https://github.com/philipWendland/IsoApplet/wiki/Initialization
Example values used for initialization below (placeholders; choose your own PIN and PUK and never reuse these): Serial: DEADBEEFCAFEBABEC0DEFEE1 PIN: 123456789 PUK: deadbeefcafebabe
Once the applet is loaded, OpenSC has to know which driver to use for the card. If opensc-tool --name does not already report the isoApplet driver, add the card's ATR (as printed by opensc-tool --atr; yours will differ from the one below) to opensc.conf, inside the app default { } block, so that the middleware picks the right driver:
card_atr 3b:fc:18:00:00:81:31:80:45:90:67:46:4a:01:00:11:06:00:00:00:00:7c {
driver = "isoApplet";
}
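An ATR is easy to mistype, and a wrong one simply never matches. As an added example (not code from OpenSC or IsoApplet), the following Python decodes the ATR above according to ISO/IEC 7816-3, verifies its TCK check byte, and prints the card_atr block for opensc.conf. The ATR is the one from this page and "isoApplet" is OpenSC's driver name; everything else is the example's own.

```python
"""Check an ATR before adding it to opensc.conf.

Added example for this page; not code from OpenSC or IsoApplet. It decodes
the ISO/IEC 7816-3 structure of an ATR (TS, T0, interface bytes TAi..TDi,
historical bytes, TCK), verifies the TCK check byte, and emits the card_atr
block for opensc.conf. "isoApplet" is OpenSC's driver name for this applet.
"""

# ATR of the page's card, as printed by `opensc-tool --atr`.
PAGE_ATR = "3b:fc:18:00:00:81:31:80:45:90:67:46:4a:01:00:11:06:00:00:00:00:7c"


def _atr_bytes(atr_hex: str) -> bytes:
    return bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))


def parse_atr(atr_hex: str) -> dict:
    """Decode an ATR; raise ValueError if it is structurally malformed."""
    data = _atr_bytes(atr_hex)
    if len(data) < 2:
        raise ValueError("ATR too short")
    ts, t0 = data[0], data[1]
    if ts not in (0x3B, 0x3F):          # direct / inverse convention
        raise ValueError(f"bad TS byte {ts:#04x}")
    y, k = t0 >> 4, t0 & 0x0F           # Y1: which of TA1..TD1 follow; K: historical byte count
    pos, i = 2, 1
    interface = {}
    protocols = set()
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError(f"ATR truncated before {name}{i}")
                interface[f"{name}{i}"] = data[pos]
                if name == "TD":
                    td = data[pos]
                pos += 1
        if td is None:
            break
        protocols.add(td & 0x0F)        # low nibble of TDi: offered protocol T
        y, i = td >> 4, i + 1           # high nibble: which of TA..TD follow next
    if not protocols:
        protocols.add(0)                # no TD1 at all means T=0 only
    historical = data[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    tck_ok = None                       # TCK is absent when only T=0 is offered
    if protocols != {0}:
        if pos >= len(data):
            raise ValueError("TCK announced but missing")
        x = 0
        for b in data[1:pos + 1]:       # XOR of T0 .. TCK inclusive must be 0
            x ^= b
        tck_ok = x == 0
        pos += 1
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing byte(s) after ATR")
    return {
        "direct_convention": ts == 0x3B,
        "interface": interface,
        "protocols": sorted(protocols),
        "historical": historical,
        "tck_ok": tck_ok,
    }


def opensc_card_atr_block(atr_hex: str, driver: str = "isoApplet") -> str:
    """Return the card_atr block for opensc.conf, refusing a corrupt ATR."""
    info = parse_atr(atr_hex)
    if info["tck_ok"] is False:
        raise ValueError("TCK mismatch: ATR was mistyped or truncated")
    norm = ":".join(f"{b:02x}" for b in _atr_bytes(atr_hex))
    return f'card_atr {norm} {{\n\tdriver = "{driver}";\n}}\n'


if __name__ == "__main__":
    info = parse_atr(PAGE_ATR)
    print("protocols:", info["protocols"], "TCK ok:", info["tck_ok"])
    print("historical bytes:", info["historical"].hex())
    print(opensc_card_atr_block(PAGE_ATR))
```

For the page's ATR this reports T=1 only (TD1 and TD2 both announce T=1), twelve historical bytes, and a correct TCK; changing any hex digit makes the TCK check fail and the block is refused.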
Then initialize the card following the instructions at https://github.com/philipWendland/IsoApplet/wiki/Initialization.
Short version:
pkcs15-init --create-pkcs15
pkcs15-init --generate-key "rsa/2048" --auth-id "FF" --label "myKey" --id "1"
pkcs15-init prompts for any PIN or PUK it is not given on the command line. The --auth-id must be the ID of the PIN object that protects the key (pkcs15-tool --list-pins shows it), and the --id is the key ID that the pkcs15-tool and pkcs15-init commands further down refer to.
Loading the PKCS#11 module into OpenSSL is more straightforward: point the default section of /etc/ssl/openssl.cnf at an init section (the openssl_conf line has to sit at the top of the file, before the first [section] header) and add the engine sections below it:
openssl_conf = openssl_init
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
#dynamic_path = /usr/lib/ssl/engines/libpkcs11.so
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
init = 0
The dynamic_path depends on distribution and OpenSSL version (engines-1.1 is OpenSSL 1.1.x; OpenSSL 3 deprecates engines in favour of providers). Since this file is read by every program that links OpenSSL, consider keeping these sections in a private copy of the file and pointing OPENSSL_CONF at it instead of editing the system-wide one.
Exporting the public key of the key with ID 2 from a card in OpenSSH format: pkcs15-tool --read-ssh-key 2 (pkcs15-tool --read-public-key 2 gives the same key as PEM).
Test that your PKCS#11 module and the card are working:
pkcs11-tool --test --login
Enter the PIN at the prompt rather than passing it with --pin, which would leave it in your shell history. If your reader has a PIN pad, the command can look like it is hanging while the pad is waiting for your PIN.
Find the URL for your card:
p11tool --list-token-urls
If p11tool does not list the card, it does not know about the OpenSC module; pass it explicitly with --provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (the same path as MODULE_PATH above). For an IsoApplet card you should see something like pkcs11:model=PKCS%2315;manufacturer=unknown;serial=0000;token=JavaCard%20isoApplet%20%28User%20PIN%29. We'll call this $TOKEN_URL from here out.
Keys in the PKCS#11 module are referred to by URLs too. To obtain the URLs of the keys presently on the card, use the command below; the URL field of the key you want is what the OpenSSL commands further down call $PKCS11_URL:
p11tool --list-privkeys --login $TOKEN_URL
Object 0:
URL: pkcs11:model=PKCS%2315;manufacturer=unknown;serial=0000;token=JavaCard%20isoApplet%20%28User%20PIN%29;id=%01;object=myKey;type=private
Type: Private key
Label: myKey
Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
ID: 01
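As an added example (not p11tool, OpenSC or IsoApplet code), the following Python shows how the key URL relates to $TOKEN_URL: it parses and rebuilds RFC 7512 pkcs11: URIs with the same percent-encoding p11tool prints, derives the private-key URL from the token URL plus the key's ID and label, and picks a key out of the listing by label so a script need not hard-code the URL. The listing text inside it is constructed from the output above plus a made-up second key labelled sshKey.

```python
"""Build, parse and select PKCS#11 URIs (RFC 7512) as p11tool prints them.

Added example for this page, not part of p11tool, OpenSC or IsoApplet.
The listing below is constructed: the first object is the one from the page,
the second (sshKey, id 02) is made up to have something to select against.
"""
from typing import Optional
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Token URL as the page shows it for an IsoApplet card.
TOKEN_URL = ("pkcs11:model=PKCS%2315;manufacturer=unknown;serial=0000;"
             "token=JavaCard%20isoApplet%20%28User%20PIN%29")

# Private-key URL of "myKey" as the page shows it.
MYKEY_URL = TOKEN_URL + ";id=%01;object=myKey;type=private"

# Constructed sample of `p11tool --list-privkeys --login $TOKEN_URL` output.
LISTING = f"""\
Object 0:
    URL: {MYKEY_URL}
    Type: Private key
    Label: myKey
    Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 01

Object 1:
    URL: {TOKEN_URL};id=%02;object=sshKey;type=private
    Type: Private key
    Label: sshKey
    Flags: CKA_PRIVATE; CKA_NEVER_EXTRACTABLE; CKA_SENSITIVE;
    ID: 02
"""


def parse_pkcs11_uri(uri: str) -> dict:
    """Split a pkcs11: URI into its path attributes, percent-decoded.

    Values come back as str except `id`, which RFC 7512 defines as the raw
    CKA_ID bytes. Query attributes after '?' (pin-value, module-path, ...)
    are ignored here.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, _, value = part.partition("=")
        raw = unquote_to_bytes(value)
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    return attrs


def build_pkcs11_uri(attrs: dict) -> str:
    """Serialize attributes back into a pkcs11: URI, in the order given.

    Everything outside the unreserved set is percent-encoded, which matches
    what p11tool prints ('#' -> %23, ' ' -> %20, '(' -> %28, 0x01 -> %01).
    """
    parts = []
    for name, value in attrs.items():
        raw = value if isinstance(value, bytes) else value.encode("utf-8")
        parts.append(f"{name}={quote_from_bytes(raw, safe='')}")
    return "pkcs11:" + ";".join(parts)


def private_key_uri(token_uri: str, key_id: bytes, label: str) -> str:
    """Derive a key URL from the token URL plus the object's CKA_ID and label."""
    attrs = parse_pkcs11_uri(token_uri)
    attrs.update({"id": key_id, "object": label, "type": "private"})
    return build_pkcs11_uri(attrs)


def find_key_url(listing: str, label: str) -> Optional[str]:
    """Return the URL of the private key with the given label, or None.

    p11tool prints the URL line before the Label line of each object, so the
    most recently seen URL belongs to the label being checked.
    """
    url = None
    for line in listing.splitlines():
        line = line.strip()
        if line.startswith("URL: "):
            url = line[len("URL: "):]
        elif line.startswith("Label: ") and line[len("Label: "):] == label:
            return url
    return None


if __name__ == "__main__":
    print(parse_pkcs11_uri(TOKEN_URL)["token"])      # JavaCard isoApplet (User PIN)
    print(private_key_uri(TOKEN_URL, b"\x01", "myKey") == MYKEY_URL)
    print(find_key_url(LISTING, "sshKey"))
```

The id attribute is kept as bytes on purpose: %01 is the one-byte CKA_ID 0x01 that pkcs15-init assigned with --id 1, not the text "01", and encoding it as text would produce a URL that matches nothing on the card.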
To create a self-signed X.509 certificate for the key at one of those URLs, use OpenSSL:
openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine \
pkcs11 -keyform engine -key "$PKCS11_URL" -out cert.pem
substituting the URL of the appropriate private key on the card. To use that key as a CA and sign a CSR req.csr with it (cert.pem serves as the CA certificate):
openssl x509 -req -CAkeyform engine -engine pkcs11 \
-in req.csr -CA cert.pem -CAkey "$PKCS11_URL" -set_serial 1 -sha256 -out signed.crt
Without -out the certificate is printed to stdout. Use a different serial for every certificate issued with this CA key; -set_serial 1 is only fine for the first one.
Alternatively, generate a CSR to be signed by an external CA (-days only applies with -x509, so it is left out here):
openssl req -new -subj '/CN=rechner' -sha256 \
-engine pkcs11 -keyform engine -key "$PKCS11_URL" -out ipacert.csr
NOTE: OpenSSL versions 1.0.1 through 1.1.0f (fixed in 1.1.0g) have a bug in openssl req that rejects -keyform engine. If you get a message like "bad format 'engine'; must be pem or der", see the corresponding GitHub issue; there is no way around it except installing a version with the fix.
Load the signed certificate back onto the card, under the same --id as the key so that the PKCS#11 module pairs the two:
pkcs15-init --store-certificate signed.crt --id 1 --cert-label "user@realm"
Take a look at this article. There are a few ways we could go about this, but an IPA-joined machine should have most of the aforementioned setup with nsss completed already.