Hello,

I have a smart card for digital signatures bought from one of our national providers and I wish to use it in Debian GNU/Linux 8. Unfortunately I haven't been able to do so.

I've spent the last few days. I need it because I wish to submit my tax forms online, and I'm required to sign them with an approved device.

The card is sold by DigiSign Romania.

In hopes of better support in the future, I'm giving some information below:

lsusb

    Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 009: ID 12d1:1569 Huawei Technologies Co., Ltd.
    Bus 001 Device 005: ID 1bcf:2c08 Sunplus Innovation Technology Inc.
    Bus 001 Device 004: ID 8087:07da Intel Corp.
    Bus 001 Device 003: ID 08ff:168f AuthenTec, Inc. AES1660 Fingerprint Sensor
    Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 003 Device 022: ID 18d1:4ee3 Google Inc. Nexus 4 (tether)
    Bus 003 Device 027: ID 0529:0620 Aladdin Knowledge Systems Token JC
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

opensc-tool -l

    # Detected readers (pcsc)
    Nr.

I've started working on the driver. I'm following the tutorial from 1; however, when I run ./bootstrap, I get:

    libtoolize: copying file `m4/lt~obsolete.m4'
    autoreconf: running: /usr/bin/autoconf --force
    configure.ac:104: error: possibly undefined macro: AC_DEFINE
          If this token and others are legitimate, please use m4_pattern_allow.
          See the Autoconf documentation.
    configure.ac:236: error: possibly undefined macro: AC_MSG_ERROR
    configure.ac:329: error: possibly undefined macro: AC_CHECK_LIB
    autoreconf: /usr/bin/autoconf failed with exit status: 1

I'm running Debian Jessie.

1.

I have collected more information about the token. I made it work on Debian 8 by installing the proprietary drivers (updated for Debian 8).
Is it a requirement that you use the token used for your taxes with its existing certificates and keys?

If not, I would suggest buying some other card that has Linux, Windows and MacOS support either from the vendor or open source.

If you need to use that card, you either need to find documentation on the application that is used on that card. A card is like a computer, the ATR describes some attributes about card, but not the program it is running. Many governments that issue cards to citizens have some public documentation on how the application on the card works. It usually describes the APDUs and file formats.

If you can find a working PKCS#11 module, great. The SAC file I looked contained /usr/lib/libeTPkcs11.so. Based on the SafenetAuthenticationClient. Look for other SafenetAuthenticationClient packages from GemAlto. The module is a PKCS#11 module.

Mozilla, SSH and PAM can use PKCS#11 modules so it's a good standard to use.

OpenSC has many utilities that can work directly with most PKCS#11 modules and OpenSC has its own opensc-pkcs11.so that can work with cards (with selected applications) that OpenSC supports. (OpenSC also has utilities and other drivers that bypass PKCS#11 and only work with cards supported by OpenSC.)

All smartcard middleware use PCSC, this includes Windows, Linux and Mac. If you need to write OpenSC support for some card and application an APDU trace of a working card can help. If the card works on Windows a USB trace with the APDUs can also help. But some cards are now using Secure Messaging so the data in these traces is encrypted and not very helpful.

On 5/1/2016 4:40 PM, Ioan Eugen Stan wrote:

    have you tried version 9 from the link I gave?

Douglas E.

/usr/lib/libeTPkcs11.so makes both pkcs11-tool and Thunderbird crash:

    % pkcs11-tool --module /usr/lib/libeTPkcs11.so -O
    pkcs11-tool: CRYPTO/Crypto.c:247: initopensslcrypto: Assertion `lib' failed.
    zsh: abort pkcs11-tool --module /usr/lib/libeTPkcs11.so -O

However, /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so seems to be accepted by Thunderbird (token shows up), and makes pkcs11-tool exit normally (and even makes the token blink!).

    % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -O
    No slot with a token was found.

Thus pcscd does nothing either:

    # pcscd -d -a
    # echo $?
    1

At least opensc-tool does work:

    % opensc-tool -l
    # Detected readers (pcsc)
    Nr.  Card  Features  Name
    0    Yes             AKS ifdh Main Interface 00 00

I'll keep looking around. I am not even sure what I am looking for: should 'Log In' become enabled in Mozilla's 'Security devices' interface?

