| Les deux révisions précédentesRévision précédenteProchaine révision | Révision précédente |
| informatique:pkcs [22/04/2010 17:07] – cyrille | informatique:pkcs [27/08/2023 11:31] (Version actuelle) – [Chiffrement et déchiffrement avec Javascript dans navigateur] cyrille |
|---|
| * PKCS#9: Selected Attribute Types | * PKCS#9: Selected Attribute Types |
| * PKCS#10: Certification Request Syntax Standard | * PKCS#10: Certification Request Syntax Standard |
| * PKCS#11: Cryptographic Token Interface Standard | * [[#pkcs_11_-_cryptographic_token_interface_standard|PKCS#11]]: Cryptographic Token Interface Standard |
| * [[#pkcs_12_-_personnal_information_exchange_syntax_standard|PKCS#12]]: Personal Information Exchange Syntax Standard | * [[#pkcs_12_-_personnal_information_exchange_syntax_standard|PKCS#12]]: Personal Information Exchange Syntax Standard |
| * PKCS#13: Elliptic Curve Cryptography Standard | * PKCS#13: Elliptic Curve Cryptography Standard |
| * PKCS#15: Cryptographic Token Information Format Standard | * PKCS#15: Cryptographic Token Information Format Standard |
| |
| Voir aussi : | Voir [[/glossaire/pkcs|/glossaire/pkcs]] pour des liens de références. |
| * [[http://en.wikipedia.org/wiki/PKCS|Wikipedia]] | |
| * [[/glossaire/IGC|Infrastructure de Gestion de Clefs (IGC)]] | |
| * [[/informatique/igc|/informatique/igc (Infrastructure de Gestion de Clefs)]] | |
| |
| ===== PKCS#7 - Cryptographic Message Syntax Standard ===== | ===== PKCS#7 - Cryptographic Message Syntax Standard ===== |
| |
| Exemple d'un mail signé avec Thunderbird : {{documentation:technologies:crypto:mail_signe.txt|mail_signe.txt}} | Exemple d'un mail signé avec Thunderbird : {{documentation:technologies:crypto:mail_signe.txt|mail_signe.txt}} |
| | |
| | ra |
| | ===== PKCS#11 - Cryptographic Token Interface Standard ===== |
| | |
| | * API Mozilla, approvisionnement PKCS [[https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/pkcs11|]] |
| | * exemple avec la webextension [[https://github.com/open-eid/firefox-pkcs11-loader/blob/master/webextension/background.js|firefox-pkcs11-loader]] par la "Estonian Information System Authority" |
| | * Chromium [[https://www.chromium.org/developers/design-documents/chaps-technical-design/#pkcs-11-software-mechanisms|PKCS #11 Software Mechanisms]] and [[https://www.chromium.org/developers/design-documents/chaps-technical-design/#resources|Resources]] |
| | * Chrome does not provide a mechanism to specify a PKCS#11 provider, only Firefox does. |
| | * Use any of the available chrome extension like |
| | * [[https://chrome.google.com/webstore/detail/signerdigital-digital-sig/glghokcicpikglmflbbelbgeafpijkkf|Signer.Digital Chrome Extension]] (Digital Signature of eReturns, PDF & Web User Auth, RSA Encryption/Decryption, Certificate Enrollment/Download on Smartcard) |
| | * ''wget'' et ''curl'' permettent l'authentification depuis un token pkcs11 [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-applications-to-use-cryptographic-hardware-through-pkcs-11_security-hardening#configuring-applications-to-authenticate-using-certificates-from-smart-cards_configuring-applications-to-use-cryptographic-hardware-through-pkcs-11|6.3. Configuring applications to authenticate using certificates from smart cards (RedHat)]] |
| | * [[https://github.com/OpenSC/OpenSC/wiki|OpenSC]] provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the standard APIs to smart cards |
| | * OpenSC [[https://htmlpreview.github.io/?https://github.com/OpenSC/OpenSC/blob/master/doc/tools/tools.html|tools]] comme gérer les tokens PKCS#11 et PKCS#15 |
| | |
| | Token products: |
| | * **[[/informatique/SafeNet eToken 5110|SafeNet eToken 5110]]** (37 €) |
| | * Product brief by Gemalto https://www.linux.org/attachments/safenet-etoken-5110-product-brief-pdf.3477/ |
| | * Digicert knowledge base [[https://knowledge.digicert.com/solution/initialize-safenet-etoken-5110cc.html|Initialize a SafeNet eToken 5110CC]] |
