[using etoken and cryptoflex with RSA keys]

1.) go to http://www.opensc.org/files/snapshots
    download latest openct and opensc snapshot.
2.) install openct. tar xfvz ... && configure && make && make install
3.) look at the openct documentation (it's in the doc/ subdir):
     - create the /var/run/openct dir and set permissions
     - install the init.d script, make sure your distribution starts it
       on boot.
     - make sure the kernel hotplugging calls the openct hotplug script.
     - either reboot or run the init.d script with "start".
4.) insert an etoken, run openct-tool and see if it was found (it should be).

5.) install opensc. tar xfvz ... && configure --with-openct=/path/to/openct && make && make install
6.) run opensc-explorer and see if you can access the etoken.
7.) create pkcs15 structure with pkcs15-init -C
8.) want a pin on it? create it with pkcs15-init -P -a 01
9.) create a key? pkcs15-init -G rsa/1024 (add -a 01 if you have a pin)
    import a key? pkcs15-init -S file.pem (add -a 01 if you have a pin)

note: etoken uses cardOS and thus is limited to either signing or
deciphering keys. but opensc can work around that, use --split-key.
or if you only want signing use -u sign, if you only want deciphering
use -u decipher (or ... see -u help for help on key usage).

same thing with a cryptoflex, in this example an egate card:
exactly the same thing, except you don't need --split-key.

if you have a normal reader (e.g. a towitoko or kaan reader), you need
to edit the openct.conf.

btw: pcsc-lite is no longer needed with the opensc+openct combo.
So I suggest moving this thread to [EMAIL PROTECTED] mailing
list. If there is any problem, the opensc and openct developers 
will surely assist you.

as author of the openct driver, I will still fix bugs for etoken and
usbtoken, but I'm moving all development effort to openct.
openct can also be used as a ifdhandler or ct-api driver with pcsc-lite.

(and if you want that, you can use openct <-> pcsc-lite <-> opensc.)

> The card should treat the keys as if they were generated onboard.
I don't know if the card keeps a flag "was generated on board", but
I don't think so. So from my perspective there shouldn't be a problem.

> That means that it should be able to sign with the keys, to export the public 
> key but not to export the private key etc. to 

opensc will store or generate all keys as non exportable, unless you
specify --exportable. so what you want is already the default setting.

> Since we are using cryptoflex cards and eToken usb-tokens, I wonder if anybody 
> on this list has done such a thing with one of these cards and could give me 
> some useful hints ?

working fine here. My thawte certificate was created in mozilla (key and
crt), downloaded from thawte, exported to a pkcs12 file, imported into
a hardware key (works with all three: aladdin etoken pro, rainbow ikey
3000 (windows software for import), schlumberger cryptoflex egate), and
the keys inside mozilla were deleted, mozilla was reconfigured to use
opensc pkcs#11 engine. it works fine, I can sign and decrypt emails.

the opensc sslengine for openssl also works fine, so I can create
certificate requests with keys stored in hardware. (actually opensc
has two engines, both work fine :-).

the pam module also works fine, but it's been a few weeks since I tried
it. Other people also tested openssh: it should work, but you need to
apply a patch as far as I know. the other developers should know...

No, I haven't tried getting ipsec to work with opensc / key on crypto
token. maybe soon :-)

Regards, Andreas

_______________________________________________
Muscle mailing list
[EMAIL PROTECTED]
http://lists.musclecard.com/mailman/listinfo/muscle
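An added example, not part of Andreas's mail or of the OpenSC/OpenCT projects: a POSIX shell script that wraps steps 4 and 7 to 9 of the procedure above and encodes the rules from the note (--split-key only for the CardOS-based etoken when a key must both sign and decipher, -u sign / -u decipher otherwise, -a 01 when a PIN was created with -P -a 01, -G rsa/1024 to generate or -S file.pem to import). It assumes openct-tool, pkcs15-init and pkcs15-tool are on the PATH when run with DRY_RUN=0; the `openct-tool list` subcommand and the closing `pkcs15-tool --list-keys` check come from those tools' own usage, not from the mail. By default (DRY_RUN=1) it only prints the commands it would run.

```bash
#!/bin/sh
# Added example, not from the original mail. Wraps the pkcs15-init steps
# from the post. DRY_RUN=1 (default) prints the commands instead of
# running them; set DRY_RUN=0 on a machine with openct/opensc installed.
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Log every command before (or instead of) running it, so the exact
    # pkcs15-init invocation ends up in the terminal log.
    printf '+ %s\n' "$*"
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
    fi
}

# Build the pkcs15-init key-creation arguments (printed on stdout).
#   $1 token:  etoken | cryptoflex
#   $2 usage:  sign | decipher | both
#   $3 pin:    yes | no    (yes adds "-a 01", the auth-id created by -P -a 01)
#   $4 source: generate | <path to PEM private key> (imported with -S)
pkcs15_init_args() {
    token=$1; usage=$2; pin=$3; source=$4
    if [ "$source" = "generate" ]; then
        set -- -G rsa/1024
    else
        set -- -S "$source"
    fi
    if [ "$pin" = "yes" ]; then
        set -- "$@" -a 01
    fi
    case "$usage" in
        sign)     set -- "$@" -u sign ;;
        decipher) set -- "$@" -u decipher ;;
        both)
            # CardOS (the etoken) limits a key to signing OR deciphering;
            # --split-key is opensc's workaround. A cryptoflex needs nothing.
            if [ "$token" = "etoken" ]; then
                set -- "$@" --split-key
            fi ;;
        *) echo "unknown key usage: $usage" >&2; return 1 ;;
    esac
    printf '%s\n' "$*"
}

# Full sequence from the post: check the reader, create the PKCS#15
# structure, optionally a PIN, then the key, and finally list the key
# objects so the "non-exportable" default can be seen on the token.
#   usage: provision_token <token> <usage> <pin yes|no> <generate|key.pem>
provision_token() {
    key_args=$(pkcs15_init_args "$1" "$2" "$3" "$4") || return 1
    run openct-tool list           # step 4: does openct see the token?
    run pkcs15-init -C             # step 7: create the pkcs15 structure
    if [ "$3" = "yes" ]; then
        run pkcs15-init -P -a 01   # step 8: create a PIN with auth-id 01
    fi
    # Intentional word splitting of $key_args (paths with spaces unsupported).
    run pkcs15-init $key_args      # step 9: generate or import the key
    run pkcs15-tool --list-keys    # check the stored key object and its usage
}

# Run as: DRY_RUN=0 ./provision.sh etoken both yes generate
if [ $# -eq 4 ]; then
    provision_token "$@"
fi
```

With DRY_RUN=1 the script is safe to try anywhere; review the printed pkcs15-init lines, then rerun with DRY_RUN=0 against a token you are prepared to reinitialise, since -C creates a fresh PKCS#15 structure.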