NetKey E4 cards

http://www.opensc.org/opensc/attachment/wiki/TelseCos/NetkeyE4-card.jpg?format=raw

Telesec is a German company that sells NetKey E4 cards. These cards have a TCOS 2.02 operating system and an almost PKCS#15* compatible file layout. OpenSC has read-only support for this kind of card.

If OpenSC fully supported TCOS, one could erase the preformatted card and initialize it with a PKCS#15* filesystem. This is not possible right now. You have the same problem if you own a blank TCOS card.

The good news is: with the help of an emulation layer, OpenSC can use cards that are almost PKCS#15* compatible. For NetKey E4 cards such an emulation layer exists. The emulation cannot store certificates, keys or PINs on the card, but you can use whatever is visible through the emulation layer.

SignTrust and German EId cards are also TCOS based but might have a different layout, so the NetKey E4 emulation might not work with these cards. If you have such a card and are willing to help, please post information on the mailing list. You might also send "opensc-tool -r" output to me; maybe I can extend the NetKey emulation so that other preformatted TCOS cards work as well.

NetKey E4 filesystem layout

NetKey E4 cards contain different directories with different applications. Only one of these (directory DF01) is made visible through the NetKey emulation layer. This directory contains 3 private keys, 3 public keys, 3 read-only certificates, 6 empty certificate files, 2 local PINs and one signature counter.

  pkcs15-tool -c

will list all certificates. It will not list the empty certificate files. Here's the output for a new NetKey E4 card:

$ pkcs15-tool -c
X.509 Certificate [Telesec Signatur Zertifikat]
        Flags    : 0
        Authority: no
        Path     : DF01C000
        ID       : 01

X.509 Certificate [Telesec Authentifizierungs Zertifikat]
        Flags    : 0
        Authority: no
        Path     : DF01C100
        ID       : 02

X.509 Certificate [Telesec Verschlüsselungs Zertifikat]
        Flags    : 0
        Authority: no
        Path     : DF01C200
        ID       : 03

The read-only certificates are signed by a Deutsche Telekom AG CA certificate and all have the same CN. Here's some output that shows one of them:

$ pkcs15-tool -r 01 | openssl x509 -noout -text -certopt no_pubkey,no_sigdump
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13356238 (0xcbccce)
        Signature Algorithm: ripemd160WithRSA
        Issuer: C=DE, O=Deutsche Telekom AG/0.2.262.1.10.7.20=1, CN=NKS CA 21:PN
        Validity
            Not Before: Jan 31 08:43:51 2003 GMT
            Not After : Jan 31 08:43:51 2006 GMT
        Subject: C=DE/0.2.262.1.10.7.20=1, CN=NKS 03 A 02707
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation

The public keys are record-based transparent files and cannot be used for cryptographic operations. They are on the card for convenience only. OpenSC extracts the public keys from the certificates and does not use the public key files.

How do I store additional certificates into the above mentioned empty certificate-files?

You (and OpenSC) don't see the empty certificate files through the emulation layer. One consequence of this is that you cannot store your own certificates into these files with pkcs11-tool or pkcs15-init.

You must use opensc-explorer and store the certificate directly at the right position, or use netkey-tool, a small program that I wrote exactly for that purpose.

In general (and in particular with TCOS cards) it's a lot more complicated to create a new file on a smartcard than to update an existing one. That's the reason why there are empty certificate files on a NetKey card. They contain 1536 0xFF bytes and you can overwrite them with your own certificate (if your certificate is at most 1536 bytes).
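The following is an added example, not OpenSC or netkey-tool code: it models the 1536-byte, 0xFF-filled certificate files described above, pads a DER certificate to the file size before it is written, and, when reading a file image back, tells an unused file from one that holds a certificate by parsing the DER SEQUENCE header. The sample certificate is a constructed DER SEQUENCE, not a real certificate.

```python
# Added example (not OpenSC code). Models the NetKey E4 empty certificate files:
# each is 1536 bytes of 0xFF and is used by overwriting it in place, so a
# certificate must be padded to exactly the file size and must not exceed it.

CERT_FILE_SIZE = 1536   # size of an empty certificate file on a NetKey E4 card
FILL_BYTE = 0xFF        # content of an unused certificate file

# Constructed sample: a DER SEQUENCE with a 256-byte body (long-form length 0x82 01 00).
SAMPLE_CERT = b"\x30\x82\x01\x00" + b"\x00" * 256


def der_length(blob: bytes) -> int:
    """Total length (header included) of the DER SEQUENCE starting at blob[0]."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                    # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                    # long form: n following bytes hold the length
    if n == 0 or n > 4 or len(blob) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def prepare_cert_file(der: bytes) -> bytes:
    """Pad a DER certificate with 0xFF to the card's file size, or refuse it."""
    if der_length(der) != len(der):
        raise ValueError("DER length does not match the data given")
    if len(der) > CERT_FILE_SIZE:
        raise ValueError(f"certificate is {len(der)} bytes, file holds {CERT_FILE_SIZE}")
    return der + bytes([FILL_BYTE]) * (CERT_FILE_SIZE - len(der))


def read_cert_file(content: bytes):
    """Return the DER certificate held in a file image, or None if the file is unused."""
    if len(content) != CERT_FILE_SIZE:
        raise ValueError("unexpected certificate file size")
    if content == bytes([FILL_BYTE]) * CERT_FILE_SIZE:
        return None                     # still the factory 0xFF fill: no certificate
    n = der_length(content)             # the DER header tells where the padding starts
    return content[:n]


if __name__ == "__main__":
    image = prepare_cert_file(SAMPLE_CERT)
    print(len(image), read_cert_file(image) == SAMPLE_CERT)
```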

netkey-tool can do other NetKey-card-specific things as well. In particular it will display your initial PUK value and all certificates (including the empty ones, which are invisible to pkcs15-tool). As of this writing (June 2005) netkey-tool is included in the CVS version only.