add init perso guide by Nils.
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2619 c6295689-39f2-0310-b995-f0e70906c6a9
This commit is contained in:
parent
7d2ebb11c4
commit
090329c105
|
@ -3,8 +3,9 @@
|
|||
XSLTPROC = @XSLTPROC@
|
||||
SOURCE = opensc.xml opensc.xsl opensc-es.xml opensc.css opensc.xsl
|
||||
GENERATE = opensc.html opensc-es.html
|
||||
NILS = init_perso_guide.html init_perso_guide.txt
|
||||
|
||||
MAINTAINERCLEANFILES = Makefile.in $(GENERATE)
|
||||
|
||||
EXTRA_DIST = pkcs-15v1_1.asn $(SOURCE) $(GENERATE) doxygen.conf generate.sh
|
||||
EXTRA_DIST = pkcs-15v1_1.asn $(NILS) $(SOURCE) $(GENERATE) doxygen.conf generate.sh
|
||||
|
||||
|
|
|
@ -0,0 +1,466 @@
|
|||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html><head>
|
||||
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type"><title>init_perso_guide</title></head>
|
||||
|
||||
<body>
|
||||
<h1>OpenSC card init and perso guide</h1>
|
||||
<h2>1. Introduction</h2>
|
||||
<div style="text-align: center;"><span style="font-style: italic;">Nothing
|
||||
is impossible for the man who doesn't</span><br style="font-style: italic;">
|
||||
|
||||
<span style="font-style: italic;">have
|
||||
to do it himself. -- A.H. Weiler</span><br>
|
||||
</div>
|
||||
<br>
|
||||
This guide is about initialising and personalising (no distinction
|
||||
made) cards with the OpenSC library and tools (mostly pkcs15-init).<br>
|
||||
<br>
|
||||
Some knowlegde about smart cards is assumed. Below is a short overview
|
||||
of some key words and concepts. For more info, see the opensc.html
|
||||
manual.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Filesystem - MF - DF - EF - FID</span><br>
|
||||
A smart cards has a non-volatile memory (EEPROM) in which usually
|
||||
a PC-like file system is implemented. The directories are called
|
||||
Dedicated Files (DF) and the files are called Elementary Files (EF).
|
||||
They are
|
||||
identified by a File ID (FID) on 2 bytes. For example, the root of
|
||||
the file system
|
||||
(called Master File or MF) has FID = 3F 00 (hex).<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Commands - APDUs</span><br>
|
||||
It is possible to send commands (APDUs) to the card to select, read,
|
||||
write, create, list, delete, ... EFs and DFs (not all cards allow all
|
||||
commands).<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Access control, PIN, PUK</span><br>
|
||||
The file system usually implements some sort of access control on EFs
|
||||
and DFs.<br>
|
||||
This is usually done by PINs or Keys: you have to provide a PIN or show
|
||||
knowledge of a key before you can perform some command on some EF/DF. A
|
||||
PIN is usually accompanied by a PUK (Pin Unblock Key), which can be
|
||||
used to
|
||||
reset (or unblock) that PIN.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Cryptographic keys</span><br>
|
||||
On crypto cards, it is also possible to sign, decrypt, key(pair)
|
||||
generation (what can be done exactly depends on the card). on some
|
||||
cards, key
|
||||
and/or PINs are files in the filesystem, on other cards, they don't
|
||||
exist in the filesystem but are referenced through an ID.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Reader - PC/SC - OpenCT - CT-API</span><br>
|
||||
Smart card readers come with a library that can be used on a PC to send
|
||||
APDUs to the card. Commonly used APIs for those libraries are PC/SC,
|
||||
OpenCT
|
||||
and CT-API.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">PKCS15</span><br>
|
||||
There are standards (e.g. ISO7816, parts 4-...) that specify how to
|
||||
select, read, write, EFs and DFs, and how to sign, decrypt, login, ...<br>
|
||||
However, there is also a need to know which files contain what, or
|
||||
where the keys, PINs, .. can be found.<br>
|
||||
For crypto cards, PCKS15 adresses this need by defining some files that
|
||||
contain info on where to find keys, certificates, PINs, and other data.
|
||||
For
|
||||
example, there is a PrKDF (Private Key Directory File) that contains
|
||||
the EFs or
|
||||
ID of the private keys, what those keys can be used for, by which PINs
|
||||
they
|
||||
are protected, ... So a "PCKS15 card" is nothing but any other card on
|
||||
which the right set
|
||||
of files has been added.<br>
|
||||
In short: PKCS15 allows you to describe where to find PINS, keys,
|
||||
certificates and data on a card, plus all the info that is needed to
|
||||
use them.<br>
|
||||
<h3>A little PKCS15 example:</h3>
|
||||
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
|
||||
Object Directory File), PrKDF (Private Key Directory File) and CDF
|
||||
(Certificate Directory File) that contain info on resp. the PINs,
|
||||
private keys and certificates. Each of them contains 1 entry.<br>
|
||||
<br>
|
||||
AODF:
|
||||
<pre> Com. Flags : private, modifiable<br> Auth ID : 01<br> Flags : [0x32], local, initialized, needs-padding<br> Length : min_len:4, max_len:8, stored_len:8<br> Pad char : 0x00<br> Reference : 1<br> Encoding : ASCII-numeric<br> Path : 3F005015<br></pre>
|
||||
PrKDF:
|
||||
<pre> Com. Flags : private, modifiable<br> Com. Auth ID: 01<br> Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep<br> Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local<br> ModLength : 1024<br> Key ref : 0<br> Native : yes<br> Path : 3F00501530450012<br> ID : 45<br></pre>
|
||||
X.509 Certificate [/C=BE/ST=...]
