Table des matières
SafeNet eToken 5110
- Digicert knowledge base Initialize a SafeNet eToken 5110CC
- Safenet Authenfication Client (SAC) Linux SafeNet drivers sur globalsign.com (Ubuntu 20.04 et 22.04, CentOS 8 et 9, Debian et RedHat 32 et 64 bit)
- Configure Firefox & Chrome avec le driver SAC “Safenet Authenfication Client” https://github.com/Synehan/safenet-linux
- dépendance avec “libnss3” (Network Security Service libraries)
- Using Safenet eToken 5110 With Fedora https://sztsian.github.io/2022/02/21/Using-Safenet-eToken-5110-With-Fedora.html
- Using Tokens in Ubuntu with PGP https://craftware.xyz/securitybricks/2017/07/17/using-tokens-in-Ubuntu-with-pgp.html
- Version “5110 CC” Acheté 37 € (2023-08) sur https://qscd.eu
- Voir aussi SafeNet eToken 5300
- API et normes compatibles : PKCS#11, Microsoft CAPI, PC/SC, stockage de certificats X.509 v3, SSL v3, IPSec/IKE, MS mini-lecteur, CNG
- Taille de la mémoire: 80 k
- Spécifications ISO compatibles : Conforme aux spécifications ISO 7816-1 à 4
- Certification de résistance à l’eau IP X7 – IEC 60529
- Connecteur USB USB type A ; compatible avec USB 1.1 et 2.0 (haut débit)
- Boîtier Plastique dur moulé, inviolable
- Algorithmes de sécurité embarqués
- Hachage : SHA-1, SHA-256, SHA-384, SHA-512
- RSA : RSA jusqu’à 4096 bits
- RSA OAEP et RSA PSS
- P-256 bits ECDSA, ECDH. P-384 & P-521 bits ECDSA, ECDH disponibles par le biais d’une configuration personnalisée
- Génération de paires de clés asymétrique (RSA jusqu’à 4096 bits et courbes elliptiques jusqu’à 521 bits)
- Symétrique : AES pour une messagerie sécurisée et 3DES pour la stimulation/réponse de Windows uniquement
- Certifications de sécurité: CC EAL5+
- Plateforme de la carte à puce: IDPrime MD 940
Insertion port USB
Ubuntu Linux 6.2.0-26-generic
kernel: usb 3-1: new full-speed USB device number 5 using xhci_hcd kernel: usb 3-1: New USB device found, idVendor=0529, idProduct=0620, bcdDevice= 0.01 kernel: usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0 kernel: usb 3-1: Product: Token JC kernel: usb 3-1: Manufacturer: SafeNet mtp-probe: checking bus 3, device 5: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1" mtp-probe: bus: 3, device: 5 was not an MTP device systemd[1]: Reached target Smart Card. systemd[1782]: Reached target Smart Card. mtp-probe: checking bus 3, device 5: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1" mtp-probe: bus: 3, device: 5 was not an MTP device
Safenet Authenfication Client (SAC)
Safenet Authenfication Client (SAC) Linux SafeNet drivers sur globalsign.com (Ubuntu 20.04 et 22.04, CentOS 8 et 9, Debian et RedHat 32 et 64 bit).
Configure Firefox & Chrome avec le driver SAC “Safenet Authenfication Client” https://github.com/Synehan/safenet-linux (dépendance avec “libnss3” Network Security Service libraries)
SAC PKCS#11 middleware (Safenet Authentication Client) is a PKCS#11 library that can be used to access different Gemalto smart card from applications supporting the PKCS#11 API.
