Subject: Re: setting up a cac card reader at a lost. - msg#00087
List: encryption.opensc.user
Hi all,

I hope someone can help me with my problem. I am trying to get an active card 2.0 reader working. I have installed the muscle card framework, opensc and pcsc-lite, but cannot seem to figure out how to configure the system. I am using Ubuntu 6.10 and I know the reader requires a bundle file; I have obtained the file and placed it in the correct directory, but I don't know how to get the reader running. I am at a total loss.

Thank you in advance for any help that can be provided.
Thread at a glance:
Previous Message by Date:
Re: pkcs#11 engine
Hi,

I never tried the pin in the opensc.conf; I tried the pin in openssl.conf and that did not work. I'll try to debug why not.

I did not know there is an openssh patch. Openssh with a smartcard key in ssh-agent works fine without the patch, as seen in my example.

The main reason I published the full compilation, configuration, initialization and test script is that it took me a really long time to get a functioning combination by combining the different pieces of information from the wiki pages and the examples from the list. Therefore I thought a full picture of a functioning example might be useful to many newcomers on the list. I would appreciate it if the experienced persons on the list would post complete functioning examples (compile, configuration, card initialization and testing) for different setups.

For example, I have a Dell Latitude laptop with an internal smart-card reader (most of the Dell Latitudes nowadays have the O2 Micro Oz7762 reader). If someone has managed to get this functioning with opensc (and has both the oz7762 and the Axalto e-gate reader working at the same time), I would very much like to have an example compilation and configuration posted on the list. I know that the firmware has bugs (http://pcsclite.alioth.debian.org/ccid.html), but it might still be usable. My testing was stopped by the simple problem that I was unable to configure the opensc/pcsc-lite combination to use the Axalto e-gate, a problem probably so simple that the experienced people would laugh at it, but still a showstopper for many people.

A more developed version of this idea would be to create a wiki page for submitting complete functioning examples.

BR. Jari
Andreas Jellinghaus <aj@xxxxxxxxxxxxxxx>
24.11.2006 21:18
To: jari.heikkinen@xxxxxxxxxxx
cc: opensc-user@xxxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [opensc-user] pkcs#11 engine

jari.heikkinen@xxxxxxxxxxx wrote:
> For me the engine does work, however pin is not accepted neither from
> the command line nor from the config file.
> I am using knoppix (debian), kernel 2.6 and axalto e-gate.
Hi Jari,
good to hear. but why is the pin not accepted from the config file?
I added "PIN = 123456" to my opensc.conf and it works fine over
here.
what did you try? I used engine_pkcs11 version 0.1.3.
> cd /ramdisk/openssh-4.3p2; ./configure --with-opensc=/usr/local --sysconfdir=/etc/ssh2
add the patch from opensc/src/openssh, or openssh won't ask you for
the pin of your smart card. (bug 608 in openssh bug tracker.)
> openssl_conf = openssl_def
>
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
> MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
PIN = 123456
> init = 0
>
> [req]
> distinguished_name = req_distinguished_name
>
> [req_distinguished_name]
everything else is very good, exactly like the test scripts and files I
have floating around here and there :)
if the pin doesn't work, could you try putting pkcs11-spy between
the engine and opensc, and create a log? (see the UsingOpenSC wiki page,
you need to set two environment variables etc). Maybe that will help
track down this issue.
Regards, Andreas
Next Message by Date:
Re: pkcs#11 engine
jari.heikkinen@xxxxxxxxxxx wrote:
> I never tried the pin in the opensc.conf, I tried the pin in
> openssl.conf and that did not work. I try to debug why not.

sorry if I left the wrong impression: the PIN statement has
to go into the openssl config file of course, not the opensc
config file.

> I did not know there is an openssh patch. Openssh with smartcard key in
> ssh-agent works fine without the patch as seen in my example.

yes, the agent works fine. but ssh without agent won't work if you
have a pin set to protect the private key (nearly everyone does),
but with the patch it does. also debugging is easier with ssh,
as you won't see good error messages if you use the agent
(well, only in the log file the agent writes to, such as .xsession-errors).

> The main reason I published the full compilation, configuration,
> initialization and test script is that it took me a really long time to
> get a functioning combination by combining the different pieces of
> information from the wiki pages and the examples from the list.

sorry to hear that. how can we improve our documentation? I try to
provide everything for a quick and easy start in the QuickStart
wiki pages, but they are not as well connected as I think they should
be.

> For example I have dell a latitude laptop with internal smart-card
> reader (Most of the Dell latitudes nowdays have O2 Micro Oz7762 reader).
> If someone has managed to get this functioning with opensc

it is a normal ccid device I'm told - at least the modern one.
so you should see it with "lsusb" and it will work with either
openct or pcsc-lite and ccid. with openct you might need to add the
usb vendor and product id to openct.conf however (I did that a few
days ago, so it will be in the next release, but older versions
don't have that).

> My testing was stopped to the simple problem that I was unable
> to configure opensc/pkcs-lite combination to use Axalto e-gate, a
> problem propably so simple that the experienced people would laugh at
> but still a showstopper for many people.

hmm, I do not know which driver is needed with pcsc-lite for the egate.
but openct+opensc should work out of the box without any changes. simply
follow both quick starts and you should be up and running. it is my
reference solution - if I test anything, I test
cryptoflex+egate+openct+opensc first. and I have a number of active
users that use that every day.

> More developed version of this idea would be to creating a wike page for
> sumitting complete functioning examples.

I thought about that. maybe a new wiki? or some document in openoffice
or docbook or whatever format? a document per distribution or a general
one for compiling from source? I wrote a quick start howto in german,
will need to rewrite it in english, maybe it could be used as base.

I think documentation is our biggest issue with all the software we
have, and the wiki based documentation is nice as reference, but seems
to confuse quite a number of people. not sure what the best way to go
from here is, so any recommendation and suggestion and help is very,
very welcome.
Regards, Andreas
Previous Message by Thread:
pkcs#11 engine
For me the engine does work, however the pin is not accepted, neither from the command line nor from the config file. I am using knoppix (debian), kernel 2.6 and an Axalto e-gate.

The pin options from the command line do not work with current versions and did not work at least from opensc 0.9.6/openct 0.6.4. However, without the pin on the command line everything works now, and it worked then.

Please find below how I compiled the sw, initialized the card and tested pkcs11-tool, pkcs15-tool, the openssl engine and ssh-agent.

This is how I compiled the sw:
tar xzf openssl-0.9.8d.tar.gz
cd openssl-0.9.8d; ./config --prefix=/usr/local --openssldir=/usr/local
cd openssl-0.9.8d; make
cd openssl-0.9.8d; make test
cd openssl-0.9.8d; make install
rm -rf openssl-0.9.8d
mkdir -p /ramdisk
apt-get -y install libusb-dev
apt-get -y install libtool libltdl3-dev zlib1g-dev
if [ "`grep scard /etc/group | wc -l`" == "0" ]; then groupadd scard; fi
# -a appends scard to the user's groups; plain -G would replace all other supplementary groups
usermod -a -G scard knoppix
apt-get -y remove opensc libopenct1
mkdir -p /ramdisk
tar -C /ramdisk -xzf openct-0.6.10.tar.gz
cd /ramdisk/openct-0.6.10; ./configure --sysconfdir=/etc
cd /ramdisk/openct-0.6.10; make
cd /ramdisk/openct-0.6.10; make install
mkdir -p /usr/local/etc
cd /ramdisk/openct-0.6.10; cp etc/openct.udev /etc/udev/rules.d/95-openct.rules
cd /ramdisk/openct-0.6.10; cp etc/openct_usb /lib/udev/openct_usb
cd /ramdisk/openct-0.6.10; cp etc/openct_pcmcia /lib/udev/openct_pcmcia
cd /ramdisk/openct-0.6.10; cp etc/openct_serial /lib/udev/openct_serial
cd /ramdisk/openct-0.6.10; cp etc/openct.conf /etc/
cd /ramdisk/openct-0.6.10; cp etc/init-script /etc/init.d/openct
touch /etc/rc3.d/K50openct; rm -f /etc/rc3.d/K50openct
touch /etc/rc5.d/K50openct; rm -f /etc/rc5.d/K50openct
ln -s ../init.d/openct /etc/rc3.d/K50openct
ln -s ../init.d/openct /etc/rc5.d/K50openct
mkdir -p /ramdisk
tar -C /ramdisk -xzf opensc-0.10.1.tar.gz
cd /ramdisk/opensc-0.10.1; ./configure --prefix=/usr/local --sysconfdir=/etc
cd /ramdisk/opensc-0.10.1; make
cd /ramdisk/opensc-0.10.1; make install
mkdir -p /usr/local/etc
cd /ramdisk/opensc-0.10.1; /bin/cp etc/opensc.conf /etc/
echo /usr/local/lib/opensc >tmp.tmp
echo /usr/local/lib/pkcs11 >>tmp.tmp
cat /etc/ld.so.conf >>tmp.tmp
/bin/cp -f tmp.tmp /etc/ld.so.conf
ldconfig
/bin/rm -rf /ramdisk/opensc-0.10.1
# now we have opensc in /usr/local
tar -C /ramdisk -xzf openssh-4.3p2.tar.gz
cd /ramdisk/openssh-4.3p2; ./configure --with-opensc=/usr/local --sysconfdir=/etc/ssh2
cd /ramdisk/openssh-4.3p2; make
cd /ramdisk/openssh-4.3p2; make install
if test -f /usr/local/etc/ssh_host_rsa_key; then /bin/rm -f /usr/local/etc/ssh_host_*; fi
if test -f /etc/ssh2/ssh_host_rsa_key; then /bin/rm -f /etc/ssh2/ssh_host_*; fi
/bin/rm -rf /ramdisk/openssh-4.3p2
/bin/rm -rf /ramdisk/openct-0.6.10
tar xzf libp11-0.2.2.tar.gz
cd libp11-0.2.2; ./configure --prefix=/usr/local
cd libp11-0.2.2; make
cd libp11-0.2.2; make install
tar xzf engine_pkcs11-0.1.3.tar.gz
cd engine_pkcs11-0.1.3; ./configure --prefix=/usr/local
cd engine_pkcs11-0.1.3; make
cd engine_pkcs11-0.1.3; make install
if [ `grep /usr/local/lib/engines /etc/ld.so.conf | wc -l` == 0 ]; then echo /usr/local/lib/engines >>/etc/ld.so.conf; ldconfig; fi
This is how I initialized the card:
################################################################
# initialize e-Gate
################################################################
pkcs15-init -E -C -P --pin "$pin" --puk "$puk" -a 01 --label "${username}pin" --so-pin "$sopin" --so-puk "$sopuk" -T
pkcs15-init -G rsa/2048 -a 01 --pin "$pin" --so-pin "$sopin" -u sign,decrypt
pkcs15-tool --list-pins --list-public-keys -k -c -C
################################################################
# verify that pkcs15 works
################################################################
echo abcd >a.txt
pkcs15-tool --read-public-key 45 >pub.pem
pkcs15-crypt -s -k 45 --pkcs1 -i a.txt -o a.crypted --pin "$pin"
a=$(openssl rsautl -in a.crypted -inkey pub.pem -pubin -pkcs -verify)
if [ "$a" = "abcd" ]; then
    echo passed
else
    echo pkcs15-crypt test failed. a=$a
    exit 1
fi
################################################################
# create cert to card
################################################################
openssl req -config openssl.conf -engine pkcs11 -new -key id_45 -keyform engine -out cert.pem -x509 -days 9999 -sha1 -subj "/CN=jari.heikkinen/O=Modirum"
openssl x509 -in cert.pem -text
pkcs15-init -X cert.pem -f pem -a 01
################################################################
# test ssh - note very debian specific commands
################################################################
echo testing openssh
echo starting agent
/usr/local/bin/ssh-agent >.agent
source .agent
echo dumping ssh key from card, should see the key below
/usr/local/bin/ssh-keygen -D 0
echo adding identity, enter the pin
/usr/local/bin/ssh-add -s0
echo testing the key
/etc/init.d/ssh start
mkdir -p /root/.ssh
/usr/local/bin/ssh-keygen -D 0 >${username}.ssh.pub
cat ${username}.ssh.pub >/root/.ssh/authorized_keys
echo trying to list content of root directory
echo if you get asked for password, then something went wrong
ssh root@localhost "ls -l /"
###################### BEGIN OPENSSL.CONF ##############################
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
###################### END OPENSSL.CONF ##############################
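The thread above turns on where the engine_pkcs11 settings (and the optional PIN) have to live in openssl.conf: OpenSSL follows the top-level `openssl_conf` key to a section, its `engines` key to another section, and the `pkcs11` key there to the engine section whose keys are handed to the engine as ctrl commands. The following is an added example, not code from the thread or from the OpenSC/engine_pkcs11 projects: a small Python parser for the posted config that resolves that chain, reports the loaded paths, and flags a PIN that is either stored in cleartext in the engine section or placed in some other section where the engine never sees it. The sample config is the one Jari posted with the `PIN = 123456` line Andreas suggested added to `[pkcs11_section]`; the lint rules assume engine_pkcs11 reads only its own section, and the chmod advice is the example's own.

```python
"""Resolve and lint the engine_pkcs11 wiring in an OpenSSL config file."""
import re
from typing import Dict, List, Optional

# Constructed sample: the openssl.conf posted in the thread, with the
# "PIN = 123456" line Andreas suggested placed in [pkcs11_section].
SAMPLE_CONF = """\
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
PIN = 123456
init = 0

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
"""

Section = Dict[str, str]


def parse_openssl_conf(text: str) -> Dict[str, Section]:
    """Minimal parser for OpenSSL's INI-style config.

    Keys that appear before the first [section] go into the "default"
    section, which is where OpenSSL looks up ``openssl_conf``.  Comments
    (#) and blank lines are skipped; key case is preserved because
    MODULE_PATH and init are distinct, case-sensitive ctrl names.
    """
    sections: Dict[str, Section] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse config line: {raw!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def resolve_pkcs11_engine(sections: Dict[str, Section]) -> Dict[str, Optional[str]]:
    """Follow openssl_conf -> engines -> pkcs11 -> engine section.

    Raises LookupError when a link is missing, which is the usual cause of
    OpenSSL reporting that the pkcs11 engine cannot be found.
    """
    top = sections["default"].get("openssl_conf")
    if top is None or top not in sections:
        raise LookupError("no top-level 'openssl_conf = <section>' pointing at an existing section")
    engines = sections[top].get("engines")
    if engines is None or engines not in sections:
        raise LookupError(f"[{top}] has no 'engines = <section>' pointing at an existing section")
    eng = sections[engines].get("pkcs11")
    if eng is None or eng not in sections:
        raise LookupError(f"[{engines}] has no 'pkcs11 = <section>' pointing at an existing section")
    sec = sections[eng]
    return {
        "section": eng,
        "engine_id": sec.get("engine_id"),
        "dynamic_path": sec.get("dynamic_path"),
        "MODULE_PATH": sec.get("MODULE_PATH"),
        "PIN": sec.get("PIN"),
    }


def lint_pkcs11_engine(text: str) -> List[str]:
    """Return the findings a practitioner wants before blaming the card."""
    findings: List[str] = []
    sections = parse_openssl_conf(text)
    info = resolve_pkcs11_engine(sections)
    for key in ("dynamic_path", "MODULE_PATH"):
        if not info[key]:
            findings.append(f"[{info['section']}] is missing {key}")
    if info["engine_id"] != "pkcs11":
        findings.append(f"[{info['section']}] engine_id should be 'pkcs11'")
    if info["PIN"] is not None:
        # The engine accepts this, but the card PIN now sits in cleartext on disk.
        findings.append(
            f"[{info['section']}] stores the card PIN in cleartext; restrict the file "
            "(chmod 600) or drop the line and enter the PIN interactively"
        )
    # Assumption of this example: engine_pkcs11 only consumes keys from its own section.
    for name, sec in sections.items():
        if "PIN" in sec and name != info["section"]:
            findings.append(f"PIN in [{name}] is ignored: engine_pkcs11 only reads its own section")
    return findings


if __name__ == "__main__":
    for finding in lint_pkcs11_engine(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Running the lint on the posted config with the PIN line produces the cleartext warning; with the line deleted it is clean, and with `PIN = 123456` appended at the end of the file (so that it lands in `[req_distinguished_name]`) it reports that the PIN is in a section the engine never reads, which is the symptom Jari described.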
Next Message by Thread:
Re: Re: setting up a cac card reader at a lost.
Rick Seitz wrote:
> Hi all,
> I hope someone can help me with my problem. I am trying to get an
> active card 2.0 reader working.

on the muscle mailing list in this thread:
http://lists.musclecard.com/pipermail/muscle/2006-August/005785.html
we are told it is a SCM 331 device (rebadged) and you should best
update the firmware. once you did that, you can use it with opensc
plus either pcsclite and the ccid driver or openct (and its internal ccid
driver).
whether you need opensc or musclecard depends on your smart card:
opensc is (in general) for filesystem cards / traditional cards,
while musclecard is for java cards with a muscle applet.
Good luck!
Andreas