Agenda: opendnssec-smartcard-freebsd.txt

File opendnssec-smartcard-freebsd.txt, 3.4 KB (added by trac, 5 years ago)
Activating a GemPC USB card reader using a MyEID smartcard with FreeBSD to
use with OpenDNSSEC

On FreeBSD, install the packages:

    devel/libccid
    devel/pcsc-lite
    security/pcsc-tools
    security/opensc

You will have to fix

/usr/local/share/opensc/myeid.profile

as described here:

https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card

204c204
<                     file-id   = 4501;
---
>                     file-id   = 4601;

You will then need to restart pcscd (service pcscd restart).

Plug in the reader and insert a card.

# opensc-tool --list-readers

should list the card reader, assuming that pcscd has started and libccid is
installed:

# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Gemalto GemPC Twin 00 00

Run this to initialize the smartcard:

pkcs15-init -C --so-pin 1111 --so-puk 1111 --pin 1111 --puk 1111

If everything goes well, the card should be ready for initialization.

Initialization:

pkcs15-init -C --so-pin 1111 --so-puk 1111 --pin 1111 --puk 1111

pkcs15-init -P -a -1 -l "Basic PIN"  --pin nsec3 --puk nsec4

 User PIN : nsec3
 User PUK : nsec4

pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L

Once initialized, the output will look like:

Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Gemalto GemPC Twin 00 00
  token label:   MyEID (Basic PIN)
  token manuf:   Aventra Ltd.
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  0093019074952092

Note the "token label:" field above. It will be used in the Repository
definition in the OpenDNSSEC conf.xml.

Now install the OpenDNSSEC tools to test access to the HSM:

    aptitude install libhsm-bin

Edit /etc/opendnssec/conf.xml to define the smartcard as a repository:

        <Repository name="token">
            <Module>/usr/local/lib/opensc-pkcs11.so</Module>
            <!-- TokenLabel must match what's reported by pkcs11-tool -->
            <TokenLabel>MyEID (Basic PIN)</TokenLabel>
            <!-- User PIN when initialized -->
            <PIN>nsec3</PIN>
        </Repository>

Test access to the smartcard:

    ods-hsmutil list token
    Listing keys in repository: token
    0 keys found.

Test generation of a key:

    ods-hsmutil generate token rsa 1024
    Generating 1024 bit RSA key in repository: token
    Key generation successful: d15e0018de6c0d17c71b41e746498d73

The smartcard is ready to be used with OpenDNSSEC.

Let's assume you want to keep the KSK in the smartcard and the ZSK on a
different HSM (SoftHSM is used for the example).

Setting up SoftHSM:

apt-get install softhsm

softhsm --init-token --slot 0 --label "ZSK repo"
SO PIN: SO_must_prevail
User PIN: 1234

and then add this SoftHSM repository to the configuration.

In conf.xml:

        <Repository name="SoftHSM">
            <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
            <TokenLabel>ZSK repo</TokenLabel>
            <PIN>1234</PIN>
            <SkipPublicKey/>
        </Repository>

The relevant section in kasp.xml is (note the Repository names):

        <KSK>
            <Algorithm length="2048">8</Algorithm>
            <Lifetime>P1Y</Lifetime>
            <Repository>token</Repository>
        </KSK>

        <!-- Parameters for ZSK only -->
        <ZSK>
            <Algorithm length="1024">8</Algorithm>
            <Lifetime>P30D</Lifetime>
            <Repository>ZSK repo</Repository>
        </ZSK>

131            <Lifetime>P30D</Lifetime>
132            <Repository>ZSK repo</Repository>
133        </ZSK>
134