|
||||
<pre> Com. Flags : modifiable<br> Authority : no<br> Path : 3f0050154545<br> ID : 45</pre>
|
||||
Some things to note:<br>
|
||||
<ul>
|
||||
<li>The Auth ID (01) of the private key is the same as the one of the
|
||||
PIN which
|
||||
means
|
||||
that you first have to do a login with this PIN before
|
||||
you can use this key.</li>
|
||||
<li>The key is in an EF with ID = 0012 in the DF with ID = 3045,
|
||||
which
|
||||
on it is turn is a DF with ID 5015, which on it is turn is a DF of
|
||||
the MF (3F00).</li>
|
||||
<li>The private key and certificates share the same ID (45), which
|
||||
means that they
|
||||
belong together.</li>
|
||||
<li>The certificate is in the EF with as path: 3F00\5015\3045
|
||||
and is no CA
|
||||
certificate.</li>
|
||||
</ul>
|
||||
Use the <span style="font-weight: bold;">tests/p15dump</span> tool to
|
||||
see yourself what pkcs15 data is on your card, or <span style="font-weight: bold;">tools/opensc-explorer</span> to browse
|
||||
through the files.<br>
|
||||
<br>
|
||||
Have the PKCS15 files a fixed place so everyone can find them? No,
|
||||
there's only one: the EF(DIR) in the MF and with ID 2F00. That's the
|
||||
starting
|
||||
place.<br>
|
||||
<br>
|
||||
<h2>2. The OpenSC pkcs15-init library and profiles</h2>
|
||||
Reading and writing files, PIN verification, signing and decryption
|
||||
happen in much the same way on all cards. Therefore, the "normal life"
|
||||
commands have been implemented in OpenSC for all supported cards.<br>
|
||||
<br>
|
||||
However, creating and deleting files, PINs and keys is very card
|
||||
specific and has not yet been implemented for all cards.
|
||||
Currently, pkcs15-init is implemented for: Cryptoflex, Cyberflex,
|
||||
CardOS (etoken), GPK, Miocos, Starcos JCOP and Oberthur. (Check
|
||||
src/pkcs15-init/pkcs15-*.c for possible updates). Because of this, and
|
||||
because
|
||||
pkcs15-init is not necessary for "normal life" operations, it has been
|
||||
put in a separate library and in a separate directory.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Profile</span><br>
|
||||
Because the initialisation/personalisation is so card-specific, it
|
||||
would be very hard to make a tool or API that accepts all parameters
|
||||
for all current and future cards.<br>
|
||||
Therefore, a profile file has been made in OpenSC that contains all the
|
||||
card-specific parameters. This card-specific profile is read by
|
||||
card-specific code in the pkcs15-init library each time this library is
|
||||
used on
|
||||
that card.<br>
|
||||
See the *.profile files in src/pkcs15-init/. There is one general file
|
||||
(pkcs15.profile) and one card-specific profile for each card.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Profile options</span><br>
|
||||
There are currently 3 options you can specify to modify a profile:<br>
|
||||
<ul>
|
||||
<li>default: creation/deletion/generation is controlled by the SO PIN
|
||||
(SO = Security Officer, different from the regular user of the card)</li>
|
||||
<li>onepin: creation/deletion/generation is controlled by the user
|
||||
PIN and thus by the user. As a result, only 1 user PIN is possible</li>
|
||||
<li>small: like default, but suitable for card with little memory</li>
|
||||
</ul>
|
||||
<h2>3. pkcs15-init tool</h2>
|
||||
This is a command-line tool that uses the pkcs15-init library. It
|
||||
allows you to do all the init/perso things, e.g. add/delete keys,
|
||||
certificates, PINs and data, generate keys, ... while specifying key
|
||||
usage, which PIN protects which key, ...<br>
|
||||
<br>
|
||||
As said before, not all cards are supported in the pkcs15-init library.
|
||||
In
|
||||
that case, the pkcs15-init tool won't work (top 5 questions on the
|
||||
mailing list:-). To find out which card you have, try "<span style="font-style: italic;">opensc-tool -n</span>"<br>
|
||||
<br>
|
||||
Below is explained how to do the operations that are supported by
|
||||
pkcs15-tool.<br>
|
||||
Not all options are explained (run "<span style="font-style: italic;">pkcs15-tool
|
||||
-h</span>" to see them) because some are card-specific or obsolete (or
|
||||
we don't know about them). Feel free to experiment and explain them
|
||||
here.<br>
|
||||
<br>
|
||||
So the things in this section are fairly general but not guaranteed to
|
||||
work for all cards. See also the section on "card-specific issues".<br>
|
||||
<br>
|
||||
The --reader or -r can be given with any command. By default the first
|
||||
reader is used. Do "<span style="font-style: italic;">opensc-tool -l</span>"
|
||||
to see the list of available readers.<br>
|
||||
<br>
|
||||
To see the results of what you did, you can do one of the following:<br>
|
||||
<span style="font-style: italic;">pkcs15-tool --list-pins
|
||||
--list-public-keys -k -c -C</span><br>
|
||||
<span style="font-style: italic;">p15dump</span> (in the
|
||||
src/tests directory)<br>
|
||||
To see/dump the content of any file, use the <span style="font-style: italic;">opensc-explorer</span> tool.<br>
|
||||
<h3>* Create the PKCS15 files</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-C {-T} {-p <profile>} </span><span style="font-style: italic;">--so-pin
|
||||
<PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN>
|
||||
--puk <PUK><br>
|
||||
<br>
|
||||
</span>This will create the PKCS15 DF (5015) and all the PKCS15 files
|
||||
(some of which will be empty until a key, PIN, ... will be added). It
|
||||
must be done before you can do any of the operations below.<br>
|
||||
<ul>
|
||||
<li>This operation usually requires a 'transport' key. pkcs15-init
|
||||
will ask you for this key and propose the default one for that card.