Nécessite 2 autre paquets :
- libccid : PC/SC driver for USB CCID smart card readers
- pcscd : Middleware to access a smart card using PC/SC (daemon side)
Lintian output :
E: copyright-not-using-common-license-for-lgpl E: lacks-versioned-link-to-shared-library usr/lib/libIDClassicSISTokenEngine.so.10 usr/lib/libIDClassicSISTokenEngine.so.10.8.1050 libIDClassicSISTokenEngine.so.10 E: lacks-versioned-link-to-shared-library usr/lib/libIDPVSlotEngine.so.10 usr/lib/libIDPVSlotEngine.so.10.8.1050 libIDPVSlotEngine.so.10 E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimePKCS11.so.10 usr/lib/libIDPrimePKCS11.so.10.8.1050 libIDPrimePKCS11.so.10 E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimeSISTokenEngine.so.10 usr/lib/libIDPrimeSISTokenEngine.so.10.8.1050 libIDPrimeSISTokenEngine.so.10 E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimeTokenEngine.so.10 usr/lib/libIDPrimeTokenEngine.so.10.8.1050 libIDPrimeTokenEngine.so.10 E: lacks-versioned-link-to-shared-library usr/lib/libSACLog.so.10 usr/lib/libSACLog.so.10.8.1050 libSACLog.so.10 E: lacks-versioned-link-to-shared-library usr/lib/libeTokenHID.so.10 usr/lib/libeTokenHID.so.10.8.1050 libeTokenHID.so.10 E: misplaced-extra-member-in-deb _gpgorigin (unexpected _member at position 3) W: executable-stack-in-shared-library usr/lib/libSACUI.so.10.8.1050 W: hardening-no-pie [usr/bin/SACMonitor] W: hardening-no-pie [usr/bin/SACSrv] W: hardening-no-pie [usr/bin/SACTools] W: hardening-no-pie [usr/lib/SAC/SACUIProcess] W: killall-is-dangerous [prerm:5] W: link-to-shared-library-in-wrong-package usr/lib/libIDClassicSISTokenEngine.so.10.8.1050 usr/lib/libIDClassicSISTokenEngine.so W: link-to-shared-library-in-wrong-package usr/lib/libIDPVSlotEngine.so.10.8.1050 usr/lib/libIDPVSlotEngine.so W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimePKCS11.so.10.8.1050 usr/lib/libIDPrimePKCS11.so W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimeSISTokenEngine.so.10.8.1050 usr/lib/libIDPrimeSISTokenEngine.so W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimeTokenEngine.so.10.8.1050 usr/lib/libIDPrimeTokenEngine.so W: link-to-shared-library-in-wrong-package usr/lib/libSACLog.so.10.8.1050 usr/lib/libSACLog.so W: link-to-shared-library-in-wrong-package usr/lib/libSACUI.so.10.8.1050 usr/lib/libSACUI.so W: link-to-shared-library-in-wrong-package usr/lib/libeTPKCS15.so.10.8.1050 usr/lib/libeTPKCS15.so W: link-to-shared-library-in-wrong-package usr/lib/libeToken.so.10.8.1050 usr/lib/libeToken.so W: link-to-shared-library-in-wrong-package usr/lib/libeTokenHID.so.10.8.1050 usr/lib/libeTokenHID.so W: missing-systemd-service-for-init.d-script safenetauthenticationclient [etc/init.d/safenetauthenticationclient] W: no-manual-page usr/bin/SACMonitor W: no-manual-page usr/bin/SACSrv W: no-manual-page usr/bin/SACTools W: package-name-doesnt-match-sonames libIDClassicSISTokenEngine10 libIDPVSlotEngine10 libIDPrimePKCS11-10 libIDPrimeSISTokenEngine10 libIDPrimeTokenEngine10 libSACLog10 libSACUI10 libeTPKCS15-10 libeToken10 libeTokenHID10
Ajout du module SafeNet /usr/lib/libIDPrimePKCS11.so dans Firefox :
Chrome / Chromium ne propose pas d'interface graphique, il faut passer par la ligne de commande :
pkcs11-register
$ pkcs11-register Added OpenSC smartcard framework (0.22) to /home/user/.pki/nssdb/pkcs11.txt Added OpenSC smartcard framework (0.22) to /home/user/.mozilla/firefox/CyrilleGiquello/pkcs11.txt Added OpenSC smartcard framework (0.22) to /home/user/.thunderbird/CyrilleGiquello/pkcs11.txt $ pkcs11-register -m /usr/lib/libIDPrimePKCS11.so Added Gemalto PKCS11 (10.8) to /home/cyrille/.pki/nssdb/pkcs11.txt Added Gemalto PKCS11 (10.8) to /home/cyrille/.mozilla/firefox/CyrilleGiquello/pkcs11.txt Added Gemalto PKCS11 (10.8) to /home/cyrille/.thunderbird/CyrilleGiquello/pkcs11.txt
Essai ...
