Ceci est une ancienne révision du document !
Table des matières
Notes carte à puce - smart card
Voir :
x509
Coté serveur :
Python:
sudo aptitude install pcscd libpcsclite1 pcsc-tools sudo aptitude install openct opensc
Test your Token
opensc-tool -lv
openct-tool list
pcsc_scan
Voir aussi :
How can I distinguish a Nitrokey HSM 1 from an Nitrokey HSM 2?
Use
opensc-tool --list-algorithms
Outils
- opensc-tool
- pkcs11-tool
- pkcs15-tool
- pkcs15-init
- cardos-tool
Install - Vérif - Drivers
pkcs11-tool --module opensc-pkcs11.so -L
OpenSSL
List the available slots.
pkcs11-tool --list-slots
openssl req -engine pkcs11 -new -key slot_X-id_XXXX -keyform engine -x509 -out cert.pem -text
where X is the appropriate slot number and XXXX is the slot ID, e.g. “… -key slot_5-id_c6f280080fb0ed1ebff0480a01d00a98a1b3b89a …”
GPG
Reset to factory defaults: Make sure GnuPG agent is started, if not:
eval $(gpg-agent --daemon)
Send the reset commands:
gpg-connect-agent < file
Where “file” contains:
hex scd serialno scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40 scd apdu 00 e6 00 00 scd apdu 00 44 00 00 /echo Reset complete
Source https://blog.mozilla.org/security/2013/02/13/using-cryptostick-as-an-hsm/
Autres
data objects (DF, EF)
pkcs
The three keys in the have these IDs: Singing key: 1, Decryption key: 2, Authentication: 3.
Key generation via pkcs15-init
pkcs15-init --delete-objects privkey,pubkey --id 3 --generate-key rsa/2048 --auth-id 3 --verify
The keyspec consist of the key type (only RSA is supported) and optinally a slash followed by the keysize in bits (defaults to 1024). E.g to generate a 1024-bit RSA key, use pkcs15-init -G rsa/1024 -a 01 -l testkey
There is limitation: pkcs15-init requires new key length to be the same as existing key. To generate key with different key length, openpgp-tool is recommended.
pkcs15-init also requires to explicitly remove existing key/object. That’s why we have --delete-objects privkey,pubkey --id 3 in the command (though it has no effect to CryptoStick, which does not support deleting key, but support overwriting key).
Source : https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
Autres
pkcs15-tool --dump
pkcs15-init --delete-objects privkey,pubkey --id 3 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin $ pkcs15-init --delete-objects privkey,pubkey --id 2 --store-private-key myprivate.p12 --format pkcs12 --auth-id 3 --verify-pin
The two commands copy the key-certificate pair to the slot 2 (needed for decrypting emails) and slot 3 (needed for signing).
Autres - Génération paire de clefs pour s/mime
#set +o history export HISTCONTROL = ignorespace pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type rsa:2048 --id 40 --label "antispam@relst.nl"