Difference between revisions of "PKCS11 token usage with opensc"
Jump to navigation
Jump to search
m (Mtausig moved page PKCS to PKCS11 token usage with opensc without leaving a redirect) |
(Explain token initialization and opensc update) |
||
| Line 6: | Line 6: | ||
* Operating system: Ubuntu 18.04 bionic amd64 | * Operating system: Ubuntu 18.04 bionic amd64 | ||
* Packages: opensc opensc-pkcs11 | * Packages: opensc >= 0.18 opensc-pkcs11 | ||
== Description == | == Description == | ||
| Line 16: | Line 16: | ||
* Default User PIN: 12345678 | * Default User PIN: 12345678 | ||
* Default SO PIN: entersafe | * Default SO PIN: entersafe | ||
=== Install opensc-0.18 === | |||
To install opensc-0.18 on Ubuntu 18.04 download the three source package files from https://packages.ubuntu.com/cosmic/opensc and store them in a build folder. Then run | |||
$ dpkg-source -x opensc_0.18.0-3ubuntu2.dsc | |||
gpgv: Signature made Tue 10 Jul 2018 14:45:55 CEST | |||
gpgv: using RSA key 92978A6E195E4921825F7FF0F34F09744E9F5DD9 | |||
gpgv: Can't check signature: No public key | |||
dpkg-source: warning: failed to verify signature on ./opensc_0.18.0-3ubuntu2.dsc | |||
dpkg-source: info: extracting opensc in opensc-0.18.0 | |||
dpkg-source: info: unpacking opensc_0.18.0.orig.tar.gz | |||
dpkg-source: info: unpacking opensc_0.18.0-3ubuntu2.debian.tar.xz | |||
dpkg-source: info: applying ppc64el-fix.patch | |||
$ cd opensc-0.18.0 | |||
$ dpkg-buildpackage | |||
dpkg-buildpackage: info: source package opensc | |||
dpkg-buildpackage: info: source version 0.18.0-3ubuntu2 | |||
[...] | |||
dpkg-deb: building package 'opensc-pkcs11' in '../opensc-pkcs11_0.18.0-3ubuntu2_amd64.deb'. | |||
dpkg-deb: building package 'opensc' in '../opensc_0.18.0-3ubuntu2_amd64.deb'. | |||
dpkg-deb: building package 'opensc-dbgsym' in 'debian/.debhelper/scratch-space/build-opensc/opensc-dbgsym_0.18.0-3ubuntu2_amd64.deb'. | |||
dpkg-deb: building package 'opensc-pkcs11-dbgsym' in 'debian/.debhelper/scratch-space/build-opensc-pkcs11/opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.deb'. | |||
Renaming opensc-dbgsym_0.18.0-3ubuntu2_amd64.deb to opensc-dbgsym_0.18.0-3ubuntu2_amd64.ddeb | |||
Renaming opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.deb to opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.ddeb | |||
dpkg-genbuildinfo | |||
dpkg-genchanges >../opensc_0.18.0-3ubuntu2_amd64.changes | |||
dpkg-genchanges: info: not including original source code in upload | |||
dpkg-source --after-build opensc-0.18.0 | |||
dpkg-buildpackage: info: binary and diff upload (original source NOT included) | |||
signfile opensc_0.18.0-3ubuntu2.dsc | |||
gpg: skipped "Gianfranco Costamagna <locutusofborg@debian.org>": No secret key | |||
gpg: dpkg-sign.HSiUXvK2/opensc_0.18.0-3ubuntu2.dsc: clear-sign failed: No secret key | |||
dpkg-buildpackage: error: failed to sign .dsc file | |||
$ sudo dpkg --install ../opensc_0.18.0-3ubuntu2_amd64.deb ../opensc-pkcs11_0.18.0-3ubuntu2_amd64.deb | |||
(Reading database ... 526489 files and directories currently installed.) | |||
Preparing to unpack .../opensc_0.18.0-3ubuntu2_amd64.deb ... | |||
[...] | |||
=== Basic information gathering === | === Basic information gathering === | ||
| Line 30: | Line 72: | ||
(empty) | (empty) | ||
Initialise the token for usage with opensc: | |||
$ pkcs15-init --erase-card --reader "Feitian ePass2003 00 00" | |||
$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "myToken" --pin 123456 --puk 12345678 --reader "Feitian ePass2003 00 00" | |||
$ pkcs15-tool --dump --reader "Feitian ePass2003 00 00" | |||
PKCS#15 Card [myToken]: | |||
Version : 0 | |||
Serial number : 213C3C500003003D | |||
Manufacturer ID: EnterSafe | |||
Last update : 20190415150218Z | |||
Flags : EID compliant | |||
PIN [User PIN] | |||
Object Flags : [0x3], private, modifiable | |||
ID : 01 | |||
Flags : [0x32], local, initialized, needs-padding | |||
Length : min_len:4, max_len:16, stored_len:16 | |||
Pad char : 0x00 | |||
Reference : 1 (0x01) | |||
Type : ascii-numeric | |||
Path : 3f005015 | |||
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L | |||
Available slots: | |||
Slot 0 (0x0): Feitian ePass2003 00 00 | |||
token label : User PIN (myToken) | |||
token manufacturer : EnterSafe | |||
token model : PKCS#15 | |||
token flags : login required, rng, token initialized, PIN initialized | |||
hardware version : 0.0 | |||
firmware version : 0.0 | |||
serial num : 213C3C500003003D | |||
pin min/max : 4/16 | |||
== Used Hardware == | == Used Hardware == | ||
| Line 43: | Line 119: | ||
* https://github.com/OpenSC/OpenSC | * https://github.com/OpenSC/OpenSC | ||
* https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass2003 | |||
* https://linux.die.net/man/1/pkcs11-tool | * https://linux.die.net/man/1/pkcs11-tool | ||
* https://www.ftsafe.com/Products/PKI/Standard/Specification | |||
[[Category:Documentation]] | [[Category:Documentation]] | ||
Revision as of 15:05, 15 April 2019
Summary
Basic command line usage of a PKCS#11 token
Requirements
- Operating system: Ubuntu 18.04 bionic amd64
- Packages: opensc >= 0.18 opensc-pkcs11
Description
The documentation uses the Feitian ePass 2003 FIPS 140-2 Level 2 tokens which can be used with the open source project OpenSC.
The default configuration of the tokens, according to the manufacturer, is as follows:
- Default User PIN: 12345678
- Default SO PIN: entersafe
Install opensc-0.18
To install opensc-0.18 on Ubuntu 18.04 download the three source package files from https://packages.ubuntu.com/cosmic/opensc and store them in a build folder. Then run
$ dpkg-source -x opensc_0.18.0-3ubuntu2.dsc
gpgv: Signature made Tue 10 Jul 2018 14:45:55 CEST
gpgv: using RSA key 92978A6E195E4921825F7FF0F34F09744E9F5DD9
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./opensc_0.18.0-3ubuntu2.dsc
dpkg-source: info: extracting opensc in opensc-0.18.0
dpkg-source: info: unpacking opensc_0.18.0.orig.tar.gz
dpkg-source: info: unpacking opensc_0.18.0-3ubuntu2.debian.tar.xz
dpkg-source: info: applying ppc64el-fix.patch
$ cd opensc-0.18.0
$ dpkg-buildpackage
dpkg-buildpackage: info: source package opensc
dpkg-buildpackage: info: source version 0.18.0-3ubuntu2
[...]
dpkg-deb: building package 'opensc-pkcs11' in '../opensc-pkcs11_0.18.0-3ubuntu2_amd64.deb'.
dpkg-deb: building package 'opensc' in '../opensc_0.18.0-3ubuntu2_amd64.deb'.
dpkg-deb: building package 'opensc-dbgsym' in 'debian/.debhelper/scratch-space/build-opensc/opensc-dbgsym_0.18.0-3ubuntu2_amd64.deb'.
dpkg-deb: building package 'opensc-pkcs11-dbgsym' in 'debian/.debhelper/scratch-space/build-opensc-pkcs11/opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.deb'.
Renaming opensc-dbgsym_0.18.0-3ubuntu2_amd64.deb to opensc-dbgsym_0.18.0-3ubuntu2_amd64.ddeb
Renaming opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.deb to opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.ddeb
dpkg-genbuildinfo
dpkg-genchanges >../opensc_0.18.0-3ubuntu2_amd64.changes
dpkg-genchanges: info: not including original source code in upload
dpkg-source --after-build opensc-0.18.0
dpkg-buildpackage: info: binary and diff upload (original source NOT included)
signfile opensc_0.18.0-3ubuntu2.dsc
gpg: skipped "Gianfranco Costamagna <locutusofborg@debian.org>": No secret key
gpg: dpkg-sign.HSiUXvK2/opensc_0.18.0-3ubuntu2.dsc: clear-sign failed: No secret key
dpkg-buildpackage: error: failed to sign .dsc file
$ sudo dpkg --install ../opensc_0.18.0-3ubuntu2_amd64.deb ../opensc-pkcs11_0.18.0-3ubuntu2_amd64.deb
(Reading database ... 526489 files and directories currently installed.)
Preparing to unpack .../opensc_0.18.0-3ubuntu2_amd64.deb ...
[...]
Basic information gathering
We are going to get some basic informations using the command line tool pkcs11-tool
List the number of available tokens:
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L Available slots: Slot 0 (0x0): Feitian ePass2003 00 00 C_GetTokenInfo() failed: rv = CKR_TOKEN_NOT_PRESENT Slot 1 (0x4): Alcor Micro AU9560 01 00 (empty)
Initialise the token for usage with opensc:
$ pkcs15-init --erase-card --reader "Feitian ePass2003 00 00"
$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "myToken" --pin 123456 --puk 12345678 --reader "Feitian ePass2003 00 00"
$ pkcs15-tool --dump --reader "Feitian ePass2003 00 00"
PKCS#15 Card [myToken]:
Version : 0
Serial number : 213C3C500003003D
Manufacturer ID: EnterSafe
Last update : 20190415150218Z
Flags : EID compliant
PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:16, stored_len:16
Pad char : 0x00
Reference : 1 (0x01)
Type : ascii-numeric
Path : 3f005015
$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
Available slots:
Slot 0 (0x0): Feitian ePass2003 00 00
token label : User PIN (myToken)
token manufacturer : EnterSafe
token model : PKCS#15
token flags : login required, rng, token initialized, PIN initialized
hardware version : 0.0
firmware version : 0.0
serial num : 213C3C500003003D
pin min/max : 4/16
Used Hardware
Feitian ePass 2003 FIPS 140-2 Level 2
Courses
None yet