Install des outils linux standards
sudo apt-get install libccid pcscd opensc libpcsclite1 pcsc-tools libengine-pkcs11-openssl
Avant d'installer SAC (SafeNet tools & drivers) :
$ pkcs11-tool --show-info Cryptoki version 3.0 Manufacturer OpenSC Project Library OpenSC smartcard framework (ver 0.22) Using slot 0 with a present token (0x0) $ pkcs11-tool --list-slots Available slots: Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00 (token not recognized)
Installation de SAC safenetauthenticationclient_10.8.1050_amd64.deb.
$ pkcs11-tool --module /usr/lib/libeToken.so --show-info
Cryptoki version 2.20
Manufacturer SafeNet, Inc.
Library SafeNet eToken PKCS#11 (ver 10.8)
Using slot 0 with a present token (0x0)
$ pkcs11-tool --module /usr/lib/libeToken.so --list-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
token label : Card #00D7E011831A61E9
token manufacturer : Gemalto
token model : ID Prime MD
token flags : login required, rng, token initialized, PIN initialized, other flags=0x200
hardware version : 0.0
firmware version : 0.0
serial num : 00D7E011831A61E9
pin min/max : 4/16
Slot 1 (0x1):
(empty)
Slot 2 (0x2):
(empty)
Slot 3 (0x3):
(empty)
Slot 4 (0x4):
(empty)
Slot 5 (0x5):
(empty)
Slot 6 (0x6):
(empty)
Slot 7 (0x7):
(empty)
$ pkcs11-tool --module /usr/lib/libeToken.so --list-mechanisms
Using slot 0 with a present token (0x0)
Supported mechanisms:
DES3-MAC, keySize={24,24}, verify
DES3-MAC-GENERAL, keySize={24,24}, verify
AES-MAC, keySize={16,32}, verify
AES-MAC-GENERAL, keySize={16,32}, verify
DES3-CBC, keySize={24,24}, encrypt, wrap, unwrap
DES3-CBC-PAD, keySize={24,24}, encrypt, wrap, unwrap
AES-CBC, keySize={16,32}, encrypt, wrap, unwrap
AES-CBC-PAD, keySize={16,32}, encrypt, wrap, unwrap
AES-CTR, keySize={16,32}, encrypt, wrap, unwrap
mechtype-0x1088, keySize={16,32}, encrypt, wrap, unwrap
RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, hw, generate_key_pair
RSA-PKCS, keySize={2048,4096}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
RSA-PKCS-OAEP, keySize={2048,4096}, hw, encrypt, decrypt, wrap, unwrap
RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA1-RSA-PKCS-PSS, keySize={2048,4096}, verify
SHA256-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA384-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA512-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
SHA1-RSA-PKCS, keySize={2048,4096}, verify
SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
SHA384-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
SHA512-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
ECDSA-KEY-PAIR-GEN, keySize={256,256}, hw, generate_key_pair, EC F_P, EC OID, EC uncompressed
ECDSA, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA1, keySize={256,256}, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA256, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA384, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
mechtype-0x80000045, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDSA-SHA512, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
ECDH1-DERIVE, keySize={256,256}, hw, derive, EC F_P, EC OID, EC uncompressed
DES3-KEY-GEN, keySize={24,24}, generate
AES-KEY-GEN, keySize={16,32}, generate
PBE-SHA1-DES3-EDE-CBC, keySize={24,24}, generate
GENERIC-SECRET-KEY-GEN, keySize={112,2048}, generate
PBA-SHA1-WITH-SHA1-HMAC, keySize={160,160}, generate
PKCS5-PBKD2, generate
SHA-1-HMAC-GENERAL, keySize={112,2048}, verify
SHA-1-HMAC, keySize={112,2048}, verify
mechtype-0x252, keySize={112,2048}, verify
SHA256-HMAC, keySize={112,2048}, verify
mechtype-0x262, keySize={112,2048}, verify
SHA384-HMAC, keySize={112,2048}, verify
mechtype-0x272, keySize={112,2048}, verify
SHA512-HMAC, keySize={112,2048}, verify
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
mechtype-0x80006001, keySize={24,24}, generate
Utilisation de SAC pour changer les PIN et PUK, renommage du token
$ pkcs11-tool --module /usr/lib/libeToken.so --list-slots Available slots: Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00 token label : CyrilleSN5110 token manufacturer : Gemalto ...