Anyway, your help is greatly appreciated!
On 5/2/2016 1:40 PM, Quentin Santos wrote:

    /usr/lib/libeTPkcs11.so makes both pkcs11-tool and Thunderbird crash:
    % pkcs11-tool --module /usr/lib/libeTPkcs11.so -O
    pkcs11-tool: CRYPTO/Crypto.c:247: initopensslcrypto: Assertion `lib' failed.
    zsh: abort pkcs11-tool --module /usr/lib/libeTPkcs11.so -O

OK, libeTPkcs11.so was part of the SAC package someone else said might work.

I just got one of these, the v9 tool kit works with it. Adding lsusb output to help direct search results here.

Dengert, thanks!
'CRYPTO/Crypto.c:247: initopensslcrypto: Assertion lib failed.'

Slack is doing different because there is a security concern here. There is even a Slackie spec that user and group pcscd should have a certain UID & GID and pcscd should be run only under these credentials, with no root privileges. In fact, all the device system doesn't need privileges. The SlackBuild script takes care of ownership and access rights of ordinary folders used by pcscd.

Even if I use my computer as desktop, I work as an ordinary user and all processes run like that, never had a problem.

From SACTools, info about token:

    HW ver: 4.29
    FW ver: 1.0
    Product name: eToken PRO Java 72K OS755
    Model Token 4.29.1.1.1.0
    Card type: Java card
    OS version: eToken Java Applet 1.1.25
    Supported key size: 2048 bits.

#EXAMPLES FOR GENERATING A PRIVATE KEY ON THE ETOKEN

the Aladdin initialization doesn't do a pkcs15/opensc compatible setup.
The pkcs11 tools should be capable of working with the eTpkcs11.dll, then the openssl engine should, in theory, be able to load it (eTpkcs11.dll) to accomplish everything (?) that could be accomplished with a key initialized with the opensc code.

Have you tried using the pkcs11-spy dll to trace the pkcs11 activity between the pkcs11-tool.exe (or the openssl engine_pkcs11) and the eTpkcs11.dll?

As Nils mentioned, the opensc initialization is pkcs15 compatible, while the etoken's native setup isn't, so this successful result won't help you unless you can move everything over to opensc. Since there's not currently a MS-compatible Cryptographic Service Provider(?) for opensc, this can be a problem integrating with MS software.

    "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool" --module "C:\windows\system32\eTPKCS11.dll" --login --test
    Using slot 0 with a present token (0x0)
    Logging in to "fer-etoken".
    Please enter User PIN:
    C_SeedRandom and C_GenerateRandom:
      seems to be OK
    Digests:
      all 4 digest functions seem to work
      MD5: OK
      SHA-1: OK
    Signatures (currently only for RSA)
    Signatures: no private key found in this slot
    Verify (currently only for RSA)
      No private key found for testing
    Key unwrap (currently only for RSA)
    Decryption (currently only for RSA)
    No errors.

    "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs11-tool" --module "C:\windows\system32\eTPKCS11.dll" -L
    Available slots:
    Slot 0 (0x0): AKS ifdh 0
      token label: fer-etoken
      token manufacturer: SafeNet, Inc.
      token model: eToken
      token flags: login required, rng, token initialized, PIN initialized, other flags=0x200
      hardware version: 4.30
      firmware version: 1.0
      serial num: 01c5f0a2
      pin min/max: 6/16
    Slot 1 (0x1): AKS ifdh 1
      (empty)
    Slot 2 (0x2): Rainbow Technologies iKeyVirtualReader 0
      (empty)
    Slot 3 (0x3): Rainbow Technologies iKeyVirtualReader 1
      (empty)

    "C:\Program Files\OpenSC Project\OpenSC\tools\opensc-tool" -c gpk --list-algorithms
    Using reader with a card: AKS ifdh 0
    Algorithm: rsa
    Key length: 512
    Flags: padding ( pkcs1 ansi iso9796 ) hashes ( sha1 MD5 md5-sha1 )
    RSA public exponent: 65537

    Algorithm: rsa
    Key length: 768
    Flags: padding ( pkcs1 ansi iso9796 ) hashes ( sha1 MD5 md5-sha1 )
    RSA public exponent: 65537

    Algorithm: rsa
    Key length: 1024
    Flags: padding ( pkcs1 ansi iso9796 ) hashes ( sha1 MD5 md5-sha1 )
    RSA public exponent: 65537

Generating a key pair inside the eToken.