-
Notifications
You must be signed in to change notification settings - Fork 2
SmartCardHSM
The SmartCard-HSM is a lightweight hardware security module in a smart card form factor. It provides a remote-manageable secure key store for RSA and ECC keys.
The SmartCard-HSM is available as USB stick, ID-1 card with contact/contactless interface and as ID-000 plug-in. It can be purchased at cardomatic.
Starting with version 0.13, the OpenSC driver has read/write support for RSA and ECC keys, certificates, public and private data objects. New features are made available in our repository at github.
CardContact provides free development samples for open source developers. For commercial use we offer a SmartCard-HSM SDK with certified drivers and extended support for Java.
Unless stated otherwise, a SmartCard-HSM is usually shipped uninitialized, meaning that no SO-PIN is set. You will first need to perform an initialization to set the SO-PIN and initial user PIN. See section Initialize the Device below.
For RSA 2048 operations and write support, the SmartCard-HSM requires a card reader supporting extended length APDUs. In our tests, card reader from Identive performed best. Omnikey readers generally seemed to have problems with extended length APDUs.
After installation of OpenSC you must register the PKCS11 module in Firefox:
1. Open the Firefox preferences dialog. Choose “Advanced” > “Encryption” > “Security Devices”
2. Choose “Load”
3. Enter a name for the security module, such as “OpenSC”. NOTE: there is currently a bug in Firefox where international characters may cause problems (TODO: link to bugzilla?)
4. Choose “Browse…” to find the location of the PKCS11 module on your local computer (Usually c:\WINDOWS\System32\opensc-pkcs11.dll or /usr/local/lib/opensc-pkcs11.so)
After installing OpenSC on Windows, you can register the SmartCard-HSM for use with Microsoft applications like Internet Explorer or Outlook.
Save the following to a file sc-hs.reg and double-click to import it into the registy.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\SmartCard-HSM]
“80000001”=“opensc-minidriver.dll”
“Crypto Provider”=“Microsoft Base Smart Card Crypto Provider”
“ATR”=hex:3b,fe,18,00,00,81,31,fe,45,80,31,81,54,48,53,4d,31,73,80,21,40,81,07,fa
“ATRMask”=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\SmartCard-HSM-CL]
“80000001”=“opensc-minidriver.dll”
“Crypto Provider”=“Microsoft Base Smart Card Crypto Provider”
“ATR”=hex:3B,8E,80,01,80,31,81,54,48,53,4D,31,73,80,21,40,81,07,18
“ATRMask”=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
The SmartCard-HSM is an applet installed on a JavaCard. With opensc-explorer you will first need to select the applet before you can issue further commands.
OpenSC Explorer version 0.13.0-pre1
Using reader with a card: SCM SCR 3310 00 00
OpenSC [3F00]> cd aid:E82B0601040181C31F0201
OpenSC [E82B/0601/0401/81C3/1F02/01]> ls
FileID Type Size
2F02 wEF 436
C401 wEF 44
CE01 wEF 1023
C402 wEF 49
CE02 wEF 781
C403 wEF 49
CE03 wEF 765
C404 wEF 49
CE04 wEF 770
C405 wEF 47
CE05 wEF 796
CC00 unable to select file, File not found
CC01 unable to select file, File not found
CC02 unable to select file, File not found
CC03 unable to select file, File not found
CC04 unable to select file, File not found
CC05 unable to select file, File not found
OpenSC [E82B/0601/0401/81C3/1F02/01]>
Don’t be worry about the CCxx files not being found. These file identifiers are reserved as references for key objects and can not be found by the opensc-explorer.
The card PIN is referenced using the PIN id 0×81. In opensc-explorer you will need to enter
OpenSC [E82B/0601/0401/81C3/1F02/01]> verify chv129
Please enter PIN:
Code correct.
OpenSC [E82B/0601/0401/81C3/1F02/01]>
For changing the PIN you need to enter the old and new PIN as ASCII string:
OpenSC [E82B/0601/0401/81C3/1F02/01]> change chv129 "648219" "123456"
PIN changed.
