root/releases/opensc-0.9.5/QUICKSTART

Revision 2063, 10.1 KB (checked in by anonymous, 4 years ago)

This commit was manufactured by cvs2svn to create branch 'opensc-0.9.5'.
  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
Line 
1A quick installation guide to opensc
2====================================
3
4To install opensc, please do as user,
5
6$ wget http://www.opensc.org/files/opensc-0.9.4.tar.gz
7$ tar xfvz opensc-0.9.4.tar.gz
8$ cd opensc-0.9.4
9
10nothing special so far.
11
12$ ./configure --prefix=/usr --sysconfdir=/etc
13
14This will install opensc in /usr with the config file in /etc.
15If you installed openct at some special place opensc might not
16find it. Please add "--with-openct=/path/to/openct" to make
17sure it is found. At the end of the configure script, opensc
18will print a summary page, too. It should look like this:
19
20OpenSC has been configured with the following options
21
22User binaries:       /usr/bin
23Configuration files: /etc
24
25Host:                i686-pc-linux-gnu
26Compiler:            gcc
27Compiler flags:      -Wall -fno-strict-aliasing -g -O2
28Preprocessor flags:  -I${top_builddir}/src/include
29Linker flags:        -L/usr -L/usr/lib -L/usr/lib
30Libraries:           -lpthread
31
32Random number collection: device (/dev/urandom)
33OpenSSL support:          yes
34        with engine:      yes
35PC/SC support:            yes
36OpenCT support:           yes
37Assuan support:           no
38LDAP support:             yes
39PAM support:              yes
40
41
42OpenSSL support is very important, some cards cannot work without.
43I strongly suggest to use a recent version. Best is 0.9.7d or later,
44as the OpenSSL project improved one issue very important to opensc.
45But older versions will work fine, too.
46
47If you want to use openssl version 0.9.6, be aware that it is available in two
48flavors: the normal version and an "engine" version. Only with the "engine"
49version OpenSC can provide full OpenSSL support, including two engines for
50OpenSSL.
51
52With OpenSSL 0.9.7 you don't need to worry, the engine support is always
53enabled.
54
55OpenSC is about smart cards. You need some software that knows smart
56card readers to access the cards in them. OpenSC supports three flavors:
57 - CT-API is a very simple interface, and there are many drivers for it,
58   mostly binary only. This support is always build into OpenSC.
59   But it is recommended to use this only for testing, or in environments
60   with a single user and a single application using smart cards.
61 - PC/SC is a standard used in the Windows world. But the pcsc-lite software
62   implements this standard for Unix and Mac OS X, too, and many drivers
63   are available for it. Some are open source, many are binary only.
64 - OpenCT is an open source software implementing smart card drivers for
65   many smart card readers and usb tokens. OpenCT does not follow any
66   standard, but instead it is small, lean, and still has everything
67   needed to do the job. OpenCT is only available on Linux and Unix-like
68   operating systems, but not on Windows.
69
70If OpenCT supports your reader, it is the recommended choice to use.
71Otherwise if there is a driver for pcsc-lite, that is your best alternative.
72
73Note: it is possible to use OpenCT both directly with OpenSC,
74but you can also create a chain OpenCT -> PC/SC-Lite -> OpenSC.
75Such a chain is only recommended, if applications other than OpenSC
76need to access the same readers and smart cards, too. Otherwise
77it adds an overhead and is not tested very much.
78
79Note also that OpenSC can use both, OpenCT and PC/SC-Lite at the
80same time. So if both are turned on, that is fine.
81
82To use OpenSC with GnuPG, first compile the assuan library, then compile
83OpenSC with support for Assuan, and then compile GnuPG with OpenSC. This
84only works with development versions of GnuPG (1.9.*) and has not been
85well tested. Feedback is very welcome. Other than to use OpenSC with
86GnuPG, the Assuan support is not needed.
87
88PAM support allowes you to use a smart card and the opensc PAM module
89to log into your system. If enabled, the pam module has two flavors:
90it can compare a key on a smart card to a certificate stored localy,
91or it can communicate with an LDAP server to check the key and
92certificate stored on a smart card. The former mode requires only
93PAM support, the later is only available, if OpenSC is compiled with
94LDAP and PAM support enabled.
95
96Now if your configuration is similar, you can compile the software.
97
98$ make
99$ su root
100
101and install the software as root
102# make install
103
104usualy opensc is fine without any config file, still you can install it:
105
106# cp etc/opensc.conf.example /etc/opensc.conf
107# cp etc/scldap.conf.example /etc/scldap.conf
108
109If you have some reason to edit the config file, feel free to do so.
110But most users are fine without.
111
112OpenSC is now fully installed. Have fun.
113
114Some usual commands include:
115
116$ opensc-tool --list-readers
117Readers known about:
118Nr.    Driver     Name
1190      openct     Towitoko Chipdrive Micro
1201      openct     Aladdin eToken PRO
1212      openct     OpenCT reader (detached)
1223      openct     OpenCT reader (detached)
1234      openct     OpenCT reader (detached)
124
125You can see, openct claims five slots, but only two are used.