Avec le module /usr/lib/libIDPrimePKCS11.so au lieu de /usr/lib/libeToken.so on obtient un 8eme slot pour “Digital Signature Pin”
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so -L Available slots: Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00 token label : CyrilleSN5110 token manufacturer : Gemalto token model : ID Prime MD token flags : login required, rng, token initialized, PIN initialized, other flags=0x200 hardware version : 0.0 firmware version : 0.0 serial num : 00D7E011831A61E9 pin min/max : 4/16 Slot 1 (0x1): (empty) Slot 2 (0x2): (empty) Slot 3 (0x3): (empty) Slot 4 (0x4): (empty) Slot 5 (0x5): (empty) Slot 6 (0x6): (empty) Slot 7 (0x7): (empty) Slot 8 (0x10): SafeNet eToken 5100 [eToken 5110 SC] 00 (Digital Signature Pin) token label : CyrilleSN5110 (Digital Signature token manufacturer : Gemalto token model : ID Prime MD token flags : login required, rng, token initialized, PIN initialized, other flags=0x200 hardware version : 0.0 firmware version : 0.0 serial num : 00D7E011831A61E9 pin min/max : 4/16
Avec opensc-tool de OpenSC
$ opensc-tool -l # Detected readers (pcsc) Nr. Card Features Name 0 Yes SafeNet eToken 5100 [eToken 5110 SC] 00 00 $ opensc-tool --reader 0 --name Unsupported card
Charger la paire de clés et le certificat dans le token
# extraire les clés et le certificat au format DER $ openssl rsa -in privkey.pkey -outform DER -out testkey-key.der $ openssl x509 -in cert.cer -outform DER -out testkey-crt.der $ openssl rsa -in privkey.pkey -pubout -out testkey-public.key # import private key into token $ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-key.der --type privkey --id 1 Using slot 0 with a present token (0x0) Logging in to "CyrilleSN5110". Please enter User PIN: Created private key: Private Key Object; RSA label: ID: 01 Usage: decrypt, sign, unwrap Access: sensitive # import certificat into token $ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-crt.der --type cert --id 1 Using slot 0 with a present token (0x0) Logging in to "CyrilleSN5110". Please enter User PIN: Created certificate: Certificate Object; type = X.509 cert label: subject: DN: emailAddress=cyrille@somewhere.eu ID: 01 # import public key into token $ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-public.key --type pubkey --id 1 Using slot 0 with a present token (0x0) Logging in to "CyrilleSN5110". Please enter User PIN: Created public key: Public Key Object; RSA 2048 bits label: ID: 01 Usage: encrypt, verify, wrap Access: none
Et hop, visualisation du travail avec SAC:
Et avec pkcs-tool (la clé privée n'est pas affichée sans –login)
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --list-objects Using slot 0 with a present token (0x0) Logging in to "CyrilleSN5110". Please enter User PIN: Certificate Object; type = X.509 cert label: subject: DN: emailAddress=cyrille.giquello@internet.net ID: 01 Public Key Object; RSA 2048 bits label: ID: 01 Usage: encrypt, verify, wrap Access: none Private Key Object; RSA label: ID: 01 Usage: decrypt, sign, unwrap Access: sensitive