Philipp's Computing Blog

Success is about speed and efficiency

Feitian PKI Smartcard (FTCOS / PK-01C)

Features:

  • PIN code security.
  • Support ISO 7816 features / 64KB data space.
  • Support RSA keys up to 2048bit / standard X.509 v3 certificates.
  • On-board DES, 3DES, MD5, SHA-1, SHA-256, RSA 1024, RSA 2048 algorithms.
  • OpenSC compatible (GNU/Linux, Mac OS X, Windows)
  • Both PKCS#11 and MS-CAPI interfaces.
  • Hardware random number generator.

Details

The PKI Smartcard works perfectly for me in the Feitian R-301 SIM reader. The reader doesn't need a driver from the vendor (on Linux and Mac OS X).

Initialization

opensc-tool --atr

Using reader with a card: Feitian SCR301 00 00
3b:9f:95:81:31:fe:9f:00:65:46:53:05:30:06:71:df:00:00:00:80:6a:82:5e

opensc-tool --serial

Using reader with a card: Feitian SCR301 00 00
15 00 22 24 09 31 12 10 .."$.1..

opensc-tool --name

Using reader with a card: Feitian SCR301 00 00
entersafe

opensc-tool --list-algorithms

Using reader with a card: Feitian SCR301 00 00
Algorithm: rsa
Key length: 512
Flags: onboard key generation padding ( none ) hashes ( )

Algorithm: rsa
Key length: 768
Flags: onboard key generation padding ( none ) hashes ( )

Algorithm: rsa
Key length: 1024
Flags: onboard key generation padding ( none ) hashes ( )

Algorithm: rsa
Key length: 2048
Flags: onboard key generation padding ( none ) hashes ( )

opensc-explorer

OpenSC Explorer version 0.12.2
Using reader with a card: Feitian SCR301 00 00
unable to select MF: Not allowed

Now we erase the card to start from scratch (this deletes all information on the card!):

pkcs15-init -E

Using reader with a card: Feitian SCR301 00 00

#pkcs15-init --create-pkcs15 --use-default-transport-keys --profile pkcs15+onepin
pkcs15-init --create-pkcs15 --use-default-transport-keys --profile pkcs15+onepin --pin 1234 --puk 987654 --label "Philipp Klaus"

Using reader with a card: Feitian SCR301 00 00

pkcs15-tool --dump

Using reader with a card: Feitian SCR301 00 00
PKCS#15 Card [Philipp Klaus]:
Version : 0
Serial number : 1500222409311210
Manufacturer ID: EnterSafe
Last update : 20111229173029Z
Flags : EID cardompliant

PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:15002224093110116, stored_len:16
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015

You don't need to go on with the "Tuning smartcard file system" step, as most of those changes are already in /Library/OpenSC/share/opensc/entersafe.profile (on Mac OS X). (The OpenSC configuration file is located at /Library/OpenSC/etc/opensc.conf on Mac OS X.)
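The auth-id passed to later pkcs15-init calls (--auth-id) is the ID of the User PIN object shown in the dump above. The following is an added example, not part of the original post: two small shell functions that read that ID and the "initialized" flag out of pkcs15-tool --dump output, so a script does not have to hard-code the value. The sample dump embedded in the block is the one printed on this page, trimmed to the PIN object, and the parser assumes the same line layout ("ID : 01", one object per blank-line-separated block).

```shell
#!/bin/sh
# Added example (not from the original post): extract the User PIN's
# auth-id and initialization state from `pkcs15-tool --dump` output.
# SAMPLE_DUMP is the dump shown on this page, trimmed to the PIN object.
SAMPLE_DUMP='PKCS#15 Card [Philipp Klaus]:
Version : 0
Serial number : 1500222409311210
Manufacturer ID: EnterSafe

PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:15002224093110116, stored_len:16
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 3f005015'

# Print the ID field of the named PIN object ("User PIN" by default).
# $1 is the dump text; the object's block runs from its "PIN [...]"
# header to the next blank line. Prints nothing if the PIN is absent.
pin_auth_id() {
    printf '%s\n' "$1" | awk -v name="${2:-User PIN}" '
        $0 == ("PIN [" name "]") { inpin = 1; next }
        inpin && NF == 0         { inpin = 0 }
        inpin && $1 == "ID"      { print $3; exit }
    '
}

# Return 0 if the named PIN object reports the "initialized" flag,
# 1 otherwise (also 1 when the object is not in the dump at all).
pin_initialized() {
    printf '%s\n' "$1" | awk -v name="${2:-User PIN}" '
        $0 == ("PIN [" name "]") { inpin = 1; next }
        inpin && NF == 0         { inpin = 0 }
        inpin && $1 == "Flags" && /initialized/ { found = 1; exit }
        END { exit !found }
    '
}

# Usage with the card in the reader (hardware-dependent, not run here):
#   dump=$(pkcs15-tool --dump)
#   pin_initialized "$dump" || { echo "User PIN not initialized" >&2; exit 1; }
#   id=$(pin_auth_id "$dump")
#   pkcs15-init --generate-key rsa/2048 -u sign,decrypt --auth-id "$id"
```

The initialization check is the one worth running before any key operation: an uninitialized User PIN means pkcs15-init will fail or prompt unexpectedly, and catching that from the dump is cheaper than retrying a 90-second key generation.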

Changing the PIN

http://www.gooze.eu/howto/smartcard-quickstarter-guide/managing-pin-codes

pkcs15-tool --change-pin

Creating a 2048-bit RSA key on the card

pkcs15-init --generate-key rsa/2048 -u sign,decrypt --auth-id

This takes about 91 seconds with my Feitian R-301 SIM reader.

Deleting a Key

Deleting keys (files in the PKCS#15 file system) is not supported by the Feitian PKI card.
Otherwise the command would be:

pkcs15-init -D privkey,pubkey --id 50a086f73683c5c56a749e221a01b7d712e4de9a

OpenVPN

Basically, set up OpenVPN as described in the Gooze howto or in my blog post. Then create a new client certificate using:

cd /etc/openvpn/easy-rsa/
source vars
pkitool --pkcs12 client

Enter your password twice to secure the pkcs12 file.

Four files are generated:

  • client.key: client RSA private key.
  • client.crt: client X.509 certificate.
  • client.csr: client signing request (no need to keep it).
  • client.p12: PKCS#12 file including the RSA private key, the X.509 certificate and the CA certificate.

Copy the files to your local computer. Then put the key on the smartcard:

pkcs15-init --store-private-key client.p12 --format pkcs12 --auth-id 01
pkcs15-tool --dump

Change the client configuration:

; cert client.crt
; key client.key
pkcs11-providers /Library/OpenSC/lib/opensc-pkcs11.so
pkcs11-id 'EnterSafe/PKCS\x2315/4093150022211011/Philipp\x20Klaus\x20\x28User\x20PIN\x29/4BCF074E46D3C046C4507BF9A29312A789BFB765'

where 'EnterSafe/...' is what you get when you run:

brew install openvpn
/usr/local/sbin/openvpn --show-pkcs11-ids /Library/OpenSC/lib/opensc-pkcs11.so
# or rather (as the homebrew version does not have the pkcs11 support built-in):
/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.2.1/openvpn --show-pkcs11-ids /Library/OpenSC/lib/opensc-pkcs11.so
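Copying the serialized id by hand is error-prone because it contains backslash escapes and spaces, and OpenVPN requires it to be single-quoted. As an added example (not code from the original post or from OpenVPN/OpenSC), the block below turns the output of openvpn --show-pkcs11-ids into the two config lines from above. The sample output embedded in it is constructed to match the shape of that command's listing; the serial number and certificate hash in it are placeholders, not values from a real card.

```shell
#!/bin/sh
# Added example (not from the original post): build the pkcs11-providers /
# pkcs11-id config lines from `openvpn --show-pkcs11-ids <provider>` output.
# SAMPLE_IDS is a constructed stand-in for that output; the id's serial
# number and hash are zero placeholders, not values from a real card.
SAMPLE_IDS='
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             CN=client
       Serial:         02
       Serialized id:  EnterSafe/PKCS\x2315/0000000000000000/Example\x20\x28User\x20PIN\x29/0000000000000000000000000000000000000000
'

# Print the serialized id of the first certificate in the listing.
# Backslash escapes in the id are passed through untouched.
serialized_id() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1
}

# Emit the two client-config lines. $1 is the provider library path,
# $2 the text of the --show-pkcs11-ids listing. The id is single-quoted
# exactly as OpenVPN asks for it.
pkcs11_config_lines() {
    provider=$1
    id=$(serialized_id "$2")
    [ -n "$id" ] || { echo "no Serialized id found in listing" >&2; return 1; }
    printf "pkcs11-providers %s\npkcs11-id '%s'\n" "$provider" "$id"
}

# Usage with the card in the reader (hardware-dependent, not run here):
#   provider=/Library/OpenSC/lib/opensc-pkcs11.so
#   pkcs11_config_lines "$provider" "$(openvpn --show-pkcs11-ids "$provider")" >> client.conf
```

If the card carries more than one certificate, the listing has several "Serialized id" lines; the function takes the first, so check the DN printed above it before appending the result to the config.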

Debugging: http://www.opensc-project.org/opensc/wiki/UsingOpensc and http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick#comment-382

OpenSSH

Put your existing RSA key on the card as follows:

openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
pkcs15-init --store-private-key id_rsa.pem --auth-id 01

The OpenSSH man page states:

PKCS11Provider
Specifies which PKCS#11 provider to use. The argument to this
keyword is the PKCS#11 shared library ssh(1) should use to
communicate with a PKCS#11 token providing the user's private
key.

On Mac OS X 10.7.2 Lion we need a newer version of OpenSSH (as the version shipped with it doesn't support PKCS#11):

brew install https://raw.github.com/adamv/homebrew-alt/c1fb11ee73bfcad5ed293875fb1b31f33ac4936f/duplicates/openssh.rb
echo -e "PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.so\n" >> /usr/local/etc/ssh_config

Now you're ready to ssh to a remote host (provided your public key is in .ssh/authorized_keys on the remote machine):

/usr/local/bin/ssh someuser@somehost
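The login only works if the public key that belongs to the key now on the card is in the remote authorized_keys. ssh-keygen -D <provider> lists the public keys a PKCS#11 library exposes, which is the line to publish. As an added example (not from the original post), the block below appends such a line to an authorized_keys file only if the same key is not already present, so re-running it after each card does not pile up duplicates. The key line embedded in it is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): publish the token's public
# key into an authorized_keys file without duplicating it. On a real system
# the key line comes from `ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so`.
# SAMPLE_KEY is a constructed placeholder; its blob is not real key material.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0EXAMPLEKEYMATERIALNOTREAL0000 feitian-pki-card'

# Append $2 (one public-key line) to the file $1 unless a line with the
# same "type blob" pair already exists. The trailing comment is ignored
# for the comparison, so the same key with a different label is not re-added.
add_authorized_key() {
    file=$1
    key=$2
    type_and_blob=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    touch "$file"
    if awk -v want="$type_and_blob" '($1 " " $2) == want { found = 1 } END { exit !found }' "$file"; then
        return 0    # already present, nothing to do
    fi
    printf '%s\n' "$key" >> "$file"
}

# Number of key lines in an authorized_keys file (for checking the result).
count_keys() {
    grep -c '^ssh-' "$1"
}

# Usage with the card in the reader (hardware-dependent, not run here):
#   ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so | while read -r line; do
#       add_authorized_key "$HOME/card_authorized_keys" "$line"
#   done
#   # then copy the file's content into ~/.ssh/authorized_keys on the remote host
```

Comparing only the key type and blob is deliberate: the comment field is free text and would otherwise let the same card key be added once per label.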

Using the Feitian PKI Card as Random Source

echo "random 128" | opensc-explorer

How to use a smart card as a random data source in Linux: cardrand. It keeps asking the smartcard for high-grade entropy and injecting it into the entropy pool. You could also do this by writing to /dev/random (you can only write cat /proc/sys/kernel/random/poolsize bytes).

Possible alternatives:

Single Sign On (SSO)

MacOS X Keychain Logon (Single Sign-On)

Resources