3 (you should be prompt only for PIN)
Perforing signature #4 (you should NOT be prompt for anything)
Terminating pkcs11-helper
PASS: test-certificate
==================
All 1 tests passed
==================
make[3]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
make[2]: Leaving directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-certificate'
Making check in test-slotevent
make[2]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-slotevent'
if gcc -DHAVE_CONFIG_H -I. -I. -I../.. -I../../include    -g -O2   -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function -MT test-slotevent.o -MD -MP -MF ".deps/test-slotevent.Tpo" -c -o test-slotevent.o test-slotevent.c; \
then mv -f ".deps/test-slotevent.Tpo" ".deps/test-slotevent.Po"; else rm -f ".deps/test-slotevent.Tpo"; exit 1; fi
/bin/sh ../../libtool --tag=CC --mode=link gcc  -g -O2   -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function   -o test-slotevent  test-slotevent.o ../../lib/libpkcs11-helper.la -lpthread -ldl  -lssl -lcrypto -ldl
mkdir .libs
gcc -g -O2 -Wall -Wpointer-arith -Wsign-compare -Wno-unused-parameter -Wno-unused-function -o .libs/test-slotevent test-slotevent.o  ../../lib/.libs/libpkcs11-helper.so -lpthread -lssl -lcrypto -ldl -Wl,--rpath -Wl,/usr/local/depot/pkcs11-helper-1.02/lib
creating test-slotevent
make  check-TESTS
make[3]: Entering directory `/usr2/local/src/Aladdin/pkcs11-helper-1.02/tests/test-slotevent'
Initializing pkcs11-helper
Registering pkcs11-helper hooks
Adding provider '/usr/local/lib/libetpkcs11.so' as trigger
slotevent
Please remove and insert tokens (pause for 30 seconds)
slotevent
slotevent
# This test hangs here.

The problem with test-slotevent is that the pkcs11h_removeProvider (TEST_PROVIDER)) after the trigger test never returns.
Seems to work with ssh if you compile with --disable-threads --disable-slotevent.
--with-test-log-level=5 enables max debugging from tests.
Debugging with pkcs11-spy
- ./configure --prefix=/usr/local/depot/pkcs11-helper-1.03 --enable-docs --with-test-provider=/usr/local/lib/pkcs11-spy.so --with-test-log-level=5
- PKCS11SPY=/usr/local/lib/libetpkcs11.so ./test-slotevent

OpenSSL

See README.ENGINE in the OpenSSL distribution
Specify key: key, id_key
(engine_pkcs11.c) supported formats: <id>, <slot>:<id>, id_<id>, slot_<slot>-id_<id>

Aladdin PKCS#11 module and pkcs11 engine:

# Removed -pre PIN:1111 since the user will be prompted.
# Note: key ID obtained with pkcs11-tool --list-objects --module=/usr/local/lib/libetpkcs11.so
#
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libetpkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/libetpkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
OpenSSL>

# Verify that the engine is available
OpenSSL> engine pkcs11 -t
(pkcs11) pkcs11 engine
initializing engine
[ available ]
OpenSSL>

# Show engine capabilities
OpenSSL> engine -vvvv -c pkcs11
(pkcs11) pkcs11 engine
[RSA, DSA, DH, RAND]
SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
(input flags): STRING
MODULE_PATH: Specifies the path to the pkcs11 module shared library
(input flags): STRING
PIN: Specifies the pin code
(input flags): STRING
VERBOSE: Print additional details
(input flags): NO_INPUT
QUIET: Remove additional details
(input flags): NO_INPUT
LOAD_CERT_CTRL: Get the certificate from card
(input flags): [Internal]

