Using smart cards with applications

This is an incomplete list of (mostly open source) end-user applications that are capable of working with smart cards initialized and/or supported by OpenSC, grouped by function. Software development libraries and helpers are listed on DeveloperInformation page.

Connection authentication + encryption

Web browsers / HTTPS

•  Mozilla Firefox - See MozillaSteps for instructions
•  Safari (on Mac OS X) - requires [OpenSC Mac OS X installer] and works transparently

SSH

• See SecureShell for instructions on how to use OpenSSH or Putty

VPN

•  OpenVPN (SSL VPN) supports PKCS#11 for client authentication.  Documentation
•  strongSwan (IPSec VPN) supports PKCS#11 modules for RSA keys so it can be used with OpenSC.  Documentation and  installation instructions. StrongSwan has limitations in PKCS#11 slot ID length, see  this post on opensc-devel for more information.
•  Openswan 2.4.X includes code to link directly against libopensc, this has been deprecated with OpenSC versions from 0.12 onwards.  README.x509 has a chapter 8 about smart card support. Openswan 2.6.X seem to have PKCS#11 support but there is no visible documentation.

Misc

• WiFi WPA authentication

Data signing + encryption

E-mail / S/MIME

•  Mozilla Thunderbird and derivates (like  Trustedbird) - see MozillaSteps for instructions
•  Evolution - see EvolutionSteps for instructions

Application specific document signing

•  OpenOffice internal  digital signatures
  • Built-in support in OpenOffice.org  http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
•  PDF
  •  Sinadura - a multiplatform PDF signing application with PKCS#11 support. Source code  available under GPL. Mostly targeting Spanish speaking people.
  •  OpenSignature - a multiplatform PDF signing application with smart card support. Source code is available under GPL. Mostly targets Italian speaking people.
  •  jPdfSign - a commandline application written in Java which allows to add an invisible signature to PDF documents. The private key for signing the PDF document have to be stored in an password protected PKCS#12 file or in a PKCS#11 compatible hardware-tokens.
• Generic
  •  Cryptonit is a multiplatform open source (GPL) signing and (de)crypting software with PKCS#11 support that generates PKCS#7 containers.

Legally binding (non-repudiation) signature software

• !DigiDocClient3 (also known as qdigidoc) implements DigiDoc/BDOC format (a  XAdES profile) and available as LGPL  source or  multiplatform binary from  https://id.eesti.ee/idtrac/wiki/ArendajaSissejuhatus. This obsoletes gdigidoc.
  • DigiDoc is the official legally binding signature format used in Estonia (and Latvia and Lithuania) See  http://wpki.eu for more information
  • Companion utility, !DigiDoc3Crypto provides encryption functionality.
•  j4sign (freesign) is a multiplatform open source legal signature software with PKCS#11 support. Currently in Italian.

Local authentication / login

• Linux/ PAM
  •  pam_pkcs11 - feature-ritch PAM module, supporting LDAP, OCSP, X509 checks.
    •  Tutorial on pam_pkcs11 and pam_krb5
  • pam_p11 - a simple PAM module for RSA public key authentication.
• Mac OS X
  • Possible, but complicated and fragile. Documentation available for  10.4 and [10.5+]

Disk encryption

•  TrueCrypt can use PKCS#11 tokens as keyfile stores. NB! TrueCrypt does not use asymmetric keys generated on the card but stores symmetric keys as data files in the token! This requires write access to the token and keyfiles are extracted in plaintext on every use.
•  Linux disk encryption

Miscellaneous applications

•  GnuPG can be configured to work with whatever smart card that provides a PKCS#11 library. See  gnupg-pkcs11 for more information. Be aware - configuring and using this solution is not trivial.
• HBCI Home banking

PKI/CA

•  EJBCA is a complete open source J2EE implementation of CA and RA software. It supports PKCS#11 for CA key storage. Compatibility with issuing OpenSC created smart cards for end users has been tested. Using OpenSC cards to store CA keys are yet to be tested.
•  OpenCA is an open source CA offering PKI services. It includes code to use the command line tools of OpenSC in a scripted way, no PKCS#11 support.
•  XCA is an open source CA GUI using OpenSSL and QT4. It supports PKCS#11 to manage and use keys and certificates on smart cards.

Work in progress

The following projects are working on adding PKCS#11 support into their software. People who feel comfortable working with source code can check out the latest snapshots.

CA

•  gnoMint is an X.509 Certification Authority management tool. Currently, it has two different interfaces: one for GTK/Gnome environments, and another one for command-line. Windows port soon (patch submitted). Import/Export? to pkcs12 format. Will soon include some OpenSC support.