|
||||
With -T, the default will be used without asking. NOTE: if you get a
|
||||
"Failed to erase card: PIN code or key incorrect", the transport key is
|
||||
wrong. Find this key and then try again, DO NOT try the default key
|
||||
again!</li>
|
||||
<li>If you want an SO PIN and PUK, do so with the --so-pin and
|
||||
--so-puk options, or specify --no-so-pin if you don't want to. If you
|
||||
use
|
||||
the onpin profile, there is no SO PIN so you should specify --pin and
|
||||
--puk instead. (So you get: pkcs15-init -CT -p pkcs15+onepin --pin
|
||||
<PIN> --puk <PUK>)</li>
|
||||
<li>To specify the profile file + option. The profile file can only
|
||||
be "pkcs15" for the moment, so you can have:<br>
|
||||
pkcs15+default : the default (not needed to
|
||||
specify it)<br>
|
||||
pkcs15+onepin: for the onepin profile
|
||||
option<br>
|
||||
pkcs15+small: for the small
|
||||
profile option</li>
|
||||
</ul>
|
||||
<h3>* Erase the card's content</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-E {-T}</span><br>
|
||||
<br>
|
||||
This will delete all keys, PINS, certificates, data that were listed in
|
||||
PKCS15
|
||||
files, along with the PKCS15 files themselves.<br>
|
||||
<ul>
|
||||
<li>This operation usually requires a 'transport' key. pkcs15-init
|
||||
will ask you for this key and propose the default one for that card.
|
||||
With -T, the default will be used without asking. NOTE: if you get a
|
||||
"Failed to erase card: PIN code or key incorrect", the transport key is
|
||||
wrong. Find this key and then try again, DO NOT try the default key
|
||||
again!</li>
|
||||
</ul>
|
||||
Note: you can combine erase/create (-E -C or -EC) to erase and then
|
||||
create<br>
|
||||
the card's contents, except when you change the profile option.<br>
|
||||
<h3>* Add a PIN (not possible with the onepin profile option)</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l
|
||||
<label>}</span><br>
|
||||
<ul>
|
||||
<li>You can specify the AuthID with -a, if you don't do so, a value
|
||||
that didn't exist yet on the card will be chosen.</li>
|
||||
<li>Specify the PIN and PUK with --pin and --puk, if you don't do so,
|
||||
the tool will prompt you for one.</li>
|
||||
<li>Specify the label (name) of the PIN with -l, or accept the
|
||||
default label.</li>
|
||||
</ul>
|
||||
<h3>* Generate a key pair (on card or in software on the PC)</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-G <keyspec> -a <AuthID> --insecure {-i <ID>}
|
||||
{--soft}{-u <keyusage>}{-l <privkeylabel>}
|
||||
{--public-key-label <pubkeylabel>}</span><br>
|
||||
<br>
|
||||
This will generate a public and private key pair.<br>
|
||||
<ul>
|
||||
<li>The keyspec consist of the key type, rsa or dsa (depends on what
|
||||
your cards supports), and optinally a slash followed by the keysize in
|
||||
bits. E.g. "rsa/1024" specifies a 1024 bit RSA key pair. Note: dsa is
|
||||
not
|
||||
fully supported.</li>
|
||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
||||
used in a signature or decryption operation) with -a; or specify
|
||||
--insecure if you want the private key to be used without first
|
||||
providing a PIN.</li>
|
||||
<li>Specify the ID of the key with -i, otherwise the tool with choose
|
||||
one.</li>
|
||||
<li>Specify --soft if you don't want the key pair to be generated
|
||||
on-chip.</li>
|
||||
<li>Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage. (Do
|
||||
"pkcs15-init -u help" for help).</li>
|
||||
<li>Specify the label (name) of the private key with -l, or accept
|
||||
the default label.</li>
|
||||
<li>Specify the label (name) of the public key with
|
||||
--public-key-label, or accept the default label if you don't do so.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
NOTE: see the SSL engines (below) on how to make a certificate request
|
||||
with the key you generated.<br>
|
||||
<h3>* Add a private key</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
|
||||
{-i <ID>} {-u <keyusage>} {--passphrase <password>}
|
||||
{-l <label>}</span><br>
|
||||
<ul>
|
||||
<li>The keyfile should be in DER (binary) or PEM format.</li>
|
||||
<li>The keyformat should be PEM (default) or DER.</li>
|
||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
||||
used in a signature or decryption operation) with -a; or specify
|
||||
--insecure if you want the private key to be used without first
|
||||
providing a PIN.</li>
|
||||
<li>Specify the ID of the key with -i</li>
|
||||
<>Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage. (Do
|
||||
"pkcs15-init -u help" for help). <li>Specify the label (name) of
|
||||
the with -l, or accept the
|
||||
default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add a private key + certificate(s) (in a pkcs12 file)</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i
|
||||
<ID>} {-u <keyusage>} {--passphrase <password>} {-l
|
||||
<privkeylabel>} {--cert-label <usercertlabel>}</span><br>
|
||||
<br>
|
||||
This adds the private key and certificate chain to the card. If a
|
||||
certificate already exists on the card, it won't be added again.<br>
|
||||
<ul>
|
||||
<li>Specify the AuthID of the PIN that protects this key (from being
|
||||
used in a signature or decryption operation) with -a; or specify
|
||||
--insecure if you want the private key to be used without first
|
||||
providing a PIN.</li>
|
||||
<li>Specify the ID of the key and the corresponding certificate with
|
||||
-i,
|
||||
otherwise the tool with choose one; only the 'user cert' will get the
|
||||
same ID as the key, the other certificates will get 'authority' status
|
||||
and
|
||||
another ID.</li>
|
||||
<li>You can specify the key-usage, but it is not advised to do this
