January 27, 2014

PIV card and Linux

Goal:
  1. Program a blank Gemalto PIV card (Protiva PIV Card v1.55 DL) so that it contains a certificate for the RSA key pair generated on the card (the private key never leaves the card)
  2. Have Linux wpa_supplicant use the certificate and key on the card to perform EAP-TLS authentication

Card Programming:
Approach 1: Use the NIST PIV card test software
  1. Download the software from: http://csrc.nist.gov/groups/SNS/piv/download.html
    1. You need both the "SP 800-73 Reference Implementation" and the "PIV Data Generator and PIV Data Loader"
  2. Install a Java JRE if you don't have one (the data generator is a Java program)
  3. Unzip both of them to a folder, in my case c:\tools\pivcard
    1. Open a Cmd window as Administrator
    2. cd \tools\pivcard\PIV Middleware\Binaries
    3. install.bat
    4. copy c:\windows\system32\piv.dll ..\..\PIV_Test_Data_Software\Binaries
  4. Now you can run "PIV_Test_Data_Software\Binaries\PIV Data Loader.exe" to write to the card, and "JPIV Test Data Generator.jar" to generate the data
  5. The PIV Data Loader takes its input from the Data Generator. Some Data Generator tips:
    1. Go to "Crypto Provider" and point it at your root keystore. If you don't have one, use the open-source KeyStore Explorer to create one (standard JKS format), create a key pair in it, and make it a self-signed root CA.
    2. The CA alias is your CA's name in the keystore
    3. The content signer's alias can be the same as the CA's alias
    4. Put something random in the fields of the CHUID tab. The GUID has to be 16 characters (the CHUID GUID is a 16-byte field)
    5. Under the "Certificates" tab, pick "PIV auth cert"; "valid from" and "valid to" use the format YYYYMMDDHHMMSS
    6. Choose "get public key from file". This file is produced by the Data Loader under "asymmetric key pair", which has the card generate the RSA key pair and exports only the public half; the private key stays on the card
    7. Now hit "Generate", check the console for errors, then "Save"
  6. The saved certificate file is not bare DER: the Data Generator adds a header and a footer around the standard DER certificate.
    1. The header is a one-byte BER-TLV tag followed by "82 LEN1 LEN2", the long form of the definite-length encoding (0x82 means two big-endian length bytes follow). For the PIV Authentication certificate the tag observed was 0x30, which in DER means SEQUENCE, the same tag a bare DER certificate starts with; for the Signature Certificate the header is "70 82 ...". SP 800-73 defines 0x70 as the Certificate tag of every X.509 certificate data object on a PIV card.
    2. The footer is the 5 bytes "71 01 00 fe 00". In SP 800-73 terms, 0x71 is the CertInfo tag with a 1-byte value of 0x00 (low two bits 00 = the certificate is not gzip-compressed), and 0xFE is the Error Detection Code tag with a zero-length value. (A generic ASN.1 decoder shows 0x71 as an application-class tag number 17, which is why it reads as "application, SET", and 0xFE as a private-class tag.)
    3. If you want to generate your own certificate instead of using the Data Generator, I suppose you could generate a DER format certificate, wrap it with the header and footer above, then burn it to the card using the Data Loader application. I have not tried this yet.
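The wrapping described in this list, as an added example that is not part of the original post or of NIST's software: a Python script that puts a DER certificate into the SP 800-73 certificate data object TLV (0x70 Certificate, 0x71 CertInfo, 0xFE Error Detection Code) and parses such a file back into bare DER. The script name piv_tlv.py and the 300-byte SAMPLE_DER stand-in are assumptions made for this example; whether the Data Loader accepts a file produced this way is still the untested step above.

```python
"""Added example (not code from the original post or from NIST's tools): build and
parse the SP 800-73 certificate data object that the Data Generator wraps around a
DER certificate.  Elements, in order:
    0x70 Certificate           the DER certificate, optionally gzip-compressed
    0x71 CertInfo              one byte; low two bits 01 mean gzip-compressed
    0xFE Error Detection Code  zero-length value
SAMPLE_DER below is a constructed 300-byte stand-in, not a real certificate."""
import gzip
import sys


def ber_length(n):
    """Definite-form BER length: one byte below 128, otherwise 0x80|N followed by
    N big-endian bytes, e.g. 300 -> 82 01 2C (the '82 LEN1 LEN2' in the dump)."""
    if n < 0:
        raise ValueError("negative length")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    """One BER-TLV element with a single-byte tag."""
    return bytes([tag]) + ber_length(len(value)) + value


def wrap_piv_cert(der_cert, compress=False):
    """DER certificate -> 70 <len> <cert> 71 01 <certinfo> FE 00."""
    if len(der_cert) < 2 or der_cert[0] != 0x30:
        raise ValueError("expected a DER certificate (leading 0x30 SEQUENCE tag)")
    payload = gzip.compress(der_cert) if compress else der_cert
    certinfo = b"\x01" if compress else b"\x00"
    return tlv(0x70, payload) + tlv(0x71, certinfo) + tlv(0xFE, b"")


def parse_tlvs(data):
    """Parse consecutive single-byte-tag BER-TLV elements into [(tag, value), ...].
    Refuses indefinite lengths (0x80) and any value that runs past the buffer."""
    elems = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated tag/length at offset %d" % i)
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:
            nbytes = first & 0x7F
            if nbytes == 0 or nbytes > 4:
                raise ValueError("unsupported length byte 0x%02x" % first)
            if i + nbytes > len(data):
                raise ValueError("truncated length at offset %d" % i)
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        else:
            length = first
        if i + length > len(data):
            raise ValueError("value of tag 0x%02x runs past end of data" % tag)
        elems.append((tag, data[i:i + length]))
        i += length
    return elems


def unwrap_piv_cert(blob):
    """Inverse of wrap_piv_cert: return the bare DER certificate."""
    elems = dict(parse_tlvs(blob))
    if 0x70 not in elems:
        raise ValueError("no 0x70 Certificate element")
    cert = elems[0x70]
    certinfo = elems.get(0x71, b"\x00")
    if certinfo and (certinfo[0] & 0x03) == 0x01:
        cert = gzip.decompress(cert)
    if cert[:1] != b"\x30":
        raise ValueError("unwrapped data does not start with a DER SEQUENCE")
    return cert


# Constructed stand-in: a 300-byte DER SEQUENCE (30 82 01 28 + 296 bytes of filler).
SAMPLE_DER = b"\x30\x82\x01\x28" + bytes(range(256)) + bytes(40)

if __name__ == "__main__":
    # usage: piv_tlv.py wrap   cert.der  cert.piv
    #        piv_tlv.py unwrap cert.piv  cert.der
    mode, src, dst = sys.argv[1:4]
    data = open(src, "rb").read()
    out = wrap_piv_cert(data) if mode == "wrap" else unwrap_piv_cert(data)
    open(dst, "wb").write(out)
    print("%s: %d bytes -> %d bytes" % (mode, len(data), len(out)))
```

The parser is strict on purpose: it refuses indefinite-length encodings and any element whose length runs past the end of the buffer, which is what you want before handing card-supplied bytes to anything else. The 0x30 check in the wrapper only confirms the input looks like DER; it does not validate the certificate.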

Approach 2: Use piv-tool / pkcs11-tool from OpenSC (piv-tool itself did not work well for me)

  1. Use OpenSC 0.12.2 or newer
  2. To read the certificate from the card, use:
    1. pkcs11-tool --module=/usr/lib/i386-linux-gnu/opensc-pkcs11.so -r -y cert -a "Certificate for PIV Authentication" > mycert.der (select the object by label; the output is bare DER)
    2. OR, pkcs11-tool --module=/usr/lib/i386-linux-gnu/opensc-pkcs11.so -r -y cert -d 01 -o my.cert (select by id; OpenSC uses id 01 for the PIV Authentication certificate and its key)
    3. To list all the objects on the card, use: pkcs11-tool --module=/usr/lib/i386-linux-gnu/opensc-pkcs11.so -O (without -l only public objects are shown; add -l and enter the PIN to see the private keys as well)

Wpa_supplicant
From the global section of the default wpa_supplicant.conf:
# OpenSSL Engine support
# These options can be used to load OpenSSL engines.
# The two engines that are supported currently are shown below:
# They are both from the opensc project (http://www.opensc.org/)
# By default no engines are loaded.
# make the opensc engine available
#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
# make the pkcs11 engine available
#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
# configure the path to the pkcs11 module required by the pkcs11 engine
#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so

engine_opensc is the older of the two; the current approach is the pkcs11 engine (engine_pkcs11.so), a generic OpenSSL PKCS#11 engine that in turn loads opensc-pkcs11.so, the OpenSC PKCS#11 library that actually talks to the smartcard. So the two lines to uncomment are pkcs11_engine_path and pkcs11_module_path.
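Putting the pieces together, as an added example that is not from the original post or from the wpa_supplicant project: the engine lines from the comment block above, uncommented, plus a network block for EAP-TLS that signs with the PIV Authentication key on the card. The SSID, identity, CA file name and PIN are placeholders; /etc/cert/mycert.der is assumed to be the certificate read off the card with pkcs11-tool as described above, and key_id "id_01" is the old engine_pkcs11 object-id syntax for OpenSC's id 01 (newer libp11 versions also accept a PKCS#11 URI).

```conf
# Global section: load the pkcs11 engine and point it at the OpenSC PKCS#11 module
# (paths as quoted above; adjust to where your distribution installs them)
ctrl_interface=/var/run/wpa_supplicant
pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
pkcs11_module_path=/usr/lib/i386-linux-gnu/opensc-pkcs11.so

network={
    # placeholder SSID and identity; the identity must be what the RADIUS server expects
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user@example.com"
    # CA that signed the RADIUS server certificate: without this the client
    # accepts any server certificate
    ca_cert="/etc/cert/ca.pem"
    # the certificate read off the card with pkcs11-tool (DER or PEM both work)
    client_cert="/etc/cert/mycert.der"
    # private key is the PIV Authentication key on the card, used through the engine
    engine=1
    engine_id="pkcs11"
    key_id="id_01"
    # PIV PIN; remove this line to be prompted for it through wpa_cli instead
    pin="123456"
}
```

Two things to get right: ca_cert must point at the CA that signed the RADIUS server's certificate, otherwise the supplicant will accept any server and a rogue access point can harvest authentication attempts; and a file containing the PIN must be root-owned and mode 0600, or the pin line should be dropped so wpa_supplicant asks for it. The private key itself never appears in the file: the engine has the card perform the signature during the TLS handshake.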

OpenSC installation under GNU/Linux

  • Communication with the smartcard reader is handled by pcscd (pcsc-lite) plus the libccid driver.
  • Card drivers (including the PIV driver) and the PKCS#11 library are provided by OpenSC.

Installing pcsc + libccid + opensc

Modern smartcard readers are CCID compliant, and on GNU/Linux these are driven by libccid (a non-CCID reader needs a vendor-specific pcsc-lite driver). libccid >= 1.4.5 is recommended.
$ apt-get install pcscd libccid libpcsclite1 opensc

Some important files (each loads the next):
/usr/lib/i386-linux-gnu/opensc-pkcs11.so uses
/usr/lib/i386-linux-gnu/libopensc.so.3, which uses
/usr/lib/i386-linux-gnu/libpcsclite.so.1.0.0
Make sure to add your own user to the pcscd group (log out and back in for it to take effect):
$ adduser foo pcscd
