PKCS11 token usage with opensc

From Embedded Lab Vienna for IoT & Security
Revision as of 13:38, 16 April 2019 by Mtausig (talk | contribs) (Describe RSA signature creation)

Summary

Basic command line usage of a PKCS#11 token

Requirements

  • Operating system: Ubuntu 18.04 bionic amd64
  • Packages: opensc >= 0.18, opensc-pkcs11

Description

This documentation uses Feitian ePass2003 tokens (FIPS 140-2 Level 2 certified), which are supported by the open-source project OpenSC.

The default configuration of the tokens, according to the manufacturer, is as follows:

  • Default User PIN: 12345678
  • Default SO PIN: entersafe

These are published factory defaults, so a token that still uses them is protected by nothing more than physical possession; set your own PINs when initialising the token. The PIN and PUK values used in the commands below are demo values, not a recommendation.

Install opensc-0.18

To install opensc 0.18 on Ubuntu 18.04 (the bionic package is older than 0.18), download the three source package files of the cosmic package (the .dsc, the .orig.tar.gz and the .debian.tar.xz) from https://packages.ubuntu.com/cosmic/opensc and store them in a build folder. Then run

$ dpkg-source -x opensc_0.18.0-3ubuntu2.dsc
gpgv: Signature made Tue 10 Jul 2018 14:45:55 CEST
gpgv:                using RSA key 92978A6E195E4921825F7FF0F34F09744E9F5DD9
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on ./opensc_0.18.0-3ubuntu2.dsc
dpkg-source: info: extracting opensc in opensc-0.18.0
dpkg-source: info: unpacking opensc_0.18.0.orig.tar.gz
dpkg-source: info: unpacking opensc_0.18.0-3ubuntu2.debian.tar.xz
dpkg-source: info: applying ppc64el-fix.patch

$ cd opensc-0.18.0

$ dpkg-buildpackage
dpkg-buildpackage: info: source package opensc
dpkg-buildpackage: info: source version 0.18.0-3ubuntu2
[...]
dpkg-deb: building package 'opensc-pkcs11' in '../opensc-pkcs11_0.18.0-3ubuntu2_amd64.deb'.
dpkg-deb: building package 'opensc' in '../opensc_0.18.0-3ubuntu2_amd64.deb'.
dpkg-deb: building package 'opensc-dbgsym' in 'debian/.debhelper/scratch-space/build-opensc/opensc-dbgsym_0.18.0-3ubuntu2_amd64.deb'.
dpkg-deb: building package 'opensc-pkcs11-dbgsym' in 'debian/.debhelper/scratch-space/build-opensc-pkcs11/opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.deb'.
      Renaming opensc-dbgsym_0.18.0-3ubuntu2_amd64.deb to opensc-dbgsym_0.18.0-3ubuntu2_amd64.ddeb
      Renaming opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.deb to opensc-pkcs11-dbgsym_0.18.0-3ubuntu2_amd64.ddeb
 dpkg-genbuildinfo
 dpkg-genchanges  >../opensc_0.18.0-3ubuntu2_amd64.changes
dpkg-genchanges: info: not including original source code in upload
dpkg-source --after-build opensc-0.18.0
dpkg-buildpackage: info: binary and diff upload (original source NOT included)
signfile opensc_0.18.0-3ubuntu2.dsc
gpg: skipped "Gianfranco Costamagna <locutusofborg@debian.org>": No secret key
gpg: dpkg-sign.HSiUXvK2/opensc_0.18.0-3ubuntu2.dsc: clear-sign failed: No secret key

dpkg-buildpackage: error: failed to sign .dsc file

Two things in the output above deserve attention. The gpgv lines from dpkg-source show that the signature on the .dsc was not verified, because the signer's public key is not in the local keyring; dpkg-source still checks the tarballs against the checksums listed in the .dsc, but nothing has vouched for the .dsc itself. To close that gap, import the key with the fingerprint shown (92978A6E195E4921825F7FF0F34F09744E9F5DD9) from a source you trust and re-run the extraction. The final "failed to sign .dsc file" error from dpkg-buildpackage only concerns signing the freshly built source package with your own key (pass -us -uc to skip that step); the binary packages were already built at that point and can be installed:

$ sudo dpkg --install ../opensc_0.18.0-3ubuntu2_amd64.deb ../opensc-pkcs11_0.18.0-3ubuntu2_amd64.deb
(Reading database ... 526489 files and directories currently installed.)
Preparing to unpack .../opensc_0.18.0-3ubuntu2_amd64.deb ...
[...]

First steps

We first query some basic information with the command line tool pkcs11-tool. The OpenSC PKCS#11 module is passed explicitly with --module, since pkcs11-tool can drive any PKCS#11 library.

List the available slots and the tokens present in them:

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
Available slots:
Slot 0 (0x0): Feitian ePass2003 00 00
C_GetTokenInfo() failed: rv = CKR_TOKEN_NOT_PRESENT
Slot 1 (0x4): Alcor Micro AU9560 01 00
  (empty)

The CKR_TOKEN_NOT_PRESENT error for slot 0 is expected for a blank card: OpenSC only presents a PKCS#11 token once the card carries a PKCS#15 structure, which is what pkcs15-init creates. Initialise the token for usage with OpenSC by erasing it and then creating the PKCS#15 structure; the pkcs15+onepin profile sets up a single user PIN (with its PUK) and no separate security officer PIN. The PIN values here are demo values:

$ pkcs15-init --erase-card --reader "Feitian ePass2003 00 00"

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "myToken" --pin 123456 --puk 12345678 --reader "Feitian ePass2003 00 00"

Dump the resulting PKCS#15 structure to check the result:

$ pkcs15-tool --dump --reader "Feitian ePass2003 00 00"

PKCS#15 Card [myToken]:
       Version        : 0
       Serial number  : 213C3C500003003D
       Manufacturer ID: EnterSafe
       Last update    : 20190415150218Z
       Flags          : EID compliant
PIN [User PIN]
       Object Flags   : [0x3], private, modifiable
       ID             : 01
       Flags          : [0x32], local, initialized, needs-padding
       Length         : min_len:4, max_len:16, stored_len:16
       Pad char       : 0x00
       Reference      : 1 (0x01)
       Type           : ascii-numeric
       Path           : 3f005015

Listing the slots again now shows an initialised token in slot 0:

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L
Available slots:
Slot 0 (0x0): Feitian ePass2003 00 00
 token label        : User PIN (myToken)
 token manufacturer : EnterSafe
 token model        : PKCS#15
 token flags        : login required, rng, token initialized, PIN initialized
 hardware version   : 0.0
 firmware version   : 0.0
 serial num         : 213C3C500003003D
 pin min/max        : 4/16

To wipe the token again (this destroys every key and object on it):

$ pkcs15-init --erase-card --reader "Feitian ePass2003 00 00"

Key Generation

First list the mechanisms the token supports. In the -L output above, the number in parentheses (0x0) is the slot ID that --slot expects, while the leading number is the index that --slot-index takes. Slot IDs are assigned by the PKCS#11 module and can change when readers are plugged or unplugged, so scripts are better off selecting the token with --token-label.

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --slot 0 --list-mechanisms
Supported mechanisms:
 SHA-1, digest
 SHA256, digest
 SHA384, digest
 SHA512, digest
 MD5, digest
 RIPEMD160, digest
 GOSTR3411, digest
 ECDSA, keySize={256,256}, hw, sign
 ECDSA-SHA1, keySize={256,256}, hw, sign
 ECDSA-KEY-PAIR-GEN, keySize={256,256}, hw, generate_key_pair
 RSA-X-509, keySize={512,2048}, hw, decrypt, sign, verify
 RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
 SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
 SHA256-RSA-PKCS, keySize={512,2048}, sign, verify
 SHA384-RSA-PKCS, keySize={512,2048}, sign, verify
 SHA512-RSA-PKCS, keySize={512,2048}, sign, verify
 MD5-RSA-PKCS, keySize={512,2048}, sign, verify
 RIPEMD160-RSA-PKCS, keySize={512,2048}, sign, verify
 RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair

The list shows which mechanisms run on the card (flagged hw) and which OpenSC implements in software on the host (the hash step of SHA256-RSA-PKCS, for instance; the RSA operation itself is still done by the card). It also shows that the token accepts 512-bit RSA keys and MD5- or SHA-1-based signature mechanisms; these remain for compatibility and should not be used for new keys. Generate a 2048-bit RSA key pair on the token. --id takes a hex byte string (42 is the single byte 0x42), and --login is needed because key generation requires the user PIN:

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --slot 0 --keypairgen --key-type rsa:2048 --label "my RSA key" --id 42 --login
Logging in to "User PIN (myToken)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA
  label:      my RSA key
  ID:         42
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      my RSA key
  ID:         42
  Usage:      encrypt, verify, wrap

Sign Data

First export the public key. pkcs11-tool writes it as a DER-encoded SubjectPublicKeyInfo, which is the form openssl expects with -pubin:

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --slot 0 --read-object --id 42 --type pubkey --output-file pubkey.der

Sign a file (test.dat is any file to be signed). With SHA256-RSA-PKCS, OpenSC hashes the input with SHA-256 on the host (the mechanism list above does not flag it as hw) and the token computes the PKCS#1 v1.5 signature over the DigestInfo with the private key, so the key is used without leaving the card:

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --slot 0 --sign --id 42 --mechanism SHA256-RSA-PKCS --input-file test.dat --output-file test.dat.sig --login
Logging in to "User PIN (myToken)".
Please enter User PIN: 
Using signature algorithm SHA256-RSA-PKCS

And verify the signature with the exported public key. -verifyrecover applies the public key, checks and strips the PKCS#1 v1.5 padding and the SHA-256 DigestInfo, and prints the recovered hash, which must match the SHA-256 of the file:

$ openssl pkeyutl -pubin -inkey pubkey.der -keyform der -verifyrecover -in test.dat.sig -pkeyopt rsa_padding_mode:pkcs1 -pkeyopt digest:SHA256 | xxd
00000000: b5bb 9d80 14a0 f9b1 d61e 21e7 96d7 8dcc  ..........!.....
00000010: df13 52f2 3cd3 2812 f485 0b87 8ae4 944c  ..R.<.(........L

$ sha256sum test.dat
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  test.dat
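The comparison above is done by eye. The script below, an added example and not code from the original page or from OpenSC, wraps the same check in two forms: a direct verification with openssl dgst -verify against the exported DER public key, and the digest-recovery comparison the page performs. It assumes openssl (1.1.1 or 3.x), sha256sum, od and mktemp on PATH, and it stands in a software RSA-2048 key and constructed input for the token so that it runs without hardware; with a real token, point verify_sig and recovered_digest at the pubkey.der, test.dat and test.dat.sig produced by the commands above.

```sh
#!/bin/sh
# Added example, not part of the original page: check a SHA256-RSA-PKCS
# signature made by pkcs11-tool against the DER public key exported with
# --read-object, both by a direct verify and by recovering the digest.
# Assumes: openssl (1.1.1 or 3.x), sha256sum, od and mktemp are on PATH.
set -eu

# verify_sig PUBKEY.der DATA SIG
# Exit status 0 only if SIG is a valid PKCS#1 v1.5 signature over
# SHA-256(DATA) under PUBKEY, which is what SHA256-RSA-PKCS produces.
verify_sig() {
    openssl dgst -sha256 -verify "$1" -keyform DER -signature "$3" "$2" >/dev/null 2>&1
}

# recovered_digest PUBKEY.der SIG
# Prints, as lowercase hex, the 32-byte SHA-256 value recovered from the
# signature; same operation as the page's "openssl pkeyutl -verifyrecover".
recovered_digest() {
    openssl pkeyutl -pubin -inkey "$1" -keyform DER -verifyrecover -in "$2" \
        -pkeyopt rsa_padding_mode:pkcs1 -pkeyopt digest:SHA256 \
        | od -An -tx1 | tr -d ' \n'
}

# selftest: run the page's sign/verify flow with a software RSA-2048 key
# standing in for the token (constructed data, no hardware needed).
# Returns 0 when the signature verifies, the recovered digest equals
# sha256sum(DATA), and a modified DATA is rejected.
selftest() {
    d=$(mktemp -d)
    # stand-in for: pkcs11-tool --keypairgen --key-type rsa:2048
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/key.pem" 2>/dev/null
    # stand-in for: pkcs11-tool --read-object --type pubkey --output-file pubkey.der
    openssl pkey -in "$d/key.pem" -pubout -outform DER -out "$d/pubkey.der"
    printf 'constructed test input\n' > "$d/test.dat"
    # stand-in for: pkcs11-tool --sign --mechanism SHA256-RSA-PKCS
    openssl dgst -sha256 -sign "$d/key.pem" -out "$d/test.dat.sig" "$d/test.dat"

    ok=1
    if ! verify_sig "$d/pubkey.der" "$d/test.dat" "$d/test.dat.sig"; then
        echo "FAIL: valid signature rejected"; ok=0
    fi
    expected=$(sha256sum "$d/test.dat" | cut -d' ' -f1)
    if [ "$(recovered_digest "$d/pubkey.der" "$d/test.dat.sig")" != "$expected" ]; then
        echo "FAIL: recovered digest differs from sha256sum"; ok=0
    fi
    printf 'x' >> "$d/test.dat"            # tamper with the signed data
    if verify_sig "$d/pubkey.der" "$d/test.dat" "$d/test.dat.sig"; then
        echo "FAIL: tampered data accepted"; ok=0
    fi
    rm -rf "$d"
    [ "$ok" -eq 1 ]
}

selftest && echo "all checks passed"
```

Either check is a complete PKCS#1 v1.5 verification, because -verifyrecover rejects malformed padding or a wrong DigestInfo instead of returning whatever bytes it finds; the dgst -verify form is the one to use in scripts, since it yields a plain exit status and needs no separate hash comparison.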


Used Hardware

Feitian ePass 2003 FIPS 140-2 Level 2

Courses

None yet
