Hi everyone,
Ubuntu 10.04 LTS Beta 1 ("lucid") is now available on www.ubuntu.org.
I did some testing already, and it seems to work fine for the apps I
tested. More testing would be very welcome!
Also for those of you that want to test firefox with https client certificate
authentication, I found out you can do that easily with openssl. See below
for details.
Regards, Andreas
My testing so far:
1.) Version test
Package           OpenSC     Ubuntu Lucid
Engine PKCS#11    0.1.8      0.1.8-2
Lib P11           0.2.7      0.2.7-1
OpenCT            0.6.20     0.6.19-1ubuntu3
OpenSC            0.11.13    0.11.12-1ubuntu2
Pam P11           0.1.5      0.1.5-1build1
Result:
Versions ok, latest OpenCT/OpenSC changes with Rutoken S patch missing
(but those were released quite late, so ok)
2.) Content check
Pam P11           Looks OK
Lib P11           HTML Documentation missing
                  api.out missing in source tar.gz
Engine PKCS#11    Looks OK
OpenCT            Looks OK
OpenSC            HTML Documentation (wiki) missing
3.) Function test
Had to use VirtualBox Personal/Evaluation edition:
* Virtmanager with KVM and USB devices didn't work out.
* VirtualBox OSE doesn't include USB device support.
Installed Ubuntu Lucid amd64 beta 1 Desktop (default installation).
Installed dselect with "apt-get install dselect"
In dselect installed all openct, opensc, libp11, pam-p11, engine-pkcs11
packages
Added my user ("ubuntu") to group scard, logout, login again.
Plugged in a token (Rainbow iKey 3000) and assigned it to the guest VM.
Run "openct-tool list" -> found!
Run "/etc/init.d/openct stop; /etc/init.d/openct start"
Run "openct-tool list" again -> found!
Testing with other tokens:
* Rainbow iKey 3000 OK
* Aladdin eToken PRO (4.2B) OK
* GemPC KEY with Cryptoflex OK, but very slow
* SCM SCR 335 OK
-> Hotplugging seems to work fine. Wow, first Ubuntu release with that?
4.) Test by QuickStart (all tests only once, with an Aladdin eToken PRO 4.2B)
Let's test the commands from each project's QuickStart documentation.
OpenCT
openct-tool list
openct-tool atr
OpenSC
opensc-tool --list-readers
opensc-tool --reader 0 --atr
opensc-tool --reader 0 --name
pkcs15-init --create-pkcs15 --so-pin 12345678 --so-puk 78907890
pkcs15-init --store-pin --auth-id 01 \
--label "Andreas Jellinghaus" \
--pin 123456 --puk 567890 --so-pin 12345678
pkcs15-init --generate-key rsa/2048 --auth-id 01 \
--pin 123456 --so-pin 12345678
openssl
engine dynamic \
-pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:opensc-pkcs11.so \
-pre PIN:123456
req -engine pkcs11 -new -key id_45 -keyform engine \
-x509 -out cert.pem -text \
-subj "/CN=Andreas Jellinghaus"
openssl verify -CAfile cert.pem cert.pem
pkcs15-init --store-certificate cert.pem --auth-id 01 --id 45 \
--format pem --pin 123456 --so-pin 12345678
pkcs15-tool --dump
pkcs11-tool --test --login --pin 123456
Libp11 - no special commands
Engine PKCS#11 - already covered
Pam P11 : pam_p11_opensc
As root: modify pam config for su:
auth required pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
And create a file with login information (still as root):
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 45 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates
Keep xterm as root open, so you can fix / undo things.
Open a new xterm with Alt-F2 and try "su" from user to root.
Pam P11 : pam_p11_openssh
Pam config for "su":
auth required pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
mkdir ~/.ssh
chmod 0755 ~/.ssh
ssh-keygen -D 0 > ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys
OpenSSH
not compiled with ssh support.
Firefox
Edit / Preferences / ... (load opensc-pkcs11.so as module)
Setup a local https test server:
openssl genrsa -out server.key 2048
openssl req -new -x509 -key server.key -out server.pem \
-days 365 -subj "/CN=localhost"
openssl s_server -accept 4443 -cert server.pem -key server.key \
-www -verify 99
Then use firefox to surf to "https://localhost:4443/"
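The same local test driven end to end from the command line, as an added example (not part of Andreas's mail and not OpenSC project code): it builds a throwaway test CA, a self-signed server certificate and a CA-signed client certificate in a scratch directory, starts s_server on port 4443, then connects once with the client certificate and once without. It assumes openssl is in PATH, that WORK (default: a mktemp directory) is writable, and that port 4443 is free; the client key is kept in a file here, where a token user would instead get the CSR out through the pkcs11 engine as in the openssl steps above. One caveat it makes explicit: "-verify" (lowercase, as in the mail) only asks the client for a certificate and still serves the page if none is presented or the chain does not verify; to actually test authentication the server needs "-Verify" plus a "-CAfile" holding the CA that issued the client certificate, which is what Firefox with opensc-pkcs11.so loaded will have to satisfy.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway PKI plus an
# openssl s_server / s_client round trip for TLS client-cert authentication.
# Assumptions: openssl in PATH, writable scratch dir, TCP port 4443 free.

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumed writable)
PORT="${PORT:-4443}"            # port used in the original mail
SERVER_PID=""

# Build a test CA, a self-signed server cert and a CA-signed client cert.
# The client key is a plain file here; with a token it stays on the token.
make_test_pki() (
    set -e
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -days 1 -subj "/CN=Test Client CA" 2>/dev/null
    # server side as in the mail: the private key file is server.key
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -x509 -key server.key -out server.pem \
        -days 1 -subj "/CN=localhost" 2>/dev/null
    # client side: key, CSR, certificate signed by the test CA
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.csr \
        -subj "/CN=Test User" 2>/dev/null
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out client.pem -days 1 2>/dev/null
    # the check s_server will perform on the client: does it chain to the CA?
    openssl verify -CAfile ca.pem client.pem >/dev/null 2>&1
)

# Connect to the server; succeed only if the handshake completed and the
# -www status page came back. $1/$2 = client cert/key, both "" for no cert.
client_connect() {
    cert_args=""
    if [ -n "$1" ]; then cert_args="-cert $1 -key $2"; fi
    printf 'GET / HTTP/1.0\r\n\r\n' \
        | openssl s_client -connect "127.0.0.1:$PORT" \
              -CAfile "$WORK/server.pem" $cert_args 2>/dev/null \
        | grep -q "Ciphers supported in s_server binary"
}

# Start s_server in the background. -Verify (capital V) rejects a client that
# cannot present a certificate chaining to -CAfile; -verify only asks for one.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/server.pem" \
        -key "$WORK/server.key" -CAfile "$WORK/ca.pem" -Verify 1 -www \
        >"$WORK/server.log" 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 15 ]; do      # wait until the listener answers a good client
        client_connect "$WORK/client.pem" "$WORK/client.key" && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

stop_server() {
    if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null; fi
    SERVER_PID=""
    return 0
}

# Whole round trip: 0 only if the CA-signed client gets the page and a
# client without a certificate is refused.
run_demo() {
    make_test_pki || return 1
    start_server || { stop_server; return 1; }
    ok=1
    client_connect "$WORK/client.pem" "$WORK/client.key" || ok=0
    client_connect "" "" && ok=0
    stop_server
    [ "$ok" -eq 1 ]
}

# usage: sh clientauth.sh run
if [ "${1:-}" = "run" ]; then
    run_demo && echo "client-cert auth OK (test files in $WORK)"
fi
```

After run_demo succeeds, server.pem, ca.pem and the port are the same ones Firefox needs: import client.pem/client.key (or, on the token, the certificate stored with pkcs15-init) and add server.pem as a trusted exception, then the browser visit should show the s_server status page only when the token's certificate is offered. The server keeps running only for the duration of run_demo; start it by hand with the s_server line from the mail (switching to -Verify and -CAfile) for interactive browser testing.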
Other applications
wpa_supplicant - no test environment here
strongswan - no test environment here
thunderbird - no test environment here
-> testing and feedback and test procedures welcome
Cleanup
pkcs15-init --erase-card --pin 123456 --so-pin 12345678
Card information for cardos cards
cardos-tool --info
Running the test suite (on empty cards)
svn co http://www.opensc-project.org/svn/opensc/releases/opensc-0.11.13/src/tests/regression
cd regression
./run-all --installed
(on cryptoflex cards need a transport key specified,
for example "-T" for the default one)
_______________________________________________
opensc-devel mailing list
http://www.opensc-project.org/mailman/listinfo/opensc-devel