OpenSC [E82B/0601/0401/81C3/1F02/01]>
A SmartCard-HSM equipped with test certificates from the support package contains one RSA and four ECC keys:
$ pkcs15-tool -D
Using reader with a card: SCM SCR 3310 [CCID Interface] (21120843305113) 00 00
PKCS#15 Card [SmartCard-HSM]:
Version : 0
Serial number : UTCC0200062
Manufacturer ID: www.CardContact.de
Flags :
PIN [UserPIN]
Object Flags : [0×3], private, modifiable
ID : 01
Flags : [0×81A], local, unblock-disabled, initialized, exchangeRefData
Length : min_len:4, max_len:16, stored_len:0
Pad char : 0×00
Reference : 129 (0×81)
Type : ascii-numeric
Tries left : 3
PIN [SOPIN]
Object Flags : [0×1], private
ID : 02
Flags : [0×9E], local, change-disabled, unblock-disabled, initialized, soPin
Length : min_len:16, max_len:16, stored_len:0
Pad char : 0×00
Reference : 136 (0×88)
Type : bcd
Tries left : 3
Private RSA Key [Joe Doe (RSA2048)]
Object Flags : [0×1], private
Usage : [0×2E], decrypt, sign, signRecover, unwrap
Access Flags : [0×1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1 (0×1)
Native : yes
Path : e82b0601040181c31f0201::
Auth ID : 01
ID : 01
GUID : {770ef182-4ff5-c00f-0a60-8a9b261ae0a8}
Private EC Key [Joe Doe (ECC-SECP256)]
Object Flags : [0×1], private
Usage : [0×104], sign, derive
Access Flags : [0×1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength : 256
Key ref : 2 (0×2)
Native : yes
Path : e82b0601040181c31f0201::
Auth ID : 01
ID : 02
GUID : {d6fec6cb-2c43-1ab0-8742-a8bdb4fd4eab}
Private EC Key [Joe Doe (ECC-SECP192)]
Object Flags : [0×1], private
Usage : [0×104], sign, derive
Access Flags : [0×1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength : 192
Key ref : 3 (0×3)
Native : yes
Path : e82b0601040181c31f0201::
Auth ID : 01
ID : 03
GUID : {2db6a307-0241-cf86-5b48-33c5f9636804}
Private EC Key [Joe Doe (ECC-BP224)]
Object Flags : [0×1], private
Usage : [0×104], sign, derive
Access Flags : [0×1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength : 224
Key ref : 4 (0×4)
Native : yes
Path : e82b0601040181c31f0201::
Auth ID : 01
ID : 04
GUID : {d8a5d028-f382-7643-82b0-438766926582}
Private EC Key [Joe Doe (ECC-BP320)]
Object Flags : [0×1], private
Usage : [0×104], sign, derive
Access Flags : [0×1D], sensitive, alwaysSensitive, neverExtract, local
FieldLength : 320
Key ref : 5 (0×5)
Native : yes
Path : e82b0601040181c31f0201::
Auth ID : 01
ID : 05
GUID : {64bb4c16-63c2-3216-f4e5-e10ff1d47506}
Private RSA Key [Joe Doe (RSA1536)]
Object Flags : [0×1], private
Usage : [0×2E], decrypt, sign, signRecover, unwrap
Access Flags : [0×1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1536
Key ref : 6 (0×6)
Native : yes
Path : e82b0601040181c31f0201::
Auth ID : 01
ID : 06
GUID : {14027c5b-0971-ed85-9716-1bb8083a1496}
Private RSA Key [Joe Doe (RSA1024)]
Object Flags : [0×1], private
Usage : [0×2E], decrypt, sign, signRecover, unwrap
Access Flags : [0×1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 7 (0×7)
Native : yes
Path : e82b0601040181c31f0201::
Auth ID : 01
ID : 07
GUID : {f40c87ed-3026-a3a3-2f16-4e339fce6ff9}
X.509 Certificate [Joe Doe (RSA2048)]
Object Flags : [0×0]
Authority : no
Path : ce01
ID : 01
GUID : {770ef182-4ff5-c00f-0a60-8a9b261ae0a8}
Encoded serial : 02 08 02B00F6CEC251CE5
X.509 Certificate [Joe Doe (ECC-SECP256)]
Object Flags : [0×0]
Authority : no
Path : ce02
ID : 02
GUID : {d6fec6cb-2c43-1ab0-8742-a8bdb4fd4eab}
Encoded serial : 02 08 02F9D76BFF7291B1
X.509 Certificate [Joe Doe (ECC-SECP192)]
Object Flags : [0×0]
Authority : no
Path : ce03
ID : 03
GUID : {2db6a307-0241-cf86-5b48-33c5f9636804}
