On Wed, 2019-03-06 at 16:08 -0800, Andrew C. Dingman wrote:
Hi, All,
I'm working on a project for which we need to take blank smart cards
and configure them to be used as authentication tokens in a pure RHEL
environment. Given a token with the appropriate certificate loaded, we
have all the client pieces working, but where we stumble is on getting
the cards set up in the first place.
The three steps I can't seem to accomplish with OpenSC on RHEL are
generating a keypair, generating the corresponding certificate, and
then loading the issued certificate onto the card. I can make all of
that happen with a YubiKey 5, but only using a vendor-specific tool:
# Generate the keypair
yubico-piv-tool -a generate -s 9a -A RSA3072 \
    --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" > "${WORKDIR}/9a.key"
# Create a CSR
yubico-piv-tool -a verify -a request -s 9a \
    --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" \
    -S "/CN=${IdMuid}/O=${IdMRealm}/" < "${WORKDIR}/9a.key" > "${WORKDIR}/9a.csr"
# Submit the CSR to IPA
ipa cert-request "${WORKDIR}/9a.csr" --principal="${IdMuid}" \
    --profile-id=IECUserRoles --certificate-out="${WORKDIR}/9a.crt"
# Load certificate onto card
yubico-piv-tool -a import-certificate -s 9a --pin="${TOKEN_PIN}" \
    --key="${TOKEN_MK}" < "${WORKDIR}/9a.crt"
But if I try to replace the calls to yubico-piv-tool above with calls
to opensc's piv-tool or pkcs11-tool, I just get errors about the
operation not being supported by the card -- whether I use a YubiKey, a
G&D SmartCafe card, or a Gemalto card. I also get those errors from the
Taglio PIV_II, but their documentation straight up says you have to use
Windows to provision them.
I suspect what's going on here is that the card vendors aren't
implementing the provisioning operations through standard interfaces
and I lack either the right PKCS11 module for the card, or some
equivalent to the yubico-piv-tool that the other token vendors would
need to supply. Can anyone confirm that? Or otherwise tell me what I'm
missing?
We're pretty flexible about tokens; anything acceptable for US
government use and shaped like a card rather than a USB device is
acceptable for the project, but we don't want any Windows in the
provisioning process. So if you know a particular smart card model that
you know can be provisioned entirely on RHEL, that would be really
useful information for us. I think the Aventra MyEID likely can based
on their site and the OpenSC documentation, but I'm not entirely
certain it's FIPS certified for more than the RNG.
Thanks for any insight you can offer!
Following up my own post, I have now received some of the Aventra MyEID
cards I mentioned, and they do indeed work in a pure RHEL environment.
Given the tools I used, probably any RHEL >= 7.4, though I only tested
on 7.6.
One interesting thing about the card: Although the process below lets
me create a functional card for login purposes, ESC completely refuses
to touch these cards when they are blank. The format button stays
greyed out and no certificates show up even though the blank card is
shown. Formatting with pkcs15-init still doesn't give me any option to
enroll. I'm not sure we care about the KRA, TPS, or other features we'd
get by using Certificate System rather than the embedded Dogtag in IPA,
but it does seem odd. Insight would be most welcome.
Eventually I'll make a blog post or article or something of it, but in
the meantime here's what I did:
[admin@client1 ~]$ sudo pkcs15-init -C --pin ${USERPIN} --puk ${USERPUK} --so-pin ${SOPIN} --so-puk ${SOPUK}
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
[admin@client1 ~]$ pkcs15-init -P -a 1 -l "${PINLABEL}" --pin ${USERPIN} --puk ${USERPUK} --so-pin ${SOPIN}
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
[admin@client1 ~]$ mkdir nssdb
[admin@client1 ~]$ certutil -N -d nssdb --empty-password
[admin@client1 ~]$ modutil -dbdir nssdb/ -add OpenSC -libfile /lib64/opensc-pkcs11.so
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
Module "OpenSC" added to database.
[admin@client1 ~]$ certutil -d nssdb/ -h "${PINLABEL} (MyEID)" -R -k rsa -g 2048 -s 'CN=demo,O=EXAMPLE.COM' -7 demo@example.com -a -o demo.csr
Enter Password or Pin for "Auth PIN (MyEID)":
A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
Enter Password or Pin for "Auth PIN (MyEID)":
Enter Password or Pin for "Auth PIN (MyEID)":
[admin@client1 ~]$ ipa cert-request demo.csr --principal=demo --profile-id=IECUserRoles --certificate-out=demo.crt
Issuing CA: ipa
Certificate: [base64 certificate omitted]
Subject: CN=demo,O=EXAMPLE.COM
Subject email address: demo@example.com
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Thu Mar 14 23:04:08 2019 UTC
Not After: Sun Mar 14 23:04:08 2021 UTC
Serial number: 19
Serial number (hex): 0x13
[admin@client1 ~]$ openssl x509 -inform pem -in demo.crt -outform der -out demo.der
[admin@client1 ~]$ pkcs11-tool -w demo.der -y cert --pin ${USERPIN}
Using slot 1 with a present token (0x4)
Created certificate:
Certificate Object; type = X.509 cert
label: Certificate
ID: 6034d6b339a90c169ecbee2f151a33ec7445a4b7
[admin@client1 ~]$ pkcs15-init -F
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
[admin@client1 ~]$
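The enrollment sequence from the MyEID session above, collected into a script, as an added example (not code from the thread, OpenSC or FreeIPA). It adds one step neither the YubiKey flow in the first message nor the MyEID session performs: before the issued certificate is written to the card, it confirms that the certificate's public key is the one in the CSR the card produced. pkcs11-tool will store a certificate for a key the token does not hold without complaint, and such a card fails at login with nothing obviously wrong. USERPIN, USERPUK, SOPIN, SOPUK and PINLABEL are the thread's variables; PRINCIPAL, SUBJECT and EMAIL are assumed extra inputs, and the tools are assumed to be installed on the RHEL client.

```shell
#!/bin/bash
# Added example, not code from the list thread or from OpenSC/FreeIPA.
# Wraps the MyEID enrollment sequence posted above in a function and adds one
# check the thread does not show: before the issued certificate is written to
# the card, confirm its public key is the one in the CSR the card produced.
#
# Assumptions: openssl, certutil, modutil, pkcs15-init, pkcs11-tool and the
# ipa client are installed; USERPIN, USERPUK, SOPIN, SOPUK and PINLABEL are
# the thread's variables; PRINCIPAL, SUBJECT and EMAIL are assumed extra
# inputs (e.g. demo, 'CN=demo,O=EXAMPLE.COM', demo@example.com).

# Print the hex SHA-256 of the DER SubjectPublicKeyInfo held in a PEM file.
# $1 is the openssl subcommand that reads that file type ("req" or "x509"),
# $2 the file. Fails (non-zero, no output) when the file is not of that type,
# so two unreadable files can never "match" on the hash of an empty key.
spki_hash() {
    local pub
    pub=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 only when PEM certificate $2 carries the public key of PEM CSR $1.
cert_matches_csr() {
    local csr_hash crt_hash
    csr_hash=$(spki_hash req "$1") || return 2
    crt_hash=$(spki_hash x509 "$2") || return 2
    [ -n "$csr_hash" ] && [ "$csr_hash" = "$crt_hash" ]
}

# The thread's sequence with the check inserted. Needs a blank MyEID in the
# reader and an enrolled IPA client; the offline test does not call this.
provision_myeid() {
    local work
    work=$(mktemp -d) || return 1

    # 1. Initialise the card and create the user PIN (as in the thread).
    sudo pkcs15-init -C --pin "$USERPIN" --puk "$USERPUK" \
        --so-pin "$SOPIN" --so-puk "$SOPUK" || return 1
    pkcs15-init -P -a 1 -l "$PINLABEL" --pin "$USERPIN" --puk "$USERPUK" \
        --so-pin "$SOPIN" || return 1

    # 2. NSS database with the OpenSC PKCS#11 module so certutil sees the
    #    card. -force answers modutil's "browser running" prompt.
    mkdir -p "$work/nssdb"
    certutil -N -d "$work/nssdb" --empty-password || return 1
    modutil -dbdir "$work/nssdb" -add OpenSC \
        -libfile /lib64/opensc-pkcs11.so -force || return 1

    # 3. Generate the RSA key pair on the card and a CSR for it.
    certutil -d "$work/nssdb" -h "$PINLABEL (MyEID)" -R -k rsa -g 2048 \
        -s "$SUBJECT" -7 "$EMAIL" -a -o "$work/req.csr" || return 1

    # 4. Have IPA issue the certificate.
    ipa cert-request "$work/req.csr" --principal="$PRINCIPAL" \
        --profile-id=IECUserRoles --certificate-out="$work/req.crt" || return 1

    # 5. The added check: never write a certificate for some other key.
    if ! cert_matches_csr "$work/req.csr" "$work/req.crt"; then
        echo "issued certificate does not match the key on the card" >&2
        return 1
    fi

    # 6. DER-encode, store on the card, finalise (as in the thread).
    openssl x509 -inform pem -in "$work/req.crt" -outform der \
        -out "$work/req.der" || return 1
    pkcs11-tool -w "$work/req.der" -y cert --pin "$USERPIN" || return 1
    pkcs15-init -F
}
```

Source the file and call provision_myeid with the variables exported, or call cert_matches_csr on its own against the 9a.csr and 9a.crt files of the YubiKey flow before the import-certificate step. The hash is taken over the DER SubjectPublicKeyInfo rather than the PEM text so that a CSR and a certificate compare equal whatever their line wrapping.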