Douglas E. Engert wrote:
Attached are the latest code patches for the use of PIV cards with OpenSC.
These are against today's svn version 2835.
This includes the patch to src/pkcs11/framework-pkcs15.c that I sent in yesterday.
The piv-tool.c is for the src/tools directory. card-piv.c and pkcs15-piv.c
are for the src/libopensc directory.
I have removed some of the support for very early beta cards, as these problems have been fixed, and the code is cleaner.
The code takes advantage of the new apdu.c chaining.
For testing I have been adding something like this to the opensc.conf
for each different type of card:
card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 {
    name = "PIV-II";
    driver = "piv";
    pkcs15emu = "PIV-II";
}
We have used 4 different cards from 3 vendors.
So far we have been able to change PINs, generate a key pair, and save the public key to a file. We use the ENGINE code with OpenSSL to generate a certificate request, using the saved public key and the private key on the card to sign the request. The request was then sent to a Windows CA to generate a certificate. The certificate is then loaded onto the card. Then the card can be used with PKCS#11 with a browser. It can also be used to log in via PAM using Heimdal Kerberos PKINIT to authenticate to a Microsoft AD.
The PIV standards allow each manufacturer to define how to initialize their own cards. The piv-tool has some features to work with different cards.
Some vendors use a 3DES key to authenticate to the card, so to generate a key pair and save the public key would require something like this in a script:
PIV_EXT_AUTH_KEY=cards/9B03.$1
export PIV_EXT_AUTH_KEY
piv-tool -A M:9B:03 -G 9A:06 -o cards/9A06.$1
Where cards/9B03.$1 is a file containing the 24 bytes of the 3DES key separated by ":".
-A M:9B:03 says to authenticate to the card using mutual authentication and the 9B key, with 03 (3DES).
-G 9A:06 says generate a key for 9A of type 06, which is RSA.
-o cards/9A06.$1 says save the public key in the file for the $1 card.
Then to generate a cert request using OpenSSL for card $1 would need something like:
PIV_9A06_KEY=cards/9A06.$1
export PIV_9A06_KEY
openssl << EOT
engine dynamic -vvvv -pre SO_PATH:/opt/smartcard/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/opt/smartcard/lib/opensc-pkcs11.so
req $SSLEAY_CONFIG -engine pkcs11 -md5 -new -key slot_0-id_1 -keyform engine -out cards/myreq.$1.pem -text
$2
EOT
Where $1 is the card number and $2 is the CN for the request.
After the certificate is signed and saved as cards/cert/$1.pem it can be loaded on the card:
PIV_EXT_AUTH_KEY=cards/9B03.$1
export PIV_EXT_AUTH_KEY
piv-tool -A A:9B:03 -C 9A -i cards/cert.$1.pem
I would hope that you would consider committing this code some time soon,
as it would give others a chance to make additional changes.
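As an added example (not part of Douglas's patch or of OpenSC), a POSIX shell check for the 3DES card-administration key file that PIV_EXT_AUTH_KEY points at, to run before the piv-tool steps above. It assumes the file format described in the post (24 hex bytes separated by ":"), refuses a file that group or others can read, and refuses a key whose 8-byte thirds repeat so that EDE collapses to single DES.

```shell
#!/bin/sh
# Added example, not part of the posted patch or of OpenSC itself.
# Validates the 3DES card-administration key file named by PIV_EXT_AUTH_KEY.
# Assumed format (from the post): 24 key bytes in hex, separated by ":".

# check_piv_ext_auth_key FILE
# Returns 0 if FILE is usable, otherwise a non-zero code with a reason on stderr.
check_piv_ext_auth_key() {
    keyfile=$1
    [ -f "$keyfile" ] || { echo "$keyfile: missing" >&2; return 1; }
    # This key gives administrative control of the card: refuse a file that
    # group or others can read (columns 5-10 of ls -l are the group/other bits).
    case $(ls -l "$keyfile" | cut -c5-10) in
        ------) ;;
        *) echo "$keyfile: readable by group or others, chmod 600 it" >&2; return 2 ;;
    esac
    key=$(tr -d ' \t\r\n' < "$keyfile")
    # Split on ":" and require exactly 24 two-hex-digit bytes.
    oldifs=$IFS; IFS=:; set -- $key; IFS=$oldifs
    [ $# -eq 24 ] || { echo "$keyfile: expected 24 bytes, got $#" >&2; return 3; }
    k1=; k2=; k3=; n=0
    for b in "$@"; do
        case $b in
            [0-9A-Fa-f][0-9A-Fa-f]) ;;
            *) echo "$keyfile: bad byte '$b'" >&2; return 3 ;;
        esac
        b=$(printf '%s' "$b" | tr 'a-f' 'A-F')
        n=$((n + 1))
        if [ $n -le 8 ]; then k1=$k1$b
        elif [ $n -le 16 ]; then k2=$k2$b
        else k3=$k3$b; fi
    done
    # EDE with K1==K2 or K2==K3 cancels to single DES; refuse such a key.
    if [ "$k1" = "$k2" ] || [ "$k2" = "$k3" ]; then
        echo "$keyfile: key thirds repeat, 3DES degenerates to single DES" >&2
        return 4
    fi
    # K1==K3 is two-key 3DES: allowed by the format, but worth knowing about.
    [ "$k1" = "$k3" ] && echo "$keyfile: note, two-key 3DES (K1==K3)" >&2
    return 0
}

# Use before the piv-tool steps from the post, e.g. for card $1:
#   check_piv_ext_auth_key "cards/9B03.$1" || exit 1
#   PIV_EXT_AUTH_KEY="cards/9B03.$1"; export PIV_EXT_AUTH_KEY
#   piv-tool -A M:9B:03 -G 9A:06 -o "cards/9A06.$1"
```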
Thanks for your effort, Douglas. I will look at it asap.
Cheers,
Nils
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel