Notes carte à puce - smart card

Voir :

x509

Coté serveur :

Nginx / PHP : http://sweet.ua.pt/jpbarraca/course/sio-1920/p/guide-SSL-en.pdf

Python:

https://python-pkcs11.readthedocs.io/en/latest/index.html

sudo aptitude install pcscd libpcsclite1 pcsc-tools
sudo aptitude install openct opensc

Test your Token

opensc-tool -lv
openct-tool list
pcsc_scan

Voir aussi :

https://www.openscdp.org/scsh3/download.html

How can I distinguish a Nitrokey HSM 1 from an Nitrokey HSM 2?

Use

opensc-tool --list-algorithms

Outils

opensc-tool
pkcs11-tool
pkcs15-tool
pkcs15-init
cardos-tool

Install - Vérif - Drivers

pkcs11-tool --module opensc-pkcs11.so -L

OpenSSL

List the available slots.

pkcs11-tool --list-slots

openssl req -engine pkcs11 -new -key slot_X-id_XXXX -keyform engine -x509 -out cert.pem -text

where X is the appropriate slot number and XXXX is the slot ID, e.g. “… -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a …”

GPG

Reset to factory defaults: Make sure GnuPG agent is started, if not:

eval $(gpg-agent --daemon)

Send the reset commands:

gpg-connect-agent < file

Where “file” contains:

hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Reset complete

Source https://blog.mozilla.org/security/2013/02/13/using-cryptostick-as-an-hsm/

Autres

data objects (DF, EF)

pkcs

The three keys in the have these IDs: Singing key: 1, Decryption key: 2, Authentication: 3.

Key generation via pkcs15-init

pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key rsa/2048 --auth-id 3 --verify

The keyspec consist of the key type (only RSA is supported) and optinally a slash followed by the keysize in bits (defaults to 1024). E.g to generate a 1024-bit RSA key, use pkcs15-init -G rsa/1024 -a 01 -l testkey

There is limitation: pkcs15-init requires new key length to be the same as existing key. To generate key with different key length, openpgp-tool is recommended.

pkcs15-init also requires to explicitly remove existing key/object. That’s why we have --delete-objects privkey,pubkey --id 3 in the command (though it has no effect to CryptoStick, which does not support deleting key, but support overwriting key).

Source : https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card

Autres

pkcs15-tool --dump

pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
$ pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin

The two commands copy the key-certificate pair to the slot 2 (needed for decrypting emails) and slot 3 (needed for signing).

Autres - Génération paire de clefs pour s/mime

#set +o history
export HISTCONTROL = ignorespace
 pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 40 --label "antispam@relst.nl"