smartcard reader

Installation Procedure:

Step 1: Install pcsclite. The latest version of pcsclite is available at

http://pcsclite.alioth.debian.org/

or

sudo apt-get update
sudo apt-get install pcscd

Step 2: Install libusb library. The latest version of libusb is available at

http://libusb.sourceforge.net/download.html#stable

Step 3: Extract the tar archive and run the ./install script that comes with this package.

This will copy the following files:

1. Driver bundle to the pcsclite USB drop directory

2. scmccid.ini file to /usr/local/scm/ini

Step 4: Install the remaining packages (OpenSC, the PKCS#11 modules and the PC/SC tools):

sudo apt-get install coolkey pcscd pcsc-tools pkg-config libpam-pkcs11 opensc libengine-pkcs11-openssl

Step 5: Run

pcsc_scan

and then you can see whether your reader and card are recognised:

Code:

:~$ pcsc_scan
PC/SC device scanner V 1.4.15 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.4.102
Scanning present readers...
0: MSI StarReader SMART (20070818000000000) 00 00

Mon Apr 5 09:42:22 2010
Reader 0: MSI StarReader SMART (20070818000000000) 00 00
  Card state: Card removed,

I inserted the card (the one described above):

Code:

Mon Apr 5 09:44:34 2010
Reader 0: MSI StarReader SMART (20070818000000000) 00 00
  Card state: Card inserted,
  ATR: 3B F2 98 00 FF C1 10 31 FE 55 C8 03 15

ATR: 3B F2 98 00 FF C1 10 31 FE 55 C8 03 15
+ TS = 3B --> Direct Convention
+ T0 = F2, Y(1): 1111, K: 2 (historical bytes)
  TA(1) = 98 --> Fi=512, Di=12, 42.6667 cycles/ETU
    93750 bits/s at 4 MHz, fMax for Fi = 5 MHz => 117187 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = FF --> Extra guard time: 255 (special value)
  TD(1) = C1 --> Y(i+1) = 1100, Protocol T = 1
-----
  TC(2) = 10 --> Work waiting time: 960 x 16 x (Fi/F)
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 55 --> Block Waiting Integer: 5 - Character Waiting Integer: 5
+ Historical bytes: C8 03
  Category indicator byte: C8 (proprietary format)
+ TCK = 15 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B F2 98 00 FF C1 10 31 FE 55 C8 03 15
	Siemens CardOS M 4.01 (SLE66CX320P)
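The ATR that pcsc_scan decoded above can also be checked programmatically. The following Python is an added example, not code from the original post or from pcsc_scan/OpenSC; it walks the interface-byte chain of the CardOS ATR shown above, extracts the historical bytes, and verifies the TCK checksum so a corrupted ATR is flagged (the Fi/Di tables are the ISO 7816-3 values).

```python
# Added example (not part of the original post or of pcsc_scan): decode an ISO 7816-3 ATR
# the way pcsc_scan does above, and check the TCK checksum so a corrupted ATR is detected.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

def parse_atr(atr_hex):
    """Parse an ATR given as hex (space- or colon-separated, as pcsc_scan/opensc-tool print it)."""
    atr = bytes.fromhex(atr_hex.replace(":", " "))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 3B (direct) or 3F (inverse convention)")
    result = {"convention": "direct" if atr[0] == 0x3B else "inverse"}
    t0 = atr[1]
    k = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4            # bitmap of TA1/TB1/TC1/TD1 presence
    interface, protocols, i, pos = {}, set(), 1, 2
    while True:
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                interface[f"{name}{i}"] = atr[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:     # no TD(i): the interface-byte chain ends here
            break
        protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1
    result["interface"] = interface
    result["protocols"] = protocols or {0}
    result["historical"] = atr[pos:pos + k]
    pos += k
    # TCK is present only if a protocol other than T=0 is offered; XOR of T0..TCK must be 0.
    if protocols - {0}:
        if pos != len(atr) - 1:
            raise ValueError("ATR length does not match its interface and historical bytes")
        xor = 0
        for b in atr[1:]:
            xor ^= b
        result["tck_ok"] = xor == 0
    else:
        result["tck_ok"] = None
    ta1 = interface.get("TA1", 0x11)   # default Fi=372, Di=1 when TA1 is absent
    fi, di = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    result["fi"], result["di"] = fi, di
    result["bps_at_4mhz"] = 4_000_000 * di // fi
    return result

if __name__ == "__main__":
    print(parse_atr("3B F2 98 00 FF C1 10 31 FE 55 C8 03 15"))
```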

when card removed:

Code:

Mon Apr 5 09:46:14 2010
Reader 0: MSI StarReader SMART (20070818000000000) 00 00
  Card state: Card removed,

Now time to get opensc (SmartCard management software) to see my card reader.

Code:

$ opensc-tool --list-readers
[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found
No smart card readers found.

There is apparently a known bug lurking here and it is solved by:

Code:

sudo gedit /etc/opensc/opensc.conf

Search for the line starting with 'provider_library', remove the leading # and modify it to be:

Code:

provider_library = /lib/libpcsclite.so.1

Then also search for the line starting with 'reader_drivers', remove the leading # and modify it to be:

Code:

reader_drivers = pcsc;

After doing this we can try again:

Code:

$ opensc-tool --list-readers
Readers known about:
Nr.  Driver  Name
0    pcsc    MSI StarReader SMART (20070818000000000) 00 00

Next thing to do is test if the card is detected:

Code:

$ opensc-tool --reader 0 --atr
3b:f2:98:00:ff:c1:10:31:fe:55:c8:03:15
$ opensc-tool --reader 0 --name
CardOS M4
$ opensc-explorer
OpenSC Explorer version 0.11.8
Using reader with a card: MSI StarReader SMART (20070818000000000) 00 00
OpenSC [3F00]> ls
FileID	Type  Size
[6666]	 DF   26285
Name: AKS

It appears that this one is!

Next step is to initialise the card.

Code:

$ pkcs15-init --create-pkcs15
About to create PKCS #15 meta structure.
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:

And then the user PIN:

Code:

$ pkcs15-init --store-pin --auth-id 01 --label "Your Name"
Using reader with a card: MSI StarReader SMART (20070818000000000) 00 00
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
Security officer PIN required.
Please enter Security officer PIN:

Now generate the RSA private key on the card and list it:

Code:

$ pkcs15-init --generate-key rsa/1024 --auth-id 01
Using reader with a card: MSI StarReader SMART (20070818000000000) 00 00
User PIN required.
Please enter User PIN:
Security officer PIN required.
Please enter Security officer PIN:
Security officer PIN required.
Please enter Security officer PIN:
$ pkcs15-tool --list-keys
Using reader with a card: MSI StarReader SMART (20070818000000000) 00 00
Private RSA Key [Private Key]
	Com. Flags  : 3
	Usage       : [0x4], sign
	Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength   : 1024
	Key ref     : 16
	Native      : yes
	Path        : 3f005015
	Auth ID     : 01
	ID          : 45

Now create a self-signed certificate for the public key using openssl, with the PKCS#11 engine talking to the card. Start the interactive openssl shell:

Code:

$ openssl

and then:

Code:

OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -x509 -out cert.pem -text
engine "pkcs11" set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
OpenSSL> exit

You need to copy and paste the two commands (the "engine dynamic ..." line and the "req -engine pkcs11 ..." line) and enter your user PIN at the "PKCS#11 token PIN:" prompt.

You can verify self signing of the certificate by:

Code:

$ openssl verify -CAfile cert.pem cert.pem
cert.pem: OK

The certificate produced by openssl needs to be stored on the card now:

Code:

$ pkcs15-init --store-certificate cert.pem --auth-id 01 --id 45 --format pem
Using reader with a card: MSI StarReader SMART (20070818000000000) 00 00
User PIN required.
Please enter User PIN:
Security officer PIN required.
Please enter Security officer PIN:

Card is ready to be used now!

Next step is to get different application and services using it!

Thunderbird with OpenPGP

1) Adding Security Device

1.1) In Thunderbird click: Preferences, Advanced, Security Devices, Load

1.2) Type in name: OpenSC PKCS#11 Module

1.3) Type in filename: /usr/lib/opensc-pkcs11.so

1.4) Click OK, OK, OK

See attached file for graphical help (Thunderbird.png).

This does not do the trick yet but I am working on it.