Agenda: opendnssec-smartcard-lab.txt

File opendnssec-smartcard-lab.txt, 3.8 KB (added by trac, 5 years ago)
Activating GemPC USB card reader using myEID smartcard with Ubuntu to
use with OpenDNSSEC

On Ubuntu, install packages:

    libccid
    pcsc-tools
    pcscd
    opensc

Plug in the reader and insert a card.

# opensc-tool --list-readers

should list the card reader, assuming that pcscd has started and libccid is
installed:

# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Gemalto GemPC Twin 00 00


If running pcsc_scan shows the reader but complains with "Unrecognized
card", the ATR for the smartcard is not known and the definition needs
to be updated.

Download the updated smartcard definition file
http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

You can save it at
* the location used by the pcsc-tools package in /usr/share/pcsc
OR
* your home directory as ${HOME}/.smartcard_list.txt

Run this to initialize the smartcard:

pkcs15-init -C --so-pin 1111 --so-puk 1111 --pin 1111 --puk 1111

If it complains with "Unrecognized card", then the card profile is missing.
This is a bug in Ubuntu, where they didn't package the profiles with opensc.

To fix:

    Get the OpenSC code from trunk
    git clone git://github.com/martinpaljak/OpenSC.git

    mkdir /usr/share/opensc

    Copy the profile files from the opensc trunk
    cp src/pkcs15init/*.profile /usr/share/opensc

If everything goes well, the card should be ready for initialization.

Initialization:

pkcs15-init -C --so-pin 1111 --so-puk 1111 --pin 1111 --puk 1111

pkcs15-init -P -a -1 -l "Basic PIN"  --pin nsec3 --puk nsec4

 User PIN : nsec3
 User PUK : nsec4

pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L

Once initialized, the output will look like:

Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Gemalto GemPC Twin 00 00
  token label:   MyEID (Basic PIN)
  token manuf:   Aventra Ltd.
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  0093019074952092

Note the "token label:" field above. It will be used in the Repository
definition in the OpenDNSSEC conf.xml.

Now install the OpenDNSSEC tools to test access to the HSM:

    aptitude install libhsm-bin

Edit /etc/opendnssec/conf.xml to define the smartcard as a repository:

        <Repository name="token">
            <Module>/usr/lib/opensc-pkcs11.so</Module>
            <!-- TokenLabel must match what's reported by pkcs11-tool -->
            <TokenLabel>MyEID (Basic PIN)</TokenLabel>
            <!-- User PIN when initialized -->
            <PIN>nsec3</PIN>
        </Repository>

Test access to the smartcard:

    ods-hsmutil list token
    Listing keys in repository: token
    0 keys found.

Test generation of a key:

    ods-hsmutil generate token rsa 1024
    Generating 1024 bit RSA key in repository: token
    Key generation successful: d15e0018de6c0d17c71b41e746498d73

The smartcard is ready to be used with OpenDNSSEC.

Let's assume you want to keep the KSK in the smartcard and the ZSK on a
different HSM (SoftHSM is used for the example).

Setting up SoftHSM:

apt-get install softhsm

softhsm --init-token --slot 0 --label "ZSK repo"
SO PIN: SO_must_prevail
User PIN: 1234

and then add this SoftHSM repository to the configuration.

In conf.xml:

        <Repository name="SoftHSM">
            <Module>/usr/lib/libsofthsm.so</Module>
            <TokenLabel>ZSK repo</TokenLabel>
            <PIN>1234</PIN>
            <SkipPublicKey/>
        </Repository>

The relevant section in kasp.xml is (note the Repository names):

        <KSK>
            <Algorithm length="2048">8</Algorithm>
            <Lifetime>P1Y</Lifetime>
            <Repository>token</Repository>
        </KSK>

        <!-- Parameters for ZSK only -->
        <ZSK>
            <Algorithm length="1024">8</Algorithm>
            <Lifetime>P30D</Lifetime>
            <Repository>ZSK repo</Repository>
        </ZSK>

144