Wednesday, March 24, 2010

Using pure OpenSC formatted smart cards with EJBCA and FireFox

OpenSC comes with a number of tools that can be used to generate keys and store certificates on a CardOS 4.3b smart card, this can then be used in FireFox.

This makes it possible to have a completely open source solution for smart cards, one that is available simply using apt-get install in Ubuntu. Note that opensc in Ubuntu 9.10 is buggy so you need Ubuntu 10.04 or manually installed opensc packages.

You can not use a completely blank CardOS 4.3b card because there is a factory key needed in order to set the state of the card so it can be formatted with cardos-tool.
If you have a card formatted as an "instant id" card, using PrimeCard for example, you cen reformat the card with cardos-tool.

On to the howto
---------------
Check that card is found and display info:
>>cardos-tool -i

Format:
>cardos-tool -f

Create pkcs15 (E=erase, C=create pkcs15):
>pkcs15-init -EC
Init pkcs15 (P=store pin, a=auth-id, l=label of key):
>pkcs15-init -P -a 01 -l test01

Now pkcs11-tool list a slot:
>pkcs11-tool -L

Generate keys
>pkcs15-init -G RSA1024 -a 01 -l test01

Generate cert request with openssl:
>sudo apt-get install libengine-pkcs11-openssl
>openssl
OpenSSL>engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL>req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -subj "/CN=Open SC"

CSR is stored as req.pem. Get certificate from EJBCA using "Create Certificate from CSR" in public web and store on card:
>pkcs15-init --store-certificate cert.pem -v -i 45

To use in FireFox you just need to add a "Security Device" with module path /usr/lib/opensc-pkcs11.so

1 comment:

tomas said...

A good guide for doing the same with Yubico:
https://developers.yubico.com/YubiHSM2/Usage_Guides/OpenSSL_with_pkcs11_engine.html