Mailing List Archive: GnuPG: gpa

How to use a NetKey card



wk at gnupg

Mar 28, 2002, 1:38 PM

Post #1 of 4 (191 views)
How to use a NetKey card

Hi!

I managed to make the German Telesec NetKey Smartcards work with
Aegypten. For now only signing is supported and card personalization
requires the use of OpenSSL.

You have to use the latest NewPG from the CVS and with a modified
OpenSC tarball at:

ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/newpg-0.6-1-wk-20020328.tar.gz

I am going to prepare patches for the upstream release but for now the
tarball should work.

IF YOU DON'T FOLLOW THESE RULES, IT MAY HAPPEN THAT YOU MAKE THE CARD
UNUSABLE - IT IS ALSO LIKELY THAT THIS HAPPENS DUE TO BUGS OR
INSTALLATION PROBLEMS. I have been lucky in that I have only one
file on one card which is not deletable anymore.

The blank TCOS cards don't work yet because we do not have a procedure
yet to install a SO password (global secret 0).


1. Build OpenSC as usual and make sure that OpenSSL support is
included (the configure run displays this).

2. You must install an opensc.conf file in {prefix}/etc; an example is
included in opensc/etc/. I am using the pcsc framework.

3. Build newpg

4. Create a new test certificate and a key using OpenSSL.

5. Insert the Netkey card and fire up opensc-explorer. Do this at the
opensc-explorer command line (we assume that it is a fresh card
with a 6 byte NullPIN):

change CHV0 00:00:00:00:00:00 "admin0"
get 2F00 saved-2F00
del 2F00
quit

We need to delete the GDO file because the record length used is
too short for our application. Note the new SO (Security Officer)
password ("admin0") somewhere.

6. Initialize the card:

$ pkcs15-init -C

You are asked for 2 PINs and PUKs; use at least 6 characters.
The PUKs are not yet used, the SO password serves for this.

7. Write a certificate to the card:

$ pkcs15-init -X /somewhere/my_cert.pem

8. Write a secret key to the card

$ pkcs15-init -S /somewhere/my_private_key.pem

You are asked for the PEM password which is used to protect the key
in the PEM file and for CHV2, where you enter the password/PIN set
in step 2.

Note, you will see an error message - don't care about this.

9. Check that everything is fine:

$ pkcs15-tool --list-pins

After some garbage you should get:

Card has 2 PIN code(s).

PIN [Authentication PIN]
Com. Flags: 0x13
Auth ID : 01
Flags : [0x03], case-sensitive, local
Length : 6..16
Pad char : 0x00
Reference : 128
Type : 2
Path : 3F005015

PIN [Non-repudiation PIN]
Com. Flags: 0x13
Auth ID : 02
Flags : [0x03], case-sensitive, local
Length : 6..16
Pad char : 0x00
Reference : 129
Type : 2
Path : 3F005015

$ pkcs15-tool -c

Card has 1 certificate(s).

X.509 Certificate [Authentication Certificate]
Flags : 0
Authority: no
Path : 3F0050159001
ID : 45

$ pkcs15-tool -k

Card has 1 private key(s).

Private RSA Key [Authentication Key]
Com. Flags : 0
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 0
Native : no
Path : 3F0050155001
Auth ID : 01
ID : 45


10. Now register this card with gpgsm:

$ gpgsm --learn-card

11. Now you can use this card to create a signature

$ gpgsm -sbvu 'user_id_of_new_cert' plain >plain.sig

The PIN entry dialog should pop up and ask you for the
Authentication PIN which is the one you entered as CHV0.

There will also be a popup window to ask you to insert the card
if you did remove it from the reader or you are using a different
one.


That's it. This is all alpha code of course and some security
things are not yet setup in the way they should.

You may want to erase the PKCS15 structure in case of (very likely)
problems; you can use this script:

$ opensc-explorer <<EOF
cd 5015
del 9001
del 5002
del 5001
del 4404
del 4402
del 4401
del 5032
del 5031
del 0011
del 0001
cd ..
del 5015
EOF


If you want to play with the PIN files created under the 5015 DF, you
should know that you have to use CHV128 and CHV129 with the
opensc-explorer commands "ver" and "change".


Happy hacking,

Werner
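Step 9 of the procedure above is a manual eyeball check of the pkcs15-tool listings. The following script, added here as an example and not part of the original post or of NewPG/OpenSC, turns that check into an automated one: it parses the output of `pkcs15-tool --list-pins` and `pkcs15-tool -k` (format as shown in the post), skips any leading driver chatter, and reports deviations from the expected layout (two local PINs referenced as CHV128/CHV129 with a minimum length of 6, and a signing key marked sensitive and neverExtract whose Auth ID matches one of the PINs). The sample input embedded below is a constructed copy of the listings shown in the post so the script runs without a card; `--card` invokes the real tools, which are assumed to be on PATH.

```python
"""Automated check of the PKCS#15 layout written by pkcs15-init, by parsing pkcs15-tool output."""
import re
import subprocess
import sys

# Constructed sample input: the pkcs15-tool listings quoted in the post, embedded for offline use.
SAMPLE_PINS = """Card has 2 PIN code(s).

PIN [Authentication PIN]
Com. Flags: 0x13
Auth ID : 01
Flags : [0x03], case-sensitive, local
Length : 6..16
Pad char : 0x00
Reference : 128
Type : 2
Path : 3F005015

PIN [Non-repudiation PIN]
Com. Flags: 0x13
Auth ID : 02
Flags : [0x03], case-sensitive, local
Length : 6..16
Pad char : 0x00
Reference : 129
Type : 2
Path : 3F005015
"""

SAMPLE_KEYS = """Card has 1 private key(s).

Private RSA Key [Authentication Key]
Com. Flags : 0
Usage : [0x4], sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 0
Native : no
Path : 3F0050155001
Auth ID : 01
ID : 45
"""

# Header line opening each object, e.g. "PIN [Authentication PIN]" or "Private RSA Key [Authentication Key]".
HEADER_RE = re.compile(r"^(PIN|Private \w+ Key|X\.509 Certificate) \[(.*)\]\s*$")


def parse_objects(text):
    """Return one dict per listed object: {'kind', 'label', <attribute>: <value>, ...}.
    Lines before the first header (driver chatter) and lines without ':' are ignored."""
    objs, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"kind": m.group(1), "label": m.group(2)}
            objs.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return objs


def flag_names(value):
    """'[0x1D], sensitive, neverExtract' -> ['sensitive', 'neverExtract'] (drops the hex word)."""
    return [p.strip() for p in value.split(",")[1:] if p.strip()]


def check_card(pins_text, keys_text):
    """Return a list of findings; an empty list means the layout matches the post's expectations."""
    findings = []
    pins, keys = parse_objects(pins_text), parse_objects(keys_text)
    if len(pins) != 2:
        findings.append(f"expected 2 PIN objects, found {len(pins)}")
    for p in pins:
        m = re.match(r"(\d+)\.\.(\d+)", p.get("Length", ""))
        if not m or int(m.group(1)) < 6:
            findings.append(f"{p['label']}: minimum PIN length missing or below 6")
        if "local" not in flag_names(p.get("Flags", "")):
            findings.append(f"{p['label']}: PIN is not local to the PKCS#15 DF")
    refs = sorted(p.get("Reference", "?") for p in pins)
    if refs != ["128", "129"]:
        findings.append(f"PIN references {refs} are not the CHV128/CHV129 pair")
    pin_ids = {p.get("Auth ID") for p in pins}
    if not keys:
        findings.append("no private key object on the card")
    for k in keys:
        access = flag_names(k.get("Access Flags", ""))
        for needed in ("sensitive", "neverExtract"):
            if needed not in access:
                findings.append(f"{k['label']}: access flags lack {needed}")
        if "sign" not in flag_names(k.get("Usage", "")):
            findings.append(f"{k['label']}: key usage does not include sign")
        if k.get("Auth ID") not in pin_ids:
            findings.append(f"{k['label']}: Auth ID {k.get('Auth ID')} matches no PIN on the card")
    return findings


def read_card():
    """Run the real tools (assumed on PATH) and return the two raw listings."""
    def run(*args):
        return subprocess.run(["pkcs15-tool", *args], capture_output=True, text=True, check=True).stdout
    return run("--list-pins"), run("-k")


if __name__ == "__main__":
    pins_text, keys_text = read_card() if "--card" in sys.argv else (SAMPLE_PINS, SAMPLE_KEYS)
    problems = check_card(pins_text, keys_text)
    for f in problems:
        print("PROBLEM:", f)
    print("card layout OK" if not problems else f"{len(problems)} problem(s) found")
```

The neverExtract and sensitive checks are the ones worth keeping even after the alpha-code caveat above is gone: a key object that pkcs15-init wrote without them would let the host read the private key back, which defeats the point of putting it on the card.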


jan at intevation

Mar 28, 2002, 2:51 PM

Post #2 of 4 (185 views)
Re: How to use a NetKey card [In reply to]

Hi Werner,

On Thu, Mar 28, 2002 at 01:35:01PM +0100, Werner Koch wrote:
> I managed to make the German Telesec NetKey Smartcards work with
> Aegypten. For now only signing is supported and card personalization
> requires the use of OpenSSL.
>
> You have to use the latest NewPG from the CVS and with a modified
> OpenSC tarball at:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/newpg-0.6-1-wk-20020328.tar.gz
>
> I am going to prepare patches for the upstream release but for now the
> tarball should work.
>
> IF YOU DON'T FOLLOW THESE RULES, IT MAY HAPPEN THAT YOU MAKE THE CARD
> UNUSABLE - IT IS ALSO LIKELY THAT THIS HAPPENS DUE TO BUGS OR
> INSTALLATION PROBLEMS. I have been lucky in that I have only one
> file on one card which is not deletable anymore.
>
> The blank TCOS cards don't work yet because we do not have a procedure
> yet to install a SO password (global secret 0).

what exactly is the difference between non-personalized and blank TCOS
cards?

Jan

--
Jan-Oliver Wagner http://intevation.de/~jan/

Intevation GmbH http://intevation.de/
FreeGIS http://freegis.org/


bernhard at intevation

Mar 28, 2002, 3:36 PM

Post #3 of 4 (183 views)
Re: How to use a NetKey card [In reply to]

On Thu, Mar 28, 2002 at 01:35:01PM +0100, Werner Koch wrote:
> You have to use the latest NewPG from the CVS and with a modified
> OpenSC tarball at:
>
> ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/newpg-0.6-1-wk-20020328.tar.gz
>
> I am going to prepare patches for the upstream release but for now the
> tarball should work.

The tarball probably is in the same directory as given in the url,
but named:
opensc-0.6.1-wk-20020328.tar.gz


wk at gnupg

Mar 28, 2002, 4:08 PM

Post #4 of 4 (185 views)
Re: How to use a NetKey card [In reply to]

On Thu, 28 Mar 2002 14:49:36 +0100, Jan-Oliver Wagner said:

>> ftp://ftp.gnupg.org/gcrypt/alpha/aegypten/newpg-0.6-1-wk-20020328.tar.gz

s/newpg/opensc/

and I was so sure to have it typed in correctly this time :-(

> what exactly is the difference between non-personalized and blank TCOS
> cards?

The blank TCOS cards are chipcards with the TCOS on it but without any
application; i.e. files on it. Well, it is not exactly true, they do
come with 2 files: 3f002f02 which contains the serial number and one
keyfile probably used during manufacturing or by some 3-letter agency.

Werner
