This documentation is obsolete: up to date documentation available at: http://cern.ch/linux/docs/smartcards.shtml

(How and if we can use Smartcards under Linux. IT-IS have some pilot project including hardware).

Smartcard access for individual applications

(CNIC would like PVSS and some Java app - but no real specs yet)

Firefox

(for web authentication, to use with CERN SSO. Should work via provided libpkcs11 to match the card)

Thunderbird

(for email signing, and IMAP authentication. Unclear whether IMAP authentication works, at least in SLC4..)

evolution

(for email signing and IMAP auth)

GPG

(can we use the keys for signing/encryption?)

openssl

(integration with the openssl toolkit would allow for several other applications such as stunnel or VPNs to use the card)

rdesktop

(Windows Terminal Services - the protocol allows hardware card readers to be "forwarded" to the server, but that part of it is unfortunately undocumented.)

Smartcard for Login and SSO

(need integration with PAM and/or GDM, need a GSSKLOG/PKINIT-module to get Kerberos credentials for the card)

SSH

Tricky - needs 3rd-party patches for X509 support in openssh, needs the connection forwarded to the card (can the "agent" handle cards?), and needs a conversion into AFS tokens on the destination. Much easier to use Kerberos/GSSAPI for remote access and do a workstation-local conversion from Smartcard to Kerberos via PKINIT.

Screensaver

standard Windows functionality - pulling the card should lock the screen, inserting it should unlock (perhaps after asking for the PIN).

Grid

It should be possible to get proxy certificates signed by the card. It looks like somebody managed to do this at the Czech META Zentrum (Daniel Kouril, Ludek Matyska, Michal Prochazka).

Pointers, Links and random stuff

Notes from early install attempts on SLC4 by A.Tselishchev, IT/IS

Libraries for the IS smartcard (SafeSign) are under http://www.hatred.ch/Safesign.zip or on dfs:/Systems/SmartCards/Linux

Smartcards under Scientific Linux CERN installation notes - A.Tselishchev IT/IS
v0.1 - Temporary workaround 

1. Install PCSC lite (pcsc-lite-1.2.9-1.i586.rpm)

Safesign software is somehow not compatible with PCSC lite 1.3 and
above, so pcsc 1.3.3 should be removed before installing:

 rpm -e --nodeps pcsc-lite-1.3.3-1.el4.rf
 rpm -e --nodeps pcsc-lite-libs-1.3.3-1.el4.rf

As long as SLC automatically updates packages, PCSC 1.2.9 will soon be
updated to 1.3.3, making Safesign unusable. To avoid this, disable updates
in /etc/cron.daily/rpm. This is a temporary workaround; soon Safesign
will accept our version of pcsc.



2. Install the PC/SC driver for the Omnikey card reader (skip if you already have
a reader installed)
 -ifdokccid_lnx-3.4.0.tar.gz (for any Omnikey reader)
 -ctdeuti_lnx-5.1.0.tar.gz if using the Cardman 3121

3. Install all packages from safesign folder.


-Web authentication on Firefox was tested and is OK.



- later update:

Actually it was not that simple to get Safesign working on SLC4, and the
solution of downgrading PCSC was found by chance. Safesign works
on my home machine, which runs Ubuntu, and is supposed to work on Redhat 5
and some Suse distributions. When SLC5 is available (I couldn't
find it yet) I think things will run smoothly. Consider today's
solution a sneak peek at multiplatform smartcards.

Small update on testing - in order to integrate the Safesign security module
into Firefox one should add libaetpkss.so as a security device in Firefox.
The same applies to Thunderbird.

Install notes from Jan, "GemPC Card" PCMCIA reader, SLC4

  • (started with DAG's pcsc-lite-1.3.3 RPMs): yum install pcsc-lite
  • plug in the smartcard reader, look at /var/log/messages. Here the thing is detected as /dev/ttyS1:
Mar 20 08:26:29 laptop cardmgr[3704]: initializing socket 0
Mar 20 08:26:29 laptop kernel: cs: memory probe 0xa0000000-0xa0ffffff: clean.
Mar 20 08:26:29 laptop cardmgr[3704]: socket 0: Serial or Modem
Mar 20 08:26:29 laptop cardmgr[3704]:   product info: "Gemplus", "SerialPort", "GemPC Card"
Mar 20 08:26:29 laptop cardmgr[3704]:   manfid: 0x0157, 0x0100  function: 2 (serial)
Mar 20 08:26:29 laptop cardmgr[3704]: executing: 'modprobe serial_cs'
Mar 20 08:26:29 laptop kernel: ttyS1 at I/O 0x2f8 (irq = 3) is a 16450
Mar 20 08:26:29 laptop cardmgr[3704]: executing: './serial start ttyS1'
Mar 20 08:26:29 laptop cardmgr[3704]: + Default modem setup
  • configure PCSC for the new reader (using the serial driver included with pcsc-lite)
 cat /etc/reader.conf.d/gem.conf
FRIENDLYNAME     "GEMplus PCMCIA Reader"
DEVICENAME       /dev/ttyS1
LIBPATH          /usr/lib/pcsc/drivers/serial/libccidtwin.so.1.2.0
CHANNELID        1
  • apply config: run update-reader.conf
  • start pcscd in debug mode pcscd -f --debug
  • insert something into reader, should see
ifdhandler.c:841:IFDHPowerICC() lun: 0, action: PowerUp
commands.c:115:CmdPowerOn Card absent or mute
ifdhandler.c:877:IFDHPowerICC() PowerUp failed
eventhandler.c:419:EHStatusHandlerThread() Card inserted into GEMplus PCMCIA Reader 00 00
eventhandler.c:433:EHStatusHandlerThread() Error powering up card.
or (if you are lucky and have a working card, GSM in this case..)
ifdhandler.c:841:IFDHPowerICC() lun: 0, action: PowerUp
eventhandler.c:419:EHStatusHandlerThread() Card inserted into GEMplus PCMCIA Reader 00 00
Card ATR: 3B 89 00 91 16 91 02 90 05 01 03 00
  • install safesign rpm -Uvh safesign*rpm
  • insert blank card ("IBM JCOP41 Standard"),
  • run "tokenadmin"
    • can now initialize token and import the CA certificates:
      • download from https://cern.ch/ca - "save link" in firefox (otherwise firefox will try to import them directly), these are DER (binary)-encoded
      • rename to have extension ".cer" (default is ".crt") -- or change wildcard in tokenadmin
    • Follow SafeSign "Token Utilities Guide" to initialize card (give name, choose PUK and PIN, optionally import CA certificates)
  • import existing certificate
    • export from browser in pkcs12 format (.p12 extension)
    • use tokenadmin/tokenmanager to "Add Digital ID"
    • FAILS silently! tokenadmin / Token / "Analyze certificate quality" complains about
      - The value for CKA_ID of the certificate does not match the value for CKA_ID on the private key. This certificate is unusable for applications.
    • tokenadmin / Token / Dump gives (for the certificate)
      CKA_LABEL:
          "Jan Iven's CERN Trusted Certification Authority ID"
      CKA_ID:
           7C D7 D3 47 D0 65 48 81 0D 07 9C 55 12 7C F6 0F 91 7C C4 90  
      and for the private key
      CKA_LABEL:
          "Jan Iven's CERN Trusted Certification Authority ID"
      CKA_ID:
           B0 10 BA F4 60 D3 39 75 D5 3F 1A 1E E7 79 B4 F0 C9 AC AA 32


  • things to check:
    • firefox - how to add new card/device:
      • Preferences/Advanced/Security tab/"Security devices" button,
      • "Load" button, Name: something like "SafeSign PKCS11" Path: /usr/lib/libaetpkss.so.2.3.1 (from safesign-pkcs11 RPM), confirm, confirm. Should show your smartcard reader.
    • thunderbird (1.5, SLC4):
      • Preferences/Privacy/Security tab/"Security devices" button
      • "Load" button, Name: something like "SafeSign PKCS11" Path: /usr/lib/libaetpkss.so.2.3.1 (from safesign-pkcs11 RPM), confirm, confirm. Should show your smartcard reader.
    • openssl - can we get the pkcs11 "engine" to work?
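The "Analyze certificate quality" complaint above (certificate and private key carrying different CKA_ID values) can be checked from a tokenadmin dump before an application silently fails to find the key. The script below is an added example, not part of the original page or of SafeSign; it parses the CKA_LABEL / CKA_ID attribute lines in the format shown above (the two dumps embedded here are the page's own values) and reports certificate/key pairs whose CKA_ID differ.

```python
# Added example: check that a certificate and its private key on the token
# share the same CKA_ID, which is what PKCS#11 applications use to pair them.

# Sample input constructed from the tokenadmin "Dump" output shown above:
# one attribute dump for the certificate object, one for the private key.
CERT_DUMP = '''CKA_LABEL:
    "Jan Iven's CERN Trusted Certification Authority ID"
CKA_ID:
     7C D7 D3 47 D0 65 48 81 0D 07 9C 55 12 7C F6 0F 91 7C C4 90
'''
KEY_DUMP = '''CKA_LABEL:
    "Jan Iven's CERN Trusted Certification Authority ID"
CKA_ID:
     B0 10 BA F4 60 D3 39 75 D5 3F 1A 1E E7 79 B4 F0 C9 AC AA 32
'''


def parse_dump(text):
    """Return {attribute: value} from a tokenadmin-style dump.
    CKA_ID hex strings become bytes; quoted labels lose their quotes."""
    attrs, name = {}, None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("CKA_") and s.endswith(":"):
            name = s[:-1]            # attribute name, value follows on next line
        elif name:
            attrs[name] = bytes.fromhex(s) if name == "CKA_ID" else s.strip('"')
            name = None
    return attrs


def check_pairs(cert_dumps, key_dumps):
    """Pair certificates with private keys by CKA_LABEL and flag pairs whose
    CKA_ID differ: both objects exist, but the certificate is unusable."""
    keys = {k["CKA_LABEL"]: k for k in map(parse_dump, key_dumps)}
    report = []
    for cert in map(parse_dump, cert_dumps):
        label = cert["CKA_LABEL"]
        key = keys.get(label)
        if key is None:
            report.append((label, "no private key with this label"))
        elif key["CKA_ID"] != cert["CKA_ID"]:
            report.append((label, "CKA_ID mismatch: cert %s / key %s"
                           % (cert["CKA_ID"].hex(), key["CKA_ID"].hex())))
        else:
            report.append((label, "ok"))
    return report


if __name__ == "__main__":
    for label, status in check_pairs([CERT_DUMP], [KEY_DUMP]):
        print("%s: %s" % (label, status))
```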

Problems

  • on SLC4, pcscd seems to be continuously running/eating a few % of CPU. The thing is multithreaded. strace shows the main thread is waiting in select(), one thread is constantly looking at /proc/bus/usb (and the things underneath), the other is reading and writing like mad to /dev/ttyS1:
select(6, [5], NULL, NULL, {2, 0})      = 1 (in [5], left {2, 0})
read(5, "\3\6e\0\0\0\0\0 \0\0\0@\3\6\201\0\0\0\0\0 \2\0\0\246", 548) = 26
nanosleep({0, 400000000}, NULL)         = 0
write(5, "\3\6e\0\0\0\0\0!\0\0\0A", 13) = 13
select(6, [5], NULL, NULL, {2, 0})      = 1 (in [5], left {2, 0})
...

Install notes from Jan, "GemPC Card" PCMCIA reader, SLC5

Differences to above attempt on SLC4:
  • pcsc-lite now comes from the distribution (pcsc-lite-1.4.4-0.1.el5) - good.
  • serial driver library (as recorded in /etc/reader.conf.d/gem.conf) is /usr/lib/pcsc/drivers/serial/libccidtwin.so.1.0.1 (i.e. an older version than on SLC4), but appears to work - good. Note: use a symlink to the library instead of the versioned name, less trouble on upgrades.
  • install safesign-tokenadmin-2.3.1-1.i586.rpm and safesign-pkcs11-2.3.1-2.i586.rpm, tokenadmin sees the (initialized) card and shows the certificates - good.
  • firefox-3.0b5: need to remove (Unload) the previously-installed safesign library, then re-add it; then it works against CERN's http://cern.ch/login - good.

update for SLC53

SLC53 contained an update to the ccid version, which gave us a new version of the serial card driver. Therefore /etc/reader.conf.d/gem.conf should point to the symlink /usr/lib/pcsc/drivers/serial/libccidtwin.so, not to the exact versioned library. Otherwise pcscd won't start after the update, and the token will not be visible.

Experiments with the gemsafexpresso 16k card on Linux

Not recognized automatically, pcscd says

Mar 16 11:15:54 laptop pcscd: eventhandler.c:431:EHStatusHandlerThread() Card inserted into GEMplus PCMCIA Reader 00 00
Mar 16 11:15:54 laptop pcscd: Card ATR: 3B 7D 94 00 00 80 31 80 65 B0 83 01 01 90 83 00 90 00 
Mar 16 11:15:54 laptop pcscd: prothandler.c:130:PHSetProtocol() Attempting PTS to T=0
Mar 16 11:15:54 laptop pcscd: ifdhandler.c:488:IFDHSetProtocolParameters() lun: 0, protocol T=0
Mar 16 11:15:54 laptop pcscd: ifdhandler.c:1436:extra_egt() Extra EGT patch applied
Mar 16 11:15:54 laptop pcscd: towitoko/atr.c:351:ATR_GetDefaultProtocol() no default protocol found in ATR. Using T=0
Mar 16 11:15:54 laptop pcscd: ifdhandler.c:1035:IFDHTransmitToICC() lun: 0

ATR is "GemSafeXpresso 16k R3.2"
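The "no default protocol found in ATR. Using T=0" line from pcscd follows directly from the structure of the ATR. The decoder below is an added example (not code from the page, pcsc-lite or Gemalto): it walks the ISO 7816-3 interface bytes (TA/TB/TC/TD), the historical bytes and the TCK checksum, and decodes both ATRs recorded on this page, the GSM card from the SLC4 notes and the GemSafeXpresso above, showing that the latter carries no TD1 and hence offers no protocol explicitly.

```python
# Added example: minimal ISO 7816-3 ATR decoder, written for this page.

def parse_atr(atr_hex):
    """Decode an Answer-To-Reset given as space-separated hex (as pcscd logs it)."""
    b = bytes.fromhex(atr_hex)
    if len(b) < 2 or b[0] not in (0x3B, 0x3F):
        raise ValueError("not a valid ATR: bad length or TS byte")
    t0 = b[1]
    info = {"convention": "direct" if b[0] == 0x3B else "inverse",
            "interface": {}, "protocols": []}
    y, n, i = t0, 1, 2           # Yi presence bits are the high nibble of T0 / TDi
    while True:
        for bit, name in ((0x10, "TA"), (0x20, "TB"), (0x40, "TC"), (0x80, "TD")):
            if y & bit:
                if i >= len(b):
                    raise ValueError("ATR truncated inside interface bytes")
                info["interface"]["%s%d" % (name, n)] = b[i]
                i += 1
        td = info["interface"].get("TD%d" % n)
        if td is None:
            break                # no TDi: no further interface bytes follow
        info["protocols"].append(td & 0x0F)   # low nibble of TDi = offered T
        y, n = td, n + 1
    k = t0 & 0x0F                # low nibble of T0 = number of historical bytes
    info["historical"] = b[i:i + k]
    if len(info["historical"]) != k:
        raise ValueError("ATR truncated inside historical bytes")
    i += k
    # TCK is present unless T=0 is the only protocol offered (ISO 7816-3).
    info["tck_present"] = any(p != 0 for p in info["protocols"])
    if info["tck_present"]:
        if i >= len(b):
            raise ValueError("ATR truncated: TCK missing")
        xor = 0
        for x in b[1:i + 1]:     # T0 .. TCK inclusive must XOR to zero
            xor ^= x
        info["tck_ok"] = xor == 0
        i += 1
    if i != len(b):
        raise ValueError("%d trailing byte(s) after ATR" % (len(b) - i))
    # Default protocol is the first one offered (in TD1); with no TD1 it is T=0.
    info["protocol_indicated"] = bool(info["protocols"])
    info["default_protocol"] = info["protocols"][0] if info["protocols"] else 0
    return info

# The two ATRs logged by pcscd on this page.
ATR_GSM = "3B 89 00 91 16 91 02 90 05 01 03 00"
ATR_GEMSAFE = "3B 7D 94 00 00 80 31 80 65 B0 83 01 01 90 83 00 90 00"

if __name__ == "__main__":
    for name, atr in (("GSM test card", ATR_GSM), ("GemSafeXpresso 16k", ATR_GEMSAFE)):
        print(name, parse_atr(atr))
```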

Software might be JavaCard or Gemalto ".net" (http://www.gemalto.com/products/dotnet_card/news.html has links to the manual and drivers, incl RHEL5-32bit)

Alternatively, need gpshell to upload applets (some test utilities (alg supported etc) are available from http://www.fi.muni.cz/~xsvenda/jcsupport.html)

Topic revision: r13 - 2012-07-23 - JaroslawPolok