From Fedora Project Wiki
Line 1: Line 1:
=== So you're stuck with Secure Boot and you want to use Smart Cards ===
=== So you're stuck with Secure Boot and you want to use Smart Cards ===


== Card Initialization ==
== Initial card setup ==


Procure some PKCS15 smart cards.  Do not get Java Cards.  Get "eToken" cards.  They're CDW Part #1537376 .  I'm sorry you'll have to deal with CDW but that's life sometimes.
Procure some PKCS15 smart cards.  Do not get Java Cards.  Get "eToken" cards.  They're CDW Part #1537376 .  I'm sorry you'll have to deal with CDW but that's life sometimes.
Line 13: Line 13:
* nss-tools
* nss-tools


Use openssl to generate a signing key ("fedora.p12" from here on out)
= Create the CA =
 
# Use nss-tools' certutil to generate a CA key ("fedora-ca.p12")
<pre>
<pre>
eddie:~$ mkdir db
eddie:~$ mkdir db
eddie:~$ cd db
eddie:~$ cd db
eddie:~/db$ openssl genrsa -out fedora.key 2048
eddie:~/db$ certutil -d $PWD -N
Generating RSA private key, 2048 bit long modulus
Enter a password which will be used to encrypt your keys.
.............................................................................
The password should be at least 8 characters long,
..........................................................................+++
and should contain at least one non-alphabetic character.
...........+++
 
e is 65537 (0x10001)
Enter new password: <just hit enter here>
eddie:~/db$ openssl req -new -key fedora.key -out fedora.csr
Re-enter password: <just hit enter here>
You are about to be asked to enter information that will be incorporated
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot CA" -n Fedora\ CA -x --keyUsage certSigning,crlSigning --nsCertType objectSigningCA -t ,,c -k rsa -g 2048
into your certificate request.
 
What you are about to enter is what is called a Distinguished Name or a DN.
A random seed must be generated that will be used in the
There are quite a few fields but you can leave some blank
creation of your key. One of the easiest ways to create a
For some fields there will be a default value,
random seed is to use the timing of keystrokes on a keyboard.
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Fedora Project
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Fedora Signing Key
Email Address []:pjones@fedoraproject.org


Please enter the following 'extra' attributes
To begin, type keys on the keyboard until this progress meter
to be sent with your certificate request
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
A challenge password []:fooo
 
An optional company name []:
 
eddie:~/db$ openssl rsa -in fedora.key -pubout -outform DER -out fedora.pub
Continue typing until the progress meter is full:
eddie:~/db$ openssl x509 -req -days 3650 -in fedora.csr -signkey fedora.key -out fedora.crt -extensions extendedKeyUsage=1.3.6.1.4.1.311.10.3.1
 
Signature ok
|type a bunch of crap until OMG IT'S FULL OF STARS|
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org
 
Getting Private key
Finished.  Press enter to continue: <just hit enter here>
eddie:~/db/ openssl pkcs12 -export -inkey fedora.key -in fedora.crt -name "Fedora Signing Key" -out fedora.p12 -nodes
 
Enter Export Password:
 
Verifying - Enter Export Password:
Generating key.  This may take a few moments...
eddie:~/db$
 
eddie:~/db$ # we're going to need the DER version of this for shim. '''Store this some place we'll have it later.'''
eddie:~/db$ certutil -d $PWD -L -n "Fedora CA" -r > fedora-ca.cer
eddie:~/db$ pk12util -d $PWD -o fedora-ca.p12 -n "Fedora CA"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
</pre>
</pre>
Copy fedora.pub to some place for safe keeping.
# List the certificates to be sure
<pre>
eddie:~/db$ certutil -d $PWD -L


Initialize two smart cards
Certificate Nickname                                        Trust Attributes
* Make sure pcscd is running
                                                            SSL,S/MIME,JAR/XPI
 
