[2018.06.20]
When the company I work for decided to become serious about its Public Key Infrastructure (PKI), take on the role of Registration Authorithy (RA) on behalf of a well-known Certificate Service Provider (CSP) and teach its employees to use SSL certificates to secure e-mail messages, I did not suspect the vastness of the task that confronted me, includingly (but not exclusively) when it came to introduce smart cards into our daily Linux life.
Usually, when setting on a new Linux project, I netsearch for a few keywords,
quickly find some exquisite documentation (thanks to whomever wrote it), and get
going.
With smart cards… nope! Thou shall not have it that easy, you miserable
ignorant twat!
To start with, I never encountered a domain with so many acronyms, standards, vendors, etc. entangled into such an obscure web of features, specifications, versions, etc. Oh dear! I quickly stood humbled…
So here follow a few clues for smart card illiterates (like me).
Smart cards support is usually - iow. the least troublelessly - implemented on Linux using three pieces of software:
the CCID library (software driver), aka. libccid
; website
the PC/SC lite middleware and daemon, aka. pcscd
; website
OpenSC libraries and tools; website
Along the Public Key Cryptography Standards (PKCS) relevant to the matter at hand, namely:
PKCS#11: the standardized API allowing to access and use public key cryptography material (public/private keys, certficates, etc.), implemented by OpenSC thanks to:
opensc-pkcs11
library (for Firefox, Thunderbird, Chromium, etc.)engines/libpkcs11
library (for OpenSSL)PKCS#15: the standardized scheme for storing public key cryptographic material on smart cards, implemented by OpenSC thanks to:
pkcs15-init
and pkcs15-tool
utilitiesUsing a smart card entails two pieces of hardware:
a smart card reader:
the smart card itself, which is nothing less than very tiny and highly specialized microcomputer, and which may come in many different flavors:
The protocols commonly used to allow the PC to communicate with the reader, via its USB connection, and the smart card are:
hardware-wise: the Chip Card Interface Device (CCID), readily supported on Linux thanks to the CCID software driver
software-wise: the Personal Computer/Smart Card (PC/SC) API, readily supported on Linux thanks to the PS/SC lite middleware
The interfaces most commonly used for the reader to interact with the smart card via physical electrical contact are:
hardware-wise: the ISO/IEC 7816 standard, along T=0 and T=1 transmission protocols (the latter often being required to fully support modern PKI operations)
software-wise: the ISO/IEC 7816-15 part, mirroring the PKCS#15 specifications
The interfaces most commonly used for the reader to interact with the smart card via radio communications are:
hardware-wise:
software-wise: the same forementioned PKCS#15 specifications
Like already mentioned, smart cards come into with a wide variety of options.
contact vs contactless: mostly a question of compromise between usability and security. For qualified electronic signature (i.e. with legal value as per your country’s legislation; e.g. SuisseID), I would definitely opt for the contact version.
writeonce vs rewritable: I personally haven’t thought of a use case (yet) that would benefit from a writeonce media.
cryptographics modules: they allow for the key pairs to be generated by the smart card itself; the private key never leaves and can not be recovered from the smart card (signature and encryption being offloaded to it by the host PC via its PKCS#11 interface). I consider it a MUST for PKI applications.
memory (EEPROM): a minimum of 64kB will be necessary to store the required key pair(s) and corresponding certificate(s)
Operating System (OS): not an issue as long as the smart card supports the CCID and PC/SC interfaces (which shall be preferred on Linux)
Application Programming Interface (API): like already said, the Personal Computer/Smart Card (PC/SC) interface is the preferred choice for Linux operations
Once all options sorted out, one may want to verify the chosen smart card compatibility with the Linux stack:
Let’s first verify our hardware choices are indeed compatible with the Linux stack and with one-another:
Check the reader support/accessibility:
opensc-tool --list-readers
Check the smart card support/accessibility:
opensc-tool --atr
opensc-tool --name
Most smart cards will be blank when received from their manufacturer.
The best course of action from here is too follow OpenSC’s exhaustive documentation.
Shortly put, one will need to:
Initialize the smart card with a PKCS#15 structure:
pkcs15-init --create-pkcs15 ...
Add a PIN/PUK code:
pkcs15-init --store-pin ...
Generate a key pair:
pkcs15-init --generate-key ...
Generate a Certificate Signing Request (CSR):
openssl ... # along engines/libpkcs11
Install the signed certificate:
pkcs15-init --store-certificate ...
(…a few eons later…)
Please read-on: