Initially you need a smart-card reader, I suppose any supported by opensc would do. I got one from gooze.eu, that also provided me with some smart-cards for free for the development of GnuTLS. Anyway after you have a smart-card reader make sure opensc is installed and is operating. For example in my system I see my reader as:
$ opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes OmniKey CardMan 3121 00 00
Also make sure that /etc/gnutls/pkcs11.conf contains the line
load=/usr/lib/opensc-pkcs11.so
which instructs GnuTLS to load the opensc PKCS #11 library. If you are wondering what PKCS #11 is, think of it as a common interface to talk to smart-cards. From now on, only GnuTLS (2.12) tools are required.
Initially let's verify the card is present. That would be with the command:
$ ./p11tool --list-tokens
Token 0:
URL: pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API
Label: BELPIC (Basic PIN)
Manufacturer: (unknown)
Model: PKCS#15
Serial: XXX
Nice. We see that the card is present. Note that URL on top of the listing. GnuTLS uses PKCS #11 URLs to identify all objects within a token. They might be a bit intimidating because of their size, but they can uniquely and permanently identify an object. But let's now see what's stored inside:
$ ./p11tool --list-all --login
PIN required for token 'BELPIC (Basic PIN)' with URL 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29'
Enter PIN:
Object 0:
URL: pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29;object=Authentication;objecttype=private;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API;id=%02
Type: Private key
Label: Authentication
ID: 02
Object 1:
URL: pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29;object=Authentication;objecttype=cert;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API;id=%02
Type: X.509 Certificate
Label: Authentication
ID: 02
Object 2:
URL: pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29;object=Authentication;objecttype=public;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API;id=%02
Type: Public key
Label: Authentication
ID: 02
[...]
Object 9:
URL: pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=93FF298DB713225;model=PKCS%2315;manufacturer=%28unknown%29;object=Root;objecttype=public;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API;id=%06
Type: Public key
Label: Root
ID: 06
That's quite some stuff there. As it seems there are a private-public key pair with a certificate to be used for authentication, another pair for signing and few national certificate authorities and their public keys. We can try to export one of the authorities as:
$ ./p11tool --login --export "pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29;object=Root;objecttype=cert;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API;id=%06"|certtool -i
Enter PIN:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 2affbe9fa2f0e987
Issuer: C=BE,CN=Belgium Root CA2
Validity:
Not Before: Thu Oct 04 10:00:00 UTC 2007
Not After: Wed Dec 15 08:00:00 UTC 2021
Subject: C=BE,CN=Belgium Root CA2
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
c6:73:42:1e:92:ff:75:0f:8b:bf:74:86:a7:3f:ed:b2
18:2d:2d:97:f9:a9:fb:98:4a:23:df:d5:8d:e0:8c:c6
32:1c:16:2d:07:42:d6:2d:b6:6e:2f:a7:f5:fc:c6:85
82:5d:95:de:b5:22:00:cc:a8:53:40:9f:af:0a:35:a2
7a:c7:e1:ca:f7:60:10:67:0e:a7:50:73:17:53:95:9f
22:9f:0c:5d:6f:b6:41:bc:8c:eb:da:1d:46:bd:a7:94
bf:f3:1a:cb:d4:fb:8d:0e:1e:33:c8:96:d7:ec:8c:53
de:93:1e:34:1e:8a:50:71:26:58:b4:5d:c2:88:89:da
60:d2:89:21:3f:de:d7:01:18:36:6e:e1:2c:70:03:04
65:ef:98:06:2b:5d:1e:62:dc:55:6b:fe:66:64:21:5f
f8:2f:e1:d7:9b:29:af:6f:cd:9f:aa:0c:46:d1:88:c5
9d:a2:95:9f:ac:3f:15:ae:f2:61:df:ef:c3:6b:9a:22
d8:2c:71:fd:58:1d:ec:00:a4:38:20:95:5a:c7:d5:37
63:ba:4f:9b:aa:fe:56:46:2e:63:d9:0b:23:d5:8a:fa
b5:23:f0:89:1b:a1:14:0d:26:da:41:f0:38:8f:30:ed
05:26:79:c1:4b:4e:a1:b8:7e:55:52:3a:69:46:84:75
Exponent (bits 24):
01:00:01
Extensions:
Key Usage (critical):
Certificate signing.
CRL signing.
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Unknown extension 2.5.29.32 (not critical):
ASCII: 0907..`8...0.0,..+........ http://repository.eid.belgium.be
Hexdump: 3039303706056038090101302e302c06082b060105050702011620687474703a2f2f7265706f7369746f72792e6569642e62656c6769756d2e6265
Subject Key Identifier (not critical):
858aebf4c5bbbe0e590394ded6800115e3109c39
Unknown extension 2.16.840.1.113730.1.1 (not critical):
ASCII: ....
