{{tag>Brouillon}}

= Smart card notes

See:
  * https://access.redhat.com/documentation/fr-fr/red_hat_enterprise_linux/8/html/managing_systems_using_the_rhel_8_web_console/installing-tools-for-managing-and-using-smart-cards_configuring-smart-card-authentication-with-the-web-console
  * https://repo.zenk-security.com/Linux%20et%20systemes%20d.exploitations/Installer%20un%20lecteur%20de%20carte%20a%20puce%20USB%20sous%20Linux.pdf
  * https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
  * https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM
  * https://www.redhat.com/en/blog/smart-card-forwarding-fedora
  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_smart_card_authentication/index
  * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_smart_card_authentication/configuring-and-importing-local-certificates-to-a-smart-card_managing-smart-card-authentication

x509:
  * https://github.com/johndoe31415/x509sak
  * https://docs.aws.amazon.com/fr_fr/elasticbeanstalk/latest/dg/configuring-https-ssl.html
  * https://linux.goffinet.org/administration/confidentialite/pratique-certificats-tls

Server side:
  * Nginx / PHP : http://sweet.ua.pt/jpbarraca/course/sio-1920/p/guide-SSL-en.pdf

Python:
  * https://python-pkcs11.readthedocs.io/en/latest/index.html

Install the PC/SC daemon, its client library and the test tools, then OpenSC:

  sudo aptitude install pcscd libpcsclite1 pcsc-tools
  sudo aptitude install openct opensc

(''openct'' is an obsolete reader framework kept here for the record; on a current distribution ''pcscd'' alone is enough and ''openct'' may no longer be packaged.)

Test your token (''pcscd'' must be running for ''pcsc_scan''):

  opensc-tool -lv
  openct-tool list
  pcsc_scan

See also:
  * https://www.openscdp.org/scsh3/download.html

How can I distinguish a Nitrokey HSM 1 from a Nitrokey HSM 2? FIXME

Use ''opensc-tool --list-algorithms'' and compare what the card reports.

== Tools

  * ''opensc-tool'': generic card access (ATR, reader list, raw APDUs, file listing)
  * ''pkcs11-tool'': talk to a PKCS#11 module (slots, objects, key generation, signing)
  * ''pkcs15-tool'': read the PKCS#15 structure of a card (PINs, keys, certificates)
  * ''pkcs15-init'': initialise a card and create or import PKCS#15 objects
  * ''cardos-tool'': CardOS-specific utility

== Install - Check - Drivers

List the slots through the OpenSC PKCS#11 module:

  pkcs11-tool --module opensc-pkcs11.so -L

''-L'' is ''--list-slots''. If the loader does not find the module by name, pass its full path (e.g. ''/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'' on Debian/Ubuntu).

== OpenSSL

List the available slots.
  pkcs11-tool --list-slots

FIXME

Issue a self-signed certificate for a key that lives on the token, through the OpenSSL pkcs11 engine (libp11):

  openssl req -engine pkcs11 -new -key slot_X-id_XXXX -keyform engine -x509 -out cert.pem -text

where X is the slot number and XXXX is the hex ID of the key object on the token (the PKCS#11 CKA_ID, not the slot ID), e.g. ''... -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a ...''. The ID is shown by ''pkcs11-tool --list-objects'' (private keys are only listed after ''--login''). Newer libp11 releases also accept a PKCS#11 URI (''pkcs11:object=...'' or ''pkcs11:id=...'') in place of the ''slot_X-id_Y'' form, and OpenSSL 3 deprecates engines in favour of providers, so expect the ''-engine'' route to disappear.

== GPG

Reset an OpenPGP card to factory defaults. Make sure the GnuPG agent is started; if not:

  eval $(gpg-agent --daemon)

Send the reset commands:

  gpg-connect-agent < file

where ''file'' contains:

  hex
  scd serialno
  scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
  scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
  scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
  scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
  scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
  scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
  scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
  scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
  scd apdu 00 e6 00 00
  scd apdu 00 44 00 00
  /echo Reset complete

What it does: the first four APDUs are VERIFY (INS ''20'') against PW1, the user PIN (P2 ''81''), with a deliberately wrong 8-byte PIN (''40'' x 8, i.e. ''@@@@@@@@''); the next four do the same against PW3, the admin PIN (P2 ''83''). Four attempts exhaust the retry counter (3 by default) with margin. Once both PINs are blocked, TERMINATE DF (INS ''e6'') followed by ACTIVATE FILE (INS ''44'') wipes and re-creates the OpenPGP application: every key and PIN on the card is lost. GnuPG 2.1 and later offer the same procedure as the ''factory-reset'' command inside ''gpg --card-edit''.

Source: https://blog.mozilla.org/security/2013/02/13/using-cryptostick-as-an-hsm/

== Other data objects (DF, EF)

=== pkcs

The three keys on the OpenPGP card have these IDs: signing key 1, decryption key 2, authentication key 3.

Key generation via ''pkcs15-init'' (auth-id 3 is the admin PIN, PW3, which the card requires for key generation):

  pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key rsa/2048 --auth-id 3 --verify-pin

The keyspec consists of the key type (only RSA with this driver at the time these notes were written) and optionally a slash followed by the key size in bits (defaults to 1024). E.g. to generate a 1024-bit RSA key:

  pkcs15-init -G rsa/1024 -a 01 -l testkey

(1024-bit RSA is no longer acceptable for anything that matters; use 2048 bits or more.)

There is a limitation: ''pkcs15-init'' requires the new key length to be the same as the existing key's. To generate a key of a different length, ''openpgp-tool'' is recommended. ''pkcs15-init'' also requires the existing key/object to be removed explicitly, which is why ''--delete-objects privkey,pubkey --id 3'' is in the command (it has no effect on the CryptoStick, which does not support deleting keys but does support overwriting them).
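As an added example (not code from the page, from GnuPG or from OpenSC), the script below builds the VERIFY, TERMINATE DF and ACTIVATE FILE APDUs of the GPG factory-reset section above from their fields and decodes them back, so each line of the reset file can be checked before it is fed to ''gpg-connect-agent''. The function names and the 8 x ''@'' dummy PIN are this example's own choices; the script only prints, it never talks to a card.

```shell
#!/bin/sh
# Added example: build and decode the OpenPGP card APDUs used by the
# factory-reset script. Nothing here touches a reader or a card.

# Hex-encode a string as space-separated "xx" bytes.
hexify() {
    printf '%s' "$1" | od -An -tx1 -v | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# VERIFY (ISO 7816-4 INS 20): CLA=00 INS=20 P1=00 P2=<password ref> Lc=<len> <PIN bytes>.
# On the OpenPGP card P2 81 is PW1 (user PIN) and P2 83 is PW3 (admin PIN).
verify_apdu() {
    ref=$1; pin=$2
    len=$(printf '%s' "$pin" | wc -c | tr -d ' ')
    printf '00 20 00 %s %02x %s\n' "$ref" "$len" "$(hexify "$pin")"
}

# Emit the gpg-connect-agent script: block PW1 and PW3 with a wrong PIN
# (four tries each, one more than the default retry counter), then
# TERMINATE DF (INS e6) and ACTIVATE FILE (INS 44) to re-create the application.
reset_script() {
    bad='@@@@@@@@'   # 8 x 0x40: a PIN that is certainly wrong (example choice)
    printf '%s\n' 'hex' 'scd serialno'
    for ref in 81 81 81 81 83 83 83 83; do
        printf 'scd apdu %s\n' "$(verify_apdu "$ref" "$bad")"
    done
    printf '%s\n' 'scd apdu 00 e6 00 00' 'scd apdu 00 44 00 00' '/echo Reset complete'
}

# Decode an APDU given as space-separated hex into CLA INS P1 P2 and, when a
# body is present, Lc plus data (the reset script only uses these two shapes).
decode_apdu() {
    set -- $1
    cla=$1; ins=$2; p1=$3; p2=$4; shift 4
    case "$ins" in
        20)    name=VERIFY ;;
        e6|E6) name='TERMINATE DF' ;;
        44)    name='ACTIVATE FILE' ;;
        *)     name=UNKNOWN ;;
    esac
    if [ $# -eq 0 ]; then
        printf '%s CLA=%s P1=%s P2=%s (no body)\n' "$name" "$cla" "$p1" "$p2"
    else
        lc=$1; shift
        printf '%s CLA=%s P1=%s P2=%s Lc=%s data=%s\n' "$name" "$cla" "$p1" "$p2" "$lc" "$*"
    fi
}

# Usage: review the generated file, then feed it to the agent yourself:
#   reset_script > reset.txt && gpg-connect-agent < reset.txt
reset_script
reset_script | sed -n 's/^scd apdu //p' | while read -r apdu; do decode_apdu "$apdu"; done
```

The decoder is the useful half: any ''scd apdu'' line someone hands you can be checked against the OpenPGP card specification before it is sent, and a line with P2 ''83'' and INS ''20'' is immediately recognisable as an attempt on the admin PIN.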
Source: https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card

Other:

  pkcs15-tool --dump
  pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
  pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin

The two commands copy the key/certificate pair from the PKCS#12 file into slot 3 and slot 2. Per the ID map above, slot 2 is the decryption key (needed to decrypt mail) and slot 3 is the authentication key; the signing key is slot 1, so a key meant for signing mail belongs in ''--id 1'', not 3.

Other: generating a key pair for S/MIME

  # set +o history
  export HISTCONTROL=ignorespace
   pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 40 --label "antispam@relst.nl"

''HISTCONTROL=ignorespace'' only keeps a command out of the shell history when the command line starts with a space (hence the leading space above); ''set +o history'' is the alternative. Neither hides a PIN given with ''--pin'' from ''ps'' or ''/proc'' while the command runs, so prefer ''--login'' without ''--pin'' and let ''pkcs11-tool'' prompt for it. ''--id 40'' is the hex CKA_ID the new public and private key objects get and ''--label'' their CKA_LABEL; both are what later commands (and the ''slot_X-id_XXXX'' reference above) use to find the key.
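Added example, not the page's own code, serving both the OpenSSL engine key reference above and the S/MIME key-pair generation here: the slot number and hex key ID that the ''slot_X-id_XXXX'' form (or a PKCS#11 URI) needs are pulled out of ''pkcs11-tool -L'' and ''pkcs11-tool -O'' listings by token label and key label. The two listings embedded in the script are constructed samples (the slot numbers, serials, the ''tls-server'' object and its ID are invented; the ''antispam@relst.nl'' label and ID ''40'' come from the command above); on a real machine feed the functions the live tool output instead.

```shell
#!/bin/sh
# Added example: resolve "slot_X-id_Y" for the OpenSSL pkcs11 engine from
# pkcs11-tool listings. The two listings below are constructed samples.

SAMPLE_SLOTS='Available slots:
Slot 0 (0x0): Alcor Micro AU9560 00 00
  (empty)
Slot 5 (0x5): Nitrokey Nitrokey HSM (DENK01234567890         ) 00 00
  token label        : UserPIN (SmartCard-HSM)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  serial num         : DENK0123456
  pin min/max        : 6/15'

# Public objects only: private keys show up in -O output only after --login.
SAMPLE_OBJECTS='Using slot 5 with a present token (0x5)
Public Key Object; RSA 2048 bits
  label:      tls-server
  ID:         c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
  Usage:      encrypt, verify
Public Key Object; RSA 2048 bits
  label:      antispam@relst.nl
  ID:         40
  Usage:      encrypt, verify'

# Slot number of the token whose label is $1, from a -L listing on stdin.
slot_for_token() {
    awk -v want="$1" '
        /^Slot [0-9]+/      { slot = $2 }
        /^ *token label *:/ { sub(/^[^:]*: */, ""); if ($0 == want) { print slot; exit } }
    '
}

# Hex CKA_ID of the first object labelled $1, from a -O listing on stdin.
id_for_label() {
    awk -v want="$1" '
        /^ *label:/ { sub(/^ *label: */, ""); hit = ($0 == want) }
        /^ *ID:/    { if (hit) { print $2; exit } }
    '
}

# libp11 engine key reference, as used with "-keyform engine".
engine_key_ref() {   # $1 slot number, $2 hex id
    printf 'slot_%s-id_%s\n' "$1" "$2"
}

# The same key as an RFC 7512 PKCS#11 URI (newer libp11 and the OpenSSL 3
# pkcs11 provider take this form); the id is percent-encoded byte by byte.
pkcs11_uri() {       # $1 token label, $2 hex id
    enc_id=$(printf '%s' "$2" | sed 's/../%&/g')
    enc_label=$(printf '%s' "$1" | sed 's/ /%20/g')
    printf 'pkcs11:token=%s;id=%s;type=private\n' "$enc_label" "$enc_id"
}

# The self-signed certificate command from the notes, for a given key reference.
selfsigned_cmd() {
    printf 'openssl req -engine pkcs11 -new -key %s -keyform engine -x509 -out cert.pem -text\n' "$1"
}

# Demo on the samples. Live use:
#   pkcs11-tool --module opensc-pkcs11.so -L | slot_for_token 'UserPIN (SmartCard-HSM)'
#   pkcs11-tool --module opensc-pkcs11.so -O | id_for_label 'antispam@relst.nl'
slot=$(printf '%s\n' "$SAMPLE_SLOTS" | slot_for_token 'UserPIN (SmartCard-HSM)')
id=$(printf '%s\n' "$SAMPLE_OBJECTS" | id_for_label 'antispam@relst.nl')
selfsigned_cmd "$(engine_key_ref "$slot" "$id")"
pkcs11_uri 'UserPIN (SmartCard-HSM)' "$id"
```

Resolving by label rather than hard-coding ''slot_5'' matters in practice: slot numbers shift when a reader is unplugged or a second token is inserted, whereas the token label and the CKA_ID set at key generation (''--id 40 --label ...'') stay with the card.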