126This is done to support hotplugging. If you are using OpenCT
127and PC/SC-Lite, please use this test often to make sure you
128are using some openct driver directly, and not indirectly
129via openct. In theory both should work fine, but if you have
130some problems, please test this.
131
132$ opensc-tool --reader 1 --atr
1333B E2 00 FF C1 10 31 FE 55 C8 02 9C ;.....1.U...
134
135OpenCT can give you the atr as well.
136
137$ opensc-explorer
138
139Is a tool to explore the smart card - list directories, change
140directories, look at files, and so on. If this doesn't work,
141do not panic. Many cards simply do not support this, they
142have no "ls" command. Many other tools will still work.
143
144
145Quick start guide to initializing a card
146========================================
147
148If opensc and openct are both installed and can see the reader
149and the card, you might want to start formatting it, creating
150an pkcs#15 structure, adding a user name and pin, generate a key,
151create a certificate and use it everywhere. Here is the quick guide.
152
153You can add "-v" to all of these commands, to get a more verbose
154output. Adding "-v" more than once will enable debugging or increase
155the debugging level.
156
157$ pkcs15-init --create-pkcs15
158New Security Officer PIN (Optional - press return for no PIN).
159Please enter Security Officer PIN:
160Please type again to verify:
161Unblock Code for New User PIN (Optional - press return for no PIN).
162Please enter User unblocking PIN (PUK):
163Please type again to verify:
164
165This created an empty pkcs15 structure. You can't do much without it.
166Also I entered a pin for the security officer, and an unblocking pin.
167As a general rule, the SO pin is required everytime you change the
168card, but only the user pin is required to use it.
169
170$ pkcs15-init --store-pin --auth-id 01 --label "Andreas Jellinghaus"
171New User PIN.
172Please enter User PIN:
173Please type again to verify:
174Unblock Code for New User PIN (Optional - press return for no PIN).
175Please enter User unblocking PIN (PUK):
176Please type again to verify:
177Security officer PIN required.
178Please enter Security officer PIN:
179
180I created a user with my name on it, so it is easier to see who uses
181this card. The security officer pin is required as this changes the
182card. However later to use it, the security officer pin will never
183work, there is no way for the security officer to get to my key.
184Also I need to remember my unblocking pin, as only I can reset it,
185the security officer cannot.
186
187$ pkcs15-init --generate-key rsa/1024 --auth-id 01
188Security officer PIN required.
189Please enter Security officer PIN:
190User PIN required.
191Please enter User PIN:
192Security officer PIN required.
193Please enter Security officer PIN:
194
195This created an RSA key that I as User can use.
196Lets create a new self-signed certificate with it.
197To do this, we use openssl.
198
199$ openssl
200OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/opensc/engine_pkcs11.so \
201        -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
202(dynamic) Dynamic engine loading support
203[Success]: SO_PATH:/home/aj/opentest/lib/opensc/engine_pkcs11.so
204[Success]: ID:pkcs11
205[Success]: LIST_ADD:1
206[Success]: LOAD
207Loaded: (pkcs11) pkcs11 engine
208OpenSSL>
209
210It is important to enter the whole long command in one single command
211line. I usualy copy&paste the command, to make sure I don't mistype
212anything. This command loads the opensc engine, so openssl can delegate
213some work from your computers cpu to the smart card.
214
215OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509
216SmartCard PIN:
217You are about to be asked to enter information that will be incorporated
218into your certificate request.
219What you are about to enter is what is called a Distinguished Name or a DN.
220There are quite a few fields but you can leave some blank
221For some fields there will be a default value,
222If you enter '.', the field will be left blank.
223-----
224Country Name (2 letter code) [AU]:.
225State or Province Name (full name) [Some-State]:.
226Locality Name (eg, city) []:.
227Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
228Organizational Unit Name (eg, section) []:.
229Common Name (eg, YOUR name) []:Andreas Jellinghaus
230Email Address []:aj@dungeon.inka.de
231
232Please enter the following 'extra' attributes
233to be sent with your certificate request
234A challenge password []:
235An optional company name []:
236OpenSSL>
237
238So now I have a signed certificate. Remove the final "-x509" if you want
239a certificate signing request only. In that case, send the request
240to the CA, wait till you get it back, signed, and proceed as normal.
241
242Now store the certificate side by side with the key. It is important
243to save the certificate under the same ID as the key. You can get
244a list of all keys and their details (including the ID) with:
245
246$ pkcs15-tool --list-keys
247Private RSA Key [Private Key]
248        Com. Flags  : 3
249        Usage       : [0x4], sign
250        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
251        ModLength   : 1024
252        Key ref     : 16
253        Native      : yes
254        Path        : 3F005015
255        Auth ID     : 01
256        ID          : 45
257
258So lets store the key:
259$ pkcs15-init --store-certificate req.pem --auth-id 01 --id 45 --format pem
260Security officer PIN required.
261Please enter Security officer PIN:
262
263Now we are ready to go. If you want to add more certificates (e.g. the root
264certificate of the CA that signed your key, or some intermediate certificates
265in the chain to the root CA) simply put those into pem files, and add them
266to id 46, 47 and so on.
267
Note: See TracBrowser for help on using the browser.