Tuesday, February 8, 2011

Smart cards working with OpenSC/Linux/Firefox

I just tested the Aventra MyEID smart card with the latest opensc (trunk). Works like a charm.

You need OpenSSL development libs to build the pkcs15-init tool in opensc, for Ubuntu this means installing the libss-dev package.
sudo apt-get install libssl-dev autoconf libtool
sudo apt-get install pkg-config libpcsclite-dev
svn co http://www.opensc-project.org/svn/opensc/trunk opensc
cd opensc
./configure --prefix=/usr
sudo make install
pkcs15-init -E
pkcs15-init -C --pin foo123 --puk foo123
(or just 'pkcs15-init -C' but you have to enter pin code about 20 times)
pkcs15-init -P -a 01 -l test01
pkcs15-init -F

After this is done, you need to add the /usr/lib/opensc-pkcs11.so as a Security Device in Firefox. To enroll, simply add a new user in EJBCA, go to Public Web and do a browser enrollment. I used Medium Security in order to get 1024 bit RSA keys, that I know works with my cardreader that does not have Extended APDU using CCID.
Browser enrollment will generate a new key on the smart card, get a certificate from EJBCA and store the certificate on the smart card.

With this test we now know about three cards that works well to do browser enrollment with FireFox.

Also see the old blog post about using openssl enging to make certificate requests and import certificates to the smart card.


Unknown said...

Thanks for the info!
Is the trunk version of opensc necessary or is it possible to get it to work with a packaged version (like the one packaged in Ubuntu 10.04)?

tomas said...

Depends on which cards. For MyEID opensc 0.12 is needed (not in Ubuntu). For Feitian it at least works with Ubuntu 10.10, haven't tried 10.04.

tomas said...

Extended APDU is often an issue when using 2048 bit keys on your card. See Ludovic Rousseau's blog post on the topic, http://ludovicrousseau.blogspot.com/2011/05/extended-apdu-status-per-reader.html

tomas said...

To build you may have to:
sudo apt-get install autoconf libtool pkg-config

tomas said...

sudo apt-get install libpcsclite-dev

tomas said...

The link to the other article, describing command line enrolment. http://blog.ejbca.org/2010/03/using-pure-opensc-formatted-smart-cards.html

tomas said...

Signing with a MyEID card.
pkcs11-tool --login --sign --slot-label MyEID --id
9b741d74012280abc7ce3b1ea81d6165c1b925c9 --module /usr/lib/opensc-pkcs11.so
-i test.txt --mechanism SHA1-RSA-PKCS

tomas said...

MyEID using clientToolBox, meaning it should work as an HSM with EJBCA.
./ejbcaClientToolBox.sh pkcs11hsmkeytool test /usr/lib/opensc-pkcs11.so 1