Saturday, October 29. 2016
Integration of the DNIe 3.0 is ongoing
Since I have confirmed that I can successfully integrate the changes for DNIe 3.0 into the current OpenSC code, you can find and compile a working branch following this procedure:
git clone https://github.com/rickyepoderi/OpenSC.git
cd OpenSC
git checkout dnie30
./bootstrap
./configure --enable-dnie-ui --prefix=/where/you/want
make
make install
In order to compile the code you need the autotools, pcsclite and openssl development packages. The --enable-dnie-ui option makes the DNIe driver ask (pinentry is needed) for confirmation before signing with the non-repudiation key.
For a week, more or less, I have been updating the bug about the DNIe 3.0 integration. Sadly there has been a lot of noise about an unrelated issue and the integration does not move forward much. But, for the moment, two people have tested the code with the DNIe 2.0 and five more with the DNIe 3.0 (I personally can only test with the DNIe 3.0 because my previous DNIe was kept at the police station when I renewed it). And here is the main part of this entry: if you are Spanish, use Linux, have a working card reader and know a bit about these things (you have to be able to compile it)...
You can test it quite easily with a few commands after the compilation.
Check that the DNIe is inserted and everything is working. If the information is not displayed, something is wrong with your setup.
./dnie-tool -a
Using reader with a card: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
DNIe Number: XXXXXXXXX
SurName: MARTIN
Name: RICARDO
IDESP: XXXXXXXXX
DNIe Version: DNIe 04.10 B5 H 0155 EXP 2-(5.2-0)
Serial number: XXXXXXXXXXXXXX
Check that the login is working (from this test on you are really checking the integration).
./pkcs11-tool -l -I
Cryptoki version 2.20
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.16)
Using slot 0 with a present token (0x0)
Logging in to "PIN1 (DNI electrónico)".
Please enter User PIN: XXXXXXXX
Check that the objects are read from the card.
./pkcs11-tool -l -O
Using slot 0 with a present token (0x0)
Logging in to "PIN1 (DNI electrónico)".
Please enter User PIN: XXXXXXXX
Private Key Object; RSA
  label:      KprivAutenticacion
  ID:         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      CertAutenticacion
  ID:         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Public Key Object; RSA 2048 bits
  label:      CertAutenticacion
  ID:         XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Usage:      encrypt, verify
Certificate Object, type = X.509 cert
  label:      CertCAIntermediaDGP
  ID:         ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Public Key Object; RSA 2048 bits
  label:      CertCAIntermediaDGP
  ID:         KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      KprivFirmaDigital
  ID:         YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
  Usage:      sign, non-repudiation
Certificate Object, type = X.509 cert
  label:      CertFirmaDigital
  ID:         YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
Public Key Object; RSA 2048 bits
  label:      CertFirmaDigital
  ID:         YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
  Usage:      encrypt, verify
Data object 25997200
  label:          'DG1'
  application:    ''
  app_id:
  flags:          modifiable
...
Check that you can sign something. You need to pass the ID of KprivFirmaDigital displayed in the previous step. The garbled data is the signature itself.
./pkcs11-tool -d YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY -s
Using slot 0 with a present token (0x0)
Logging in to "PIN1 (DNI electrónico)".
Please enter User PIN: XXXXXXXX
Using signature algorithm RSA-PKCS
Sample data to sign
T���N�A�ђ��T�G��*���>��K!�~C@zF��- ɾ���mSe���ո��`�#凒!��PR.1�Yt~����\j�7F�3S� z���k���@ѷd��Q2��U3w8���\h]"J7�F��ϫNR]E&�����)�"]4"7{W�XoC�`jf**iq��Ók++('j� ?nR�k�(�3�$ǥ���s2�����%[�� ~�=I0�e}D$;�!���
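To script the checks above, here is an added shell example (not code from this post, from OpenSC, or from the C program mentioned below): it pulls the KprivFirmaDigital ID out of the object listing instead of copying it by hand, signs a small file with RSA-PKCS and then verifies the signature offline against CertFirmaDigital with openssl. The module path, the file names and the sample listing used by its self-test are assumptions.

```shell
# Added example: scripts the pkcs11-tool checks from the post and adds an
# offline verification of the signature. Assumptions: pkcs11-tool and openssl
# are on PATH and the OpenSC module lives at $MODULE (adjust to your --prefix).
MODULE="${MODULE:-/usr/local/lib/opensc-pkcs11.so}"
# Print the ID of the first object whose type line starts with $1 ("Private Key",
# "Certificate", "Public Key") and whose label is $2; reads "pkcs11-tool -O" output.
find_id() {
    awk -v want_type="$1" -v want_label="$2" '
        /Object/ { ok = (index($0, want_type) == 1); hit = 0 }
        ok && $1 == "label:" && $2 == want_label { hit = 1; next }
        hit && $1 == "ID:" { print $2; exit }
    '
}

# Sign $1 with the non-repudiation key (raw RSA-PKCS, the pkcs11-tool default)
# and verify the signature against the public key in CertFirmaDigital, which
# shares the key's ID. Raw RSA-PKCS limits the input to modulus size - 11 bytes.
sign_and_verify() {
    key_id=$(pkcs11-tool --module "$MODULE" -l -O | find_id "Private Key" KprivFirmaDigital)
    [ -n "$key_id" ] || { echo "KprivFirmaDigital not found on the card" >&2; return 1; }
    pkcs11-tool --module "$MODULE" -r -y cert -d "$key_id" -o cert.der
    openssl x509 -inform DER -in cert.der -pubkey -noout > pub.pem
    pkcs11-tool --module "$MODULE" -l -s -m RSA-PKCS -d "$key_id" -i "$1" -o sig.bin
    openssl pkeyutl -verify -pubin -inkey pub.pem -in "$1" -sigfile sig.bin
}

# Constructed listing (IDs are placeholders) used to exercise find_id without a card.
SAMPLE_LISTING='Private Key Object; RSA
  label:      KprivAutenticacion
  ID:         1111
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      CertFirmaDigital
  ID:         2222
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      KprivFirmaDigital
  ID:         2222
  Usage:      sign, non-repudiation
Certificate Object, type = X.509 cert
  label:      CertFirmaDigital
  ID:         2222'

# Usage with a card in the reader: sh dnie-check.sh run
if [ "${1:-}" = "run" ]; then
    printf 'Sample data to sign' > data.bin   # constructed input, well under the limit
    pkcs11-tool --module "$MODULE" -l -I      # the login check from the post
    sign_and_verify data.bin && echo "signature verified"
fi
```

With --enable-dnie-ui the sign step will still raise the pinentry confirmation for the non-repudiation key, so the script cannot run unattended.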
If you prefer, I have developed a little C program that runs all these tests one by one. It uses the PKCS#11 library generated by OpenSC and checks all the cases described above plus a weird one in which two processes use the card at the same time (the idea is that one process steals the secure channel from the other). I have just uploaded the code to a repo. There you can find instructions to compile and use it (I think it is not very complicated).
You can comment here or in the bug whether it is working for you or not. But please, if you do not know what we are talking about, or you are not sure that you have done it properly, just contain your impulse to share your experience and wait for the final integration.
Thanks in advance!