Encoded serial : 02 08 02E83DD1B2C2C857
X.509 Certificate [Joe Doe (ECC-BP224)]
Object Flags : [0×0]
Authority : no
Path : ce04
ID : 04
GUID : {d8a5d028-f382-7643-82b0-438766926582}
Encoded serial : 02 08 02E3A790DD0D1761
X.509 Certificate [Joe Doe (ECC-BP320)]
Object Flags : [0×0]
Authority : no
Path : ce05
ID : 05
GUID : {64bb4c16-63c2-3216-f4e5-e10ff1d47506}
Encoded serial : 02 08 026B07E37DBFA205
X.509 Certificate [Joe Doe (RSA1536)]
Object Flags : [0×0]
Authority : no
Path : ce06
ID : 06
GUID : {14027c5b-0971-ed85-9716-1bb8083a1496}
Encoded serial : 02 08 02A7EEFA99415EBF
X.509 Certificate [Joe Doe (RSA1024)]
Object Flags : [0×0]
Authority : no
Path : ce07
ID : 07
GUID : {f40c87ed-3026-a3a3-2f16-4e339fce6ff9}
Encoded serial : 02 08 02C05C90657208BC
Initializing – and thereby erasing all keys, certificates and data elements – requires the following command
$ sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 648219
or
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --init-token --label "test" --so-pin 3537363231383830
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so --login --login-type so --so-pin 3537363231383830 --init-pin --new-pin 648219
If the SmartCard-HSM was never initialized before, the presented SO-PIN is stored as future SO-PIN for this device. Any later initialization requires the presentation of the same SO-PIN. Please make sure to select your own values for SO-PIN and user PIN if used in a production environment.
The parameter —label is required as per PKCS#11, however it’s silently ignored by the SmartCard-HSM code.
The —init-pin option can only be used immediately after the —init-token command. To reset a lost PIN you will need to reinitialize the device.
To use the key backup and restore mechanism please refer to the sc-hsm-tool man page.
Use the following command to generate a key pair:
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 648219 --keypairgen --key-type rsa:1024 --id 10
Using slot 1 with a present token (0x1)
Key pair generated:
Private Key Object; RSA
label: Private Key
ID: 10
Usage: decrypt, sign, unwrap
Public Key Object; RSA 1024 bits
label: Private Key
ID: 10
Usage: encrypt, verify, wrap
or for ECC keys:
$ pkcs11-tool —module /usr/local/lib/opensc-pkcs11.so —login —pin 648219 —keypairgen —key-type EC:prime256v1 —label mykey
The SmartCard-HSM does not permanently store public keys, but generates the required PKCS#11 public key object from certificates stored on the device. As newly generated key pairs don’t have a certificate initially, the public key is extracted from the card generated certificate signing request that is saved instead of the certificate. To save the generated public key in Subject Public Key Information format as per RF3280 use the following command
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 648219 --keypairgen --key-type rsa:1024 --id 10 --read-object --type pubkey --output-file pubkey.spki
Use the following commands to store certificates and data:
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 648219 --write-object testcert.der --type cert --id 10
and
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 648219 --write-object testcert.der --type data --label testdata
For deleting objects use one of the following commands
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 648219 --delete-object --type cert --id 10
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 648219 --delete-object --type privkey --id 10
$ pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 648219 --delete-object --type data --label testdata