|
||||
so the key usage from the certificate is used.</li>
|
||||
<li>Specify the password of the pkcs12 key file if you don't want to
|
||||
be prompted for one.</li>
|
||||
<li>Specify the label (name) of the private key with -l, or accept
|
||||
the default label.</li>
|
||||
<li>Specify the label (name) of the user certificate with
|
||||
--cert-label, or accept the default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to provide your SO PIN and/or PIN; if you don't want to be prompted,
|
||||
add them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add a certificate</h3>
|
||||
<span style="font-style: italic;">
|
||||
pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>}
|
||||
{--authority}</span><br>
|
||||
<ul>
|
||||
<li>The certfile should be in DER (binary) or PEM format</li>
|
||||
<li>The certformat should be PEM (default) or DER</li>
|
||||
<li>Specify the ID of the certificate with -i, otherwise the tool
|
||||
with
|
||||
choose one; if the certificate corresponds to a private and/or public
|
||||
key, you
|
||||
should specify the same ID as that key.</li>
|
||||
<li>Specify --authority if it is a CA certificate.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to
|
||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add a public key</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
--store-public-key <keyfile> {-f <keyformat>} {-i
|
||||
<ID>} {-l <label>}</span><br>
|
||||
<ul>
|
||||
<li>The keyfile should be in DER (binary) or PEM format</li>
|
||||
<li>The keyformat should be PEM (default) or DER</li>
|
||||
<li>Specify the ID of the key with -i, otherwise the tool with choose
|
||||
one; if the key corresponds to a private key and/or certificate, you
|
||||
should
|
||||
specify the same ID as that private key and/or certificate.</li>
|
||||
<li>Specify the label (name) of the with -l, or accept the
|
||||
default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to
|
||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h3>* Add data</h3>
|
||||
<span style="font-style: italic;">pkcs15-init
|
||||
-W <datafile> {-i <ID>} {-l <label>}</span><br>
|
||||
<ul>
|
||||
<li>The datafile is stored "as is" onto the card.</li>
|
||||
<li>Specify the ID of the data with -i, or accept the default ID.</li>
|
||||
<li>Specify the label (name) of the with -l, or accept the
|
||||
default label.</li>
|
||||
<li>Depending on your card and profile option, you will be prompted
|
||||
to
|
||||
provide your SO PIN and/or PIN; if you don't want to be prompted, add
|
||||
them to the command line with --so-pin <SOPIN> and/or --pin
|
||||
<PIN>.</li>
|
||||
</ul>
|
||||
<h2>4. Other tools</h2>
|
||||
<h3>* SSL-engines</h3>
|
||||
These libraries can be loaded in OpenSSL so you can do a certificate
|
||||
request with the openssl tool; the signature on the certificate request
|
||||
will
|
||||
then be made with the smart card. The result can then be sent to a CA
|
||||
for certification, the resulting certificate can be put on the card
|
||||
with
|
||||
pkcs15-init or pkcs11-tool.<br>
|
||||
<ul>
|
||||
<li>Run openssl</li>
|
||||
<li>On the openssl command prompt, type<br>
|
||||
<span style="font-style: italic;">engine dynamic
|
||||
-pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD</span><br>
|
||||
or<br>
|
||||
<span style="font-style: italic;">engine dynamic
|
||||
-pre
|
||||
SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD</span><br>
|
||||
depending on which one of the 2 engines (pkcs11 or opensc) you want to
|
||||
use.</li>
|
||||
</ul>
|
||||
<ul>
|
||||
<li>Then type (on the openssl command prompt)<br>
|
||||
<span style="font-style: italic;">req -engine
|
||||
pkcs11 -new -key <ID> -keyform engine -out <cert_req></span><br>
|
||||
or<span style="font-style: italic;"><br>
|
||||
</span><span style="font-style: italic;">
|
||||
req -engine opensc -new -key <ID> -keyform engine -out
|
||||
<cert_req></span><br>
|
||||
in which ID is the slot+ID in the following format:<br>
|
||||
<span style="font-style: italic;">[slot_<slotID>][-][id_<ID>]</span>,
|
||||
e.g. <span style="font-style: italic;">id_45</span> or <span style="font-style: italic;">slot_0-id_45</span><br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>* pkcs11-tool and Mozilla/Netscape</h3>
|
||||
You can use the OpenSC pkcs11 library to generate a keypair in Mozilla
|
||||
or Netscape, and let the browser generate a certificate request that
|
||||
is sent to an on-line CA to issue and send you a certificate that is
|
||||
then added to the card.<br>
|
||||
<br>
|
||||
Just go to an online CA (Globalsign, Thawte, ...) and follow their
|
||||
guidelines. Because such a request either costs you or at least
|
||||
requires you to provide a valid mail address, it is advisable to first
|
||||
try you card with "<span style="font-weight: bold;">pkcs11-tool
|
||||
--moz-cert
|
||||
<cert_file_in_der_format> --login</span>".<br>
|
||||
<br>
|
||||
NOTE: This can only be done with the onepin profile option (because the
|
||||
browser won't ask for an SO PIN, only for the user PIN).<br>
|
||||
<br>
|
||||
<h2>5. Card-specific issues</h2>
|
||||
<div style="text-align: center;"><span style="font-style: italic;">Experience
|
||||
is that marvelous thing that enables you to recognize</span><br style="font-style: italic;">
|
||||
<span style="font-style: italic;">a mistake when you make it again. --
|
||||
Franklin P. Jones</span><br>
|
||||
</div>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Cryptoflex:</span><br>
|
||||
<ul>
|
||||
<li>DFs and EFs in a DF have to be deleted in reverse order of
|
||||
creation.<br>
|
||||
OpenSC relies on this fact for security, but also has some downsides.
