[Pki-users] Provisioning smart cards - is there a piece missing?

Andrew C. Dingman andrew at dingman.tech
Fri Mar 15 19:55:10 UTC 2019


On Wed, 2019-03-06 at 16:08 -0800, Andrew C. Dingman wrote:
> Hi, All,
> 
> I'm working on a project for which we need to take blank smart cards
> and configure them to be used as authentication tokens in a pure RHEL
> environment. Given a token with the appropriate certificate loaded, we
> have all the client pieces working, but where we stumble is on getting
> the cards set up in the first place.
> 
> The three steps I can't seem to accomplish with OpenSC on RHEL are
> generating a keypair, generating the corresponding certificate, and
> then loading the issued certificate onto the card. I can make all of
> that happen with a YubiKey 5, but only using a vendor-specific tool:
> 
>    # Generate the keypair
>    yubico-piv-tool -a generate -s 9a -A RSA3072 \
>                    --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" \
>                    > "${WORKDIR}/9a.key"
>    # Create a CSR
>    yubico-piv-tool -a verify -a request -s 9a \
>                    --pin="${TOKEN_PIN}" --key="${TOKEN_MK}" \
>                    -S "/CN=${IdMuid}/O=${IdMRealm}/" \
>                    < "${WORKDIR}/9a.key" > "${WORKDIR}/9a.csr"
>    # Submit the CSR to IPA
>    ipa cert-request "${WORKDIR}/9a.csr" --principal="${IdMuid}" \
>        --profile-id=IECUserRoles --certificate-out="${WORKDIR}/9a.crt"
> 
>    # Load certificate onto card
>    yubico-piv-tool -a import-certificate -s 9a --pin="${TOKEN_PIN}" \
>                    --key="${TOKEN_MK}" < "${WORKDIR}/9a.crt"
> 
> But if I try to replace the calls to yubico-piv-tool above with calls
> to opensc's piv-tool or pkcs11-tool, I just get errors about the
> operation not being supported by the card -- whether I use a YubiKey, a
> G&D SmartCafe card, or a Gemalto card. I also get those errors from the
> Taglio PIV_II, but their documentation straight up says you have to use
> Windows to provision them.
> 
> I suspect what's going on here is that the card vendors aren't
> implementing the provisioning operations through standard interfaces
> and I lack either the right PKCS11 module for the card, or some
> equivalent to the yubico-piv-tool that the other token vendors would
> need to supply. Can anyone confirm that? Or otherwise tell me what I'm
> missing?
> 
> We're pretty flexible about tokens; anything acceptable for US
> government use and shaped like a card rather than a USB device is
> acceptable for the project, but we don't want any Windows in the
> provisioning process. So if you know a particular smart card model that
> you know can be provisioned entirely on RHEL, that would be really
> useful information for us. I think the Aventra MyEID likely can based
> on their site and the OpenSC documentation, but I'm not entirely
> certain it's FIPS certified for more than the RNG.
> 
> Thanks for any insight you can offer!

Following up my own post, I have now received some of the Aventra MyEID
cards I mentioned, and they do indeed work in a pure RHEL environment.
Given the tools I used, probably any RHEL >= 7.4, though I only tested
on 7.6.

One interesting thing about the card: Although the process below lets
me create a functional card for login purposes, ESC completely refuses
to touch these cards when they are blank. The format button stays
greyed out and no certificates show up even though the blank card is
shown. Formatting with pkcs15-init still doesn't give me any option to
enroll. I'm not sure we care about the KRA, TPS, or other features we'd
get by using Certificate System rather than the embedded Dogtag in IPA,
but it does seem odd. Insight would be most welcome.

Eventually I'll make a blog post or article or something of it, but in
the meantime here's what I did:

[admin at client1 ~]$ sudo pkcs15-init -C --pin ${USERPIN} --puk ${USERPUK} --so-pin ${SOPIN} --so-puk ${SOPUK}
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
[admin at client1 ~]$ pkcs15-init -P -a 1 -l "${PINLABEL}" --pin ${USERPIN} --puk ${USERPUK} --so-pin ${SOPIN}
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
[admin at client1 ~]$ mkdir nssdb
[admin at client1 ~]$ certutil -N -d nssdb --empty-password
[admin at client1 ~]$ modutil -dbdir nssdb/ -add OpenSC -libfile /lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:

Module "OpenSC" added to database.
[admin at client1 ~]$ certutil -d nssdb/ -h "${PINLABEL} (MyEID)" -R -k rsa -g 2048 -s 'CN=demo,O=EXAMPLE.COM' -7 demo at example.com -a -o demo.csr
Enter Password or Pin for "Auth PIN (MyEID)":

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 


Generating key.  This may take a few moments...

Enter Password or Pin for "Auth PIN (MyEID)":
Enter Password or Pin for "Auth PIN (MyEID)":
[admin at client1 ~]$ ipa cert-request demo.csr --principal=demo --profile-id=IECUserRoles --certificate-out=demo.crt
  Issuing CA: ipa
  Certificate:
  Subject: CN=demo,O=EXAMPLE.COM
  Subject email address: demo at example.com
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Thu Mar 14 23:04:08 2019 UTC
  Not After: Sun Mar 14 23:04:08 2021 UTC
  Serial number: 19
  Serial number (hex): 0x13
[admin at client1 ~]$ openssl x509 -inform pem -in demo.crt -outform der -out demo.der
[admin at client1 ~]$ pkcs11-tool -w demo.der -y cert --pin ${USERPIN} 
Using slot 1 with a present token (0x4)
Created certificate:
Certificate Object; type = X.509 cert
  label:      Certificate
  ID:         6034d6b339a90c169ecbee2f151a33ec7445a4b7
[admin at client1 ~]$ pkcs15-init -F
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 01 00
[admin at client1 ~]$
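The session above as a reusable script, added here as an example; it is not part of the original post and not an OpenSC or Aventra tool. It wraps the same pkcs15-init, certutil/modutil, ipa cert-request, openssl and pkcs11-tool calls in functions (PINLABEL, USERPIN, USERPUK, SOPIN and SOPUK are assumed to be set by the caller as in the post; NSSDB, OPENSC_MODULE and the function names are this example's own choices) and adds the check a practitioner wants after `pkcs11-tool -w`: PKCS#11 clients such as NSS pair a certificate with its private key through the CKA_ID both objects carry, which OpenSC derives from the PKCS#15 ID, so a certificate whose ID matches no private key on the card shows up in listings but cannot be used to log in. Since the session wrote the certificate without an explicit `--id`, `matched_cert_ids` parses `pkcs15-tool -D` output and prints only the certificate IDs that have a key with the same ID. The `pkcs15-tool -D` sample in the script is constructed in that tool's layout, not captured from a real card.

```shell
#!/bin/sh
# Added example (not from the original post): the MyEID steps from the
# session above as shell functions, plus an offline check on the result.
# Assumed set by the caller, as in the post: PINLABEL USERPIN USERPUK SOPIN SOPUK.
# NSSDB, OPENSC_MODULE and the function names are this example's own choices.
set -eu

NSSDB="${NSSDB:-$HOME/nssdb}"
OPENSC_MODULE="${OPENSC_MODULE:-/lib64/opensc-pkcs11.so}"

# Erase the card, create its PKCS#15 structure and the user PIN (auth ID 1).
init_card() {
    pkcs15-init -C --pin "$USERPIN" --puk "$USERPUK" \
                --so-pin "$SOPIN" --so-puk "$SOPUK"
    pkcs15-init -P -a 1 -l "$PINLABEL" --pin "$USERPIN" --puk "$USERPUK" \
                --so-pin "$SOPIN"
}

# NSS database with the OpenSC PKCS#11 module loaded, so certutil generates
# the key on the token rather than in the database. -force skips the
# "browser running" prompt seen in the session above.
init_nssdb() {
    mkdir -p "$NSSDB"
    certutil -N -d "$NSSDB" --empty-password
    modutil -dbdir "$NSSDB" -add OpenSC -libfile "$OPENSC_MODULE" -force
}

# Generate an RSA-2048 key on the token, have IPA sign the CSR, and load the
# DER certificate onto the card. $1 principal, $2 subject DN, $3 e-mail.
enroll() {
    principal="$1"; subject="$2"; email="$3"
    certutil -d "$NSSDB" -h "${PINLABEL} (MyEID)" -R -k rsa -g 2048 \
             -s "$subject" -7 "$email" -a -o "${principal}.csr"
    ipa cert-request "${principal}.csr" --principal="$principal" \
        --profile-id=IECUserRoles --certificate-out="${principal}.crt"
    openssl x509 -inform pem -in "${principal}.crt" -outform der \
            -out "${principal}.der"
    pkcs11-tool -w "${principal}.der" -y cert --pin "$USERPIN"
    pkcs15-init -F
}

# Offline check on `pkcs15-tool -D` output (read from stdin): print the IDs
# of certificates that have a private key with the same PKCS#15 ID. Any
# other certificate is listed by the card but unusable for login, because
# the PKCS#11 client cannot find its private key by CKA_ID.
matched_cert_ids() {
    awk '
        /^Private (RSA|EC) Key/  { kind = "key";  next }
        /^X\.509 Certificate/    { kind = "cert"; next }
        /^[A-Za-z]/              { kind = "" }          # any other object header
        kind != "" && $1 == "ID" {
            if (kind == "key") keys[$3] = 1; else certs[$3] = 1
        }
        END { for (id in certs) if (id in keys) print id }
    ' | sort
}

# Constructed sample in the layout of `pkcs15-tool -D` (not captured from a
# real card): one key/certificate pair sharing an ID, and one certificate
# whose ID matches no key.
SAMPLE_DUMP='Private RSA Key [Private Key]
        Object Flags   : [0x03], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        ModLength      : 2048
        Auth ID        : 01
        ID             : 6034d6b339a90c169ecbee2f151a33ec7445a4b7

X.509 Certificate [Certificate]
        Object Flags   : [0x00]
        Authority      : no
        ID             : 6034d6b339a90c169ecbee2f151a33ec7445a4b7

X.509 Certificate [Stale]
        Object Flags   : [0x00]
        Authority      : no
        ID             : 0123456789abcdef0123456789abcdef01234567
'

case "${1:-}" in
    provision) init_card; init_nssdb; enroll "$2" "$3" "$4" ;;
    check)     pkcs15-tool -D | matched_cert_ids ;;
    selftest)  printf '%s' "$SAMPLE_DUMP" | matched_cert_ids ;;
    *)         ;;   # no argument: only define the functions
esac
```

Run `./myeid-enroll.sh provision demo 'CN=demo,O=EXAMPLE.COM' demo@example.com` with the PIN variables exported, then `./myeid-enroll.sh check` with the card inserted; it should print exactly one ID for a freshly enrolled card. `selftest` runs the same parser over the constructed sample and prints only 6034d6b3..., not the orphan certificate's ID.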
