This documentation is obsolete: up-to-date documentation is available at http://cern.ch/linux/docs/smartcards.shtml
(How and if we can use Smartcards under Linux. IT-IS has a pilot project, including hardware.)
Smartcard access for individual applications
(CNIC would like PVSS and some Java app - but no real specs yet)
- Firefox (for web authentication, to use with CERN SSO. Should work via the provided libpkcs11 to match the card)
- Thunderbird (for email signing, and IMAP authentication. Unclear whether IMAP authentication works, at least in SLC4..)
- evolution (for email signing and IMAP auth)
- GPG (can we use the keys for signing/encryption?)
- openssl (integration with the openssl toolkit would allow several other applications such as stunnel or VPNs to use the card)
- rdesktop (Windows Terminal Services - the protocol allows hardware card readers to be "forwarded", but is unfortunately undocumented..)
Smartcard for Login and SSO
(need integration with PAM and/or GDM, need a GSSKLOG/PKINIT module to get Kerberos credentials for the card)
- SSH: Tricky - needs 3rd-party patches for X509 support in openssh, need to forward the connection to the card (can the "agent" handle cards?); need to convert into AFS tokens on the destination. Much easier to use Kerberos/GSSAPI for remote access and do a workstation-local conversion from Smartcard to Kerberos via PKINIT.
- Screensaver: standard Windows functionality - pulling the card should lock the screen, inserting it unlocks (perhaps with PIN).
- Grid: it should be possible to get proxy certificates signed by the card. Looks like somebody managed to do this at the Czech META Zentrum (Daniel Kouril, Ludek Matyska, Michal Prochazka).
Pointers, Links and random stuff
Notes from early install attempts on SLC4 by A.Tselishchev, IT/IS
Libraries for the IS smartcard (SafeSign) are under http://www.hatred.ch/Safesign.zip or on dfs:/Systems/SmartCards/Linux
Smartcards under Scientific Linux CERN installation notes - A.Tselishchev IT/IS
v0.1 - Temporary workaround
1. Install PCSC lite (pcsc-lite-1.2.9-1.i586.rpm)
Safesign software is somehow not compatible with PCSC lite 1.3 and above, so pcsc 1.3.3 should be deleted before installing:
rpm -e --nodeps pcsc-lite-1.3.3-1.el4.rf
rpm -e --nodeps pcsc-lite-libs-1.3.3-1.el4.rf
As long as SLC automatically updates packages, PCSC 1.2.9 will soon be updated to 1.3.3, making Safesign unusable. To avoid this, disable updates in /etc/cron.daily/rpm. This is a temporary workaround; soon Safesign will accept our version of pcsc.
2. Install PC/SC driver for Omnikey Cardreader (skip if you already have a reader installed)
- ifdokccid_lnx-3.4.0.tar.gz (for any Omnikey reader)
- ctdeuti_lnx-5.1.0.tar.gz if using Cardman 3121
3. Install all packages from the safesign folder.
- Web authentication on Firefox was tested and is OK.
- later update:
Actually it was not that simple to get Safesign working on SLC4, and the solution of downgrading PCSC was found by chance. Safesign works on my home machine, which runs Ubuntu, and is supposed to work on Redhat 5 and some Suse distributions. When SLC5 becomes available (I couldn't find it yet) I think things will run smoothly. Consider today's solution as a sneak peek at multiplatform smartcards.
Small update on testing - in order to integrate the Safesign security module into Firefox one should add libaetpkss.so as a security device in firefox. The same applies to Thunderbird.
Install notes from Jan, "GemPC Card" PCMCIA reader, SLC4
- (started with DAG's pcsc-lite-1.3.3 RPMs): yum install pcsc-lite
- plug in Smartcard reader, look at /var/log/messages. Here the thing is detected as /dev/ttyS1:
Mar 20 08:26:29 laptop cardmgr[3704]: initializing socket 0
Mar 20 08:26:29 laptop kernel: cs: memory probe 0xa0000000-0xa0ffffff: clean.
Mar 20 08:26:29 laptop cardmgr[3704]: socket 0: Serial or Modem
Mar 20 08:26:29 laptop cardmgr[3704]: product info: "Gemplus", "SerialPort", "GemPC Card"
Mar 20 08:26:29 laptop cardmgr[3704]: manfid: 0x0157, 0x0100 function: 2 (serial)
Mar 20 08:26:29 laptop cardmgr[3704]: executing: 'modprobe serial_cs'
Mar 20 08:26:29 laptop kernel: ttyS1 at I/O 0x2f8 (irq = 3) is a 16450
Mar 20 08:26:29 laptop cardmgr[3704]: executing: './serial start ttyS1'
Mar 20 08:26:29 laptop cardmgr[3704]: + Default modem setup
- configure PCSC for the new reader (using the serial driver included with pcsc-lite): cat /etc/reader.conf.d/gem.conf
FRIENDLYNAME "GEMplus PCMCIA Reader"
DEVICENAME /dev/ttyS1
LIBPATH /usr/lib/pcsc/drivers/serial/libccidtwin.so.1.2.0
CHANNELID 1
- apply config: run update-reader.conf
- start pcscd in debug mode: pcscd -f --debug
- insert something into reader, should see
ifdhandler.c:841:IFDHPowerICC() lun: 0, action: PowerUp
commands.c:115:CmdPowerOn Card absent or mute
ifdhandler.c:877:IFDHPowerICC() PowerUp failed
eventhandler.c:419:EHStatusHandlerThread() Card inserted into GEMplus PCMCIA Reader 00 00
eventhandler.c:433:EHStatusHandlerThread() Error powering up card.
or (if you are lucky and have a working card, GSM in this case..)
ifdhandler.c:841:IFDHPowerICC() lun: 0, action: PowerUp
eventhandler.c:419:EHStatusHandlerThread() Card inserted into GEMplus PCMCIA Reader 00 00
Card ATR: 3B 89 00 91 16 91 02 90 05 01 03 00
- install safesign: rpm -Uvh safesign*rpm
- insert blank card ("IBM JCOP41 Standard")
- run "tokenadmin"
- can now initialize token and import the CA certificates:
  - download from https://cern.ch/ca - "save link" in firefox (otherwise firefox will try to import them directly), these are DER (binary)-encoded
  - rename to have extension ".cer" (default is ".crt") -- or change the wildcard in tokenadmin
  - Follow SafeSign "Token Utilities Guide" to initialize card (give name, choose PUK and PIN, optionally import CA certificates)
- import existing certificate
  - export from browser in pkcs12 format (.p12 extension)
  - use tokenadmin/tokenmanager to "Add Digital ID"
  - FAILS silently! tokenadmin / Token / "Analyze certificate quality" complains: "The value for CKA_ID of the certificate does not match the value for CKA_ID on the private key. This certificate is unusable for applications."
  - tokenadmin / Token / Dump gives (for the certificate)
CKA_LABEL: "Jan Iven's CERN Trusted Certification Authority ID"
CKA_ID: 7C D7 D3 47 D0 65 48 81 0D 07 9C 55 12 7C F6 0F 91 7C C4 90
    and for the private key
CKA_LABEL: "Jan Iven's CERN Trusted Certification Authority ID"
CKA_ID: B0 10 BA F4 60 D3 39 75 D5 3F 1A 1E E7 79 B4 F0 C9 AC AA 32
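As an added check (not part of the original notes), the following script pairs the certificate and private-key objects of a tokenadmin-style dump by CKA_LABEL and compares their CKA_ID, which is how PKCS#11 applications match a certificate to its key; the "Object:" header lines are an assumed layout, the CKA_LABEL/CKA_ID values are the ones dumped above.

```python
# Added CKA_ID consistency check (not part of the original notes).
# Parses a tokenadmin-style dump and reports, per CKA_LABEL, whether the
# certificate and the private key carry the same CKA_ID. A mismatch is the
# condition "Analyze certificate quality" reports as "unusable for applications".

# Constructed sample input: the "Object:" lines are an assumed layout, the
# CKA_LABEL/CKA_ID values are the ones from the tokenadmin dump in the notes.
SAMPLE_DUMP = """\
Object: Certificate
CKA_LABEL:
"Jan Iven's CERN Trusted Certification Authority ID"
CKA_ID:
7C D7 D3 47 D0 65 48 81 0D 07 9C 55 12 7C F6 0F 91 7C C4 90
Object: Private key
CKA_LABEL:
"Jan Iven's CERN Trusted Certification Authority ID"
CKA_ID:
B0 10 BA F4 60 D3 39 75 D5 3F 1A 1E E7 79 B4 F0 C9 AC AA 32
"""

def parse_dump(text):
    """Return one {"class", "label", "id"} dict per dumped object."""
    objects, cur, attr = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Object:"):
            cur = {"class": line.split(":", 1)[1].strip().lower(), "label": None, "id": None}
            objects.append(cur)
        elif line in ("CKA_LABEL:", "CKA_ID:"):
            attr = line[:-1]                     # value follows on the next line
        elif cur is not None and attr == "CKA_LABEL":
            cur["label"], attr = line.strip('"'), None
        elif cur is not None and attr == "CKA_ID":
            cur["id"], attr = bytes.fromhex(line), None   # fromhex ignores the spaces
    return objects

def check_cka_ids(objects):
    """Map label -> True (cert and key share CKA_ID), False (mismatch),
    or None (no certificate/private-key pair found for that label)."""
    by_label = {}
    for o in objects:
        by_label.setdefault(o["label"], {})[o["class"]] = o["id"]
    result = {}
    for label, ids in by_label.items():
        cert, key = ids.get("certificate"), ids.get("private key")
        result[label] = None if cert is None or key is None else cert == key
    return result

if __name__ == "__main__":
    for label, ok in check_cka_ids(parse_dump(SAMPLE_DUMP)).items():
        print(f"{label!r}: {'OK' if ok else 'CKA_ID MISMATCH' if ok is False else 'incomplete'}")
```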
- things to check:
  - firefox - how to add new card/device: Preferences/Advanced/Security tab/"Security devices" button, "Load" button, Name: something like "SafeSign PKCS11", Path: /usr/lib/libaetpkss.so.2.3.1 (from safesign-pkcs11 RPM), confirm, confirm. Should show your smartcard reader.
  - thunderbird (1.5, SLC4): Preferences/Privacy/Security tab/"Security devices" button, "Load" button, Name: something like "SafeSign PKCS11", Path: /usr/lib/libaetpkss.so.2.3.1 (from safesign-pkcs11 RPM), confirm, confirm. Should show your smartcard reader.
  - openssl - can we get the pkcs11 "engine" to work?
Problems
- on SLC4, pcscd seems to be continuously running/eating a few % of CPU. The thing is multithreaded. strace shows the main thread is waiting in select(), one thread is constantly looking at /proc/bus/usb (and the things underneath), the other is reading and writing like mad to /dev/ttyS1:
select(6, [5], NULL, NULL, {2, 0}) = 1 (in [5], left {2, 0})
read(5, "\3\6e\0\0\0\0\0 \0\0\0@\3\6\201\0\0\0\0\0 \2\0\0\246", 548) = 26
nanosleep({0, 400000000}, NULL) = 0
write(5, "\3\6e\0\0\0\0\0!\0\0\0A", 13) = 13
select(6, [5], NULL, NULL, {2, 0}) = 1 (in [5], left {2, 0})
...
Install notes from Jan, "GemPC Card" PCMCIA reader, SLC5
Differences to above attempt on SLC4:
- pcsc-lite now comes from the distribution (pcsc-lite-1.4.4-0.1.el5) - good.
- serial driver library (as recorded in /etc/reader.conf.d/gem.conf) is /usr/lib/pcsc/drivers/serial/libccidtwin.so.1.0.1 (i.e. an older version than on SLC4), but appears to work - good. Note: use a symlink to the library instead of the versioned name, less trouble on upgrades.
- install safesign-tokenadmin-2.3.1-1.i586.rpm and safesign-pkcs11-2.3.1-2.i586.rpm; tokenadmin sees the (initialized) card and shows the certificates - good.
- firefox-3.0b5: need to remove (Unload) the previously-installed safesign library, then re-add it; then it works against CERN's http://cern.ch/login - good.
update for SLC53
SLC53 contained an update to the ccid version, which gave us a new version of the serial card driver. Therefore /etc/reader.conf.d/gem.conf should point to the symlink /usr/lib/pcsc/drivers/serial/libccidtwin.so, not to the exact versioned library. Otherwise pcscd won't start after the update, and the token will not be visible..
Experiments with the gemsafexpresso 16k card on Linux
Not recognized automatically, pcscd says
Mar 16 11:15:54 laptop pcscd: eventhandler.c:431:EHStatusHandlerThread() Card inserted into GEMplus PCMCIA Reader 00 00
Mar 16 11:15:54 laptop pcscd: Card ATR: 3B 7D 94 00 00 80 31 80 65 B0 83 01 01 90 83 00 90 00
Mar 16 11:15:54 laptop pcscd: prothandler.c:130:PHSetProtocol() Attempting PTS to T=0
Mar 16 11:15:54 laptop pcscd: ifdhandler.c:488:IFDHSetProtocolParameters() lun: 0, protocol T=0
Mar 16 11:15:54 laptop pcscd: ifdhandler.c:1436:extra_egt() Extra EGT patch applied
Mar 16 11:15:54 laptop pcscd: towitoko/atr.c:351:ATR_GetDefaultProtocol() no default protocol found in ATR. Using T=0
Mar 16 11:15:54 laptop pcscd: ifdhandler.c:1035:IFDHTransmitToICC() lun: 0
ATR is "GemSafeXpresso 16k R3.2"
Software might be JavaCard or Gemalto ".net" (http://www.gemalto.com/products/dotnet_card/news.html has links to the manual and drivers, incl RHEL5-32bit).
Alternatively, need gpshell to upload applets (some test utilities (alg supported etc) are available from http://www.fi.muni.cz/~xsvenda/jcsupport.html)