|
||||
For example, if you did a "pkcs15-init -C" and then added some EFs or
|
||||
DFs in the MF, you won't be able to do a "pkcs15-init -E" afterwards to
|
||||
remove the PKCS15 DF (5015). So you'll first have to manually remove
|
||||
all EFs/DFs you created in the MF before being able remove the pkcs15
|
||||
DF.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<span style="font-weight: bold;">Starcos SPK 2.3:</span><br>
|
||||
<ul>
|
||||
<li>Due to the way Starcos SPK 2.3 manages access rights it is
|
||||
necessary to manually call "pkcs15-init --finalize" after card
|
||||
personalization if no SO-PIN has been specified. Once the card has been
|
||||
finalized it is no possible to add new private/secrets keys or PINs. If
|
||||
a SO-PIN is used the card will automatically be finalized after the
|
||||
SO-PIN has been stored.</li>
|
||||
<li>If an SO-PIN is used and if there is enough space in the key file
|
||||
left, then the owner of the SO-PIN can access/use every protected item
|
||||
by creating a PIN for the necessary state.</li>
|
||||
</ul>
|
||||
<br>
|
||||
</body></html>
|
|
@ -0,0 +1,380 @@
|
|||
1. Introduction
|
||||
===============
|
||||
|
||||
Nothing is impossible for the man who doesn't
|
||||
have to do it himself. -- A.H. Weiler
|
||||
|
||||
This guide is about initialising and personalising (no distinction made) cards
|
||||
with the OpenSC library and tools (mostly pkcs15-init).
|
||||
|
||||
Some knowlegde about smart cards is assumed. Below is a short overview of some
|
||||
key words and concepts. For more info, see the opensc.html manual.
|
||||
|
||||
Filesystem - MF - DF - EF - FID
|
||||
A smart cards has a non-volatile memory (EEPROM) in which usually a
|
||||
PC-like file system is implemented. The directories are called Dedicated Files
|
||||
(DF) and the files are called Elementary Files (EF). They are identified by a
|
||||
a File ID (FID) on 2 bytes. For example, the root of the file system (called
|
||||
Master File or MF) has FID = 3F 00 (hex).
|
||||
|
||||
Commands - APDUs
|
||||
It is possible to send commands (APDUs) to the card to select, read, write,
|
||||
create, list, delete, ... EFs and DFs (not all cards allow all commands).
|
||||
|
||||
Access control, PIN, PUK
|
||||
The file system usually implements some sort of access control on EFs and DFs.
|
||||
This is usually done by PINs or Keys: you have to provide a PIN or show
|
||||
knowledge of a key before you can perform some command on some EF/DF. A PIN
|
||||
is usually accompanied by a PUK (Pin Unblock Key), which can be used to reset
|
||||
(or unblock) that PIN.
|
||||
|
||||
Cryptographic keys
|
||||
On crypto cards, it is also possible to sign, decrypt, generate a key pair
|
||||
(what can be done exactly depends on the card). on some cards, key and/or PINs
|
||||
are files in the filesystem, on other cards, they don't exist in the
|
||||
filesystem but are referenced through an ID.
|
||||
|
||||
Reader - PC/SC - OpenCT - CT-API
|
||||
Smart card readers come with a library that can be used on a PC to send APDUs
|
||||
to the card. Commonly used APIs for those libraries are PC/SC, OpenCT and
|
||||
CT-API.
|
||||
|
||||
PKCS15
|
||||
There are standards (e.g. ISO7816, parts 4-...) that specify how to select,
|
||||
read, write, EFs and DFs, and how to sign, decrypt, login, ...
|
||||
However, there is also a need to know which files contain what, or where the
|
||||
keys, PINs, .. can be found.
|
||||
For crypto cards, PCKS15 adresses this need by defining some files that contain
|
||||
info on where to find keys, certificates, PINs, and other data. For example,
|
||||
there is a PrKDF (Private Key Directory File) that contains the EFs or ID of
|
||||
the private keys, what those keys can be used for, by which PINs they are
|
||||
protected, ...
|
||||
So a "PCKS15 card" is nothing but any other card on which the right set of
|
||||
files has been added.
|
||||
In short: PKCS15 allows you to describe where to find PINs, keys, certificates
|
||||
and data on a card, plus all the info that is needed to use them.
|
||||
|
||||
A little PKCS15 example:
|
||||
|
||||
Here's the textual contents of 3 PKCS15 files: the AODF (Authentication
|
||||
Object Directory File), PrKDF (Private Key Directory File) and CDF
|
||||
(Certificate Directory File) that contain info on resp. the PINs, private
|
||||
keys and certificates. Each of them contains 1 entry.
