Prerequisites: your operating system should
support smartcard readers, and you should have installed opensc (cf. above).
Creating a smartcard with a self-signed certificate
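# how can I format/create a new pkcs#15 structure on my smartcard?
# Assume you use the following parameters to specify the default pin, so-pin, puk, etc.
# NOTE: all values below are demo defaults. PINs/PUKs passed on the command line
# (--pin/--so-pin/--puk) are visible to other local users through ps and are kept in
# the shell history; pkcs15-init prompts for a PIN it is not given, so omit those
# options for any card you intend to keep.
userPin=1234
userPuk=654321
userPinLabel='User Smartcard'
userAuthId=01          # pkcs#15 auth object (pin) id protecting the authentication key
userAuthKeyId=45       # id of the authentication key pair and its certificate
userNonRepId=02        # pin id used further down for the non-repudiation key
userNonRepKeyId=46     # id of the non-repudiation key pair
userCountry=BE
userStateOrProvince=Belgium
userOrganization=dummyOrganization
userOrganizationalUnit=dummyOrganizationalUnit
userName=userName
userEmailAddress=userEmailAddress
userSoPin=123456
userSoPuk=12345678
userSmartcardReaderNumber=0
# the pkcs11 engine slot used below is derived as reader*4 (this setup assumes four slots per reader)
userSmartcardSlot=$(( userSmartcardReaderNumber * 4 ))
# these option strings are expanded unquoted on purpose, so that "-r 0" becomes two
# separate arguments; keep them free of any whitespace other than that separator.
userPkcs15initReader="-r $userSmartcardReaderNumber"
userPkcs15toolReader="--reader $userSmartcardReaderNumber"
verbosityLevel="" #-vv
# You can erase the content of a pkcs#15 compatible smartcard such as a gemplus gpk8000 or gpk16000 card and create a new data structure on it with the commands below.
# --erase-card wipes the card irrevocably. --use-default-transport-keys relies on the card
# vendor's default transport keys, so afterwards the card is protected by the SO pin only.
pkcs15-init $userPkcs15initReader $verbosityLevel --erase-card
pkcs15-init $userPkcs15initReader $verbosityLevel --create-pkcs15 --use-default-transport-keys --so-pin "$userSoPin" --so-puk "$userSoPuk"
# how can I initialize a smartcard with a personal identification number (PIN)?
pkcs15-init $userPkcs15initReader $verbosityLevel --store-pin --auth-id "$userAuthId" --label "$userPinLabel" --pin "$userPin" --puk "$userPuk" --so-pin "$userSoPin"
# create a signing key pair and store it on a smartcard?
# You can create a 1024-bit rsa key pair and store it on the smartcard with the command below.
# The key is generated on the card and never leaves it. rsa/1024 is what these older cards
# support; 1024-bit RSA is no longer considered adequate, use rsa/2048 if the card allows it.
pkcs15-init $userPkcs15initReader $verbosityLevel --generate-key rsa/1024 --auth-id "$userAuthId" --pin "$userPin" --so-pin "$userSoPin"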
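# generating a self-signed certificate request with the opensc-pkcs11 engine...
# you can create a script and the corresponding input to automate the certificate request generation.
# openssl reads its commands from the .input file: first load engine_pkcs11, then create the
# request with the on-card key addressed by slot/id; the engine asks for the user pin.
createSelfSignedCertificateRequest=~/tmp/create.self.signed.certificate.request.sh
mkdir -p ~/tmp
chmod og= ~/tmp   # the generated scripts echo card parameters; keep them readable by this user only
# -subj is quoted in the input so that spaces in the fields survive openssl's command parser.
# -sha1 is kept from the original setup; prefer -sha256 where the engine and card support it.
cat > "$createSelfSignedCertificateRequest.input" <<EOF
engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
req -engine pkcs11 -new -key slot_${userSmartcardSlot}-id_${userAuthKeyId} -keyform engine -sha1 -out userCert.req -subj "/C=$userCountry/ST=$userStateOrProvince/O=$userOrganization/OU=$userOrganizationalUnit/CN=$userName/emailAddress=$userEmailAddress"


EOF
# the driver script: report the parameters used, run openssl on the input, then show the request
cat > "$createSelfSignedCertificateRequest" <<EOF
echo the following input was used to create this script:
echo
echo smart card reader to be used=$userSmartcardReaderNumber
echo smart card reader slot to be=$userSmartcardSlot
echo key type=$userAuthKeyId
echo country=$userCountry
echo organization=$userOrganization
echo organizational unit=$userOrganizationalUnit
echo certificate holder name=$userName
echo certificate holder email address=$userEmailAddress
echo
echo
echo ==== enter the user pin when asked for the smartcard pin ====
echo
openssl < "$createSelfSignedCertificateRequest.input"
echo
ls -al userCert.req
echo
openssl req -in userCert.req -text -noout
echo
echo finished creating a self-signed certificate request for $userName
EOF
sh "$createSelfSignedCertificateRequest"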
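# if this script should fail and report something like
# "PKCS11_get_private_key returned NULL", you might have forgotten to create the
# following symbolic link while installing/configuring opensc:
sudo ln -fs /usr/lib/pkcs11/opensc-pkcs11.so /usr/lib
# if you wish to get rid of the openct warnings, consider creating the following dummy directory and file:
sudo mkdir -p /var/run/openct
sudo touch /var/run/openct/status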
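# how can I create a self-signed certificate using the private key in my smartcard?
# you can create a script and the corresponding input to automate the self-signed certificate generation.
# The request created above is signed with the same on-card key (-signkey), so the result is self-signed;
# the usr_cert extensions come from the system openssl.cnf.
createSelfSignedCertificate=~/tmp/create.self.signed.certificate.sh
mkdir -p ~/tmp
chmod og= ~/tmp   # keep the generated scripts private to this user
# -sha1 is kept from the original setup; prefer -sha256 where the engine and card support it.
cat > "$createSelfSignedCertificate.input" <<EOF
engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
x509 -req -engine pkcs11 -in userCert.req -sha1 -extfile /etc/ssl/openssl.cnf -extensions usr_cert -signkey slot_${userSmartcardSlot}-id_${userAuthKeyId} -out userCert.pem -days 365 -keyform engine
EOF
cat > "$createSelfSignedCertificate" <<EOF
echo the following input was used to create this script:
echo
echo smart card reader to be used=$userSmartcardReaderNumber
echo smart card reader slot to be=$userSmartcardSlot
echo key type=$userAuthKeyId
echo
echo
echo ==== enter the user pin when asked for the smartcard pin ====
echo
openssl < "$createSelfSignedCertificate.input"
echo
ls -al userCert.pem
EOF
# once the script has been created, you can execute it
sh "$createSelfSignedCertificate"
# how can I store a certificate on my smartcard?
# if the above went fine, you can store the new certificate on the smartcard (writing objects needs the SO pin):
pkcs15-init $userPkcs15initReader $verbosityLevel --store-certificate userCert.pem --so-pin "$userSoPin"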
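# miscellaneous tools to view/manage your smartcard's content
# how can I read out a certificate from my smartcard?
pkcs15-tool $userPkcs15toolReader $verbosityLevel --read-certificate "$userAuthKeyId" --output userCertificateFromSmartcard.pem
# how can I get a list of the smartcard readers which opensc currently detected?
opensc-tool --list-readers
# how can I learn the atr (answer to reset) of the cards which are currently available?
# one reader per line of --list-readers output; the first field of every pcsc line is the reader number
opensc-tool --list-readers | grep -v detached | grep pcsc | cut -d' ' -f1 |
  while IFS= read -r reader; do
    printf 'atr found in reader %s: ' "$reader"
    opensc-tool --reader "$reader" --atr
  done
# how can I see what information is stored on my smartcard?
# You can query your smartcard to see what data objects, public and private keys, certificates and pin objects have been stored on your card:
pkcs15-tool $userPkcs15toolReader $verbosityLevel --list-certificates --list-data-objects --list-pins --list-keys --list-public-keys
# how can I change the security officer pin of my smartcard?
pkcs15-tool $userPkcs15toolReader $verbosityLevel --change-pin
# how can I change the user pin of my smartcard? (-a selects the pin object by auth id)
pkcs15-tool $userPkcs15toolReader $verbosityLevel --change-pin -a 45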
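# logging in with smartcards
# what should I do to use a smartcard to log in on the console?
# - you should first prepare the pam (pluggable authentication module) configuration file
#   to include opensc as a login possibility. "sufficient" means that a successful smartcard
#   authentication satisfies the auth stack on its own, so the per-user certificate file
#   created below must not be writable by anyone else.
#   This should be executed only once: the substitution is not idempotent and would add
#   another pam_opensc line on every run, hence the grep guard in front of it.
grep -q 'pam_opensc.so' /etc/pam.d/login ||
  sudo perl -pi -e 's/auth.*required.*pam_env.so/auth sufficient pam_opensc.so\nauth required pam_env.so/' /etc/pam.d/login
# - each user who wishes to use the smartcard for logging in at the console should create a
#   ~/.eid directory and store the authentication certificate of his/her smartcard in the
#   file ~/.eid/authorized_certificates (-r/-o are the short forms of --read-certificate/--output):
READERNR=0
mkdir -p ~/.eid
chmod og= ~/.eid
pkcs15-tool --reader "$READERNR" -r 45 -o ~/.eid/authorized_certificates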
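# prepare your CA ready to issue new certificates...
# demoCA/ is the default layout openssl ca expects: index.txt (issued-certificate database),
# serial (next serial number, in hexadecimal) and newcerts/ (copies of issued certificates).
CADIR=~/myCA
mkdir -p "$CADIR/demoCA/newcerts"
chmod og= "$CADIR"   # the CA directory will also hold generated scripts; keep it private
cd "$CADIR" || echo "cannot cd to $CADIR" >&2
touch "$CADIR/demoCA/index.txt"
# seed the serial only once, so re-running this section never reuses serial numbers
if [[ -e "$CADIR/demoCA/serial" ]]; then
  echo "current certificate serial number: $(cat "$CADIR/demoCA/serial")"
else
  echo 1000 > "$CADIR/demoCA/serial"
  echo "initialized certificate serial number: $(cat "$CADIR/demoCA/serial")"
fi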
# how can I create my own ca smartcard?
# Disclaimer: the information you find in this section (even on this site)
# is to be used for illustration purposes, and for illustration purposes only!
# Decent certification authority software basically performs the same
# functionality as illustrated below, but relies on strict procedures with
# respect to knowledge of the CA pin, access to the CA card, etc. You should
# use this code for no other purposes than cheap demos.
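# The methods described below rely on two distinct smartcard readers used to accommodate the ca smartcard and a user smartcard...
# Assume you use the following parameters to specify the default pin, so-pin, puk, etc.
# (demo values; PINs given on the command line are visible via ps and the shell history,
# pkcs15-init prompts for any PIN it is not given)
caPin=2345
caPuk=765432
caPinLabel='CA Smartcard'
caAuthId=01
caKeyId=45
caCountry=BE
caStateOrProvince=Belgium
caOrganization=dummyOrganization
caOrganizationalUnit=dummyOrganizationUnit
caName=CertificationAuthorityName
caEmailAddress=CertificationAuthorityEmailAddress
# passed verbatim to pkcs15-init; leave it empty (insecureCa=) for anything beyond a demo card
insecureCa=--insecure
caSoPin=543216
caSoPuk=65432187
# set "caSmartcardReaderNumber=0" if you use only one smartcard reader while personalizing your smartcards
# set "caSmartcardReaderNumber=1" if your ca smartcard is in the second reader... (recommended)
caSmartcardReaderNumber=0
caSmartcardSlot=$(( caSmartcardReaderNumber * 4 ))
# expanded unquoted below on purpose, so that option and value become separate arguments
caPkcs15initReader="-r $caSmartcardReaderNumber"
caPkcs15toolReader="--reader $caSmartcardReaderNumber"
verbosityLevel="" #-vv
# the following commands erase all information from a new pkcs#15 smartcard and initialize everything to make it a certification authority smartcard.
# Safety check first: if the card already carries a certificate issued by $caOrganization it is left alone.
# (grep -qF keeps the issuer line off the terminal and matches the name literally.)
rm -f cert.pem
pkcs15-tool $caPkcs15toolReader $verbosityLevel --read-certificate "$caKeyId" --output cert.pem
if [[ -e cert.pem ]] && openssl x509 -in cert.pem -issuer -noout | grep -qF -- "$caOrganization"; then
  echo "the smartcard already contains a ca certificate... not overwriting this ca card ============"
  echo "execute the following command manually if the card needs to be reinitialized:"
  echo 'pkcs15-init $caPkcs15initReader $verbosityLevel $insecureCa --erase-card --create-pkcs15 --use-default-transport-keys --so-pin $caSoPin --so-puk $caSoPuk'
else
  echo "no pre-existing ca information found... assuming the card does not contain any valuable information..."
  # --erase-card is irrevocable; --use-default-transport-keys relies on the vendor's default transport keys
  pkcs15-init $caPkcs15initReader $verbosityLevel $insecureCa --erase-card --create-pkcs15 --use-default-transport-keys --so-pin "$caSoPin" --so-puk "$caSoPuk"
  pkcs15-init $caPkcs15initReader $verbosityLevel $insecureCa --store-pin --auth-id "$caAuthId" --label "$caPinLabel" --pin "$caPin" --puk "$caPuk" --so-pin "$caSoPin"
  # the ca key is generated on the card; rsa/1024 is what these older cards support, use rsa/2048 if the card allows it
  pkcs15-init $caPkcs15initReader $verbosityLevel $insecureCa --generate-key rsa/1024 --auth-id "$caAuthId" --pin "$caPin" --so-pin "$caSoPin"
fi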
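# the certificate request for the ca itself, signed with the on-card ca key via engine_pkcs11
createSelfSignedCaCertificateRequest=$CADIR/create.self.signed.ca.certificate.request.sh
# -subj is quoted so that spaces in the fields survive openssl's command parser;
# -sha1 is kept from the original setup, prefer -sha256 where the engine and card support it.
cat > "$createSelfSignedCaCertificateRequest.input" <<EOF
engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
req -engine pkcs11 -new -sha1 -key slot_${caSmartcardSlot}-id_${caKeyId} -keyform engine -out cacert.req -subj "/C=$caCountry/ST=$caStateOrProvince/O=$caOrganization/OU=$caOrganizationalUnit/CN=$caName/emailAddress=$caEmailAddress"


EOF
cat > "$createSelfSignedCaCertificateRequest" <<EOF
echo the following input was used to create this script:
echo
echo smart card reader to be used=$caSmartcardReaderNumber
echo smart card reader slot to be=$caSmartcardSlot
echo key type=$caKeyId
echo country=$caCountry
echo organization=$caOrganization
echo organizational unit=$caOrganizationalUnit
echo certificate holder name=$caName
echo certificate holder email address=$caEmailAddress
echo
echo
echo ==== enter the ca pin when asked for the smartcard pin ====
echo
openssl < "$createSelfSignedCaCertificateRequest.input"
echo
echo ==== finished creating the self-signed ca certificate request ====
echo
ls -al cacert.req
echo
EOF
sh "$createSelfSignedCaCertificateRequest"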
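# the following commands create the CA certificate based on the CA certificate request:
# the request is self-signed with the on-card ca key using the v3_ca extensions from openssl.cnf,
# verified, stored on the ca card and copied into demoCA/ for openssl ca.
createSelfSignedCaCertificate=$CADIR/create.self.signed.ca.certificate.sh
cat > "$createSelfSignedCaCertificate.input" <<EOF
engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
x509 -req -engine pkcs11 -in cacert.req -sha1 -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey slot_${caSmartcardSlot}-id_${caKeyId} -out cacert.pem -days 365 -keyform engine
EOF
# NOTE: the so-pin is expanded into the generated script in clear text; the script lives in
# $CADIR, which is readable by this user only, remove it once the ca certificate is on the card.
cat > "$createSelfSignedCaCertificate" <<EOF
echo
echo
echo ==== enter the ca pin when asked for the smartcard pin ====
echo
openssl < "$createSelfSignedCaCertificate.input"
echo
openssl x509 -in cacert.pem -text -noout
echo
echo ==== storing the ca certificate to the smartcard ====
echo
if openssl verify -CAfile cacert.pem cacert.pem;then
pkcs15-init $caPkcs15initReader $verbosityLevel --store-certificate cacert.pem --so-pin $caSoPin
cp cacert.pem "$CADIR/demoCA"
fi
echo
echo ==== finished creating a self-signed ca certificate ====
echo
EOF
sh "$createSelfSignedCaCertificate"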
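# how can I create a new smartcard-based certificate request?
# Assume you use the following parameters to specify the default pin, so-pin, puk, etc.
# The device number is taken from the ca's next certificate serial. openssl ca keeps that
# serial in hexadecimal, so it is used verbatim here: arithmetic on it (the original
# $[`cat ...`+0]) fails as soon as it contains a-f, and leading zeros would be read as octal.
nextSerial=$(cat "$CADIR/demoCA/serial")
userPin=1234
userPuk=654321
userPinLabel="Device $nextSerial Smartcard"
userAuthId=01
userAuthKeyId=45
userCountry=BE
userStateOrProvince=Belgium
userOrganization=dummyOrganization
userOrganizationalUnit=dummyOrganizationalUnit
userName="device.$nextSerial"
userEmailAddress=userEmailAddress
userSoPin=123456
userSoPuk=12345678
userSmartcardReaderNumber=0
userSmartcardSlot=$(( userSmartcardReaderNumber * 4 ))
# expanded unquoted below on purpose, so that option and value become separate arguments
userPkcs15initReader="-r $userSmartcardReaderNumber"
userPkcs15toolReader="--reader $userSmartcardReaderNumber"
verbosityLevel="" #-vv
# we first erase the pkcs#15 compatible smartcard, create a new data structure on it, and generate a new key pair,
# but only after checking that the card in the reader does not already hold a ca or user certificate.
# NOTE: with the demo defaults caOrganization and userOrganization are both dummyOrganization, so the
# first test also matches a user certificate issued by this ca; either way the card is left untouched.
rm -f cert.pem
pkcs15-tool $userPkcs15toolReader $verbosityLevel --read-certificate "$userAuthKeyId" --output cert.pem
if [[ -e cert.pem ]] && openssl x509 -in cert.pem -issuer -noout | grep -qF -- "$caOrganization"; then
  echo "the smartcard reader contains a ca certificate... not overwriting this ca card ============"
  echo "execute the following command manually if the card needs to be reinitialized:"
  echo 'pkcs15-init $userPkcs15initReader $verbosityLevel --erase-card --create-pkcs15 --use-default-transport-keys --so-pin $userSoPin --so-puk $userSoPuk'
elif [[ -e cert.pem ]] && openssl x509 -in cert.pem -issuer -noout | grep -qF -- "$userOrganization"; then
  echo "the smartcard reader contains a user certificate... not overwriting this user card ============"
  echo "execute the following command manually if the card needs to be reinitialized:"
  echo 'pkcs15-init $userPkcs15initReader $verbosityLevel --erase-card --create-pkcs15 --use-default-transport-keys --so-pin $userSoPin --so-puk $userSoPuk'
else
  echo "the smartcard reader did not seem to contain valuable data, and is now being overwritten ============"
  # --erase-card is irrevocable; --use-default-transport-keys relies on the vendor's default transport keys
  pkcs15-init $userPkcs15initReader $verbosityLevel --erase-card --create-pkcs15 --use-default-transport-keys --so-pin "$userSoPin" --so-puk "$userSoPuk"
  pkcs15-init $userPkcs15initReader $verbosityLevel --store-pin --auth-id "$userAuthId" --label "$userPinLabel" --pin "$userPin" --puk "$userPuk" --so-pin "$userSoPin"
  # generated on the card; rsa/1024 is what these older cards support, use rsa/2048 if the card allows it
  pkcs15-init $userPkcs15initReader $verbosityLevel --generate-key rsa/1024 --auth-id "$userAuthId" --pin "$userPin" --so-pin "$userSoPin"
fi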
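# the user's certificate request, signed with the on-card user key; the request file is written into $CADIR
createCertificateRequest=$CADIR/create.certificate.request.sh
# -subj is quoted so that spaces in the fields survive openssl's command parser;
# -sha1 is kept from the original setup, prefer -sha256 where the engine and card support it.
cat > "$createCertificateRequest.input" <<EOF
engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
req -engine pkcs11 -new -key slot_${userSmartcardSlot}-id_${userAuthKeyId} -keyform engine -sha1 -out $CADIR/$userName.Cert.req -subj "/C=$userCountry/ST=$userStateOrProvince/O=$userOrganization/OU=$userOrganizationalUnit/CN=$userName/emailAddress=$userEmailAddress"


EOF
cat > "$createCertificateRequest" <<EOF
echo
echo
echo ==== enter the user pin when asked for the smartcard pin ====
echo
openssl < "$createCertificateRequest.input"
echo
ls -al "$CADIR/$userName.Cert.req"
echo
openssl req -in "$CADIR/$userName.Cert.req" -text -noout
echo
echo ==== finished creating a certificate request for $userName
echo
echo the file $userName.Cert.req should somehow be sent to the CA...
echo
EOF
sh "$createCertificateRequest"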
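# create a new certificate: signing the certificate request using your CA smartcard...
# openssl ca reads the request from $CADIR (the cwd), signs it with the on-card ca key and
# records it in demoCA/; the two "y" lines answer its sign/commit prompts.
createCertificate=$CADIR/create.certificate.sh
cat > "$createCertificate.input" <<EOF
engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
ca -engine pkcs11 -in $userName.Cert.req -extfile /etc/ssl/openssl.cnf -extensions usr_cert -cert cacert.pem -keyfile slot_${caSmartcardSlot}-id_${caKeyId} -out $userName.Cert.pem -days 365 -keyform engine
y
y
EOF
cat > "$createCertificate" <<EOF
echo
echo
echo ==== enter the ca pin when asked for the smartcard pin ====
echo
openssl < "$createCertificate.input"
echo
ls -al "$userName.Cert.pem"
echo
openssl x509 -in "$userName.Cert.pem" -text -noout
echo
echo ==== finished creating the user certificate ====
echo
echo the file $userName.Cert.pem should somehow be delivered to the user...
echo
openssl verify -CAfile cacert.pem "$userName.Cert.pem"
echo
EOF
sh "$createCertificate"
# how can I store my new certificate to my smartcard?
# if everything went ok, you can have a look at the certificate and write it to the appropriate smartcard
# (the user card, selected through $userPkcs15initReader; writing objects needs the SO pin):
openssl x509 -in "$userName.Cert.pem" -text -noout
pkcs15-init $userPkcs15initReader $verbosityLevel --store-certificate "$userName.Cert.pem" --so-pin "$userSoPin"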
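# how can I sign something with pkcs15-crypt?
# the hash is computed on the host and only the digest is sent to the card for signing;
# --sha-1 declares that the input file is a sha-1 digest, --pkcs1 selects PKCS#1 v1.5 padding.
# (--pin on the command line is visible via ps; pkcs15-crypt prompts when it is omitted)
fortune > data.txt   # any file will do; fortune merely provides some sample text
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key "$userAuthKeyId" --sign --pkcs1 --sha-1 --input data.sha1 --pin "$userPin" --output data.auth.sig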
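# make sure the intended recipient receives:
# - the file: data.txt
# - the digital signature: data.auth.sig
# - the signer's certificate. You can read out the certificate from the smartcard with:
pkcs15-tool $userPkcs15toolReader $verbosityLevel --read-certificate "$userAuthKeyId" --output "$userName.CertificateFromSmartcard.pem"
# - optionally: the certificate of the certification authority that issued the signer's certificate:
pkcs15-tool $caPkcs15toolReader $verbosityLevel --read-certificate "$caKeyId" --output cacertificateFromSmartcard.pem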
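# how can I verify such a signature?
# extract the public key from the signer's certificate and check the signature over the data.
# A valid signature only says who holds the key; whether that key can be trusted is decided by
# validating the certificate against the ca, which the verify commands further down do.
openssl x509 -in "$userName.Cert.pem" -pubkey -noout > userPublicKey.pem
if openssl dgst -sha1 -verify userPublicKey.pem -signature data.auth.sig data.txt; then
  echo "digital signature verified ok"
else
  echo "digital signature verification FAILED =============="
fi
# how can I verify all these certificates?
# (chain and validity period only; no revocation checking is done here)
openssl verify -CAfile cacert.pem cacert.pem
openssl verify -CAfile cacert.pem "$userName.Cert.pem"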
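# how can I upload my own private key to a smartcard...
# Note: this procedure shall never be used for key pairs or smartcards that you are going to depend on in a production environment... Software key generation is not recommended for authentication or non-repudiation key pairs!
# (the private key exists as a file on disk, so it is no longer "something only the card has";
#  restrict the file and delete it once it has been stored on the card)
# prepare the smartcard to contain a non-repudiation key pair...
# (presumably fails if the card already holds a pin object with this auth-id)
pkcs15-init $userPkcs15initReader $verbosityLevel --store-pin --auth-id "$userNonRepId" --label "$userPinLabel" --pin "$userPin" --puk "$userPuk" --so-pin "$userSoPin"
# how can I upload my own non-repudiation private key to a smartcard?
# generating a fresh key pair...
openssl genrsa -out rsa.non.repudiation.key.1024.pem 1024
chmod 600 rsa.non.repudiation.key.1024.pem
# store the key pair into the smartcard... (-T: use the default transport keys, as when the card was created)
pkcs15-init $userPkcs15initReader $verbosityLevel --store-private-key rsa.non.repudiation.key.1024.pem --id "$userNonRepKeyId" --auth-id "$userNonRepId" -T --pin "$userPin" --so-pin "$userSoPin"
# how can I sign something with this key?
fortune > data.non.repudiation.txt
openssl sha1 -binary data.non.repudiation.txt > data.sha1
pkcs15-crypt --key "$userNonRepKeyId" --sign --pkcs1 --sha-1 --input data.sha1 --pin "$userPin" --output data.non.repudiation.sig
# how can I upload my own authentication private key to a smartcard?
# prepare the smartcard to contain an authentication key pair...
# (presumably fails if the card already holds a pin object with this auth-id, e.g. one stored earlier on this page)
pkcs15-init $userPkcs15initReader $verbosityLevel --store-pin --auth-id "$userAuthId" --label "$userPinLabel" --pin "$userPin" --puk "$userPuk" --so-pin "$userSoPin"
# generating a fresh key pair...
openssl genrsa -out rsa.authentication.key.1024.pem 1024
chmod 600 rsa.authentication.key.1024.pem
# store the key pair into the smartcard...
pkcs15-init $userPkcs15initReader $verbosityLevel --store-private-key rsa.authentication.key.1024.pem --id "$userAuthKeyId" --auth-id "$userAuthId" -T --pin "$userPin" --so-pin "$userSoPin"
# how can I sign something with this key?
fortune > data.authentication.txt
openssl sha1 -binary data.authentication.txt > data.sha1
pkcs15-crypt --key "$userAuthKeyId" --sign --pkcs1 --sha-1 --input data.sha1 --pin "$userPin" --output data.authentication.sig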