| | * **[[/informatique/SafeNet eToken 5300|Gemalto SafeNet eToken 5300]]** (49 €) |
| | * La technologie basée sur certificat génère et enregistre les données d'accès personnelles d'un utilisateur, comme les clés privées, mots de passe et certificats numériques, au sein de l'environnement sécurisé de la puce Smartcard. |
| | * fiche vendeur https://www.qscd.eu/usb-tokens/gemalto-safenet-etoken-5300-mini/ |
| | * **Nitrokey Start** (29 €) |
| | * Cryptographic algorithms: RSA 2048 bit, RSA 4096 bit, ECC 256 bit EdDSA, ECDSA (with NIST P256 and secp256k1), ECDH (with X25519, NIST P256 and secp256k1), MD5, RIPEMD-160, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 |
| | * Storage capacity: 3 keys (decryption, signing, authentication) |
| | * [[https://www.nitrokey.com/files/doc/Nitrokey_Start_factsheet.pdf|Fact sheet]] |
| | * [[https://www.nitrokey.com/fr#comparison|Nitrokey]] products |
| | * [[https://docs.nitrokey.com/fr/start/linux/|Documentation]] dont linux et en français |
| | * OpenSC compatible |
| | * **Feitian ePass2003** (9 £) |
| | * Onboard key-generation, digital signature and crypto operations, PKCS#11, Onboard RSA, ECC, AES, SHA-1, SHA-2, X.509 Certificate Storage, 64KB EEPROM |
| | * OpenSC compatible |
| | * [[https://www.microcosm.com/it-security-hardware/pki-tokens|fiche produit]] |
| | |
| | Token sellers: |
| | * https://www.bechtle.com/fr/finder?query=etoken&origin=searchbar |
| | * https://www.qscd.eu/search/?string=Gemalto+SafeNet+eToken |
| | * https://www.javacardos.com – dedicated to building a comprehensive Java Card platform. |
| | * http://www.aventra.fi – ships from Finland, Aventra-MyEID-PKI-card card |
| | * http://www.cryptoshop.com – ships from Austria |
| | * http://shop.kernelconcepts.de/ – ships from Germany, OpenPGP v2 card and CryptoStick token |
| | * http://www.logidata-int.fr – ships from France |
| | * http://www.smartcardfocus.com – ships from UK |
| | |
| | Fournisseurs de signature électronique "officielle" hardware (avec token usb) |
| | * [[signature_electronique#token_officiel_en_france|]] |
| | * https://www.chambersign.fr/p-offre-cci-store/ |
| | |
| | Pour des **essais de manips avec pkcs#11**, OpenSC (pkcs-tool) et OpenSSL voir la page du token [[/informatique/SafeNet eToken 5110|SafeNet eToken 5110]]. |
| | |
| | ==== Chiffrement et déchiffrement avec Javascript dans navigateur ==== |
| | |
| | Questions/discussions |
| | * https://github.com/OpenSC/OpenSC/discussions/2839 |
| | * https://www.developpez.net/forums/d2154735/javascript/general-javascript/cryptographie-navigateur-web-token-pkcs11/ |
| | * [What about a WASM API](https://github.com/ThalesGroup/pycryptoki/issues/42) at ThalesGroup/pycryptoki |
| | |
| | Thales propose une [[https://github.com/ThalesGroup/pycryptoki|API en Python]] |
| | * https://github.com/ThalesGroup/pycryptoki/blob/master/docs/getting_started.rst |
| | * https://pycryptoki.readthedocs.io/en/latest/ |
| | |
| | [[https://web-eid.eu/|Web eID]]: electronic ID smart cards on the Web |
| | * Utilise la Browser Native Messaging API |
| | * Exemple avec [[https://github.com/web-eid/web-eid-authtoken-validation-php/blob/main/examples/public/js/web-eid.js|Javascript et Php]] |
| | |
| | Les technos pour permettre l'usage d'un eToken: |
| | * Ne pourrait-on pas faire la même chose avec WASM ? |
| | * [[https://github.com/bytecodealliance/wasm-micro-runtime/blob/main/doc/export_native_api.md|Export native API to WASM application]] |
| | * Browser Native Messaging |
| | * https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging |
| | * C'est la techno utilisée par [[https://libersign.libriciel.fr/updates.json|libersign]] de [[https://www.libriciel.fr|Libriciel]] |
| | |
| |
| ===== PKCS#12 - Personnal Information Exchange Syntax Standard ===== | ===== PKCS#12 - Personnal Information Exchange Syntax Standard ===== |
