Friday, 26 October 2012

Smartcards (HST) and Ubuntu 12.04 Linux

This summarizes a partial success with using a smartcard under Linux.

Ubuntu workarounds:

I had problems getting the reader detected by the system. In the end, running pcscd in the foreground in debug mode at least seemed to work (as root):
bash> sudo pcscd -f -d
As a first check, try listing the readers:
bash> opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             SCM SCR 3310 [CCID Interface] 00 00
Then check the supported algorithms:
bash> opensc-tool --list-algorithms
Using reader with a card: SCM SCR 3310 [CCID Interface] 00 00
Algorithm: rsa
Key length: 1024
Flags: padding ( pkcs1 ) hashes ( sha1 )

Algorithm: rsa
Key length: 2048
Flags: padding ( pkcs1 ) hashes ( sha1 )

Certificates:

First check the available certificates:

bash> pkcs15-tool -c

Then extract, e.g., the certificate with ID=48 (the Root CA in my case):
bash> pkcs15-tool -r 48 > vrkrootca.pem
To convert it from PEM/Base64 to plain binary (DER):
bash> grep -v "CERTIFICATE" vrkrootca.pem | base64 -d > vrkrootca.crt
To cross-check that everything is as it should be, the same certificate can be downloaded from the Internet and compared. The certificate is installed in Firefox simply by opening the file.

Public keys:

Available keys can be listed with:
bash> pkcs15-tool --list-keys
My HST card had two private RSA keys; their public keys can be extracted in SSH format with:
bash> pkcs15-tool --read-ssh-key 45
bash> pkcs15-tool --read-ssh-key 46
The public key can be used for SSH as follows:
  • Extract the public SSH key (see above)
  • Add it to ~/.ssh/authorized_keys on the destination host with the correct options prefix, e.g.,
    from="*" ssh-rsa AAA...
  • Log in to the remote host with the smartcard:
    bash> ssh -I /usr/lib/opensc-pkcs11.so user@remote.host.org
Note that ssh-add did not seem to work under Ubuntu at the time, at least not for me.

Cryptographic Mechanisms:

bash> pkcs11-tool -M --module /usr/lib/opensc-pkcs11.so
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  RSA-X-509, keySize={1024,2048}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,2048}, sign, verify
  MD5-RSA-PKCS, keySize={1024,2048}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,2048}, sign, verify 

Computing a hash (digest):

bash> pkcs11-tool --module /usr/lib/opensc-pkcs11.so --hash -m MD5 \
       --input-file readme --output-file readme.md5
The 16-byte result can be compared with the output of the md5sum utility:
bash> od -x -t x1 readme.md5
bash> md5sum readme

Signing a hash:

bash> for i in RSA-X-509 RSA-PKCS SHA1-RSA-PKCS SHA256-RSA-PKCS \
           MD5-RSA-PKCS RIPEMD160-RSA-PKCS ; do
       pkcs11-tool --module /usr/lib/opensc-pkcs11.so --sign -m $i \
         --input-file readme --output-file readme.sign-$i
      done
Note that all except RSA-X-509 seemed to work (2012-10-26/Ubuntu 12.04).
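What the card actually signs under each mechanism in the loop above, reproduced in software as an added example (not from the original post): RSA-PKCS only pads the caller's bytes with PKCS#1 v1.5, while SHA1-RSA-PKCS and SHA256-RSA-PKCS hash the input and prepend the DigestInfo first. The key pair is a constructed, trivially factorable stand-in for the card's key, and the "readme" contents are constructed bytes.

```python
import hashlib
# DigestInfo prefixes from RFC 8017, section 9.2: DER AlgorithmIdentifier + OCTET STRING header.
DIGEST_INFO = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def toy_keypair():
    """Software stand-in for the card's key (constructed from Mersenne primes; trivially factorable, illustration only)."""
    p, q, e = (1 << 521) - 1, (1 << 607) - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def emsa_pkcs1_v15(k, t):
    """EMSA-PKCS1-v1_5 block for a k-byte modulus: 00 01 FF..FF 00 || T."""
    if len(t) > k - 11:
        raise ValueError("input too long for RSA-PKCS padding")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rsa_pkcs(key, data):
    """Mechanism RSA-PKCS: the token pads whatever bytes it is given and signs them."""
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(k, data), "big"), d, n).to_bytes(k, "big")

def sign_hash_rsa_pkcs(key, data, hash_name):
    """Mechanism <HASH>-RSA-PKCS: the token hashes, prepends DigestInfo, then does RSA-PKCS."""
    return sign_rsa_pkcs(key, DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest())

def verify_hash_rsa_pkcs(pub, data, sig, hash_name):
    """Standard PKCS#1 v1.5 verification, as openssl dgst -verify would do it."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == emsa_pkcs1_v15(k, DIGEST_INFO[hash_name] + hashlib.new(hash_name, data).digest())

def demo():
    """Constructed bytes stand in for the blog's 'readme' file. Returns three booleans."""
    readme = b"constructed sample file contents\n"
    key = toy_keypair()
    pub = key[:2]
    # 1. SHA1-RSA-PKCS over the file equals RSA-PKCS over the pre-built DigestInfo || SHA-1(file).
    digest_info = DIGEST_INFO["sha1"] + hashlib.sha1(readme).digest()
    same = sign_rsa_pkcs(key, digest_info) == sign_hash_rsa_pkcs(key, readme, "sha1")
    # 2. That signature verifies as an ordinary SHA-1 PKCS#1 v1.5 signature.
    good = verify_hash_rsa_pkcs(pub, readme, sign_hash_rsa_pkcs(key, readme, "sha1"), "sha1")
    # 3. RSA-PKCS over the raw file (as in the loop above) is padded file bytes, not a signature a standard verifier accepts.
    raw = verify_hash_rsa_pkcs(pub, readme, sign_rsa_pkcs(key, readme), "sha1")
    return same, good, raw
```

Consequently a file signed with `-m RSA-PKCS` verifies with `openssl dgst -sha1 -verify` only if the input file already holds DigestInfo || SHA-1(file); the `SHA1-RSA-PKCS` output verifies directly against the raw file.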

Others and Links

  • pkcs15-tool --list-pins lists the PIN objects on the card
  • HST pages at linux.fi can be useful
  • Similarly, www.fineid.fi