Hexdump: 03020007
Authority Key Identifier (not critical):
858aebf4c5bbbe0e590394ded6800115e3109c39
Signature Algorithm: RSA-SHA
Signature:
51:d8:85:dd:bb:57:6f:cc:a0:6c:b5:a3:20:9c:53:09
f3:4a:01:0c:74:bf:2b:b3:9a:9a:ba:18:f2:0b:88:ac
1c:b3:33:af:ce:e5:13:01:27:92:84:58:9a:10:b9:f7
cc:14:92:6b:74:16:8a:96:e8:51:ef:bf:fa:4a:25:a7
89:b6:63:2b:5d:94:58:d1:cf:11:72:b6:1e:b9:39:41
16:4d:29:bc:35:53:0b:da:de:8e:0e:cd:a9:95:77:25
ca:94:5a:e9:b2:69:ae:d8:c0:13:be:98:fc:96:9c:84
7f:55:13:e6:3c:87:e3:bc:20:a4:a4:36:68:6b:4d:60
66:1c:f9:bf:ac:80:94:66:2e:b9:41:8a:d3:65:d3:84
80:02:ef:50:1d:5e:46:dc:f7:c9:ba:b5:34:7c:2a:f3
c6:d8:5f:5f:54:9d:db:4d:cd:11:e7:fd:14:02:83:66
5e:c8:a6:00:12:a0:5f:be:ce:14:fe:bb:1f:a7:61:f7
ab:4a:f1:06:14:9f:ca:49:42:c2:a9:bc:ed:85:b1:ab
81:41:e6:0d:c5:42:69:53:87:39:9d:4c:1f:00:0e:3e
07:0d:75:57:44:a8:53:b4:36:76:64:99:dc:6e:eb:3d
46:6e:14:5d:5e:47:53:8d:78:4d:e0:27:bb:8e:85:76
Other Information:
MD5 fingerprint:
e9ac47cc78b6cf02505ee2481bec95dc
SHA-1 fingerprint:
51cca0710af7733d34acdc1945099f435c7fc59f
Public Key Id:
b7513777b278676554fc2679b4ff7f6374cef157
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIIKv++n6Lw6YcwDQYJKoZIhvcNAQEFBQAwKDELMAkGA1UE
BhMCQkUxGTAXBgNVBAMTEEJlbGdpdW0gUm9vdCBDQTIwHhcNMDcxMDA0MTAwMDAw
WhcNMjExMjE1MDgwMDAwWjAoMQswCQYDVQQGEwJCRTEZMBcGA1UEAxMQQmVsZ2l1
bSBSb290IENBMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMZzQh6S
/3UPi790hqc/7bIYLS2X+an7mEoj39WN4IzGMhwWLQdC1i22bi+n9fzGhYJdld61
IgDMqFNAn68KNaJ6x+HK92AQZw6nUHMXU5WfIp8MXW+2QbyM69odRr2nlL/zGsvU
+40OHjPIltfsjFPekx40HopQcSZYtF3CiInaYNKJIT/e1wEYNm7hLHADBGXvmAYr
XR5i3FVr/mZkIV/4L+HXmymvb82fqgxG0YjFnaKVn6w/Fa7yYd/vw2uaItgscf1Y
HewApDgglVrH1Tdjuk+bqv5WRi5j2Qsj1Yr6tSPwiRuhFA0m2kHwOI8w7QUmecFL
TqG4flVSOmlGhHUCAwEAAaOBuzCBuDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
BAUwAwEB/zBCBgNVHSAEOzA5MDcGBWA4CQEBMC4wLAYIKwYBBQUHAgEWIGh0dHA6
Ly9yZXBvc2l0b3J5LmVpZC5iZWxnaXVtLmJlMB0GA1UdDgQWBBSFiuv0xbu+DlkD
lN7WgAEV4xCcOTARBglghkgBhvhCAQEEBAMCAAcwHwYDVR0jBBgwFoAUhYrr9MW7
vg5ZA5Te1oABFeMQnDkwDQYJKoZIhvcNAQEFBQADggEBAFHYhd27V2/MoGy1oyCc
UwnzSgEMdL8rs5qauhjyC4isHLMzr87lEwEnkoRYmhC598wUkmt0FoqW6FHvv/pK
JaeJtmMrXZRY0c8RcrYeuTlBFk0pvDVTC9rejg7NqZV3JcqUWumyaa7YwBO+mPyW
nIR/VRPmPIfjvCCkpDZoa01gZhz5v6yAlGYuuUGK02XThIAC71AdXkbc98m6tTR8
KvPG2F9fVJ3bTc0R5/0UAoNmXsimABKgX77OFP67H6dh96tK8QYUn8pJQsKpvO2F
sauBQeYNxUJpU4c5nUwfAA4+Bw11V0SoU7Q2dmSZ3G7rPUZuFF1eR1ONeE3gJ7uO
hXY=
-----END CERTIFICATE-----
Ok let's now connect to a site using gnutls-cli. We use the authentication key and certificate we listed before.
$ ./gnutls-cli test.gnutls.org -p 5556 --x509certfile "pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29;object=Authentication;objecttype=cert;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API;id=%02" --x509keyfile "pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29;object=Authentication;objecttype=private;library-manufacturer=OpenSC%20%28www%2Eopensc%2Dproject%2Eorg%29;library-description=Smart%20card%20PKCS%2311%20API;id=%02"
PIN required for token 'BELPIC (Basic PIN)' with URL 'pkcs11:token=BELPIC%20%28Basic%20PIN%29;serial=XXX;model=PKCS%2315;manufacturer=%28unknown%29'
Enter pin:
Processed 1 client X.509 certificates...
Resolving 'test.gnutls.org'...
Connecting to '207.192.75.61:5556'...
- Successfully sent 1 certificate(s) to server.
- Ephemeral Diffie-Hellman parameters
- Using prime: 1024 bits
- Secret key: 1020 bits
- Peer's public key: 1023 bits
- Server has requested a certificate.
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `O=GnuTLS test server,CN=test.gnutls.org', issuer `CN=GnuTLS test CA', RSA key 1024 bits, signed using RSA-SHA1, activated `2007-04-18 13:29:21 UTC', expires `2008-04-17 13:29:21 UTC', SHA-1 fingerprint `9838d56df8d651c70aea6202bb2e8322f527b2cb'
- The hostname in the certificate matches 'test.gnutls.org'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.1
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
GET / HTTP/1.0
...
The output of the GET command will show us the certificate used for the connection. That was all and I hope it was simple enough.
No comments:
Post a Comment