[Smartsign-devel] Sign-MCard 0.1.5 released.
Status: Pre-Alpha
Brought to you by:
kefren
Menu
▾
▴
[Smartsign-devel] Sign-MCard 0.1.5 released.
|
From: Tommaso C. <ke...@ti...> - 2003-02-06 21:02:08
|
Hi all, a new release of the Sign-MCard package is available for download from the Smart Sign web site: http://smartsign.sourceforge.net In the new release, the loadkey_mcard utility can load both a private key and a public key certificate on the card at once. Further details follow. Please, submit any comments to the Smart Sign mailing lists: mailto:sma...@li... mailto:sma...@li... Bye, T. -- Sign/verify command line utilities for M.U.S.C.L.E. Cards ============================================================ This package provides a couple of command line utilities that allow you to calculate a digital signature of a generic file using the key and public key certificate stored on your smart card, and verify it against the original file. Actually the verify utility does not need any smartcard. An additional utility, `loadkey_mcard', is provided in order to easily transfer an already generated private key from your host machine to the smartcard. REQUIREMENTS ------------------------------------------------------------ This package requires PCSC-Lite from M.U.S.C.L.E. project and MuscleCard framework (release 1.0.1, actually) with proper smartcard reader's driver installed for your reader and card's plugin for your card. It also requires a MuscleCard supported card, that is a card for which a MuscleCard plugin has been developed (Schlumberger's Cyberflex 32K MuscleCard Applet or Gemplus' 211/PK with MuscleCard Applet or Cryptoflex 16K, actually). Please, check out the MuscleCard web site for an up-to-date list of supported cards: http://www.musclecard.com. This utility compiles correctly on RedHat 6.x based systems, but not on a RedHat 7.2 system, because on these systems OpenSSL comes in the "Engine" flavour. Compilation is still possible on such systems by using a custom OpenSSL installation without the "Engine" capability. The custom installation path can be specified with the `--with-openssl=' switch to the configure script. This utility can also work without smartcards at all, if the user's private key and certificate are stored on the hard disk as files in standard OpenSSL format. In this case, MuscleCard and PCSC Lite are still required to be installed on your system in order to link the executables. USAGE ------------------------------------------------------------ Just type: user > sign_mcard --help user > verify_mcard --help Here is an example usage: user > sign_mcard -in file.txt -out file.p7 -sc Please, enter smartcard PIN: ******* ... In order to load an already existing private key from your host machine to your smartcard, type: user > loadkey_mcard <keyfile.der> -kn <key_nb> -pn <pin_nb> Key file must be DER-encoded. In order to use digital signatures, you also have to load onto your smartcard your public key certificate, DER-encoded. You can do it by using XCardII from the MuscleCard site. Now you can also use loadkey_mcard to load a DER-encoded certificate on your card. Type: user > loadkey_mcard <keyfile.der> -kn <key_nb> -pn <pin_nb> \ -cf <certfile.der> -co <certOID> The certOID argument must match the "-cert sc:oid" argument to sign_mcard. PKCS#11 COMPATIBILITY ----------------------------------------------------------- Sign-MCard can be used in a compatible way with both the PKCS#11 module from the Smart Sign project, (Card-Edge-Token), and the PKCS#11 module from the MuscleCardFramework package. You only need to supply proper certificate-oid and key-num parameters to the sign_mcard program. ** Card-Edge-Token from Smart Sign ** The certificate object ID, supplied to sign_mcard by means of the "-cert sc:oid" option, must be the same as specified in the [SC_TOKEN] section of the gpkcs11.rc configuration file, in a line that looks like: CertificateOID cert Private key number, supplied to sign_mcard by means of the "-sc:num" option, must be the same as specified in the [SC_TOKEN] section of the gpkcs11.rc configuration file, in a line that looks like: # Key numbers to be used as user keys PrivateKeyNumber 0 ** PKCS#11 Module from MuscleCardFramework ** This module allows storage of multiple keys/certificates onto a same card. Key pairs 0-1,2-3,4-5,6-7 correspond to certificates object IDs "c0", "c1", "c2", "c3". The certificate object ID and key numbers at sign_mcard invokation must be set accordingly. Please, note that you can only use with sign_mcard keypairs and certificates generated with this PKCS#11 module, but you cannot use with the same module a keypair/certificate loaded with the loadkey_mcard utility. LICENSE ------------------------------------------------------------ This package has been obtained as a modification of the OpenSSL utility "sign" by Eric Young. Changes have been done by Tommaso Cucinotta as part of the SmartSign project (http://smartsign.sourceforge.net). Before compiling and using this package, please assure to agree with the terms stated into the LICENSE file. All of the additional modules that were necessary to integrate the MUSCLE Card framework into this package, provided as separate files, are part of the SmartSign project and retain the original SmartSign software license. As a further note, please note that redistribution of this package is only allowed if the original authors, enumerated in the AUTHORS file, are clearly cited in every documentation and advertising material that is eventually added to the package itself. INSTALLATION ------------------------------------------------------------ (see also the REQUIREMENTS section) user > ./configure user > make root # make install TECHNICAL NOTES ------------------------------------------------------------ The signing utility relies on the user's private key being stored onto the smartcard. Use of such key should be PIN protected. The PIN number of the required PIN for using the key is deduced from the key ACL. It also supports an ACL requiring no PIN at all. In this case, the user is not prompted for a PIN, but a warning message is printed. It also relies on the user's public key certificate to be stored DER-encoded into an object. This object does not need to be PIN protected. Default key number, object identifier and PIN number are customizable by editing the proper section of Makefile.in, then (re-)configuring. The default values are also overridable by using command line options. See the help message from sign_mcard for details. The verify utility does not require the smartcard at all. It only needs the original data, the root public key cert and the PKCS#7 signature of the data. The signature is stored as a PKCS#7 blob and includes the user's public key certificate. |
