| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447 | Scute=====This is a PKCS #11 implementation for the GnuPG Agent using the GnuPGSmart Card Daemon.  Currently, only the OpenPGP card is supported.TOC===* Purpose* Prerequisites* Installation* Client Authentication* Troubleshooting* Features and Limitations* Development* Mozilla Bugs* Copyright and LicensePurpose=======Scute enables you to use your OpenPGP smart card for clientauthentication with SSL in Mozilla.  See below for more details on howto get this working.In the future, Scute will enable you to use your OpenPGP smart cardfor email decryption and signing with Thunderbird, using the X.509protocol.Prerequisites=============For the compilation:* libgpg-error 1.4* libassuan 2.0.0At runtime:* Mozilla (or any other supported application using PKCS #11).* GnuPG 2.0, in particular: gpg-agent, scdaemon* PinentryInstallation============To install the PKCS #11 Module, follow the generic installationinstructions in the file INSTALL that accompanies this software.  Youalso need to install the Mozilla Personal Security Manager (PSM),which may come with your GNU/Linux distribution in a package namedmozilla-psm or similar.After installation, you can configure Mozilla to use Scute byvisiting the preferences dialog in the "advanced" category, under"Security Devices".  There you can "load" the module from itsinstalled path, e.g. "/usr/lib/libscute.so".Note that for the module load to complete successfully, the GPG Agentmust be running and available.  On Unix systems this means thatMozilla needs to have the GPG_AGENT_INFO variable set correctly in itsenvironment.Client Authentication=====================For client authentication to work, several steps need to be completed.Depending on your situation, some of these steps may be performed bythird parties, like service providers.  However, they can also all beperformed locally, if use of client authentication with a localservice is desired.For this introduction, we assume an Apache web server with SSL at theserver side, and a connecting client running Firefox.  As acertification authority (CA) we use OpenSSL.  Scute provides a PKCS #11compatible security device to Firefox for client authentication.  Thissecurity device gives Firefox access to the client's OpenPGP smartcard.The Client Perspective----------------------To get things started, we have to prepare an initialised OpenPGP smartcard by uploading an off-card key or generating a key on the card.The card you got may already have been initialised.  Otherwise, youcan find more information on this step in the smartcard HowTo, whichalso documents other basic card operations:http://www.gnupg.org/(en)/howtos/card-howto/en/smartcard-howto.htmlOnce the card is initialised, we have to generate a certificatesigning request (CSR) to get the authentication key of the card(OPENPGP.3, the third key on the card) certified by the CA.  This canbe done with the script "gpgsm-gencert.sh".  For the CSR, adistinguished name (DN) is required.  Your CA will have moreinformation about what this DN should contain.  Below we use anexample for a test-employee "Floppy Head" of the test-CA that shipswith OpenSSL ("Snake Oil, Ltd.").Generating the CSR is then just a matter of answering a few questions:$ gpgsm-gencert.sh > /tmp/floppy.csrKey type [1] RSA [2] existing key [3] OPENPGP.1 [4] OPENPGP.3Your selection: 4You selected: OPENPGP.3Key usage [1] sign, encrypt [2] sign [3] encryptYour selection: 2You selected: signName (DN)> CN=Floppy Head,OU=Webserver Team,O="Snake Oil, Ltd",L=Snake Town,ST=Snake Desert,C=XYE-Mail addresses (end with an empty line)> floppy@head.comE-Mail addresses (end with an empty line)>DNS Names (optional; end with an empty line)>URIs (optional; end with an empty line)>Parameters for certificate request to create:     1  Key-Type: card:OPENPGP.3     2  Key-Length:      3  Key-Usage: sign     4  Name-DN: CN=Floppy Head,OU=Webserver Team,O="Snake Oil, Ltd",L=Snake Town,ST=Snake Desert,C=XY     5  Name-Email: floppy@head.comReally create such a CSR? [1] yes [2] noYour selection: 1You selected: yesgpgsm: certificate request createdIt is required to enter the signing PIN of the card to complete thisstep.  The certificate can then be found in the file "/tmp/floppy.csr".This file should then be sent to the CA for certification (see below).The CA will return to the client a certificate "/tmp/floppy.crt", whocan then import the issuer certificate of the CA (in this example, weaccess directly the local server certificate) and its own certificatewith gpgsm:$ gpgsm --import /etc/apache/ssl.crt/snakeoil-ca-rsa.crtgpgsm: total number processed: 1gpgsm:               imported: 1marcus@ulysses:~/g10/projects/pkcs11-for-scdaemon/ca/usercert/card3$ gpgsm --import /tmp/floppy.crtgpgsm: total number processed: 1gpgsm:              unchanged: 1$ gpgsm --list-keys FloppySerial number: 08       Issuer: /CN=Snake Oil CA/OU=Certificate Authority/O=Snake Oil, Ltd/L=Snake Town/ST=Snake Desert/C=XY/EMail=ca@snakeoil.dom      Subject: /CN=Floppy Head/OU=Webserver Team/O=Snake Oil, Ltd/ST=Snake Desert/C=XY     validity: 2006-10-11 13:17:08 through 2007-10-11 13:17:08     key type: 1024 bit RSA  fingerprint: C9:08:0E:86:92:6C:7B:4B:8C:23:1C:9D:D7:15:BF:D4:A4:00:54:11Now the client can configure his web browser.  