Page 2 of 4
Results 11 to 20 of 38

Thread: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

  1. #11
    Join Date
    Feb 2011
    Beans
    1

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Hi,
    Thanks a lot for a very nice tutorial! It seems that it is actually possible to use a pkcs15 smart card with GPG (as opposed to the openpgp card).
    I haven't had the opportunity to try it yet (I just ordered a few smartcards from Gooze) but it seems that it can be done using a pkcs11 plugin for gpg: http://gnupg-pkcs11.sourceforge.net/support.html

    Also this link might be useful: http://rainerkeller.de/etoken.html
    Even though it documents the necessary steps for the Aladdin eToken, much of it should still apply.

    If someone manages to get it to work, please keep us posted!

    /J

  2. #12
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Quote Originally Posted by devrandmom:
    I haven't had the opportunity to try it yet (I just ordered a few smartcards from Gooze) but it seems that it can be done using a pkcs11 plugin for gpg: http://gnupg-pkcs11.sourceforge.net/support.html
    Yes, I know about gnupg-pkcs11, this is what I have been struggling with. As I said, it's a bit of a hack, so it doesn't seem very reliable. I had issues at some point in the process of making it recognize the keys on the smart card, and I haven't been able to track the problem down.

    Quote Originally Posted by devrandmom:
    Also this link might be useful: http://rainerkeller.de/etoken.html
    Even though it documents the necessary steps for the Aladdin eToken, much of it should still apply.
    Thanks, I'm going to have a look at it when I get the time. Classes have started again, so I don't have a lot of it right now...
    "I'll be back by the evening of the day after tomorrow."


  3. #13
    Join Date
    Feb 2009
    Beans
    11

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    hello there,

    first of all thanks a lot for this very complete guidance. I'm a beginner, so I still had some difficulties getting the hardware to work etc.

    I am using an openpgp 1.1 card. I managed to get 3 keys on it. my objective would be to use it for login.

    I had little luck with pkcs-... , I used gpg to create the keys.

    anyway, now I would need to export a certificate. this is where I fail at the moment. I tried

    Code:
    gpgsm --gen-key >x.pem
    
       (3) Existing key from card
    
    then chose the third key,
    
       (1) sign, encrypt
    
    Really create request? (y/N) y
    Now creating certificate request.  This may take a while ...
    gpgsm: about to sign CSR for key: &76D93C191A5829154E5330D85585B4F652757F8E
    gpgsm: certificate request created
    Ready.  You should now send this request to your CA.
    the file created like this is not accepted when trying to load it:

    Code:
    root@x:/etc/pam_pkcs11/cacerts# pkcs11_make_hash_link
    we got a problem with: x.crt
    OK, I know this has so far nothing to do with the howto, just wanted to show both my approaches. As far as I understood from the little info, the above should be OK, by the way.

    anyway, I also walked the line with the howto. this looks as follows:

    Code:
    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine
    OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key id_03 -out x.pem
    engine "pkcs11" set.
    failed to enumerate slots
    PKCS11_get_private_key returned NULL
    unable to load Private Key
    9314:error:80002005:PKCS11 library:PKCS11_enum_slots:General Error:p11_slot.c:312:
    9314:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
    error in req
    here I got stuck, I found no solution to overcome this.

    the card is accessible by

    Code:
    pkcs15-tool --read-public-key 03
    strangely to me, here I am asked for the admin PIN.

    I hope someone sees my mistake and shows me how I can export and re-import that certificate.
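The gpgsm output quoted above ends with "certificate request created", so the x.pem it wrote is a CSR rather than a certificate, and a cacerts hash link cannot be built from a CSR. The shell script below is an added example (not from this thread and not pam_pkcs11's own script) that tells the two apart and installs only real certificates with the <subject-hash>.0 symlink that hash-link lookup expects; it assumes the openssl CLI is installed and builds its own throwaway certificate and CSR for the demo.

```shell
#!/bin/sh
# Added example: classify a PEM file and install only certificates into a
# cacerts-style directory with the <subject-hash>.0 symlink. Assumes openssl.

# pem_kind FILE -> prints "cert", "csr" or "unknown"
pem_kind() {
    if openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        echo cert
    elif openssl req -noout -in "$1" >/dev/null 2>&1; then
        echo csr        # what 'gpgsm --gen-key' produced in the post above
    else
        echo unknown
    fi
}

# install_ca_cert FILE DIR -> copies FILE into DIR, links <hash>.0 to it and
# prints the link path; returns 1 (installs nothing) for anything that is
# not a certificate.
install_ca_cert() {
    file=$1; dir=$2
    [ "$(pem_kind "$file")" = cert ] || { echo "not a certificate: $file" >&2; return 1; }
    mkdir -p "$dir"
    hash=$(openssl x509 -noout -hash -in "$file")   # subject hash, as OpenSSL lookup uses
    cp "$file" "$dir/$(basename "$file")"
    ln -sf "$(basename "$file")" "$dir/$hash.0"     # relative link, survives moving DIR
    echo "$dir/$hash.0"
}

# demo_setup -> prints a temp dir holding a constructed self-signed cert
# (ca.crt) and a constructed CSR (x.pem), mirroring the two files in the post.
demo_setup() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" >/dev/null 2>&1
    openssl req -new -key "$tmp/ca.key" -subj /CN=demo-csr \
        -out "$tmp/x.pem" >/dev/null 2>&1
    echo "$tmp"
}
```

Running install_ca_cert on the CSR reports "not a certificate" instead of leaving an unusable file in cacerts, which is the failure pkcs11_make_hash_link reported in the post.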

  4. #14
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    As its name implies, pam_pkcs11 will only work with PKCS#11 cards, not with OpenPGP cards. The two standards are AFAIK not compatible (hence the difficulty of using PKCS#11 cards with GnuPG).
    "I'll be back by the evening of the day after tomorrow."


  5. #15
    Join Date
    Feb 2009
    Beans
    11

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    thanks for the rapid answer. as you see I am that noob. I just had this card and wanted to make use of it...

    I just ordered a Feitian card.

  6. #16
    Join Date
    Feb 2009
    Beans
    11

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    hello again.

    i got a feitian card. on lucid i had to install opensc 0.12.1 to make it work. i also had to copy over stuff from /usr/local/bin and /usr/local/lib to /usr/bin and /usr/lib. this just for the sake of the record.

    ok, so i initialized the card. the next step is exactly the same, where i got stuck with the other card:

    Code:
    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine
    OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key id_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -out mysmartcard.cert.pem
    engine "pkcs11" set.
    Found empty token; 
    PKCS11_get_private_key returned NULL
    unable to load Private Key
    12695:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
    error in req
    is this something i messed up in my environment? shall i better start on another machine? thanks.

  7. #17
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Quote Originally Posted by stupid_for_a_file:
    hello again.

    i got a feitian card. on lucid i had to install opensc 0.12.1 to make it work. i also had to copy over stuff from /usr/local/bin and /usr/local/lib to /usr/bin and /usr/lib. this just for the sake of the record.
    You shouldn't have done that. By copying files around, you probably overwrote something important. Also it worked in Lucid with the OpenSC version from the repos when I wrote the tutorial, so it definitely should still work now. You should have posted the error message you got with the version from the repos, because now, it's hard to tell where the error comes from since your installation is potentially broken.
    "I'll be back by the evening of the day after tomorrow."


  8. #18
    Join Date
    Feb 2009
    Beans
    11

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    you won't see me giving up... so i started to follow the howto step-by-step on a clean 10.04 64-bit machine. there are packages removed from the machine, but not anything which is related to this (i hope).

    so the first note is "to add myself to the scard group". this group did not exist after installing the packages opensc pcsc-tools libccid. i did not do that yet, but i guess the commands are:

    addgroup scard
    addgroup yourname scard

    i carried on skipping the steps with initializing the card, because that was done properly on the other machine already.

    after listing the id i went on to openssl to request the certificate, but loading the engine failed:

    Code:
    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Failure]: LOAD
    7363:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/usr/lib/engines/engine_pkcs11.so): /usr/lib/engines/engine_pkcs11.so: cannot open shared object file: No such file or directory
    7363:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
    7363:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
    [Failure]: MODULE_PATH:opensc-pkcs11.so
    7363:error:260AC089:engine routines:INT_CTRL_HELPER:invalid cmd name:eng_ctrl.c:134:
    7363:error:260AB089:engine routines:ENGINE_ctrl_cmd_string:invalid cmd name:eng_ctrl.c:316:
    OpenSSL>

    here i figured out i need
    Code:
    libengine-pkcs11-openssl
    . i installed it, and then the engine got properly loaded. then i wanted to request the certificate:

    Code:
    OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key id_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -out mysmartcard.cert.pem
    invalid engine "pkcs11"
    8663:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(/usr/lib/ssl/engines/libpkcs11.so): /usr/lib/ssl/engines/libpkcs11.so: cannot open shared object file: No such file or directory
    8663:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
    8663:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
    8663:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:415:id=pkcs11
    8663:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:162:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory
    8663:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:
    8663:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
    no engine specified
    unable to load Private Key
    error in req
    OpenSSL> q

    this libpkcs11.so is not found on the filesystem. here i thought i would ask you before i do something inappropriate. thanks a lot.

  9. #19
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Quote Originally Posted by stupid_for_a_file:
    you won't see me giving up...
    That's the spirit. I am going to try later today on a Lucid system because what you say puzzles me. I will tell you what I find.
    "I'll be back by the evening of the day after tomorrow."


  10. #20
    Join Date
    Feb 2009
    Beans
    11

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    i solved this one...

    Code:
    root@masodik:/usr/lib/ssl/engines# cp engine_pkcs11.so libpkcs11.so
    ...and then i got the following error:

    Code:
    [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Security status not satisfied
    [opensc-pkcs11] card-entersafe.c:901:entersafe_compute_with_prkey: internal set security env failed: Security status not satisfied
    [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
    [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
    this i could solve with re-commenting the line i uncommented in the beginning:

    Code:
    nano /etc/opensc/opensc.conf
    Code:
    #lock_login = false;

    now i have a certificate, how nice. i keep fighting tomorrow, i guess.
    Last edited by stupid_for_a_file; June 24th, 2011 at 11:47 PM.