OpenSSL> req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
engine "pkcs11" set.
Looking in slot 0 for key: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Found 1 slot
0 AKS ifdh 00 00 uninitialized, login (Phil PKCS#11)
Found slot: AKS ifdh 00 00
Found token: Phil PKCS#11
Found 1 certificate:
1 (eTCAPI) Phillip E Benchoff's Thawte Consulting (Pty) Ltd. ID (/SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@vt.edu)
PKCS#11 token PIN:
Found 1 key:
1 P eTCAPI private key
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ef:2a:cf:e3:96:98:d6:c6
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Phil
Validity
Not Before: Sep 30 15:00:09 2006 GMT
Not After : Oct 30 15:00:09 2006 GMT
Subject: CN=Phil
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:d0:07:5a:a0:77:de:a4:54:d0:6b:8a:00:ec:57:
60:04:a4:7e:f1:dc:3c:33:c7:27:52:94:1d:d6:c4:
df:b0:5d:23:fa:99:44:f7:fa:92:6b:16:bc:f7:de:
8d:9f:b8:83:f6:a8:12:fd:23:bc:19:0e:ef:7d:f0:
5e:e1:a1:f7:29:ac:8e:c8:37:7f:fa:4c:ee:b1:71:
9f:20:69:0f:c3:8a:2b:3a:45:78:7f:df:ae:19:26:
d8:89:53:8d:c8:f6:40:ae:d2:13:c5:55:ec:e9:99:
d4:bc:ae:25:a6:92:76:6b:9a:fc:5b:1c:94:e9:4a:
9c:9c:fb:50:95:89:24:76:f1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
1A:34:31:F0:B1:BF:62:B9:01:1A:85:AC:A4:F4:38:CF:54:FD:ED:BF
X509v3 Authority Key Identifier:
keyid:1A:34:31:F0:B1:BF:62:B9:01:1A:85:AC:A4:F4:38:CF:54:FD:ED:BF
DirName:/CN=Phil
serial:EF:2A:CF:E3:96:98:D6:C6

X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
02:23:7a:a4:7d:fd:c7:7e:19:1d:06:66:99:72:0f:dc:b9:d3:
15:a8:6f:de:ed:98:da:5e:68:98:05:a2:9f:28:b4:37:92:8c:
5c:9d:05:ad:7b:3b:7b:aa:7a:6f:4d:cf:c4:ee:93:e6:f5:59:
a7:00:29:9f:a1:74:77:fe:88:8b:ab:d6:3a:cb:b0:c0:01:c9:
f4:b0:ea:da:28:6c:61:af:aa:7d:6f:18:bf:0b:63:4b:50:44:
ee:f1:fa:50:96:a6:34:ae:42:b2:60:7d:fc:97:de:43:ac:8f:
38:8d:7b:05:3b:b0:7a:60:18:8b:97:1e:08:3d:b0:8f:bd:aa:
fb:b1
----BEGIN CERTIFICATE----
MIICDDCCAXWgAwIBAgIJAO8qz+OWmNbGMA0GCSqGSIb3DQEBBQUAMA8xDTALBgNV
BAMTBFBoaWwwHhcNMDYwOTMwMTUwMDA5WhcNMDYxMDMwMTUwMDA5WjAPMQ0wCwYD
VQQDEwRQaGlsMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQB1qgd96kVNBr
igDsV2AEpH7x3DwzxydSlB3WxN+wXSP6mUT3+pJrFrz33o2fuIP2qBL9I7wZDu99
8F7hofcprI7IN3/6TO6xcZ8gaQ/Diis6RXh/364ZJtiJU43I9kCu0hPFVezpmdS8
riWmknZrmvxbHJTpSpyc+1CViSR28QIDAQABo3AwbjAdBgNVHQ4EFgQUGjQx8LG/
YrkBGoWspPQ4z1T97b8wPwYDVR0jBDgwNoAUGjQx8LG/YrkBGoWspPQ4z1T97b+h
E6QRMA8xDTALBgNVBAMTBFBoaWyCCQDvKs/jlpjWxjAMBgNVHRMEBTADAQH/MA0G
CSqGSIb3DQEBBQUAA4GBAAIjeqR9/cd+GR0GZplyD9y50xWob97tmNpeaJgFop8o
tDeSjFydBa17O3uqem9Nz8Tuk+b1WacAKZ+hdHf+iIur1jrLsMAByfSw6toobGGv
qn1vGL8LY0tQRO7x+lCWpjSuQrJgffyX3kOsjziNewU7sHpgGIuXHgg9sI+9qvux
----END CERTIFICATE---