|
||||
|
||||
AODF:
|
||||
Com. Flags : private, modifiable
|
||||
Auth ID : 01
|
||||
Flags : [0x32], local, initialized, needs-padding
|
||||
Length : min_len:4, max_len:8, stored_len:8
|
||||
Pad char : 0x00
|
||||
Reference : 1
|
||||
Encoding : ASCII-numeric
|
||||
Path : 3F005015
|
||||
|
||||
PrKDF:
|
||||
Com. Flags : private, modifiable
|
||||
Com. Auth ID: 01
|
||||
Usage : [0x32E], decrypt, sign, signRecover, unwrap, derive, nonRep
|
||||
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
|
||||
ModLength : 1024
|
||||
Key ref : 0
|
||||
Native : yes
|
||||
Path : 3F00501530450012
|
||||
ID : 45
|
||||
|
||||
X.509 Certificate [/C=BE/ST=...]
|
||||
Com. Flags : modifiable
|
||||
Authority : no
|
||||
Path : 3f0050154545
|
||||
ID : 45
|
||||
|
||||
Some things to note:
|
||||
- The Auth ID (01) of the private key is the same as the one of the PIN which
|
||||
means that you first have to do a login with this PIN before you can use
|
||||
this key.
|
||||
- The key is in an EF with ID = 0012 in the DF with ID = 3045, which on its
|
||||
turn is a DF with ID = 5015, which on its turn is a DF of the MF (3F00).
|
||||
- The private key and certificate share the same ID (45), which means that they
|
||||
belong together.
|
||||
- The cert is in the EF with as path: 3F00\5015\4545 and is no CA cert.
|
||||
|
||||
Use the tests/p15dump tool to see yourself what pkcs15 data is on
|
||||
your card, or tools/opensc-explorer to browse through the files.
|
||||
|
||||
Have the PKCS15 files a fixed place so everyone can find them? No, there's
|
||||
only one: the EF(DIR) in the MF and with ID 2F00. That's the starting place.
|
||||
|
||||
|
||||
2. The OpenSC pkcs15-init library and profiles
|
||||
==============================================
|
||||
|
||||
Reading and writing files, PIN verification, signing and decryption happen in
|
||||
much the same way on all cards. Therefore, the "normal life" commands have
|
||||
been implemented in OpenSC for all supported cards.
|
||||
|
||||
However, creating and deleting files, PINs and keys is very card specific and
|
||||
has not yet been implemented for all cards. Currently, pkcs15-init is
|
||||
implemented for: Cryptoflex, Cyberflex, CardOS (etoken), GPK, Miocos, Starcos
|
||||
JCOP and Oberthur. (Check src/pkcs15init/pkcs15-*.c for possible updates).
|
||||
Because of this, and because pkcs15-init is not necessary for "normal life"
|
||||
operations, it has been put in a separate library and in a separate directory.
|
||||
|
||||
Profile
|
||||
Because the initialisation/personalisation is so card-specific, it would be
|
||||
very hard to make a tool or API that accepts all parameters for all current
|
||||
and future cards. Therefore, a profile file has been made in OpenSC that
|
||||
contains all the card-specific parameters. This card-specific profile is read
|
||||
by card-specific code in the pkcs15-init library each time this library is
|
||||
used on that card.
|
||||
See the *.profile files in src/pkcs15init/. There is one general file
|
||||
(pkcs15.profile) and one card-specific profile for each card.
|
||||
|
||||
Profile options
|
||||
There are currently 3 options you can specify to modify a profile:
|
||||
- default: creation/deletion/generation is controlled by the SO PIN (SO =
|
||||
Security Officer, different from the regular user of the card)
|
||||
- onepin: creation/deletion/generation is controlled by the user PIN and thus
|
||||
by the user. As a result, only 1 user PIN is possible
|
||||
- small: like default, but suitable for card with little memory
|
||||
|
||||
|
||||
3. pkcs15-init tool
|
||||
===================
|
||||
|
||||
This is a command-line tool that uses the pkcs15-init library. It allows you
|
||||
to do all the init/perso things, e.g. add/delete keys, certificates, PINs and
|
||||
data, generate keys, ... while specifying key usage, which PIN protects
|
||||
which key, ...
|
||||
|
||||
As said before, not all cards are supported in the pkcs15-init library. In that
|
||||
case, the pkcs15-init tool won't work (top 5 questions on the mailing list :-).
|
||||
To find out which card you have, try "opensc-tool -n"
|
||||
|
||||
Below is explained how to do the operations that are supported by pkcs15-tool.
|
||||
Not all options are explained (run "pkcs15-tool -h" to see them) because some
|
||||
are card-specific or obsolete (or we don't know about them). Feel free to
|
||||
experiment and explain them here.
|
||||
|
||||
So the things in this section are fairly general but not guaranteed to work
|
||||
for all cards. See also the section on "card-specific issues".
|
||||
|
||||
The --reader or -r can be given with any command. By default the first reader
|
||||
is used. Do "opensc-tool -l" to see the list of available readers.
|
||||
|
||||
To see the results of what you did, you can do one of the following:
|
||||
pkcs15-tool --list-pins --list-public-keys -k -c -C
|
||||
p15dump (in the src/tests directory)
|
||||
To see/dump the content of any file, use the opensc-explorer tool.
|
||||
|
||||
* Create the PKCS15 files
|
||||
pkcs15-init -C {-T} {-p <profile>}
|
||||
--so-pin <PIN> --so-puk <PUK> | --no-so-pin | --pin <PIN> --puk <PUK>
|
||||
This will create the PKCS15 DF (5015) and all the PKCS15 files (some of which
|
||||
will be empty until a key, PIN, ... will be added). It must be done before you
|
||||
can do any of the operations below.
|
||||
- This operation usually requires a 'transport' key. pkcs15-init will ask you
|
||||
for this key and propose the default one for that card. With -T, the default
|
||||
key will be used without asking. NOTE: if you get a "Failed to erase card:
|
||||
PIN code or key incorrect", the transport key is wrong. Find this key and
|
||||
then try again, DO NOT try with the default key again!
|
||||
- If you want an SO PIN and PUK, do so with the --so-pin and --so-puk options,
|
||||
or specify --no-so-pin if you don't want them. If you use the onepin profile,
|
||||
there is no SO PIN so you should specify --pin and --puk instead.
|
||||
(So you get: pkcs15-init -CT -p pkcs15+onepin --pin <PIN> --puk <PUK>)
|
||||
- To specify the profile file + option. The profile file can only be "pkcs15"
|
||||
for the moment, so you can have:
|
||||
pkcs15+default : the default (not needed to specify it)
|
||||
pkcs15+onepin : for the onepin profile option
|
||||
pkcs15+small : for the small profile option
|
||||
|
||||
* Erase the card's content
|
||||
pkcs15-init -E {-T}
|
||||
This will delete all keys, PINs, certificates, data that were listed in PKCS15
|
||||
files, along with the PKCS15 files themselves.
|
||||
- This operation usually requires a 'transport' key. pkcs15-init will ask you
|
||||
for this key and propose the default one for that card. With -T, the default
|
||||
key will be used without asking. NOTE: if you get a "Failed to erase card:
|
||||
PIN code or key incorrect", the transport key is wrong. Find this key and
|
||||
then try again, DO NOT try the default key again!
|
||||
|
||||
Note: you can combine erase/create (-E -C or -EC) to erase and then create
|
||||
the card's contents, except when you change the profile option.
|
||||
|
||||
* Add a PIN (not possible with the onepin profile option)
|
||||
pkcs15-init -P {-a <AuthID>} {--pin <PIN>} {--puk <PUK>} {-l <label>}
|
||||
- You can specify the AuthID with -a, if you don't do so, a value that didn't
|
||||
exist yet on the card will be used.
|
||||
- Specify the PIN and PUK with --pin and --puk, if you don't do so, the tool
|
||||
will prompt you for one.
|
||||
- Specify the label (name) of the PIN with -l, or accept the default label.
|
||||
|
||||
* Generate a key pair (on card or in software on the PC)
|
||||
pkcs15-init -G <keyspec> -a <AuthID> --insecure {-i <ID>} {--soft}
|
||||
{-u <keyusage>}
|
||||
{-l <privkeylabel>} {--public-key-label <pubkeylabel>}
|
||||
This will generate a public and private key pair.
|
||||
- The keyspec consist of the key type, rsa or dsa (depends on what your card
|
||||
supports), and optinally a slash followed by the keysize in bits. E.g.
|
||||
"rsa/1024" specifies a 1024-bit RSA key pair. Note: dsa is not fully
|
||||
supported.
|
||||
- Specify the AuthID of the PIN that protects this key (protect from being
|
||||
used in a signature or decryption operation) with -a; or specify --insecure
|
||||
if you want the private key to be used without first providing a PIN.
|
||||
- Specify the ID of the key with -i, otherwise the tool will choose one.
|
||||
- Specify --soft if you don't want the key pair to be generated on card.
|
||||
- Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage.
|
||||
(Do "pkcs15-init -u help" for help).
|
||||
- Specify the label (name) of the private key with -l, or accept the default
|
||||
label.
|
||||
- Specify the label (name) of the public key with --public-key-label, or
|
||||
accept the default label.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
NOTE: see the SSL engines (below) on how to make a certificate request with
|
||||
the key you generated.
|
||||
|
||||
* Add a private key
|
||||
pkcs15-init -S <keyfile> {-f <keyformat>} -a <AuthID> --insecure
|
||||
{-i <ID>} {-u <keyusage>} {--passphrase <password>}
|
||||
{-l <label>}
|
||||
- The keyfile should be in DER (binary) or PEM format.
|
||||
- The keyformat should be PEM (default) or DER.
|
||||
- Specify the AuthID of the PIN that protects the private key (from being used
|
||||
in a signature or decryption operation) with -a; or specify --insecure if
|
||||
you want the private key to be used without first providing a PIN
|
||||
- Specify the ID of the key with -i
|
||||
- Specify the usage of the private key with -u; if you add a
|
||||
corresponding certificate later, it should have the same key usage.
|
||||
(Do "pkcs15-init -u help" for help).
|
||||
- Specify the label (name) of the with -l, or accept the default label if
|
||||
you don't do so.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add a private key + certificate(s) (in a pkcs12 file)
|
||||
pkcs15-init -S <pkcs12file> -f PKCS12 -a <AuthID> {--insecure} {-i <ID>}
|
||||
{-u <keyusage>} {--passphrase <password>}
|
||||
{-l <privkeylabel>} {--cert-label <usercertlabel>}
|
||||
This adds the private key and certificate chain to the card. If a certificate
|
||||
already exists in the card, it won't be added again.
|
||||
- Specify the AuthID of the PIN that protects this key (protect from being
|
||||
used in a signature or decryption operation) with -a; or specify --insecure
|
||||
if you want the private key to be used without first providing a PIN.
|
||||
- Specify the ID of the key and the corresponding certificate with -i,
|
||||
otherwise the tool with choose one; only the 'user cert' will get the same
|
||||
ID as the key,
|
||||
the other certificates will get 'authority' status and another ID.
