File: QuickStart.html

package info (click to toggle)
opensc 0.11.1-2etch2
  • links: PTS
  • area: main
  • in suites: etch
  • size: 7,284 kB
  • ctags: 7,257
  • sloc: ansic: 69,499; sh: 9,480; xml: 4,191; makefile: 346; lex: 92; perl: 25
file content (204 lines) | stat: -rw-r--r-- 9,059 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
 
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>QuickStart - OpenSC - Trac</title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div class="wikipage">
    <div id="searchable"><h1>Quick Start with OpenSC</h1>
<p>
If you haven't already, please first take a look at our <a href="OverView.html" shape="rect">OverView</a> page, the
<a href="OperatingSystems.html" shape="rect">OperatingSystems</a> page and the <a href="CompilingInstalling.html" shape="rect">CompilingInstalling</a> page. For the rest of this
document we assume you have installed OpenSC. We will show you how you
can test if it works, and what you can do with it.
</p>
<p>
Please note that OpenSC 0.10 does not include the pam module and the openssl
engine any more. We suggest you install <a class="ext-link" title="http://www.opensc-project.org/libp11/" href="http://www.opensc-project.org/libp11/" shape="rect">libp11</a>
and <a class="ext-link" title="http://www.opensc-project.org/engine_pkcs11/" href="http://www.opensc-project.org/engine_pkcs11/" shape="rect">engine_pkcs11</a> and if you want
to login with your smart card or crypto token, you might want to install
either <a class="ext-link" title="http://www.opensc-project.org/pam_p11/" href="http://www.opensc-project.org/pam_p11/" shape="rect">pam_p11</a> (a simple authentication
module) or <a class="ext-link" title="http://www.opensc-project.org/pam_pkcs11/" href="http://www.opensc-project.org/pam_pkcs11/" shape="rect">pam_pkcs11</a> (a full featured
authentication module).
</p>
<p>
Before we start a word of warning: these experiments can destroy your card
(e.g. if we have a bug. there is _NO WARRANTY_ on opensc of any kind).
Also be sure to make notes of everything you do, for example the pin and puk
and so-pin and so-puk you set, as it is for example not possible to erase
some cards.
</p>
<p>
But lets start. First test if OpenSC works: check if your smart card
reader is found:
</p>
<pre class="wiki" xml:space="preserve">$ opensc-tool --list-readers
Readers known about:
Nr.    Driver     Name
0      openct     Towitoko Chipdrive Micro
1      openct     Aladdin eToken PRO
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)
</pre><p>
You can see, openct claims five slots, but only two are used.
This is done to support hotplugging, those slots can be filled
later by additional readers you plugin via usb.
</p>
<p>
Next test is to see if your card is found. Every card has a so
called ATR ("Answer to reset"), a hex string used for identifying
the card type.
</p>
<pre class="wiki" xml:space="preserve">$ opensc-tool --reader 0 --atr
3b:e2:00:ff:c1:10:31:fe:55:c8:02:9c
</pre><p>
Lets see if that card is supported by OpenSC. If so, we should
know the name of the card:
</p>
<pre class="wiki" xml:space="preserve">$ opensc-tool --reader 0 --name
Cryptoflex 32K e-gate
</pre><p>
OpenSC has a small low level tool for exploring your smart card.
This is useful if you have a new card and want to look at it,
or check some details.
</p>
<pre class="wiki" xml:space="preserve">$ opensc-explorer
</pre><p>
However opensc-explorer only works with known cards and 
even then: some cards don't have then required functionality,
for example no "ls" command.
</p>
<h1>Quick start guide to initializing a blank card</h1>
<p>
The best way to use all features of OpenSC is to start
with a blank card and initialize it with OpenSC. Make sure
your vendor sold you a real blank card, many vendors
also have pre-initialized cards, and those only work
with the vendors software, but not or only limited with
OpenSC.
</p>
<p>
<strong></strong>Warning: <strong></strong>before writing any data on the token please
read the smartcard os specific wiki pages as some smartcards cannot be
deleted once initialized.
</p>
<p>
You can add "-v" to all of these commands, to get a more verbose
output. Adding "-v" more than once will enable debugging or increase
the debugging level.
</p>
<p>
First you need to create the basic structure. At this step you are
asked to enter a "security office" pin. Only with this pin you can
alter the card, but that pin is not needed to use the keys.
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-init --create-pkcs15
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 
</pre><p>
Next step is to create a user and a pin. That pin is needed for
using the keys we will create later.
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-init --store-pin --auth-id 01 --label "Andreas Jellinghaus"
New User PIN.
Please enter User PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 
Security officer PIN required.
Please enter Security officer PIN: 
</pre><p>
Now create a key. Both pins are needed for this.
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-init --generate-key rsa/1024 --auth-id 01
Security officer PIN required.
Please enter Security officer PIN: 
User PIN required.
Please enter User PIN: 
Security officer PIN required.
Please enter Security officer PIN: 
</pre><p>
If <a class="ext-link" title="http://www.opensc-project.org/engine_pkcs11/" href="http://www.opensc-project.org/engine_pkcs11/" shape="rect">engine_pkcs11</a> is installed we can use openssl to create
a self signed certificate. 
</p>
<pre class="wiki" xml:space="preserve">$ openssl
OpenSSL&gt; engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so \
	-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
        -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/home/aj/opentest/lib/opensc/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (pkcs11) pkcs11 engine
OpenSSL&gt;
</pre><p>
It is important to enter the whole long command in one single command
line. I usually copy&amp;paste the command, to make sure I don't mistype
anything. This command loads the opensc engine, so openssl can delegate
some work from your computers cpu to the smart card.
</p>
<pre class="wiki" xml:space="preserve">OpenSSL&gt; req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509
SmartCard PIN: 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:.
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:Andreas Jellinghaus
Email Address []:aj@dungeon.inka.de

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
OpenSSL&gt; 
</pre><p>
So now I have a signed certificate. Remove the final "-x509" if you want
a certificate signing request only. In that case, send the request
to the CA, wait till you get it back, signed, and proceed as normal.
</p>
<p>
For more details on the openssl engine, please see the
<a class="ext-link" title="http://www.opensc-project.org/engine_pkcs11/" href="http://www.opensc-project.org/engine_pkcs11/" shape="rect">engine pkcs11 documentation</a>.
</p>
<p>
Now store the certificate side by side with the key. It is important
to save the certificate under the same ID as the key. You can get
a list of all keys and their details (including the ID) with:
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-tool --list-keys
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 16
        Native      : yes
        Path        : 3F005015
        Auth ID     : 01
        ID          : 45
</pre><p>
So lets store the key:
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-init --store-certificate req.pem --auth-id 01 --id 45 --format pem 
Security officer PIN required.
Please enter Security officer PIN: 
</pre><p>
Now we are ready to go. If you want to add more certificates (e.g. the root
certificate of the CA that signed your key, or some intermediate certificates
in the chain to the root CA) simply put those into pem files, and add them
to id 46, 47 and so on. 
</p>
</div>
   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>