Fedora CA                                                    u,u,cu
</pre>
 
# Initialize smart cards
<pre>
<pre>
# Make sure pcscd is running
service pcscd start
service pcscd start
</pre>
</pre>
* Insert your Smart Card
# Insert your Smart Card
* Initialize each card as a pkcs15 card
# Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK.  Write them down.
# Initialize each card as a pkcs15 card  
<pre>
<pre>
# CDW Part #1537376.
# CDW Part #1537376.
PIN=12345678
eddie:~/db$ PIN=12345678 # your numbers here
PUK=43218765
eddie:~/db$ PUK=43218765  
SOPIN=87654321
eddie:~/db$ SOPIN=87654321
SOPUK=56781234
eddie:~/db$ SOPUK=56781234
CARDLABEL="Fedora Signing Card"
eddie:~/db$ CARDLABEL="Fedora Signing CA"


# Format (wipe) the card.
# Format (wipe) the card.
# opensc-tool --list-algorithms
# opensc-tool --list-algorithms
cardos-tool -f
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok


# Create the PKCS#15 structures, set the security officer PIN and unlock code.
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00


# Create a user PIN and unlock code.
# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
 
</pre>
</pre>
* Import the signing key to each of the smart cards
# Import the CA key to the smart card
<pre>
<pre>
# Import a PKCS12 bundle.
# Import a PKCS12 bundle.
pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
eddie:~/db$ pkcs15-init --store-private-key fedora-ca.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot CA


# List the contents.
# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      Private Key
  ID:        de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot CA
  ID:        de6dfac87e0315352e7b9a487377ace2f6354d9b
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot CA
  ID:        de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      encrypt, verify
 
</pre>
</pre>
* Check and make sure nss can see them
# Check and make sure nss can see them
<pre>
<pre>
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so
Line 121: Line 150:


slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
token: OpenSC Card (Fedora Signing Card
token: OpenSC Card (Fedora Signing CA)
-----------------------------------------------------------
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signing CA)"
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <type $PIN here and hit enter>
OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA    u,u,u
</pre>
# Repeat steps 4 through 8 for a second card, omitting "modutil -dbdir /etc/pki/pesign -add ..." which won't need repeating.
# Remove stuff we don't want the world to see
<pre>
eddie:~/db$ rm fedora-ca.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora CA"
</pre>
# Verify that we really removed it from the filesystem because that's '''incredibly important''':
<pre>
eddie:~/db$ certutil -d $PWD -L
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
eddie:~/db$  
eddie:~/db$  
</pre>
</pre>
* Make sure signing works
 
= Create the signing cards =
 
# Add the opensc-pkcs11 module to the local database
<pre>
eddie:~/db$ modutil -dbdir $PWD -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so
 
WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type
'q <enter>' to abort, or <enter> to continue:
 
Module "opensc-pkcs11" added to database.
</pre>
# Create a signing key
<pre>
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot Signer" -n Fedora --keyUsage digitalSignature --extKeyUsage msCodeSign --nsCertType objectSigning -t ,,u -k rsa -g 2048 -c "OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA"
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.
 
To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
 
 
Continue typing until the progress meter is full:
 
|************************************************************|
 
Finished.  Press enter to continue:
 
 
Generating key.  This may take a few moments...
 
Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <enter the CA PIN here>
eddie:~/db$ pk12util -d $PWD -o fedora.p12 -n "Fedora"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
</pre>
# List the certificates to be sure
<pre>
eddie:~/db$ certutil -d $PWD -L
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
Fedora                                                      u,u,u
</pre>
 
# Insert your Smart Card
# Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK.  Write them down.
# Initialize each card as a pkcs15 card
<pre>
# CDW Part #1537376.
eddie:~/db$ PIN=12345678 # your numbers here
eddie:~/db$ PUK=43218765
eddie:~/db$ SOPIN=87654321
eddie:~/db$ SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signer"
 
# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok
 
# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
 
# Create a user PIN and unlock code.
eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
 
</pre>
# Import the CA key to the smart card
<pre>
# Import a PKCS12 bundle.
eddie:~/db$ pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot Signer
 
# List the contents.
eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      Private Key
  ID:        4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot Signer
  ID:        4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot Signer
  ID:        4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      encrypt, verify
</pre>
# Check and make sure nss can see them
<pre>
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list
 
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
 
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
 
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
 
  2. opensc-pkcs11
library name: /usr/lib64/opensc-pkcs11.so
slots: 2 slots attached
status: loaded
 
slot: Virtual hotplug slot
token:
 
slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
token: OpenSC Card (Fedora Signer)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signer)"
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer    u,u,u
</pre>
# Remove stuff we don't want the world to see
<pre>
eddie:~/db$ rm fedora.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora"
</pre>
# Verify that we really removed it from the filesystem because that's '''incredibly important''':
<pre>
<pre>
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signing Card" -c "/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org" --sign -i unsigned.efi -o signed.efi
eddie:~/db$ certutil -d $PWD -L
Enter Password or Pin for "OpenSC Card (Fedora Signing Card":
 
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI
 
eddie:~/db$  
eddie:~/db$  
</pre>
</pre>
* For the love of god remove every file that was generated
# Make sure signing works
<pre>
<pre>
eddie:~/db$ cd ..
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signer)" -c "/CN=Fedora Secure Boot Signer" --sign -i unsigned.efi -o signed.efi --force
eddie:~$ rm -rf db
Enter Password or Pin for "OpenSC Card (Fedora Signing Card": <type the PIN and hit enter>
eddie:~/db$  
</pre>
</pre>
# Repeat for a second card

Revision as of 16:23, 10 October 2012

So you're stuck with Secure Boot and you want to use Smart Cards

Initial card setup

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc
  • nss-tools

Create the CA

  1. Use nss-tools' certutil to generate a CA key ("fedora-ca.p12")
eddie:~$ mkdir db
eddie:~$ cd db
eddie:~/db$ certutil -d $PWD -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: <just hit enter here>
Re-enter password: <just hit enter here>
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot CA" -n Fedora\ CA -x --keyUsage certSigning,crlSigning --nsCertType objectSigningCA -t ,,c -k rsa -g 2048

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|type a bunch of crap until OMG IT'S FULL OF STARS|

Finished.  Press enter to continue: <just hit enter here>


Generating key.  This may take a few moments...

eddie:~/db$ # we're going to need the DER version of this for shim. '''Store this some place we'll have it later.'''
eddie:~/db$ certutil -d $PWD -L -n "Fedora CA" -r > fedora-ca.cer
eddie:~/db$ pk12util -d $PWD -o fedora-ca.p12 -n "Fedora CA"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  1. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora CA                                                    u,u,cu
  1. Initialize smart cards
# Make sure pcscd is running
service pcscd start
  1. Insert your Smart Card
  2. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  3. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$ PIN=12345678 # your numbers here 
eddie:~/db$ PUK=43218765 
eddie:~/db$ SOPIN=87654321
eddie:~/db$ SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signing CA"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

  1. Import the CA key to the smart card
# Import a PKCS12 bundle.
eddie:~/db$ pkcs15-init --store-private-key fedora-ca.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot CA

# List the contents.
eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot CA
  ID:         de6dfac87e0315352e7b9a487377ace2f6354d9b
  Usage:      encrypt, verify

  1. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc-pkcs11" added to database.
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signing CA)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signing CA)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <type $PIN here and hit enter>
OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA    u,u,u

  1. Repeat steps 4 through 8 for a second card, omitting "modutil -dbdir /etc/pki/pesign -add ..." which won't need repeating.
  1. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora-ca.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora CA"
  1. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 

Create the signing cards

  1. Add the opensc-pkcs11 module to the local database
eddie:~/db$ modutil -dbdir $PWD -add opensc-pkcs11 -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc-pkcs11" added to database.
  1. Create a signing key
eddie:~/db$ certutil -d $PWD -S -s "CN=Fedora Secure Boot Signer" -n Fedora --keyUsage digitalSignature --extKeyUsage msCodeSign --nsCertType objectSigning -t ,,u -k rsa -g 2048 -c "OpenSC Card (Fedora Signing CA):/CN=Fedora Secure Boot CA"
 
A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 


Generating key.  This may take a few moments...

Enter Password or Pin for "OpenSC Card (Fedora Signing CA)": <enter the CA PIN here>
eddie:~/db$ pk12util -d $PWD -o fedora.p12 -n "Fedora"
Enter password for PKCS12 file: <just hit enter here>
Re-enter password: <just hit enter here>
pk12util: PKCS12 EXPORT SUCCESSFUL
  1. List the certificates to be sure
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Fedora                                                       u,u,u
  1. Insert your Smart Card
  2. Pick 4 random 8-digit numbers for PIN/PUK/SOPIN/SOPUK. Write them down.
  3. Initialize each card as a pkcs15 card
# CDW Part #1537376.
eddie:~/db$ PIN=12345678 # your numbers here 
eddie:~/db$ PUK=43218765 
eddie:~/db$ SOPIN=87654321
eddie:~/db$ SOPUK=56781234
eddie:~/db$ CARDLABEL="Fedora Signer"

# Format (wipe) the card.
# opensc-tool --list-algorithms
eddie:~/db$ cardos-tool -f
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
card in administrative state, ok

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
eddie:~/db$ pkcs15-init -CT --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

# Create a user PIN and unlock code.
eddie:~/db$ pkcs15-init -P -a 1 --pin $PIN --puk $PUK --so-pin $SOPIN --so-puk $SOPUK --label "$CARDLABEL"
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00

  1. Import the CA key to the smart card
# Import a PKCS12 bundle.
eddie:~/db$ pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN --so-pin $SOPIN --so-puk $SOPUK
Using reader with a card: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader [CCID Interface] (21221142203241) 00 00
Importing 1 certificates:
  0: /CN=Fedora Secure Boot Signer

# List the contents.
eddie:~/db$ pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
Using slot 1 with a present token (0x1)
Private Key Object; RSA 
  label:      Private Key
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      sign
Certificate Object, type = X.509 cert
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
Public Key Object; RSA 2048 bits
  label:      /CN=Fedora Secure Boot Signer
  ID:         4e2c97b4e1da4896bf7b5aa7141095cc19eb5eb2
  Usage:      encrypt, verify
  1. Check and make sure nss can see them
eddie:~/db$ modutil -dbdir /etc/pki/pesign/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc-pkcs11
	library name: /usr/lib64/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot
	token: 

	 slot: SCM Microsystems Inc. SCR3340 - ExpressCard54 Smart Card Reader
	token: OpenSC Card (Fedora Signer)
-----------------------------------------------------------
eddie:~/db$ certutil -d /etc/pki/pesign -L -h "OpenSC Card (Fedora Signer)"

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "OpenSC Card (Fedora Signer)": <type the PIN and hit enter>
OpenSC Card (Fedora Signer):/CN=Fedora Secure Boot Signer    u,u,u
  1. Remove stuff we don't want the world to see
eddie:~/db$ rm fedora.p12
eddie:~/db$ certutil -d $PWD -D -n "Fedora"
  1. Verify that we really removed it from the filesystem because that's incredibly important:
eddie:~/db$ certutil -d $PWD -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

eddie:~/db$ 
  1. Make sure signing works
eddie:~/db$ pesign -t "OpenSC Card (Fedora Signer)" -c "/CN=Fedora Secure Boot Signer" --sign -i unsigned.efi -o signed.efi --force
Enter Password or Pin for "OpenSC Card (Fedora Signing Card": <type the PIN and hit enter>
eddie:~/db$ 
  1. Repeat for a second card