From Fedora Project Wiki
Line 89: | Line 89: | ||
* Check and make sure nss can see them | * Check and make sure nss can see them | ||
<pre> | <pre> | ||
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so | |||
WARNING: Performing this operation while the browser is running could cause | |||
corruption of your security databases. If the browser is currently running, | |||
you should exit browser before continuing this operation. Type | |||
'q <enter>' to abort, or <enter> to continue: | |||
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list | eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list | ||
Line 114: | Line 121: | ||
token: OpenSC Card (Fedora Signing Card | token: OpenSC Card (Fedora Signing Card | ||
----------------------------------------------------------- | ----------------------------------------------------------- | ||
Module "opensc-pkcs11" added to database. | |||
eddie:~/db$ | eddie:~/db$ | ||
</pre> | </pre> |
Revision as of 18:55, 9 October 2012
So you're stuck with Secure Boot and you want to use Smart Cards
Card Initialization
Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.
Install the following packages:
- pesign
- pcsc-lite-ccid
- pcsc-tools
- pcsc-lite
- opensc
Use openssl to generate a signing key ("fedora.p12" from here on out)
eddie:~$ mkdir db eddie:~$ cd db eddie:~/db$ openssl genrsa -out fedora.key 2048 Generating RSA private key, 2048 bit long modulus ............................................................................. ..........................................................................+++ ...........+++ e is 65537 (0x10001) eddie:~/db$ openssl req -new -key fedora.key -out fedora.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:Massachusetts Locality Name (eg, city) [Default City]:Cambridge Organization Name (eg, company) [Default Company Ltd]:Fedora Project Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:Fedora Signing Key Email Address []:pjones@fedoraproject.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:fooo An optional company name []: eddie:~/db$ openssl rsa -in fedora.key -pubout -out fedora.pub eddie:~/db$ openssl x509 -req -days 365 -in fedora.csr -signkey fedora.key -out fedora.crt -extensions extendedKeyUsage=1.3.6.1.4.1.311.10.3.1 Signature ok subject=/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org Getting Private key eddie:~/db/ openssl pkcs12 -export -inkey fedora.key -in fedora.crt -name "Fedora Signing Key" -out fedora.p12 -nodes Enter Export Password: Verifying - Enter Export Password: eddie:~/db$
Copy fedora.pub to some place for safe keeping.
Initialize two smart cards
- Make sure pcscd is running
service pcscd start
- Insert your Smart Card
- Initialize each card as a pkcs15 card
# CDW Part #1537376. PIN=12345678 PUK=43218765 SOPIN=87654321 SOPUK=56781234 CARDLABEL="Fedora Signing Card" # Format (wipe) the card. # opensc-tool --list-algorithms cardos-tool -f # Create the PKCS#15 structures, set the security officer PIN and unlock code. pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK # Create a user PIN and unlock code. pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
- Import the signing key to each of the smart cards
# Import a PKCS12 bundle. pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK # List the contents. pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
- Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue: eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module slots: 2 slots attached status: loaded slot: NSS Internal Cryptographic Services token: NSS Generic Crypto Services slot: NSS User Private Key and Certificate Services token: NSS Certificate DB 2. opensc-pkcs11 library name: /usr/lib64/pkcs11/opensc-pkcs11.so slots: 2 slots attached status: loaded slot: Virtual hotplug slot token: slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader token: OpenSC Card (Fedora Signing Card ----------------------------------------------------------- Module "opensc-pkcs11" added to database. eddie:~/db$
- Make sure signing works
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signing Card" -c "/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org" --sign -i unsigned.efi -o signed.efi Enter Password or Pin for "OpenSC Card (Fedora Signing Card": eddie:~/db$
- For the love of god remove every file that was generated
eddie:~/db$ cd .. eddie:~$ rm -rf db