If desired, the clientcan install the web servers certificate (alternatively, Firefox willask when establishing the initial connection).To actually perform the client authentication, the client needs to setup the web browser for use with Scute.  The Scute PKCS #11 module,installed under /usr/lib/libscute.so by default, needs to be loaded asa security device in Firefox underPreferences->Advanced->Security->Certificates->Security Devices->LoadWhen the security device is loaded, card insertion should cause thesecurity device list be updated with the inserted token (the card), and the certificate that has been imported into gpgsm should be visible under Preferences->Advanced->Security->Certificates->View Certificatesautomatically.Firefox will by default select the certificate to be used for clientauthentication automatically from the list of available certificates.This setting can be changed if desired inPreferences->Advanced->Security->Certificates ("Select oneautomatically" vs. "Ask me every time")When the client then attempts to open the URL "https://localhost/" inthis example, the web server will require SSL authentication, whichcauses Firefox to look (or ask) for a client certificate.  If thecertificate on the card is suitable (or selected), the user will haveto enter the PIN number on the card to sign into the web site.The CA Perspective------------------The CA will have to process the CSR submitted by the client.  Afterverifying the identity of the submitter by some external means, the CAmay use for example this OpenSSL command to create a certificate (weuse the example CA shipping with the Apache SSL module on Ubuntu):# cd /etc/apache/ssl.crt/# openssl ca -in /tmp/floppy.csr -cert /etc/apache/ssl.crt/snakeoil-ca-rsa.crt -keyfile /etc/apache/ssl.key/snakeoil-ca-rsa.key -out /tmp/floppy.crtUsing configuration from /usr/lib/ssl/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details:        Serial Number: 8 (0x8)        Validity            Not Before: Oct 11 13:17:08 2006 GMT            Not After : Oct 11 13:17:08 2007 GMT        Subject:            countryName               = XY            stateOrProvinceName       = Snake Desert            organizationName          = Snake Oil, Ltd            organizationalUnitName    = Webserver Team            commonName                = Floppy Head        X509v3 extensions:            X509v3 Basic Constraints:                CA:FALSE            Netscape Comment:                OpenSSL Generated Certificate            X509v3 Subject Key Identifier:                72:AF:B8:13:3D:3D:9D:02:93:E4:D4:56:0C:06:90:4C:26:85:85:5D            X509v3 Authority Key Identifier:                DirName:/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.dom                serial:00Certificate is to be certified until Oct 11 13:17:08 2007 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base UpdatedThe resulting file, "/tmp/floppy.crt" is sent back from the CA to theclient along with the issuer certificate.For more information how to set up and work with a CA using OpenSSL,please see the OpenSSL documentation.The Server Perspective----------------------The service provider will set up an Apache web server with SSLsupport, and configure it to accept certificates from the CA.  Thisstep is quite involved.  Garex has a concise HowTo online athttp://www.garex.net/apache/ about how to do this.  Beside thecreation of a certificate that has its own fully qualified domain name(FQDN) as common name (CN part of the DN), this involves installingthe Apache SSL module and configuration for it, for example inhttpd.conf:SSLEngine onSSLCertificateFile /etc/apache/ssl.crt/server.crtSSLCertificateKeyFile /etc/apache/ssl.key/server.keySSLVerifyClient requireSSLVerifyDepth 1SSLCACertificateFile /etc/apache/ssl.crt/snakeoil-ca-rsa.crtThe file server.key is not protected by a passphrase (if it is, thispassphrase needs to be provided when starting up Apache), andserver.crt has "CN=localhost" as part of its DN for this example.Troubleshooting===============Symptom: Loading the Scute security device in the security devicemanager of Firefox fails with "Unable to load module".Solution: Make sure that Scute is correctly installed, and that alllibraries and executables are available.  Make sure that gpg-agent isrunning and can be found via the environment variable GPG_AGENT_INFO.Symptom: Client authentication fails with "<example.com> has receivedan incorrect or unexpected message.  Error code: -12227".Solution: Make sure that the correct OpenPGP card is inserted and thecertificate available in GPGSM.  Check that the OpenPGP card isdetected correctly in the security device manager and thecorresponding certificate is displayed in the certificate manager ofFirefox.Symptom: The OpenPGP card is detected and displayed in the securitydevice manager in Firefox, but no corresponding certificate isdisplayed in the certificate manager of Firefox.Solution: Make sure that the corresponding certificate is imported inGPGSM.Features and Limitations========================Scute implements version 2.20 of the PKCS #11 specification.The OpenPGP smart card application is supported in read-only mode.The following functions are not supported:* C_Initialize: No support for native thread package.  Locking  callbacks must be provided if multi-threaded operation is desired.* C_WaitForSlotEvent: Not implemented.  The interface as specified by  PKCS #11 is broken anyway, as the function can not safely be  canceled.  Thus, we require polling.* C_GetOperationState, C_SetOperationState: Not supported.* C_InitToken, C_InitPIN, C_SetPIN: Not supported.  No write  operations are allowed.  To configure the token, please use the  tools accompanying the GnuPG software suite.* C_Login, C_Logout: Not supported.  No login into the token by the  software is required.  Passphrase queries are implemented by the use  of GPG Agent and Pinentry.* C_EncryptInit, C_Encrypt, C_EncryptUpdate, C_EncryptFinal,  C_DigestInit, C_Digest, C_DigestUpdate, C_DigestKey, C_DigestFinal,  C_VerifyInit, C_Verify, C_VerifyUpdate, C_VerifyFinal,  C_VerifyRecoverInit, C_VerifyRec: Not supported.  Only secret key  operations are supported.* C_SignInit, C_Sign: Currently, only signing 36 bytes  (MD5+SHA1) hashes is supported (used for client authentication).* C_DecryptInit, C_Decrypt: Not yet supported, but will be in the  future.* C_SignUpdate, C_SignFinal, C_DecryptUpdate, C_DecryptFinal: No  progressive crypto-operations are supported.* C_SignRecoverInit, C_SignRecover: Not supported.* C_DigestEncryptUpdate, C_DecryptDigestUpdate, C_SignEncryptUpdate,  C_DecryptVerifyUpdate: Dual-purpose cryptographic functions are not  supported.* C_GenerateKey, C_GenerateKeyPair, C_WrapKey, C_UnwrapKey,  C_DeriveKey: Key management functions are not supported.  Please use  the tools accompanying the GnuPG software suite to generate and  import keys for use with the token.* C_SeedRandom, C_GenerateRandom: Not supported at this point.  C_GenerateRandom may be supported in the future, though.* C_CreateObject, C_CopyObject, C_DestroyObject, C_SetAttributeValue:  Only read-only operations are supported on objects.* C_GetObjectSize: Not supported.* CKO_CERTIFICATE:  The label specifies the key on the card used (e.g. OPENPGP.3).  The  ID is the fingerprint.* CKO_PRIVATE_KEY:  The CKA_LOCAL attribute can not be supported by the OpenPGP card.  It is always set to false (as the key on the card may be copied to  the card from an external source).Development===========Scute is single-threaded.  There is a global lock that is taken in allentry points of Scute, except for C_Initialize, C_Finalize,C_GetFunctionList, and stubs.Here are a couple of hints on how to develop PKCS #11 modules forMozilla:libopensc2 ships with a pkcs11-spy library that can be loaded as awrapper around the PKCS #11 library you want to use to log allfunctions invoked by Mozilla.  Here is how to use it: Set the PKCS11SPY_OUTPUT environment variable to a filename. pkcs11-spy appends its log messages at the end of this file.  Set the PKCS11SPY environment variable to the filename of the PKCS #11 module you actually want to use.  Start Mozilla within this environment.There is a different, probably more powerful way to debug Mozilla PKCS#11 libraries.  However, to be able to use it, you need to configureand compile the Mozilla NSS sources with --enable-debug.  Instructionscan be found at:http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn2.htmlHere are a couple of links to more information about implementing aPKCS #11 module for Mozilla:Implementing PKCS #11 for the Netscape Security Library(Caution: The content may be out of date)http://docs.sun.com/source/816-6150-10/index.htmhttp://docs.sun.com/source/816-6150-10/pkcs.htmCommon PKCS #11 Implementation Problemshttp://www.mozilla.org/projects/security/pki/pkcs11/netscape/problems.htmlPKCS #11 Conformance Testinghttp://www.mozilla.org/projects/security/pki/pkcs11/And of course the Mozilla NSS web page:http://www.mozilla.org/projects/security/pki/nss/Mozilla Bugs============Mozilla has a bug that causes the security devices list to becomecorrupt when a security device is unloaded: The wrong entry is removedfrom the list.  This is corrected by waiting for a refresh or closingand reopening the security device manager.Copyright and License=====================Scute is copyrighted by g10 Code GmbH and licensed under the GNUGeneral Pubic License version 2 or later with this exception:  In addition, as a special exception, g10 Code GmbH gives permission  to link this library: with the Mozilla Foundation's code for  Mozilla (or with modified versions of it that use the same license  as the "Mozilla" code), and distribute the linked executables.  You  must obey the GNU General Public License in all respects for all of  the code used other than "Mozilla".  If you modify the software, you  may extend this exception to your version of the software, but you  are not obligated to do so.  If you do not wish to do so, delete this  exception statement from your version and from all source files.g10 Code GmbHmarcus@g10code.com Copyright 2006, 2009 g10 Code GmbH This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved. This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 |