SafeNet eToken 5110

Plugging into a USB port

Ubuntu Linux, kernel 6.2.0-26-generic

kernel: usb 3-1: new full-speed USB device number 5 using xhci_hcd
kernel: usb 3-1: New USB device found, idVendor=0529, idProduct=0620, bcdDevice= 0.01
kernel: usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
kernel: usb 3-1: Product: Token JC
kernel: usb 3-1: Manufacturer: SafeNet
mtp-probe: checking bus 3, device 5: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1"
mtp-probe: bus: 3, device: 5 was not an MTP device
systemd[1]: Reached target Smart Card.
systemd[1782]: Reached target Smart Card.
mtp-probe: checking bus 3, device 5: "/sys/devices/pci0000:00/0000:00:14.0/usb3/3-1"
mtp-probe: bus: 3, device: 5 was not an MTP device

SafeNet Authentication Client (SAC)

SafeNet Authentication Client (SAC): Linux SafeNet drivers on globalsign.com (Ubuntu 20.04 and 22.04, CentOS 8 and 9, Debian and RedHat, 32 and 64 bit).

Configuring Firefox & Chrome with the SAC driver ("SafeNet Authentication Client"): https://github.com/Synehan/safenet-linux (depends on "libnss3", the Network Security Service libraries)

SAC PKCS#11 middleware (SafeNet Authentication Client) is a PKCS#11 library that can be used to access different Gemalto smart cards from applications supporting the PKCS#11 API.

Requires 2 other packages:

Lintian output :

E: copyright-not-using-common-license-for-lgpl
E: lacks-versioned-link-to-shared-library usr/lib/libIDClassicSISTokenEngine.so.10 usr/lib/libIDClassicSISTokenEngine.so.10.8.1050 libIDClassicSISTokenEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPVSlotEngine.so.10 usr/lib/libIDPVSlotEngine.so.10.8.1050 libIDPVSlotEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimePKCS11.so.10 usr/lib/libIDPrimePKCS11.so.10.8.1050 libIDPrimePKCS11.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimeSISTokenEngine.so.10 usr/lib/libIDPrimeSISTokenEngine.so.10.8.1050 libIDPrimeSISTokenEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libIDPrimeTokenEngine.so.10 usr/lib/libIDPrimeTokenEngine.so.10.8.1050 libIDPrimeTokenEngine.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libSACLog.so.10 usr/lib/libSACLog.so.10.8.1050 libSACLog.so.10
E: lacks-versioned-link-to-shared-library usr/lib/libeTokenHID.so.10 usr/lib/libeTokenHID.so.10.8.1050 libeTokenHID.so.10
E: misplaced-extra-member-in-deb _gpgorigin (unexpected _member at position 3)
W: executable-stack-in-shared-library usr/lib/libSACUI.so.10.8.1050
W: hardening-no-pie [usr/bin/SACMonitor]
W: hardening-no-pie [usr/bin/SACSrv]
W: hardening-no-pie [usr/bin/SACTools]
W: hardening-no-pie [usr/lib/SAC/SACUIProcess]
W: killall-is-dangerous [prerm:5]
W: link-to-shared-library-in-wrong-package usr/lib/libIDClassicSISTokenEngine.so.10.8.1050 usr/lib/libIDClassicSISTokenEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPVSlotEngine.so.10.8.1050 usr/lib/libIDPVSlotEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimePKCS11.so.10.8.1050 usr/lib/libIDPrimePKCS11.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimeSISTokenEngine.so.10.8.1050 usr/lib/libIDPrimeSISTokenEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libIDPrimeTokenEngine.so.10.8.1050 usr/lib/libIDPrimeTokenEngine.so
W: link-to-shared-library-in-wrong-package usr/lib/libSACLog.so.10.8.1050 usr/lib/libSACLog.so
W: link-to-shared-library-in-wrong-package usr/lib/libSACUI.so.10.8.1050 usr/lib/libSACUI.so
W: link-to-shared-library-in-wrong-package usr/lib/libeTPKCS15.so.10.8.1050 usr/lib/libeTPKCS15.so
W: link-to-shared-library-in-wrong-package usr/lib/libeToken.so.10.8.1050 usr/lib/libeToken.so
W: link-to-shared-library-in-wrong-package usr/lib/libeTokenHID.so.10.8.1050 usr/lib/libeTokenHID.so
W: missing-systemd-service-for-init.d-script safenetauthenticationclient [etc/init.d/safenetauthenticationclient]
W: no-manual-page usr/bin/SACMonitor
W: no-manual-page usr/bin/SACSrv
W: no-manual-page usr/bin/SACTools
W: package-name-doesnt-match-sonames libIDClassicSISTokenEngine10 libIDPVSlotEngine10 libIDPrimePKCS11-10 libIDPrimeSISTokenEngine10 libIDPrimeTokenEngine10 libSACLog10 libSACUI10 libeTPKCS15-10 libeToken10 libeTokenHID10
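Two of these findings deserve more than a shrug: hardening-no-pie means the SAC daemons (SACSrv, SACMonitor, SACTools, SACUIProcess) are fixed-address executables, so ASLR does not apply to their main image, and executable-stack-in-shared-library means libSACUI.so carries a PT_GNU_STACK header with the execute bit set, which the glibc loader has traditionally honoured by making the whole stack of any process that loads the library executable. Both are cheap to verify yourself. The checker below is an added example written for this page (it is not Lintian's code and not SafeNet's); it reads only the ELF64 header and program headers, and the images it builds for its own test are constructed in the code and are not real SAC binaries.

```python
"""Check two of the Lintian hardening findings above (hardening-no-pie and
executable-stack-in-shared-library) directly on ELF64 files, using only the
ELF header and program headers. Added example, not Lintian or SafeNet code."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3            # e_type: fixed-address executable / PIE or .so
PT_GNU_STACK = 0x6474E551         # program header carrying the stack permissions
PF_X = 0x1                        # execute bit in p_flags


def parse_elf64(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) of a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data: bytes) -> dict:
    """pie: e_type is ET_DYN (only meaningful for executables; every .so is ET_DYN).
    exec_stack: PT_GNU_STACK requests PF_X, or is missing altogether, which the
    loader treats as an executable stack on x86 (Lintian flags both cases)."""
    e_type, phdrs = parse_elf64(data)
    stack_flags = [flags for ptype, flags in phdrs if ptype == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        "exec_stack": not stack_flags or any(f & PF_X for f in stack_flags),
    }


def build_sample_elf(e_type: int, stack_flags) -> bytes:
    """Constructed test image: header plus program headers, no code at all.
    Not a real SAC binary; it exists so the checker can be exercised offline."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 0x5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]  # PT_LOAD r-x
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, version 1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)  # x86-64, phdrs right after the header
    return header + b"".join(phdrs)


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /usr/bin/SACSrv /usr/lib/libSACUI.so.10.8.1050
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, hardening_report(f.read()))
```

Run it on /usr/bin/SACSrv and /usr/lib/libSACUI.so.10.8.1050 after installing the .deb: the executable should come back with pie False and the UI library with exec_stack True if the Lintian output above is accurate for your build. PF_R/PF_W/PF_X are 4/2/1, so a sane PT_GNU_STACK has p_flags 0x6 (RW) and a flagged one 0x7 (RWE).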

Adding the SafeNet module /usr/lib/libIDPrimePKCS11.so in Firefox:

Chrome / Chromium offers no graphical interface for this; it has to be done from the command line:

pkcs11-register

$ pkcs11-register
Added OpenSC smartcard framework (0.22) to /home/user/.pki/nssdb/pkcs11.txt
Added OpenSC smartcard framework (0.22) to /home/user/.mozilla/firefox/CyrilleGiquello/pkcs11.txt
Added OpenSC smartcard framework (0.22) to /home/user/.thunderbird/CyrilleGiquello/pkcs11.txt

$ pkcs11-register -m /usr/lib/libIDPrimePKCS11.so
Added Gemalto PKCS11 (10.8) to /home/cyrille/.pki/nssdb/pkcs11.txt
Added Gemalto PKCS11 (10.8) to /home/cyrille/.mozilla/firefox/CyrilleGiquello/pkcs11.txt
Added Gemalto PKCS11 (10.8) to /home/cyrille/.thunderbird/CyrilleGiquello/pkcs11.txt
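What pkcs11-register does for each of those three paths is append a module stanza to the pkcs11.txt of an NSS "sql:" database directory, and NSS will then dlopen() that library inside the browser or mail client. The script below is an added example written for this page (not OpenSC's pkcs11-register and not part of the page's own material) that does the same thing idempotently and refuses anything but an absolute path to an existing, non-world-writable library. The stanza layout it assumes (blank-line separated key=value blocks with library= and name= lines) is my reading of the NSS file format, and the sample pkcs11.txt content is constructed.

```python
"""Add a PKCS#11 module to an NSS 'sql:' database directory by editing its
pkcs11.txt, the file pkcs11-register appends to. Added example; the stanza
layout (blank-line separated key=value blocks with 'library=' and 'name=')
is an assumption about the NSS format, not something taken from the page."""
import os

# Chrome/Chromium database; Firefox/Thunderbird profile directories are passed by the caller.
DEFAULT_DBDIRS = [os.path.expanduser("~/.pki/nssdb")]


def parse_pkcs11_txt(text: str) -> list:
    """Split pkcs11.txt into stanzas, each a dict key -> value. Values such as
    parameters= contain '=' themselves, so only the first '=' separates."""
    stanzas, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


def render_pkcs11_txt(stanzas) -> str:
    return "\n\n".join("\n".join(f"{k}={v}" for k, v in s.items()) for s in stanzas) + "\n"


def register_module(text: str, library: str, name: str):
    """Return (new_text, added). Idempotent on the library= line. The path must
    be absolute: NSS dlopen()s it inside the browser process, so a bare or
    relative name would let whoever controls the search path supply the code."""
    if not os.path.isabs(library):
        raise ValueError(f"refusing non-absolute module path: {library}")
    stanzas = parse_pkcs11_txt(text)
    if any(s.get("library") == library for s in stanzas):
        return text, False
    stanzas.append({"library": library, "name": name})
    return render_pkcs11_txt(stanzas), True


def register_in_dir(dbdir: str, library: str, name: str) -> bool:
    """Apply register_module to <dbdir>/pkcs11.txt, creating the file if absent.
    Also insists the library exists and is not world-writable before trusting it."""
    if not os.path.isfile(library):
        raise FileNotFoundError(library)
    if os.stat(library).st_mode & 0o002:
        raise PermissionError(f"{library} is world-writable; refusing to load it into NSS clients")
    path = os.path.join(dbdir, "pkcs11.txt")
    old = open(path).read() if os.path.exists(path) else ""
    new, added = register_module(old, library, name)
    if added:
        with open(path, "w") as f:
            f.write(new)
    return added


# Constructed sample: the internal-module stanza NSS writes for itself.
SAMPLE_PKCS11_TXT = """library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=optimizeSpace
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100
"""

if __name__ == "__main__":
    for d in DEFAULT_DBDIRS:
        print(d, register_in_dir(d, "/usr/lib/libIDPrimePKCS11.so", "Gemalto PKCS11 (10.8)"))
```

If you prefer the NSS tools themselves, `modutil -dbdir sql:$HOME/.pki/nssdb -list` shows the result, and the browser must be closed while pkcs11.txt is edited, because NSS keeps its own view of the file while running.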

Trials ...

Installing the standard Linux tools

sudo apt-get install libccid pcscd opensc libpcsclite1 pcsc-tools libengine-pkcs11-openssl

Before installing SAC (SafeNet tools & drivers), with OpenSC's own module:

$ pkcs11-tool --show-info
Cryptoki version 3.0
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.22)
Using slot 0 with a present token (0x0)

$ pkcs11-tool --list-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
  (token not recognized)

Installing SAC safenetauthenticationclient_10.8.1050_amd64.deb.

$ pkcs11-tool --module /usr/lib/libeToken.so --show-info
Cryptoki version 2.20
Manufacturer     SafeNet, Inc.
Library          SafeNet eToken PKCS#11 (ver 10.8)
Using slot 0 with a present token (0x0)

$ pkcs11-tool --module /usr/lib/libeToken.so --list-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
  token label        : Card #00D7E011831A61E9
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00D7E011831A61E9
  pin min/max        : 4/16
Slot 1 (0x1): 
  (empty)
Slot 2 (0x2): 
  (empty)
Slot 3 (0x3): 
  (empty)
Slot 4 (0x4): 
  (empty)
Slot 5 (0x5): 
  (empty)
Slot 6 (0x6): 
  (empty)
Slot 7 (0x7): 
  (empty)

$ pkcs11-tool --module /usr/lib/libeToken.so --list-mechanisms
Using slot 0 with a present token (0x0)
Supported mechanisms:
  DES3-MAC, keySize={24,24}, verify
  DES3-MAC-GENERAL, keySize={24,24}, verify
  AES-MAC, keySize={16,32}, verify
  AES-MAC-GENERAL, keySize={16,32}, verify
  DES3-CBC, keySize={24,24}, encrypt, wrap, unwrap
  DES3-CBC-PAD, keySize={24,24}, encrypt, wrap, unwrap
  AES-CBC, keySize={16,32}, encrypt, wrap, unwrap
  AES-CBC-PAD, keySize={16,32}, encrypt, wrap, unwrap
  AES-CTR, keySize={16,32}, encrypt, wrap, unwrap
  mechtype-0x1088, keySize={16,32}, encrypt, wrap, unwrap
  RSA-PKCS-KEY-PAIR-GEN, keySize={2048,4096}, hw, generate_key_pair
  RSA-PKCS, keySize={2048,4096}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
  RSA-PKCS-OAEP, keySize={2048,4096}, hw, encrypt, decrypt, wrap, unwrap
  RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
  SHA1-RSA-PKCS-PSS, keySize={2048,4096}, verify
  SHA256-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
  SHA384-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
  SHA512-RSA-PKCS-PSS, keySize={2048,4096}, hw, sign, verify
  SHA1-RSA-PKCS, keySize={2048,4096}, verify
  SHA256-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  SHA384-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  SHA512-RSA-PKCS, keySize={2048,4096}, hw, sign, verify
  ECDSA-KEY-PAIR-GEN, keySize={256,256}, hw, generate_key_pair, EC F_P, EC OID, EC uncompressed
  ECDSA, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
  ECDSA-SHA1, keySize={256,256}, verify, EC F_P, EC OID, EC uncompressed
  ECDSA-SHA256, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
  ECDSA-SHA384, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
  mechtype-0x80000045, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
  ECDSA-SHA512, keySize={256,256}, hw, sign, verify, EC F_P, EC OID, EC uncompressed
  ECDH1-DERIVE, keySize={256,256}, hw, derive, EC F_P, EC OID, EC uncompressed
  DES3-KEY-GEN, keySize={24,24}, generate
  AES-KEY-GEN, keySize={16,32}, generate
  PBE-SHA1-DES3-EDE-CBC, keySize={24,24}, generate
  GENERIC-SECRET-KEY-GEN, keySize={112,2048}, generate
  PBA-SHA1-WITH-SHA1-HMAC, keySize={160,160}, generate
  PKCS5-PBKD2, generate
  SHA-1-HMAC-GENERAL, keySize={112,2048}, verify
  SHA-1-HMAC, keySize={112,2048}, verify
  mechtype-0x252, keySize={112,2048}, verify
  SHA256-HMAC, keySize={112,2048}, verify
  mechtype-0x262, keySize={112,2048}, verify
  SHA384-HMAC, keySize={112,2048}, verify
  mechtype-0x272, keySize={112,2048}, verify
  SHA512-HMAC, keySize={112,2048}, verify
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  mechtype-0x80006001, keySize={24,24}, generate

The entries this pkcs11-tool prints as mechtype-0x... are mechanisms it has no name for: 0x252, 0x262 and 0x272 are CKM_SHA256_HMAC_GENERAL, CKM_SHA384_HMAC_GENERAL and CKM_SHA512_HMAC_GENERAL, 0x1088 is CKM_AES_CCM, and 0x80000045 and 0x80006001 lie in the vendor-defined range (at or above CKM_VENDOR_DEFINED = 0x80000000), so only SafeNet's documentation says what they are. The hw flag marks what the token does itself: the RSA (2048 to 4096 bits) and ECDSA/ECDH (P-256 only) operations, while the symmetric and HMAC mechanisms are listed without hw and with no sign or decrypt capability.

Using SAC to change the PIN and PUK and to rename the token

$ pkcs11-tool --module /usr/lib/libeToken.so --list-slots
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
  token label        : CyrilleSN5110
  token manufacturer : Gemalto
...

With the /usr/lib/libIDPrimePKCS11.so module instead of /usr/lib/libeToken.so, an extra slot appears (Slot 8, 0x10) for the "Digital Signature PIN":

$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so -L
Available slots:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
  token label        : CyrilleSN5110
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00D7E011831A61E9
  pin min/max        : 4/16
Slot 1 (0x1): 
  (empty)
Slot 2 (0x2): 
  (empty)
Slot 3 (0x3): 
  (empty)
Slot 4 (0x4): 
  (empty)
Slot 5 (0x5): 
  (empty)
Slot 6 (0x6): 
  (empty)
Slot 7 (0x7): 
  (empty)
Slot 8 (0x10): SafeNet eToken 5100 [eToken 5110 SC] 00  (Digital Signature Pin)
  token label        : CyrilleSN5110 (Digital Signature
  token manufacturer : Gemalto
  token model        : ID Prime MD
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x200
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 00D7E011831A61E9
  pin min/max        : 4/16

With opensc-tool from OpenSC

$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             SafeNet eToken 5100 [eToken 5110 SC] 00 00

$ opensc-tool --reader 0 --name
Unsupported card

Loading the key pair and the certificate into the token

All three objects are written with the same --id 1 so that NSS and the OpenSSL engine associate the certificate with its private key. Bear in mind that a key imported this way has existed in clear on disk (privkey.pkey); if the point of the token is that the signing key never leaves the hardware, generate it on the token instead (pkcs11-tool --keypairgen, using the hw RSA-PKCS-KEY-PAIR-GEN or ECDSA-KEY-PAIR-GEN mechanisms listed above) and import only the certificate.

# extract the private key and the certificate in DER format, and the public key in PEM
$ openssl rsa -in privkey.pkey -outform DER -out testkey-key.der
$ openssl x509 -in cert.cer -outform DER -out testkey-crt.der
$ openssl rsa -in privkey.pkey -pubout -out testkey-public.key
 
# import private key into token
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-key.der --type privkey --id 1
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN: 
Created private key:
Private Key Object; RSA 
  label:      
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive
 
# import certificate into token
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-crt.der --type cert --id 1
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN: 
Created certificate:
Certificate Object; type = X.509 cert
  label:      
  subject:    DN: emailAddress=cyrille@somewhere.eu
  ID:         01
 
# import public key into token
$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --write-object testkey-public.key --type pubkey --id 1
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN: 
Created public key:
Public Key Object; RSA 2048 bits
  label:      
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none

And there it is: viewing the result in SAC:

And with pkcs11-tool (the private key object is not listed without --login):

$ pkcs11-tool --module /usr/lib/libIDPrimePKCS11.so --login --list-objects
Using slot 0 with a present token (0x0)
Logging in to "CyrilleSN5110".
Please enter User PIN: 
Certificate Object; type = X.509 cert
  label:      
  subject:    DN: emailAddress=cyrille.giquello@internet.net
  ID:         01
Public Key Object; RSA 2048 bits
  label:      
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; RSA 
  label:      
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive