====== SafeNet eToken 5110 ======
{{ :informatique:safenet_etoken_5110.jpg?direct&300|SafeNet eToken 5110}}
* Product brief by Gemalto https://www.linux.org/attachments/safenet-etoken-5110-product-brief-pdf.3477/ or https://cpl.thalesgroup.com/sites/default/files/content/product_briefs/field_document/2022-09/safenet-etoken-5110-pb.pdf
* Digicert knowledge base [[https://knowledge.digicert.com/solution/initialize-safenet-etoken-5110cc.html|Initialize a SafeNet eToken 5110CC]]
* SafeNet Authentication Client (SAC) [[https://support.globalsign.com/ssl/ssl-certificates-installation/safenet-drivers#Linux%20Ubuntu|Linux SafeNet drivers]] on globalsign.com (Ubuntu 20.04 and 22.04, CentOS 8 and 9, Debian and RedHat 32 and 64 bit)
* Configure Firefox & Chrome with the SAC driver "SafeNet Authentication Client" https://github.com/Synehan/safenet-linux
* depends on "libnss3" (Network Security Services libraries)
* Using Safenet eToken 5110 With Fedora https://sztsian.github.io/2022/02/21/Using-Safenet-eToken-5110-With-Fedora.html
* Using Tokens in Ubuntu with PGP https://craftware.xyz/securitybricks/2017/07/17/using-tokens-in-Ubuntu-with-pgp.html
* Version "5110 CC" bought for 37 € (2023-08) from https://qscd.eu
* See also [[/informatique/safenet_etoken_5300|SafeNet eToken 5300]]
* Compatible APIs and standards: PKCS#11, Microsoft CAPI, PC/SC, X.509 v3 certificate storage, SSL v3, IPSec/IKE, MS minidriver, CNG
* Memory size: 80 K
* ISO specifications: compliant with ISO 7816-1 to 4
* Water resistance certification: IP X7 (IEC 60529)
* USB connector: USB type A; compatible with USB 1.1 and 2.0 (high speed)
* Casing: hard moulded plastic, tamper-evident
* Onboard security algorithms
* Hashing: SHA-1, SHA-256, SHA-384, SHA-512
* RSA: RSA up to 4096 bits
* RSA OAEP and RSA PSS
* P-256 ECDSA, ECDH; P-384 and P-521 ECDSA, ECDH available through a custom configuration
* Asymmetric key pair generation (RSA up to 4096 bits and elliptic curves up to 521 bits)
* Symmetric: AES for secure messaging and 3DES for Windows challenge/response only
* Security certifications: [[/glossaire/cc#commons_criteriacriteres_communs|CC EAL5+]]
* Smart card platform: IDPrime MD 940
===== Plugging into a USB port =====
Ubuntu Linux, kernel 6.2.0-26-generic:
<code>
kernel: usb 3-1: new full-speed USB device number 5 using xhci_hcd
kernel: usb 3-1: New USB device found, idVendor=0529, idProduct=0620, bcdDevice= 0.01
kernel: usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
kernel: usb 3-1: Product: Token JC
kernel: usb 3-1: Manufacturer: SafeNet
mtp-probe: checking bus 3, device 5: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1"
mtp-probe: bus: 3, device: 5 was not an MTP device
systemd[1]: Reached target Smart Card.
systemd[1782]: Reached target Smart Card.
mtp-probe: checking bus 3, device 5: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1"
mtp-probe: bus: 3, device: 5 was not an MTP device
</code>
===== SafeNet Authentication Client (SAC) =====
SafeNet Authentication Client (SAC) [[https://support.globalsign.com/ssl/ssl-certificates-installation/safenet-drivers#Linux%20Ubuntu|Linux SafeNet drivers]] on globalsign.com (Ubuntu 20.04 and 22.04, CentOS 8 and 9, Debian and RedHat 32 and 64 bit).
Configure Firefox & Chrome with the SAC driver "SafeNet Authentication Client" https://github.com/Synehan/safenet-linux
(depends on "libnss3", the Network Security Services libraries)
SAC PKCS#11 middleware (SafeNet Authentication Client) is a PKCS#11 library that can be used to access different Gemalto smart cards from applications supporting the PKCS#11 API.
Requires two other packages:
* libccid : PC/SC driver for USB CCID smart card readers
* pcscd : Middleware to access a smart card using PC/SC (daemon side)
Lintian output for the SAC package (note the hardening warnings: executable stack in a shared library, binaries built without PIE):
<code>
E: copyright-not-using-common-license-for-lgpl
E: lacks-versioned-link-to-shared-library usr/lib/libIDClassicSISTokenEngine.so.10 usr/lib/libIDClassicSISTokenEngine.so.10.8.1050 libIDClassicSISTokenEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPVSlotEngine.so.10 usr/lib/libIDPVSlotEngine.so.10.8.1050 libIDPVSlotEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimePKCS11.so.10 usr/lib/libIDPrimePKCS11.so.10.8.1050 libIDPrimePKCS11.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimeSISTokenEngine.so.10 usr/lib/libIDPrimeSISTokenEngine.so.10.8.1050 libIDPrimeSISTokenEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimeTokenEngine.so.10 usr/lib/libIDPrimeTokenEngine.so.10.8.1050 libIDPrimeTokenEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libSACLog.so.10 usr/lib/libSACLog.so.10.8.1050 libSACLog.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libeTokenHID.so.10 usr/lib/libeTokenHID.so.10.8.1050 libeTokenHID.so.10
E: misplaced-extra-member-in-deb _gpgorigin (unexpected _member at position 3)
W: executable-stack-in-shared-library usr/lib/libSACUI.so.10.8.1050
W: hardening-no-pie [usr/bin/SACMonitor]
W: hardening-no-pie [usr/bin/SACSrv]
W: hardening-no-pie [usr/bin/SACTools]
W: hardening-no-pie [usr/lib/SAC/SACUIProcess]
W: killall-is-dangerous [prerm:5]
W: link-to-shared-library-in-wrong-package usr/lib/libIDClassicSISTokenEngine.so.10.8.1050 usr/lib/libIDClassicSISTokenEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPVSlotEngine.so.10.8.1050 usr/lib/libIDPVSlotEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimePKCS11.so.10.8.1050 usr/lib/libIDPrimePKCS11.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimeSISTokenEngine.so.10.8.1050 usr/lib/libIDPrimeSISTokenEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimeTokenEngine.so.10.8.1050 usr/lib/libIDPrimeTokenEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libSACLog.so.10.8.1050 usr/lib/libSACLog.so
W: link-to-shared-library-in-wrong-package usr/lib/libSACUI.so.10.8.1050 usr/lib/libSACUI.so
W: link-to-shared-library-in-wrong-package usr/lib/libeTPKCS15.so.10.8.1050 usr/lib/libeTPKCS15.so
W: link-to-shared-library-in-wrong-package usr/lib/libeToken.so.10.8.1050 usr/lib/libeToken.so
W: link-to-shared-library-in-wrong-package usr/lib/libeTokenHID.so.10.8.1050 usr/lib/libeTokenHID.so
W: missing-systemd-service-for-init.d-script safenetauthenticationclient [etc/init.d/safenetauthenticationclient]
W: no-manual-page usr/bin/SACMonitor
W: no-manual-page usr/bin/SACSrv
W: no-manual-page usr/bin/SACTools
W: package-name-doesnt-match-sonames libIDClassicSISTokenEngine10 libIDPVSlotEngine10 libIDPrimePKCS11-10 libIDPrimeSISTokenEngine10 libIDPrimeTokenEngine10 libSACLog10 libSACUI10 libeTPKCS15-10 libeToken10 libeTokenHID10
</code>
Adding the SafeNet module ''/usr/lib/libIDPrimePKCS11.so'' in Firefox:
{{:informatique:crypto:safenet_5110_firefox_-_1.png?direct&600|}}
{{:informatique:crypto:safenet_5110_firefox_-_2.png?direct&600|}}
Chrome / Chromium offers no graphical interface for this; it has to be done from the command line:
* [[https://linuxkamarada.com/en/2019/09/26/setting-up-smart-card-authentication-on-google-chrome-chromium/|Setting up smart card authentication on Google Chrome / Chromium]]
===== pkcs11-register =====
<code>
$ pkcs11-register
Added OpenSC smartcard framework (0.22) to /home/user/.pki/nssdb/pkcs11.txt
Added OpenSC smartcard framework (0.22) to /home/user/.mozilla/firefox/CyrilleGiquello/pkcs11.txt
Added OpenSC smartcard framework (0.22) to /home/user/.thunderbird/CyrilleGiquello/pkcs11.txt
$ pkcs11-register -m /usr/lib/libIDPrimePKCS11.so
Added Gemalto PKCS11 (10.8) to /home/cyrille/.pki/nssdb/pkcs11.txt
Added Gemalto PKCS11 (10.8) to /home/cyrille/.mozilla/firefox/CyrilleGiquello/pkcs11.txt
Added Gemalto PKCS11 (10.8) to /home/cyrille/.thunderbird/CyrilleGiquello/pkcs11.txt
</code>
===== Trial run ... =====
Installing the standard Linux tools:
<code>
sudo apt-get install libccid pcscd opensc libpcsclite1 pcsc-tools libengine-pkcs11-openssl
</code>
Before installing SAC (SafeNet tools & drivers):
<code>
$ pkcs11-tool --show-info
Cryptoki version 3.0
Manufacturer OpenSC Project
Library OpenSC smartcard framework (ver 0.22)
Using slot 0 with a present token (0x0)
$ pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
(token not recognized)
</code>
Installing SAC ''safenetauthenticationclient_10.8.1050_amd64.deb'':
<code>
$ pkcs11-tool --module /usr/lib/libeToken.so --show-info
Cryptoki version 2.20
Manufacturer SafeNet, Inc.
Library SafeNet eToken PKCS#11 (ver 10.8)
Using slot 0 with a present token (0x0)
$ pkcs11-tool --module /usr/lib/libeToken.so --list-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
token label : Card #00D7E011831A61E9
token manufacturer : Gemalto
token model : ID Prime MD
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 00D7E011831A61E9
pin min/max : 4/16
Slot 1 (0x1):
(empty)
Slot 2 (0x2):
(empty)
Slot 3 (0x3):
(empty)
Slot 4 (0x4):
(empty)
Slot 5 (0x5):
(empty)
Slot 6 (0x6):
(empty)
Slot 7 (0x7):
(empty)
$ pkcs11-tool --module /usr/lib/libeToken.so --list-mechanisms
Using slot 0 with a present token (0x0)
Supported mechanisms:
DES3-MAC, keySize={24,24}, verify
DES3-MAC-GENERAL, keySize={24,24}, verify
AES-MAC, keySize={16,32}, verify
AES-MAC-GENERAL, keySize={16,32}, verify
DES3-CBC, keySize={24,24}, encrypt, wrap, unwrap
DES3-CBC-PAD, keySize={24,24}, encrypt, wrap, unwrap
AES-CBC, keySize={16,32}, encrypt, wrap, unwrap
AES-CBC-PAD, keySize={16,32}, encrypt, wrap, unwrap
AES-CTR, keySize={16,32}, encrypt, wrap, unwrap
mechtype-0x1088, keySize={16,32}, encrypt, wrap, unwrap
RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, hw, generate_key_pair
RSA-PKCS, keySize={2048,4096}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
RSA-PKCS-OAEP, keySize={2048,4096}, hw, encrypt, decrypt, wrap, unwrap
RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={2048,4096}, verify
SHA256-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA384-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA512-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA1-RSA-PKCS, keySize={2048,4096}, verify
SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
SHA384-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
SHA512-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
ECDSA-KEY-PAIR-GEN, keySize={256,256}, hw, generate_key_pair, EC F_P, EC OID, EC uncompressed
ECDSA, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA1, keySize={256,256}, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA256, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA384, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
mechtype-0x80000045, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA512, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDH1-DERIVE, keySize={256,256}, hw, derive, EC F_P, EC OID, EC uncompressed
DES3-KEY-GEN, keySize={24,24}, generate
AES-KEY-GEN, keySize={16,32}, generate
PBE-SHA1-DES3-EDE-CBC, keySize={24,24}, generate
GENERIC-SECRET-KEY-GEN, keySize={112,2048}, generate
PBA-SHA1-WITH-SHA1-HMAC, keySize={160,160}, generate
PKCS5-PBKD2, generate
SHA-1-HMAC-GENERAL, keySize={112,2048}, verify
SHA-1-HMAC, keySize={112,2048}, verify
mechtype-0x252, keySize={112,2048}, verify
SHA256-HMAC, keySize={112,2048}, verify
mechtype-0x262, keySize={112,2048}, verify
SHA384-HMAC, keySize={112,2048}, verify
mechtype-0x272, keySize={112,2048}, verify
SHA512-HMAC, keySize={112,2048}, verify
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
mechtype-0x80006001, keySize={24,24}, generate
</code>
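The mechanism list above is worth triaging before relying on the token: this added example (not code from the page, SafeNet or OpenSC) parses ''pkcs11-tool --list-mechanisms'' output and groups mechanisms into hardware-backed signers, software-only entries, legacy primitives (3DES, SHA-1) and unnamed ''mechtype-0x...'' entries. ''SAMPLE'' is a constructed excerpt of the output shown above.

```python
# Added example (not from the original page): parse the output of
# "pkcs11-tool --list-mechanisms" as shown above. SAMPLE is a constructed excerpt.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEGACY_TAGS = ("DES3", "SHA1", "SHA-1")  # primitives worth flagging for review
_KEYSIZE = re.compile(r"keySize=\{(\d+),(\d+)\}")

@dataclass
class Mechanism:
    name: str
    key_min: Optional[int]        # None when pkcs11-tool prints no keySize
    key_max: Optional[int]
    hw: bool                      # "hw" flag: operation performed on the token itself
    flags: List[str] = field(default_factory=list)

def parse_mechanisms(text: str) -> List[Mechanism]:
    mechs: List[Mechanism] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Using slot", "Supported mechanisms")):
            continue
        m = _KEYSIZE.search(line)
        kmin, kmax = (int(m.group(1)), int(m.group(2))) if m else (None, None)
        # keySize={a,b} holds a comma of its own, so remove it before splitting
        parts = [p.strip() for p in _KEYSIZE.sub("", line).split(",") if p.strip()]
        flags = parts[1:]
        mechs.append(Mechanism(parts[0], kmin, kmax, "hw" in flags,
                               [f for f in flags if f != "hw"]))
    return mechs

def summarize(mechs: List[Mechanism]) -> Dict[str, List[str]]:
    # Group mechanism names by what a reviewer wants to know first.
    return {
        "hardware_signers": sorted(m.name for m in mechs if m.hw and "sign" in m.flags),
        "software_only": sorted(m.name for m in mechs if not m.hw),
        "legacy": sorted(m.name for m in mechs if any(t in m.name for t in LEGACY_TAGS)),
        "unnamed": sorted(m.name for m in mechs if m.name.startswith("mechtype-")),
    }

SAMPLE = """Using slot 0 with a present token (0x0)
Supported mechanisms:
  DES3-CBC, keySize={24,24}, encrypt, wrap, unwrap
  RSA-PKCS, keySize={2048,4096}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
  SHA1-RSA-PKCS-PSS, keySize={2048,4096}, verify
  SHA256-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
  mechtype-0x80000045, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
  SHA-1, digest
"""
```

Run ''summarize(parse_mechanisms(SAMPLE))'' to see that the SHA-1 variants are verify-only and not hardware-backed, while the unnamed ''mechtype-0x80000045'' is a hardware signer the tool cannot name.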
Using SAC to change the PIN and PUK and to rename the token:
<code>
$ pkcs11-tool --module /usr/lib/libeToken.so --list-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
token label : CyrilleSN5110
token manufacturer : Gemalto
...
</code>
With the module ''/usr/lib/libIDPrimePKCS11.so'' instead of ''/usr/lib/libeToken.so'', an 8th slot appears for the "Digital Signature Pin":
<code>
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so -L
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
token label : CyrilleSN5110
token manufacturer : Gemalto
token model : ID Prime MD
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 00D7E011831A61E9
pin min/max : 4/16
Slot 1 (0x1):
(empty)
Slot 2 (0x2):
(empty)
Slot 3 (0x3):
(empty)
Slot 4 (0x4):
(empty)
Slot 5 (0x5):
(empty)
Slot 6 (0x6):
(empty)
Slot 7 (0x7):
(empty)
Slot 8 (0x10): SafeNet eToken 5100 [eToken 5110 SC] 00 (Digital Signature Pin)
token label : CyrilleSN5110 (Digital Signature
token manufacturer : Gemalto
token model : ID Prime MD
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 00D7E011831A61E9
pin min/max : 4/16
</code>
With ''opensc-tool'' from [[https://github.com/OpenSC/OpenSC/wiki|OpenSC]]:
<code>
$ opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes SafeNet eToken 5100 [eToken 5110 SC] 00 00
$ opensc-tool --reader 0 --name
Unsupported card
</code>
===== Loading the key pair and the certificate into the token =====
* [[https://sztsian.github.io/2022/03/12/Generate-Key-Pair-With-OpenSSL-And-Import-To-PKCS11-Token.html|Generate Key Pair With OpenSSL And Import To PKCS#11 Token]]
* https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
<code>
# extract the keys and the certificate in DER format
$ openssl rsa -in privkey.pkey -outform DER -out testkey-key.der
$ openssl x509 -in cert.cer -outform DER -out testkey-crt.der
$ openssl rsa -in privkey.pkey -pubout -out testkey-public.key
# import private key into token
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-key.der --type privkey --id 1
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN:
Created private key:
Private Key Object; RSA
label:
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive
# import certificate into token
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-crt.der --type cert --id 1
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN:
Created certificate:
Certificate Object; type = X.509 cert
label:
subject: DN: emailAddress=cyrille@somewhere.eu
ID: 01
# import public key into token
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-public.key --type pubkey --id 1
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN:
Created public key:
Public Key Object; RSA 2048 bits
label:
ID: 01
Usage: encrypt, verify, wrap
Access: none
</code>
And there we go, the result viewed in SAC:
{{:informatique:crypto:safenet_5110_avec_certificat.png?direct&600|}}
And with ''pkcs11-tool'' (the private key is not shown without ''--login''):
<code>
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --list-objects
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN:
Certificate Object; type = X.509 cert
label:
subject: DN: emailAddress=cyrille.giquello@internet.net
ID: 01
Public Key Object; RSA 2048 bits
label:
ID: 01
Usage: encrypt, verify, wrap
Access: none
Private Key Object; RSA
label:
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive
</code>
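After an import like the one above, the check worth automating is that every key ID on the token carries a complete certificate / public key / private key triplet and that the private key is marked ''sensitive'' (not extractable). This added example (not code from the page, SafeNet or OpenSC) parses ''pkcs11-tool --login --list-objects'' output and reports any gaps; ''SAMPLE'' is a constructed listing modelled on the output above, with a deliberately incomplete extra key ID 02 added to show a finding.

```python
# Added example (not from the original page): check the output of
# "pkcs11-tool --login --list-objects" above for complete, consistent key sets.
from typing import Dict, List

def parse_objects(text: str) -> List[Dict[str, str]]:
    # One dict per object: {"kind": "Private Key", "detail": "RSA", "ID": "01", ...}
    objs: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if " Object;" in line:                      # header line starts a new object
            kind, _, detail = line.partition(" Object;")
            objs.append({"kind": kind, "detail": detail.strip()})
        elif objs and ":" in line:                  # attribute of the current object
            key, _, value = line.partition(":")
            objs[-1][key.strip()] = value.strip()
    return objs

def check_key_sets(objs: List[Dict[str, str]]) -> List[str]:
    # Findings (empty list = OK): each ID needs cert + public + private key,
    # and the private key must be non-extractable ("sensitive").
    by_id: Dict[str, Dict[str, Dict[str, str]]] = {}
    for o in objs:
        by_id.setdefault(o.get("ID", "?"), {})[o["kind"]] = o
    findings: List[str] = []
    for oid, kinds in sorted(by_id.items()):
        for needed in ("Certificate", "Public Key", "Private Key"):
            if needed not in kinds:
                findings.append(f"ID {oid}: missing {needed} object")
        priv = kinds.get("Private Key")
        if priv and "sensitive" not in priv.get("Access", ""):
            findings.append(f"ID {oid}: private key is not marked sensitive")
    return findings

SAMPLE = """Using slot 0 with a present token (0x0)
Please enter User PIN:
Certificate Object; type = X.509 cert
  subject:    DN: emailAddress=user@example.invalid
  ID:         01
Public Key Object; RSA 2048 bits
  label:
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive
Private Key Object; RSA
  label:      stray-test-key
  ID:         02
  Access:     none
"""
```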