|
||||
- You can specify the key-usage, but it is advised not to do this so the key
|
||||
usage is fetched from the certificate.
|
||||
- Specify the password of the pkcs12 key file if you don't want to be prompted
|
||||
for one.
|
||||
- Specify the label (name) of the private key with -l, or accept the default
|
||||
label if you don't do so.
|
||||
- Specify the label (name) of the user certificate with --cert-label, or
|
||||
accept the default label if you don't do so.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add a certificate
|
||||
pkcs15-init -W <certfile> {-f <certformat>} {-i <ID>} {--authority}
|
||||
- The certfile should be in DER (binary) or PEM format
|
||||
- The certformat should be PEM (default) or DER
|
||||
- Specify the ID of the certificate with -i, otherwise the tool with choose
|
||||
one; if the certificate corresponds to a private and/or public key, you
|
||||
should specify the same ID as that key.
|
||||
- Specify --authority if it is a CA certificate.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add a public key
|
||||
pkcs15-init --store-public-key <keyfile> {-f <keyformat>} {-i <ID>}
|
||||
{-l <label>}
|
||||
- The keyfile should be in DER (binary) or PEM format
|
||||
- The keyformat should be PEM (default) or DER
|
||||
- Specify the ID of the key with -i, otherwise the tool with choose one;
|
||||
if the key corresponds to a private key and/or certificate, you should
|
||||
specify the same ID as that private key and/or certificate.
|
||||
- Specify the label (name) of the with -l, or accept the default label if
|
||||
you don't do so.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
* Add data
|
||||
pkcs15-init -W <datafile> {-i <ID>} {-l <label>}
|
||||
- The datafile is stored "as is" onto the card.
|
||||
- Specify the ID of the data with -i, or accept the default ID.
|
||||
- Specify the label (name) of the data with -l, or accept the default label.
|
||||
- Depending on your card and profile option, you will be prompted to provide
|
||||
your SO PIN and/or PIN; if you don't want to be prompted, add them to the
|
||||
command line with --so-pin <SOPIN> and/or --pin <PIN>.
|
||||
|
||||
|
||||
4. Other tools
|
||||
==============
|
||||
|
||||
* SSL-engines
|
||||
|
||||
These libraries can be loaded in OpenSSL so you can do a certificate request
|
||||
with the openssl tool; the signature of the certificate request will then be
|
||||
made using the smart card. The result can then be sent to a CA for
|
||||
certification or the resulting certificate can be put on the card with pkcs15-init
|
||||
or pkcs11-tool.
|
||||
- Run openssl
|
||||
- On the openssl command prompt, type
|
||||
engine dynamic -pre SO_PATH:engine_pkcs11 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
|
||||
or
|
||||
engine dynamic -pre SO_PATH:engine_opensc -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
|
||||
depending on which one of the 2 engines (pkcs11 or opensc) you want to use.
|
||||
- Then type (on the openssl command prompt)
|
||||
req -engine pkcs11 -new -key <ID> -keyform engine -out <cert_req>
|
||||
or
|
||||
req -engine opensc -new -key <ID> -keyform engine -out <cert_req>
|
||||
in which ID is the slot+ID in the following format:
|
||||
[slot_<slotID>][-][id_<ID>], e.g. id_45 or slot_0-id_45
|
||||
|
||||
* pkcs11-tool and Mozilla/Netscape
|
||||
|
||||
You can use the OpenSC pkcs11 library to generate a key pair in Mozilla or
|
||||
Netscape, and let the browser generate a certificate request that is sent
|
||||
to an on-line CA to issue and send you a certificate that is then added to the
|
||||
card.
|
||||
|
||||
Just go to an online CA (Globalsign, Thawte, ...) and follow their guidelines.
|
||||
Because such a request either costs you or at least requires you to provide a
|
||||
valid mail address, it is advisable to first try you card with
|
||||
"pkcs11-tool --moz-cert <cert_file_in_der_format> --login".
|
||||
|
||||
NOTE: This can only be done with the onepin profile option (because the browser
|
||||
won't ask for an SO PIN, only for the user PIN).
|
||||
|
||||
|
||||
5. Card-specific issues
|
||||
=======================
|
||||
|
||||
Experience is that marvelous thing that enables you to recognize
|
||||
a mistake when you make it again. -- Franklin P. Jones
|
||||
|
||||
Cryptoflex:
|
||||
- DFs and EFs in a DF have to be deleted in reverse order of creation.
|
||||
OpenSC relies on this fact for security, but also has some downsides. For
|
||||
example, if you did a "pkcs15-init -C" and then added some EFs or DFs in the
|
||||
MF, you won't be able to do a "pkcs15-init -E" afterwards to remove the
|
||||
PKCS15 DF (5015). So you'll first have to manually remove all EFs/DFs you
|
||||
created in the MF before being able remove the pkcs15 DF.
|
||||
|
||||
Starcos SPK 2.3:
|
||||
- Due to the way Starcos SPK 2.3 manages access rights it is necessary
|
||||
to manually call "pkcs15-init --finalize" after card personalization
|
||||
if no SO-PIN has been specified. Once the card has been finalized it is
|
||||
not possible to add new private/secret keys or PINs. If a SO-PIN is
|
||||
used the card will automatically be finalized after the SO-PIN has
|
||||
been stored.
|
||||
- If an SO-PIN is used and if there is enough space in the key file left,
|
||||
then the owner of the SO-PIN can access/use every protected item by
|
||||
creating a PIN for the necessary state.
|
Loading…
Reference in New Issue