Activating a GemPC USB card reader with a MyEID smartcard on Ubuntu, for use with OpenDNSSEC

On Ubuntu, install these packages:

    libccid
    pcsc-tools
    pcscd
    opensc

Plug in the reader and insert a card. Running

    # opensc-tool --list-readers

should list the card reader, assuming that pcscd has started and libccid is installed:

    # Detected readers (pcsc)
    Nr.  Card  Features  Name
    0    Yes             Gemalto GemPC Twin 00 00

If running pcsc_scan shows the reader but complains with "Unrecognized card", the ATR of the smartcard is not known and the card definitions need to be updated.

Download the updated smartcard definition file:

    http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

You can save it at either
  * the location used by the pcsc-tools package, /usr/share/pcsc, or
  * your home directory, as ${HOME}/.smartcard_list.txt

Run this to initialize the smartcard:

    pkcs15-init -C --so-pin 1111 --so-puk 1111 --pin 1111 --puk 1111

If it complains with "Unrecognized card", the card profile is missing. This is a bug in Ubuntu, where the profiles were not packaged with opensc.

To fix it, get the OpenSC code from trunk:

    git clone git://github.com/martinpaljak/OpenSC.git

    mkdir /usr/share/opensc

Copy the profile files from the OpenSC tree (run from inside the cloned OpenSC directory):

    cp src/pkcs15init/*.profile /usr/share/opensc

If everything goes well, the card should be ready for initialization.

Initialization:

    pkcs15-init -C --so-pin 1111 --so-puk 1111 --pin 1111 --puk 1111

    pkcs15-init -P -a -1 -l "Basic PIN" --pin nsec3 --puk nsec4

    User PIN : nsec3
    User PUK : nsec4

    pkcs11-tool --module /usr/lib/opensc-pkcs11.so -L

Once initialized, the output will look like:

    Available slots:
    Slot 0 (0xffffffffffffffff): Virtual hotplug slot
      (empty)
    Slot 1 (0x1): Gemalto GemPC Twin 00 00
      token label:   MyEID (Basic PIN)
      token manuf:   Aventra Ltd.
      token model:   PKCS#15
      token flags:   rng, login required, PIN initialized, token initialized
      serial num :   0093019074952092

Note the "token label:" field above. It will be used in the Repository definition in the OpenDNSSEC conf.xml.

Now install the OpenDNSSEC tools to test access to the HSM:

    aptitude install libhsm-bin

Edit /etc/opendnssec/conf.xml to define the smartcard as a repository:

    <Repository name="token">
      <Module>/usr/lib/opensc-pkcs11.so</Module>
      <!-- TokenLabel must match what's reported by pkcs11-tool -->
      <TokenLabel>MyEID (Basic PIN)</TokenLabel>
      <!-- User PIN set during initialization -->
      <PIN>nsec3</PIN>
    </Repository>

conf.xml now contains the user PIN in clear text, so restrict its permissions to the OpenDNSSEC user.

Test access to the smartcard:

    ods-hsmutil list token
    Listing keys in repository: token
    0 keys found.

Test generation of a key:

    ods-hsmutil generate token rsa 1024
    Generating 1024 bit RSA key in repository: token
    Key generation successful: d15e0018de6c0d17c71b41e746498d73

The smartcard is ready to be used with OpenDNSSEC.

Let's assume you want to keep the KSK in the smartcard and the ZSK on a different HSM (SoftHSM is used in this example).

Setting up SoftHSM:

    apt-get install softhsm

    softhsm --init-token --slot 0 --label "ZSK repo"
    SO PIN: SO_must_prevail
    User PIN: 1234

Then add this SoftHSM repository to the configuration, in conf.xml:

    <Repository name="SoftHSM">
      <Module>/usr/lib/libsofthsm.so</Module>
      <TokenLabel>ZSK repo</TokenLabel>
      <PIN>1234</PIN>
      <SkipPublicKey/>
    </Repository>

The relevant section in kasp.xml is (note that <Repository> here takes the repository name from conf.xml, not the token label):

    <KSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P1Y</Lifetime>
      <Repository>token</Repository>
    </KSK>

    <!-- Parameters for ZSK only -->
    <ZSK>
      <Algorithm length="1024">8</Algorithm>
      <Lifetime>P30D</Lifetime>
      <!-- the name attribute of the SoftHSM repository in conf.xml -->
      <Repository>SoftHSM</Repository>
    </ZSK>

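As an added check (example code, not from the original how-to), the script below cross-checks the three places a repository name or token label appears: the token labels printed by pkcs11-tool -L for each module, the Repository blocks in conf.xml, and the Repository references in kasp.xml. The wrapping Configuration/RepositoryList and KASP/Policy/Keys elements and the captured pkcs11-tool text are constructed from the fragments shown above, and the sample ZSK reference is deliberately left pointing at the token label so the mismatch is caught.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample data modelled on the page's output and configuration.
# In practice capture each output with:  pkcs11-tool --module <Module> -L
PKCS11_OUTPUTS = {
    "/usr/lib/opensc-pkcs11.so": (
        "Slot 0 (0xffffffffffffffff): Virtual hotplug slot\n  (empty)\n"
        "Slot 1 (0x1): Gemalto GemPC Twin 00 00\n  token label:   MyEID (Basic PIN)\n"),
    "/usr/lib/libsofthsm.so": "Slot 0 (0x0): SoftHSM\n  token label:   ZSK repo\n",
}
CONF_XML = """<Configuration><RepositoryList>
  <Repository name="token"><Module>/usr/lib/opensc-pkcs11.so</Module>
    <TokenLabel>MyEID (Basic PIN)</TokenLabel><PIN>nsec3</PIN></Repository>
  <Repository name="SoftHSM"><Module>/usr/lib/libsofthsm.so</Module>
    <TokenLabel>ZSK repo</TokenLabel><PIN>1234</PIN><SkipPublicKey/></Repository>
</RepositoryList></Configuration>"""
# The ZSK entry names the TokenLabel instead of the repository name, a common slip.
KASP_XML = """<KASP><Policy name="default"><Keys>
  <KSK><Algorithm length="2048">8</Algorithm><Repository>token</Repository></KSK>
  <ZSK><Algorithm length="1024">8</Algorithm><Repository>ZSK repo</Repository></ZSK>
</Keys></Policy></KASP>"""

def token_labels(pkcs11_output):
    """Set of token labels in pkcs11-tool -L output (the 'token label:' lines)."""
    return {m.group(1).strip() for m in
            re.finditer(r"^\s*token label\s*:\s*(.+?)\s*$", pkcs11_output, re.M)}

def conf_repositories(conf_xml):
    """Map repository name -> (module path, token label) from conf.xml."""
    return {r.get("name"): (r.findtext("Module"), r.findtext("TokenLabel"))
            for r in ET.fromstring(conf_xml).iter("Repository")}

def kasp_refs(kasp_xml):
    """Map key type (KSK/ZSK) -> repository name referenced in kasp.xml."""
    root = ET.fromstring(kasp_xml)
    return {t: el.findtext("Repository") for t in ("KSK", "ZSK") for el in root.iter(t)}

def check_repositories(conf_xml, kasp_xml, pkcs11_outputs):
    """Return a list of mismatches; an empty list means the three sources agree."""
    repos, problems = conf_repositories(conf_xml), []
    for name, (module, label) in repos.items():
        if label not in token_labels(pkcs11_outputs.get(module, "")):
            problems.append(f"conf.xml {name!r}: TokenLabel {label!r} not seen on {module}")
    for key, ref in kasp_refs(kasp_xml).items():
        if ref not in repos:
            problems.append(f"kasp.xml {key}: {ref!r} is not a repository name in conf.xml")
    return problems

if __name__ == "__main__":
    print("\n".join(check_repositories(CONF_XML, KASP_XML, PKCS11_OUTPUTS)) or "OK")
```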