From Fedora Project Wiki
| Line 75: | Line 75: | ||
# Create a user PIN and unlock code. | # Create a user PIN and unlock code. | ||
pkcs15-init -P -a 1 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL" | pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL" | ||
</pre> | </pre> | ||
* Import the signing key to each of the smart cards | * Import the signing key to each of the smart cards | ||
Revision as of 18:30, 9 October 2012
So you're stuck with Secure Boot and you want to use Smart Cards
Card Initialization
Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.
Install the following packages:
- pesign
- pcsc-lite-ccid
- pcsc-tools
- pcsc-lite
- opensc
Use openssl to generate a signing key ("fedora.p12" from here on out)
eddie:~$ mkdir db eddie:~$ cd db eddie:~/db$ openssl genrsa -out fedora.key 2048 Generating RSA private key, 2048 bit long modulus ............................................................................. ..........................................................................+++ ...........+++ e is 65537 (0x10001) eddie:~/db$ openssl req -new -key fedora.key -out fedora.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:Massachusetts Locality Name (eg, city) [Default City]:Cambridge Organization Name (eg, company) [Default Company Ltd]:Fedora Project Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:Fedora Signing Key Email Address []:pjones@fedoraproject.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:fooo An optional company name []: eddie:~/db$ openssl x509 -req -days 365 -in fedora.csr -signkey fedora.key -out fedora.crt Signature ok subject=/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org Getting Private key eddie:~/db/ openssl pkcs12 -export -inkey fedora.key -in fedora.crt -name "Fedora Signing Key" -out fedora.p12 -nodes Enter Export Password: Verifying - Enter Export Password: eddie:~/db$
Initialize two smart cards
- Make sure pcscd is running
service pcscd start
- Insert your Smart Card
- Initialize each card as a pkcs15 card
# CDW Part #1537376. PIN=12345678 PUK=43218765 SOPIN=87654321 SOPUK=56781234 CARDLABEL="Fedora Signing Card" # Format (wipe) the card. # opensc-tool --list-algorithms cardos-tool -f # Create the PKCS#15 structures, set the security officer PIN and unlock code. pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK # Create a user PIN and unlock code. pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
- Import the signing key to each of the smart cards
# Import a PKCS12 bundle. pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK # List the contents. pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
- For the love of god remove every file that was generated
eddie:~/db$ cd .. eddie:~$ rm -rf db