# The second attempt fails
OpenSSL> req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"
engine "pkcs11" set.
Looking in slot 0 for key: 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
Found 1 slot
0 AKS ifdh 00 00 uninitialized, login (Phil PKCS#11)
Found slot: AKS ifdh 00 00
Found token: Phil PKCS#11
Found 1 certificate:
1 (eTCAPI) Phillip E Benchoff's Thawte Consulting (Pty) Ltd. ID (/SN=Benchoff/GN=Phillip E/CN=Phillip E Benchoff/emailAddress=benchoff@vt.edu)
Login failed
PKCS11_get_private_key returned NULL
unable to load Private Key
1497:error:80005100:Vendor defined:PKCS11_login:User already logged in:p11_slot.c:143:
1497:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:117:
error in req
OpenSSL>

##################################################
# Thiings that don't work yet
##################################################
#
# Token does not blink, works with or without the token.
OpenSSL> rand -engine pkcs11 -base64 25
engine "pkcs11" set.
+9kYy0ESW0uDK437BPTnV3G76u3/L/q10g==
OpenSSL>

# Just testing
x509 -engine pkcs11 -in id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -noout -text

req -engine pkcs11 -new -key id_39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"

req -engine pkcs11 -new -key 39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30 -keyform engine -text -x509 -subj "/CN=Phil"

OpenSSL> x509 -engine pkcs11 -noout -text
OpenSSL> x509 -engine pkcs11 -in 1 -inform engine -text -noout

engine_pkcs11 and opensc pkcs11 module

$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so -pre VERBOSE
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
[Success]: VERBOSE
Loaded: (pkcs11) pkcs11 engine
#
#
#
OpenSSL> engine pkcs11 -t
(pkcs11) pkcs11 engine
initializing engine
card-cardos.c:225:cardos_check_sw: file not found
iso7816.c:458:iso7816_select_ returning with: File not found
card-cardos.c:401:cardos_select_ returning with: File not found
card.c:563:sc_select_ returning with: File not found
pkcs15-postecert.c:336:sc_pkcs15emu_postecert_init: Failed to initialize Postecert and Cnipa emulation: Unsupported card
card-cardos.c:225:cardos_check_sw: file not found
iso7816.c:458:iso7816_select_ returning with: File not found
card-cardos.c:401:cardos_select_ returning with: File not found
card.c:563:sc_select_ returning with: File not found
card-cardos.c:225:cardos_check_sw: file not found
iso7816.c:463:iso7816_select_ returning with: File not found
card-cardos.c:401:cardos_select_ returning with: File not found
card.c:563:sc_select_ returning with: File not found
[ available ]
#
#
#
OpenSSL> engine -vvvv -c pkcs11
(pkcs11) pkcs11 engine
RSA, DSA, DH, RAND
SO_PATH: Specifies the path to the 'pkcs11-engine' shared library
(input flags): STRING
MODULE_PATH: Specifies the path to the pkcs11 module shared library
(input flags): STRING
PIN: Specifies the pin code
(input flags): STRING
VERBOSE: Print additional details
(input flags): NO_INPUT
QUIET: Remove additional details
(input flags): NO_INPUT
LOAD_CERT_CTRL: Get the certificate from card
(input flags): Internal
OpenSSL>
#
#
#
#
# Token does blink, works with or without the token though.
OpenSSL> rand -engine pkcs11 -base64 25
engine "pkcs11" set.
#
#
# Just testing
#
x509 -engine pkcs11 -in id_45 -keyform engine -noout -text
# similar results to aladdin middleware

Global Platform

Global Platform Library

http://sourceforge.net/projects/globalplatform/
Make sure pkg-config --libs libpcsclite works.
./configure --prefix=/usr/local/depot/globalplatform-3.0.2
make
{{make install}

gpshell

http://sourceforge.net/projects/globalplatform/

Make sure pkg-config --libs libpcsclite works.
./configure --prefix=/usr/local/depot/gpshell-1.3.1
make
{{make install}

Sectok

Sectok-