What to do when you are alone with a smartcard? [January 2006]

Intro
=====

First, you need some packages: libusb-dev, libusb-0.1-4, pcsc-lite, opensc,
libpam-opensc, libopensc1, libccid. I won't tell you how to install these
packages. Use your distrib, Luke.

How to initialize your smartcard?
=================================

I work with a Cryptoflex 32K W2K/XP, and the first step is to talk to the
card. Feel free to update this file with your Vendor Id:
/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist.

You need to modify opensc.conf, and for that you need your ATR[1]:

  $ opensc-tool -a -c flex
  3B 95 18 40 FF 62 04 01 01 05 ;..@.b....

You can execute this line without -c flex, but you will have problems later.
Now your opensc.conf has to look like this:

  [...]
  card_driver flex {
      atr = 3B:95:15:40:FF:;
  }

Then, each time you use opensc-tool or pkcs15-init, you won't have to give
the driver name.

After this step, you still can't initialize your smart card. Axalto doesn't
give you a blank card: you need to erase some data, but never forget that you
can block a card, *definitively*. Axalto gives you a transport key:
2c:15:e5:26:e9:3e:8a:19

  $ opensc-explorer
  OpenSC Explorer version 0.9.6
  OpenSC [3F00]> verify AUT1 2c:15:e5:26:e9:3e:8a:19
  Code correct.
  OpenSC [3F00]> ls
  FileID   Type   Size
    0011   wEF      38
    0002   wEF       8
    0000   wEF      23
    0005   wEF      40
    0015   wEF    1744
   [3F11]  DF        0
    2F01   wEF      10
   [5015]  DF     5288
    2F00   wEF     128
  OpenSC [3F00]> delete 2f00
  OpenSC [3F00]> delete 5015
  OpenSC [3F00]> delete 2f01
  OpenSC [3F00]> delete 3f11
  OpenSC [3F00]> delete 0015
  OpenSC [3F00]> delete 0005
  OpenSC [3F00]> delete 0000
  OpenSC [3F00]> quit

*Please, never delete 0011 and 0002!*

Now it's time to erase and initialize your card. Wonderful. :)

  phau@bree:~$ pkcs15-init -ET
  card.c:836:sc_card_ctl: returning with: No default (transport) key available
  Transport key (External authentication key #1) required.
  Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc).
  To use the default transport keys without being prompted, specify the
  --use-default-transport-keys option on the command line (or -T for short),
  or press Ctrl-C to abort.
  Please enter key: 2c:15:e5:26:e9:3e:8a:19

  phau@bree:~$ pkcs15-init -CT
  New Security Officer PIN (Optional - press return for no PIN).
  Please enter Security Officer PIN:
  Please type again to verify:
  Unblock Code for New User PIN (Optional - press return for no PIN).
  Please enter User unblocking PIN (PUK):
  Please type again to verify:
  card.c:836:sc_card_ctl: returning with: No default (transport) key available
  Transport key (External authentication key #1) required.
  Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc).
  To use the default transport keys without being prompted, specify the
  --use-default-transport-keys option on the command line (or -T for short),
  or press Ctrl-C to abort.
  Please enter key: 2c:15:e5:26:e9:3e:8a:19

If you don't get any errors, you can create a user PIN:

  $ pkcs15-init -T -P -a 01 -l test
  New User PIN.
  Please enter User PIN:
  Please type again to verify:
  Unblock Code for New User PIN (Optional - press return for no PIN).
  Please enter User unblocking PIN (PUK):
  Please type again to verify:
  Security officer PIN required.
  Please enter Security officer PIN:
  Transport key (External authentication key #1) required.
  Please enter key in hexadecimal notation (e.g. 00:11:22:aa:bb:cc).
  To use the default transport keys without being prompted, specify the
  --use-default-transport-keys option on the command line (or -T for short),
  or press Ctrl-C to abort.
  Please enter key: 2c:15:e5:26:e9:3e:8a:19

Time to generate a key
======================

I don't want a self-signed certificate, but a CA.

  $ cd /usr/lib/ssl/
  $ ./misc/CA.sh -newca
  [...]

Ok, it's done.
Now it's time to generate a certificate and put it on the smartcard:

  $ openssl req -newkey rsa:1024 -config openssl.cnf -keyout test.key -out test.req
  $ openssl rsa -in test.key -out test.key
  $ openssl ca -config openssl.cnf -in test.req -out test.crt
  $ openssl pkcs12 -export -in test.crt -inkey test.key -out test.p12 -name "Test"
  $ pkcs15-init -S test.p12 -f PKCS12 -a 1 -l test

You can see what the smartcard contains:

  $ pkcs15-tool --list-pins -c -C -k --list-public-keys
  X.509 Certificate [Certificate]
          Flags    : 2
          Authority: no
          Path     : 3F0050154545
          ID       : 45
  Private RSA Key [Private Key]
          Com. Flags  : 3
          Usage       : [0x22E], decrypt, sign, signRecover, unwrap, nonRepudiation
          Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
          ModLength   : 2048
          Key ref     : 0
          Native      : yes
          Path        : 3F0050154B0130450012
          Auth ID     : 01
          ID          : 45
  [...]

But, it's not the end!
======================

Maybe you want to use your smartcard to identify a user at login. If you have
installed libpam-opensc, insert:

  auth sufficient /lib/security/pam_opensc.so

in the file /etc/pam.d/[whatyouwant] (login, gdm, ...). Remember the ID line
from the last pkcs15-tool command, and then:

  $ mkdir ~/.eid/
  $ pkcs15-tool -r -o ~/.eid/authorized_certificates

Now you can try to login with the smartcard. The required password is the PIN.
Hmmm.

Apache with a smartcard?
========================

It's possible to identify a user for Apache with a smartcard. I won't explain
Apache or apache-ssl, but you can add these lines:

  $ cat /etc/apache/httpd.conf
  [...]
  SSLEngine on
  SSLCertificateFile /etc/apache-ssl/apache.pem
  SSLCACertificateFile /usr/lib/ssl/demoCA/cacert.pem
  SSLCACertificatePath /usr/lib/ssl/demoCA/certs/
  SSLLog /var/log/apache/ssl.log
  SSLLogLevel warn
  SSLVerifyClient none
  SSLVerifyClient require
  SSLVerifyDepth 5
  SSLRequireSSL
  SSLOptions +FakeBasicAuth
  SSLOptions +StdEnvVars
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "test"

In this example, only the user test will have access to the directory
/var/www/secure.
You can read this how-to[2].

----

[1] ATR is a sequence of bytes returned from a smart card when it is turned
    on. These bytes are used to identify the card to the system. More
    details: http://www.citi.umich.edu/projects/smartcard/atr.html
[2] http://www.modssl.org/docs/2.8/ssl_howto.html#auth-simple

Philippe Audeoud
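Added example, not part of the how-to above: a parser for the ATR described in note [1], applied to the ATR that opensc-tool printed for the Cryptoflex. It walks the ISO 7816-3 layout (TS, T0, the TA/TB/TC/TD interface bytes, the historical bytes, and the TCK check byte that appears whenever a protocol other than T=0 is offered) and emits the colon-separated spelling used on the atr = line of opensc.conf. The CRYPTOFLEX_ATR constant is the page's value typed in as constructed input; nothing here is OpenSC's own code.

```python
from dataclasses import dataclass, field
from functools import reduce
from operator import xor

CRYPTOFLEX_ATR = "3B 95 18 40 FF 62 04 01 01 05"  # constructed input: the ATR this how-to got


@dataclass
class ATR:
    raw: bytes
    interface: dict = field(default_factory=dict)   # "TA1" -> 0x18, "TD1" -> 0x40, ...
    historical: bytes = b""
    protocols: list = field(default_factory=list)   # 0 for T=0, 1 for T=1, ...
    tck_ok: "bool | None" = None                    # None when no TCK byte is present

    def opensc_format(self) -> str:
        # colon-separated upper-case hex, the spelling used on the atr = line of opensc.conf
        return ":".join(f"{b:02X}" for b in self.raw)


def parse_atr(atr_hex: str) -> ATR:
    data = bytes.fromhex(atr_hex.replace(":", " "))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("ATR must start with TS (3B direct / 3F inverse) and T0")
    atr = ATR(raw=data)
    y, k, pos, i = data[1] >> 4, data[1] & 0x0F, 2, 1   # T0: presence bits, history length
    while True:                 # TAi TBi TCi TDi, repeated while TDi says more follow
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError(f"ATR truncated before {name}{i}")
                atr.interface[f"{name}{i}"] = data[pos]
                pos += 1
        if not y & 8:
            break
        td = atr.interface[f"TD{i}"]
        atr.protocols.append(td & 0x0F)
        y, i = td >> 4, i + 1
    atr.protocols = atr.protocols or [0]       # no TD1 at all means T=0 only
    atr.historical = data[pos:pos + k]
    if len(atr.historical) != k:
        raise ValueError("ATR truncated inside the historical bytes")
    pos += k
    if any(p != 0 for p in atr.protocols):     # TCK is present unless only T=0 is offered
        if pos >= len(data):
            raise ValueError("TCK check byte missing")
        atr.tck_ok = reduce(xor, data[1:pos + 1]) == 0   # T0 .. TCK must XOR to zero
        pos += 1
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} unexpected trailing byte(s) after the ATR")
    return atr
```

For the Cryptoflex value this yields TA1=18, TD1=40, TC2=FF, five historical bytes and T=0 only, which is why the ATR carries no TCK; a card whose interface bytes disagree with the atr = line in opensc.conf is the first thing to check when the flex driver is not picked up.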