Remove old text files.
New documentation is in opensc/docs/opensc.html (and .xml).

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1244 c6295689-39f2-0310-b995-f0e70906c6a9
parent: aee7119020
commit: d94de46a59
15
AUTHORS
15
AUTHORS
|
@ -1,15 +0,0 @@
|
|||
Authors of OpenSC:
|
||||
|
||||
Juha Yrjölä <juha.yrjola@iki.fi>
|
||||
Antti Tapaninen <aet@cc.hut.fi>
|
||||
Timo Teräs <timo.teras@iki.fi>
|
||||
Olaf Kirch <okir@suse.de>
|
||||
|
||||
Contributors:
|
||||
Stef Hoeben <Hoeben.S@Zetes.com> (pkcs11, libopensc, win32 port)
|
||||
Andreas Jellinghaus <aj@dungeon.inka.de> (usbtoken, tools, auto{conf,make})
|
||||
Robert Bihlmeyer <robbe@orcus.priv.at> (bug fixes)
|
||||
|
||||
Contributors to usbtoken:
|
||||
Matthias Brüstle
|
||||
Kevin Stefanik <kstef@mtppi.org>
|
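Review bot: the AUTHORS list deleted in this hunk (the four authors, the contributors with their areas, and the usbtoken contributors) is attribution rather than documentation, so it has no natural home in an HTML manual; before dropping it, confirm that opensc/docs/opensc.html really reproduces these names and roles, or keep a top-level AUTHORS file, since distribution and licence tooling expects one at the project root.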
35
README
35
README
|
@ -1,35 +0,0 @@
|
|||
README for OpenSC
|
||||
|
||||
|
||||
Introduction
|
||||
============
|
||||
|
||||
libopensc is a library for accessing SmartCard devices using PC/SC Lite
|
||||
middleware package. It is also the core library of the OpenSC project.
|
||||
Basic functionality (e.g. SELECT FILE, READ BINARY) should work on any ISO
|
||||
7816-4 compatible SmartCard. Encryption and decryption using private keys on
|
||||
the SmartCard is at the moment possible only with PKCS#15 compatible cards,
|
||||
such as the FINEID (Finnish Electronic IDentity) card manufactured by
|
||||
Setec.
|
||||
|
||||
|
||||
Building and Installing libopensc
|
||||
=================================
|
||||
|
||||
See the INSTALL file for instructions. If you are using the CVS version,
|
||||
you have to run the 'bootstrap' script before running configure. Please
|
||||
note, that for bootstrap to work, you have to have the correct versions of
|
||||
Autoconf, Automake and Libtool installed.
|
||||
|
||||
|
||||
Troubleshooting
|
||||
===============
|
||||
|
||||
A mailing-list has been set up for support and discussion about the
|
||||
OpenSC project. Additional info is available at OpenSC web site.
|
||||
|
||||
|
||||
Resources
|
||||
=========
|
||||
|
||||
See the OpenSC web site at http://www.opensc.org/
|
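Review bot: deleting the top-level README leaves a fresh checkout with no pointer to where the documentation went; the commit message names opensc/docs/opensc.html, so a one-paragraph README saying exactly that costs nothing and avoids the empty root. Also check that the build note in this hunk, running the 'bootstrap' script on CVS checkouts and needing matching Autoconf, Automake and Libtool versions, survives in the new document, since it is the step first-time builders trip over.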
76
README.Win32
76
README.Win32
|
@ -1,76 +0,0 @@
|
|||
README for Win32 port of OpenSC
|
||||
|
||||
|
||||
Compiling
|
||||
=========
|
||||
|
||||
Type "nmake -f makefile.mak" in the opensc\ dir to compile.
|
||||
|
||||
You need also perl and flex installed for the compile process
|
||||
to complete succesfully.
|
||||
|
||||
|
||||
What works
|
||||
==========
|
||||
|
||||
At the moment only libopensc.dll and opensc-pkcs11.dll, and most
|
||||
executables in the tools\ and tests\ dir have been ported.
|
||||
They are tested on Win98, WinNT, Win2000 and WinXP.
|
||||
|
||||
|
||||
Installation
|
||||
============
|
||||
|
||||
No installation script has been provided, so you have to do this
|
||||
manually:
|
||||
- Copy opensc.conf to your Windows directory (usually C:\WINDOWS
|
||||
or C:\WINNT). This is optional.
|
||||
- Copy opensc.dll and opensc-pkcs11.dll to your path.
|
||||
- If you want to use pkcs15-init.exe, make sure the *.profile files
|
||||
in the pkcs15-init\ dir are in the same directory as pkcs15-init.exe.
|
||||
|
||||
|
||||
What needs to be done
|
||||
=====================
|
||||
|
||||
Other parts of OpenSC be should ported as well.
|
||||
Also we should implement native Win32 APIs such as
|
||||
CryptoAPI Provider, some login stuff and ActiveX plugin for
|
||||
Explorer to do the signing.
|
||||
|
||||
|
||||
How to add openssl
|
||||
==================
|
||||
|
||||
This adds extended functionality.
|
||||
E.g. the pkcs15-init tool, pkcs11 hash mechanisms and more
|
||||
pkcs11 signature mechs.
|
||||
|
||||
- download and compile the openssl sources from
|
||||
http://www.openssl.org/source/
|
||||
|
||||
- Add the inc32\ dir to your include path,
|
||||
the out32dll\ to your lib path and your executable path
|
||||
set include=%include%;.....\inc32
|
||||
set lib=%lib%;.....\out32dll
|
||||
set path=%path%;....\out32dll
|
||||
|
||||
- In src/tools/Makefile.mak
|
||||
- uncomment pkcs15-init.exe in the "TARGETS" line (optionally)
|
||||
- Add libeay32.lib (and gdi32.lib) to the "link" line
|
||||
|
||||
- In src/libopensc/Makefile.mak
|
||||
- Add libeay32.lib (and gdi32.lib) to the "link" line
|
||||
|
||||
- In src/pkcs11/Makefile.mak
|
||||
- Add libeay32.lib (and gdi32.lib) to the "link" line
|
||||
|
||||
- In win32/Make.rules.mak
|
||||
- Add /DHAVE_OPENSSL to the "COPTS" line
|
||||
|
||||
- For the pkcs11 OpenSSL engine
|
||||
- Add sslengines to the "SUBDIRS" line in opensc/src/Makefile.mak
|
||||
|
||||
To add the OpenSSL code to the DLLs (so you won't need libeay32.dll
|
||||
anymore): statically compile OpenSSL and add gdi32.lib next to
|
||||
libeay32.lib in the 3 Makefile.mak files above.
|
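Review bot: the "How to add openssl" section of README.Win32 (adding /DHAVE_OPENSSL to the "COPTS" line, adding libeay32.lib and gdi32.lib to the "link" line of the three Makefile.mak files, adding sslengines to "SUBDIRS") is the only place that explains how a Win32 build gains pkcs15-init, the pkcs11 hash mechanisms and the extra signature mechanisms; a build that silently lacks them shows up later as missing mechanisms, so make sure those exact steps appear in opensc.html before this file goes. The installation step "Copy opensc.dll and opensc-pkcs11.dll to your path" should be carried over as well, since loading the PKCS#11 module by bare name depends on it.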
33
README.cards
33
README.cards
|
@ -1,33 +0,0 @@
|
|||
|
||||
Supported Cards
|
||||
===============
|
||||
|
||||
CryptoFlex
|
||||
Support signing/decrypting, and initialization
|
||||
|
||||
GPK 4K, 8K, 16K
|
||||
Support signing/decrypting, and initialization.
|
||||
|
||||
NOTE: You will not be able to initialize a GemSafe cards -
|
||||
these card already have been personalized by Gemplus, and you
|
||||
cannot erase them or create new key files on them.
|
||||
|
||||
eToken
|
||||
Support signing/decrypting, and initialization.
|
||||
|
||||
NOTE: The eToken does not support keys that can
|
||||
be used for decryption and signing simultaneously.
|
||||
You need to create two keys with different usage.
|
||||
|
||||
Micardo
|
||||
Supported - need to fill in the details
|
||||
|
||||
Miocos
|
||||
Supported - need to fill in the details
|
||||
|
||||
Setcos
|
||||
Supported - need to fill in the details
|
||||
|
||||
Tcos
|
||||
Supported - need to fill in the details
|
||||
|
|
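Review bot: README.cards carries two caveats that are easy to lose in a rewrite and that users hit at personalization time: GemSafe cards are already personalized by Gemplus and cannot be erased or given new key files, and the eToken cannot hold a key usable for both decryption and signing, so two keys with different usage are required. Check that both appear in the new card documentation, and that the four "Supported - need to fill in the details" entries (Micardo, Miocos, Setcos, Tcos) are tracked somewhere rather than quietly disappearing with the file.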
@ -1,39 +0,0 @@
|
|||
|
||||
Introduction
|
||||
============
|
||||
|
||||
OpenSC Signer is a Netscape plugin that will generate digital signatures
|
||||
using facilities on PKI-capable smartcards.
|
||||
|
||||
|
||||
Building and Installing libopensc
|
||||
=================================
|
||||
|
||||
You should specify your plugin directory with:
|
||||
$ configure --with-plugin-dir=<directory>
|
||||
|
||||
Common plugin directories are /usr/lib/mozilla/plugins and
|
||||
/usr/lib/netscape/plugins.
|
||||
|
||||
See the INSTALL file for more instructions.
|
||||
|
||||
NOTE: PIN code dialog is done through libassuan from Project Ägypten.
|
||||
If you don't have it installed already, download it from the link
|
||||
below.
|
||||
|
||||
|
||||
Troubleshooting
|
||||
===============
|
||||
|
||||
A mailing-list has been set up for support and discussion about the
|
||||
OpenSC project. Additional info is available at the OpenSC web site.
|
||||
|
||||
|
||||
Resources
|
||||
=========
|
||||
|
||||
OpenSC web site:
|
||||
http://www.opensc.org/
|
||||
|
||||
Information about Assuan and project Ägypten:
|
||||
http://www.gnupg.org/aegypten/
|
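Review bot: this hunk has no file name on the rendered page, so the commit message should say which file the OpenSC Signer README was. Its content records two things a packager needs: the configure option --with-plugin-dir=<directory> with the common plugin directories, and the fact that the PIN code dialog is done through libassuan from Project Ägypten (http://www.gnupg.org/aegypten/); the second is a build and runtime dependency on the PIN-entry path, so confirm it is listed in the new documentation. Note also that the section heading in the removed text reads "Building and Installing libopensc" although it describes the plugin; do not copy that heading verbatim into opensc.html.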
5
THANKS
5
THANKS
|
@ -1,5 +0,0 @@
|
|||
The following people provided inspiration, moral support and/or valuable
|
||||
information during the development of OpenSC:
|
||||
|
||||
Antti Partanen <antti.partanen@vrk.intermin.fi>
|
||||
David Corcoran <corcoran@linuxnet.com>
|
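Review bot: THANKS, like AUTHORS in this same commit, is an acknowledgement file rather than documentation; unless the two names here are reproduced in opensc.html, keep the file, since an acknowledgement list does not belong in a user manual and is expected at the project root.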
23
TODO
23
TODO
|
@ -1,23 +0,0 @@
|
|||
* Debian packaging
|
||||
* GUI applications
|
||||
* Ports to MacOS X (jey) and Win32 (fabled?)
|
||||
* Add support for EMV and GSM (anyone?)
|
||||
|
||||
Nitty gritty details:
|
||||
* Pin pad support
|
||||
* Merge DODF patches (mostly done)
|
||||
* put generic PEM encoding/decoding functions into libopensc?
|
||||
* Merge pkcs11 proxy from Zetes
|
||||
* pkcs11: support decrypt for those cards that have it
|
||||
* pkcs11: make sure all PIN ops work through pkcs11
|
||||
* pkcs11: unblock pins: check for unblock pins in AODF
|
||||
* all: support for RSA-PSS
|
||||
* pkcs15-init: support SOPIN on Cryptoflex
|
||||
* pkcs15-init: use max. possible usage by default
|
||||
* pkcs15-init: during keygen, make sure the pubkey usage is right
|
||||
* pkcs15-init: when using an unblock PIN, write an AODF entry for it
|
||||
(alternatively: set unblockDisabled flag for those PINs that have no PUK?)
|
||||
* pkcs15: fix sc_pkcs15_change_reference_data; add unblock function
|
||||
* pkcs11: make sure all PIN ops work through pkcs11
|
||||
|
||||
|
|
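Review bot: TODO contains open items with security impact that should not vanish with the file: "all: support for RSA-PSS", "pkcs11: unblock pins: check for unblock pins in AODF", "pkcs15: fix sc_pkcs15_change_reference_data; add unblock function", and the pkcs15-init items about default key usage, pubkey usage during keygen and writing an AODF entry for an unblock PIN. Move them into an issue tracker or an open-issues section of the new documentation before deleting. Also note that "pkcs11: make sure all PIN ops work through pkcs11" is listed twice in the removed file, so a migrated list should carry it once.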
@ -1,79 +0,0 @@
|
|||
The OpenSC PKCS11 implementation
|
||||
|
||||
1) What is PKCS11
|
||||
|
||||
PKCS11 is a standard API for accessing cryptographic tokens
|
||||
such as smart cards, Hardware Security Modules, ...
|
||||
It contains functions like C_GetSlotList(), C_OpenSession(),
|
||||
C_FindObjects(), C_Login(), C_Decrypt(), ...
|
||||
|
||||
Some core concepts of pkcs11 are:
|
||||
- slot: the place in which a smart card can be put. Usually this
|
||||
corresponds with a card reader (but: see below, Virtual slots).
|
||||
- token: the thing that is put in a slot. Usually this corresponds
|
||||
with a smart card (but: see below, virtual slots).
|
||||
- object: a key, a certificate, some data, ... Is either a token
|
||||
object (if it resides on the card) or a session object (if it
|
||||
doesn't reside on the card, e.g. a certificate given to the
|
||||
pkcs11 library to do a verification).
|
||||
- session: before you can do anything with a token, you have to
|
||||
open a session on it.
|
||||
- operation: a signature, decryption, digest, ... operation, that
|
||||
can consist of multiple function calls. Example: C_SignInit(),
|
||||
C_SignUpdate(), C_SignFinal(); here the first function starts
|
||||
the operation, the third one ends it. Only one operation can be
|
||||
done in the same session, but multiple sessions can be opened
|
||||
on the same token.
|
||||
|
||||
2) Virtual slots
|
||||
|
||||
Per token, only 2 PINs can be given: the SO (Security Officer) PIN
|
||||
and the user PIN. However, smart cards can have 2 or more user
|
||||
PINs.
|
||||
A way to this solve problem is to have multiple 'virtual' slots,
|
||||
as explained in appendix D of the pkcs11 standard. So per physical
|
||||
reader, you have a number of virtual slots. If you insert a card
|
||||
in the reader, a token will appear in all the virtual slots,
|
||||
and each token will contain 1 PIN along with the private keys
|
||||
it protects and certificates corresponding to those private keys.
|
||||
|
||||
Because OpenSC supports multiple cards, it is not known in advance
|
||||
how many PINs a smart card will have. Therefore, a default number
|
||||
of 4 virtual slots is used. You can change this default in the
|
||||
pkcs11 section of opensc.conf: num_slots.
|
||||
|
||||
Opensc implements the following behaviour: for each PIN, its
|
||||
private keys and corresponding certs, there is 1 virtual slot
|
||||
allocated. If there are any objects left, they are put in the
|
||||
next free virtual slot. And if there are some virtual slots left,
|
||||
an 'empty' token is 'put' in them; on this empty token a PIN and
|
||||
data can then be put. If you find this too confusing, you
|
||||
can hide empty tokens with the hide_empty_tokens option in
|
||||
the config file.
|
||||
|
||||
Example:
|
||||
Take a card with 2 PINs. Each PIN protects a private key and
|
||||
each private key has a corresponding cert chain. And then there
|
||||
are 3 other roots certs that have nothing to do with the other
|
||||
data.
|
||||
Now if num_slots = 4, hide_empty_tokens = false; and if you put
|
||||
the card your second card reader, you'll get the following:
|
||||
- token in slot 4: PIN 1, key 1, cert chain 1
|
||||
- token in slot 5: PIN 2, key 2, cert chain 2
|
||||
- token in slot 6: the 3 other root certs
|
||||
- token in slot 7: no data
|
||||
If hide_empty_tokens would have been true, slot 7 wouldn't show
|
||||
a token.
|
||||
|
||||
Note: if in the example the 2 cert chain would have common
|
||||
certificates, those certificates would appear in the tokens
|
||||
in slots 4 and 5. (Which would cause a problem if those
|
||||
certs were deleted, this hasn't been solved yet in OpenSC).
|
||||
|
||||
Another good-to-know: the number of virtual slots has been
|
||||
hard-coded (it is 8 at the moment). So if num_slots = 4,
|
||||
only the first 2 readers will be visible. Or if you'd put
|
||||
num_slots to 3, the first 2 readers will have 3 virtual
|
||||
slots and the third reader will have 2.
|
||||
|
||||
|
|
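Review bot: this PKCS11 README is the only description of the virtual-slot model that users encounter through num_slots and hide_empty_tokens in the pkcs11 section of opensc.conf, and it documents two limitations that matter operationally: the total number of virtual slots is hard-coded to 8, so num_slots = 4 exposes only the first two readers, and certificates common to two cert chains appear in two tokens, with deletion of such a certificate explicitly "not solved yet". These belong in the new configuration documentation as known limitations; please confirm they are present there, not only the option names.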
@ -1,18 +0,0 @@
|
|||
Steps for your OpenSSH pleasure:
|
||||
|
||||
- Download, compile and install OpenSSL (http://www.openssl.org)
|
||||
- Download the current version of OpenSSH/portable
|
||||
from http://www.openssh.com/portable.html
|
||||
- Read openssh/README.smartcard, compile and install
|
||||
|
||||
- Download a public key from your SmartCard in OpenSSH format
|
||||
(e.g. 'ssh-keygen -D <reader num>[:<certificate ID>] > <file>')
|
||||
- Transfer the public key to desired server
|
||||
- Run OpenSSH with 'ssh -I <reader num>[:<certificate ID>] <host>'
|
||||
(e.g. '-I 0:45' uses first available reader and certificate with
|
||||
ID 45h, '-I 0' uses the first found certificate')
|
||||
|
||||
With luck you should be authenticated and ready to go. If it won't work,
|
||||
try enabling debug information with the '-d' switch.
|
||||
--
|
||||
Antti Tapaninen <aet@cc.hut.fi>
|
|
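Review bot: the OpenSSH notes give the exact invocations a user needs ('ssh-keygen -D <reader num>[:<certificate ID>] > <file>' and 'ssh -I <reader num>[:<certificate ID>] <host>'), and the example '-I 0:45' spells out that the certificate ID is hexadecimal (45h). If the new document covers OpenSSH, keep that example rather than a generic description, because the hex ID is the detail most likely to be mistyped as a decimal index; the '-d' debugging hint is worth keeping for the same reason.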
@ -1,49 +0,0 @@
|
|||
pam_opensc - smart card authentication module for PAM
|
||||
-----------------------------------------------------
|
||||
|
||||
The following options are recognized:
|
||||
debug - log more debugging info
|
||||
audit - a little more extreme than debug
|
||||
use_first_pass - don 't prompt the user for passwords
|
||||
take them from PAM_ items instead
|
||||
try_first_pass - don 't prompt the user for the passwords
|
||||
unless PAM_(OLD)AUTHTOK is unset
|
||||
use_authtok - like try_first_pass, but * fail * if the new
|
||||
PAM_AUTHTOK has not been previously set.
|
||||
(intended for stacking password modules only)
|
||||
set_pass - set the PAM_ items with the passwords
|
||||
used by this module.
|
||||
nodelay - used to prevent failed authentication
|
||||
resulting in a delay of about 1 second.
|
||||
auth_method=X - use authentication method X, the following
|
||||
methods are currently recognized:
|
||||
pkcs15-ldap, pkcs15-eid
|
||||
|
||||
Generic options:
|
||||
-h Show help
|
||||
|
||||
auth_method[pkcs15-ldap]:
|
||||
-r <reader> Reader name
|
||||
LDAP specific options:
|
||||
-L ldap.conf Configuration file to load
|
||||
-A entry Add new entry
|
||||
-E entry Set current entry
|
||||
LDAP entry specific options:
|
||||
-H hostname
|
||||
-P port
|
||||
-S scope
|
||||
-b binddn
|
||||
-p passwd
|
||||
-B base
|
||||
-a attribute(s)
|
||||
-f filter
|
||||
|
||||
auth_method[pkcs15-eid]:
|
||||
-r <reader> Reader name
|
||||
|
||||
# Copy your PEM encoded certificate to a file in your home directory
|
||||
# called '.eid/authorized_certificates'.
|
||||
# NOTE:
|
||||
# You can use the 'pkcs15-tool -r <ID> -o ~/.eid/authorized_certificates'
|
||||
# command to get the PEM encoded certificate. Find the ID by saying
|
||||
# 'pkcs15-tool -c'. FINEID card owners should use 45 for the ID.
|
|
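Review bot: the pam_opensc text is the only documentation of options with direct authentication-policy consequences: use_first_pass, try_first_pass and use_authtok decide where the PIN comes from when modules are stacked, nodelay disables the roughly one-second delay after a failed authentication (a deliberate throttle against guessing), and the pkcs15-eid method trusts whatever PEM certificates are in ~/.eid/authorized_certificates. A PAM module whose option semantics are undocumented will be misconfigured, so verify that every option here is in opensc.html with the same meaning. The LDAP method's '-p passwd' option takes a bind password on the command line; wherever it is documented next, it deserves a note that command-line arguments are visible in process listings.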
@ -1,64 +0,0 @@
|
|||
Installation
|
||||
------------
|
||||
|
||||
Netscape:
|
||||
Select menu: Communicator -> Tools -> Security Info
|
||||
|
||||
Select Cryptographic Modules
|
||||
|
||||
Click: Add
|
||||
|
||||
Module name: descriptive name about module (eg. opensc-pkcs11)
|
||||
Module file: absolute path of opensc-pkcs11.so
|
||||
|
||||
For proper operation, you also need to configure the module:
|
||||
In the Crypthographic Modules dialog, select the OpenSC card,
|
||||
and click on the "Config" button to the right. Select the
|
||||
"Enable this token" radio button, and select the "Publicly
|
||||
readable Certs" button.
|
||||
|
||||
This will ensure that netscape uses the card when trying to
|
||||
display encrypted messages in netscape messenger. Setting
|
||||
"Publicly readable Certs" will also stop a pretty annoying habit
|
||||
of netscape which is to ask for all PINs when browsing sites
|
||||
requiring client authentication.
|
||||
|
||||
You should _not_ select the "RSA" button. If this option is
|
||||
selected, netscape will try to use the card for all public key
|
||||
operations, and will fail horribly.
|
||||
|
||||
Mozilla:
|
||||
Make sure Personal Security Manager (PSM) is installed
|
||||
(eg. mozilla-psm package is installed).
|
||||
|
||||
Select menu: Edit -> Preferences
|
||||
|
||||
Select category: Privacy & Security -> Certificates
|
||||
|
||||
Click: Manage Security Devices
|
||||
|
||||
Click: Load
|
||||
|
||||
Module name: descriptive name about module (eg. opensc-pkcs11)
|
||||
Module file: absolute path of opensc-pkcs11.so
|
||||
|
||||
|
||||
Notes
|
||||
-----
|
||||
|
||||
Netscape seems to show more information about the security module
|
||||
than Mozilla. Otherwise all stuff is untested.
|
||||
|
||||
Thread safety on Linux and Mac OS X:
|
||||
Netscape/Mozilla uses the CKF_OS_LOCKING_OK flag in C_Initialize().
|
||||
The result is that the browser process doesn't end when closing
|
||||
the browser, so you have to kill the process yourself.
|
||||
(If the browser would do a C_Finalize, the sc_pkcs11_free_lock()
|
||||
would be called and there wouldn't be a problem.)
|
||||
Therefore, we don't use the PTHREAD locking mechanisms, even if they
|
||||
are requested. This seems to work fine for Mozilla, BUT will cause
|
||||
problems for apps that use multiple threads to access this lib
|
||||
simultaneously.
|
||||
If you do want to use OS threading, compile with -DPKCS11_THREAD_LOCKING
|
||||
On Windows, no PTHREAD lib is used and there the problem doesn't
|
||||
occur. So there the OS locking is enabled.
|
|
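Review bot: the Notes section here documents a threading decision that affects every PKCS#11 client, not only browsers: on Linux and Mac OS X the library does not use the PTHREAD locking mechanisms even when the caller requests them via CKF_OS_LOCKING_OK in C_Initialize(), unless built with -DPKCS11_THREAD_LOCKING, and the text itself says this "will cause problems for apps that use multiple threads to access this lib simultaneously", while on Windows OS locking is enabled. That caveat, and the instruction not to select the "RSA" button in Netscape, must be in the new document, since after this commit it is the only place a deployer can learn that the default Unix build is not safe for concurrent callers. Fix "Crypthographic" to "Cryptographic" when the text is migrated.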
@ -1,20 +0,0 @@
|
|||
engine-pkcs11
|
||||
-------------
|
||||
|
||||
This is an OpenSSL engine for making certificate requests for
|
||||
a key that resides on an smart card. When the certificate
|
||||
request has to be signed, the smart card is contacted through
|
||||
the opensc-pkcs11 lib for creating the signature.
|
||||
|
||||
Usage:
|
||||
|
||||
- start the OpenSSL tool: openssl
|
||||
- at the prompt, enter: engine dynamic -pre SO_PATH:engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
|
||||
(for Windows, use "engine_pkcs11" instead of "engine_pkcs11.so")
|
||||
- at the prompt, enter: req -engine pkcs11 -new -key <key> -keyform engine -out req.pem -text
|
||||
|
||||
In the last line, <key> has the format [slot_<slotNr>][-][id_<keyID>], in which
|
||||
- the optional slotNr indicates which pkcs11 slot to take (starting from 0, which is also the default)
|
||||
- keyID is the key ID in hex notation
|
||||
Examples: id_45 -> private key with ID = 0x45 in the first 'suited' slot
|
||||
slot_2-id_46 -> private key with ID = 0x46 in the third slot
|