-1

In my project I'm trying to use a smart card for the purpose of creating digital signature for a specific data.

I'm working with the smart card reader ACR38U-I1 and Linux OS (more precisely with the Raspbian OS)

I already installed all the needed drivers for this device and additional libraries such as pcsc, pcsc-lite ...

Also I got private/public gpg keypair for making the digital signature. As I understand the concept of making digital signature using smart card I have to write the private key to this card and read it when I need to create a signature.

And in this situation I faced with a problem that I don't know how to do this.

I opened pcsc-lite documentation [1] and couldn't find a write methods or examples how to write data to card https://pcsclite.alioth.debian.org/api/group__API.html [1]

I'll be grateful if somebody could direct me on the right way.

Remi Guan
  • 21,506
  • 17
  • 64
  • 87
Tequila
  • 726
  • 7
  • 23
  • *As I understand the concept of making digital signature using smart card I have to write the private key to this card and read it when I need to create a signature.* - that's not how smart cards should be used for signing. Yes, you write the private key onto the card. But it should be a region on the card one can only write to, the key should only be used by an application on the card which generates signatures. – mkl Nov 12 '15 at 07:29
  • You mean I must write an application that will be executed right on the smart card ? I thought I can do it in my application that uses this smart card reader. Is it possible ? – Tequila Nov 12 '15 at 07:38
  • *I thought I can do it in my application that uses this smart card reader. Is it possible ?* - If your smart card offers you such a read/write data bin, you can do so. But in that case the smart card would not offer the security one expects from a smart card. A PKCS12 file on your hard drive would offer the same small degree of security. – mkl Nov 12 '15 at 09:59
  • Which card are you using? – vlp Nov 12 '15 at 10:34

2 Answers2

2

The typical approach is:

  • generate the key (pair) on the smart card; this has the advantage, that no malicious software will be able to grab the private key since it will never leave the card.

  • send the command to generate a signature to the card, e.g. with the hash value of the data to sign

Reading the key from the smart card discards all the security a smart card provides. The most common way to generate a signature is using a PKCS 11 software, but it may be difficult to find one for Raspbian. I would recommend to find a card directly supported by GPG. That way you will not need to learn in detail about all the necessary topics.

guidot
  • 5,095
  • 2
  • 25
  • 37
  • According to this http://gnupg-pkcs11.sourceforge.net/man.html gpg protocol is compatible with PKCS 11. In that case my smart card should support pgp too. – Tequila Nov 12 '15 at 11:02
  • But when I run command gpg --card-status in terminal it detects my card reader but don't see inserted smart card – Tequila Nov 12 '15 at 11:22
  • @tequila: From these facts I would conclude, that your card is NOT supported by gpg. By the way, for a card fresh from the factory this is to be expected. You need a capable platform and an appropriate personalization. For a start see this [specification](http://www.g10code.com/docs/openpgp-card-3.0.pdf). – guidot Nov 12 '15 at 13:12
1

(Wanted to write a comment, but it got quite long...)

(EDIT: While writing this I did not realize that you are working in a non-x86 environment, so this answer is probably useless unless you have a choice to go for x86 (intel edison maybe?))

This is not a solution, but might be a good direction (I have no experience with this particular card):

There is a PKCS#11 driver for the card which probably provides some access to its services (pkcs11 is a standardized API to access cryptographic tokens, see here).

With this driver (assuming it works and provides appropriate mechanisms) you have some choices to continue:

  • use it directly from c code (works for me)

  • use a python wrapper (have no experience with this way, but your question implies python is desired)

  • use openssl (see e.g. here or here -- this worked for me some time ago)

  • use it with gpg (never tried and would not recommend at all)

It might be a good idea to verify first that the pkcs11 driver is working (you can do that using firefox browser, see e.g. here).

Additional notes:

  • I recommend to initialize the card and generate the keys with vendor provided utilities and use the pkcs11 driver only to actually sign some data (this way avoids many troublesome parts).

  • Do google for pkcs11 and related stuff, this "extended comment" is just an another "point of view"

Good luck!

vlp
  • 7,811
  • 2
  • 23
  • 51
  • Thanks a lot! I'm already installed PyKCS11 to my raspbian os (wrapper for PKCS 11 on the Python). And will move into this direction – Tequila Nov 13 '15 at 04:23
  • @Tequila I have googled [this](http://forum.rutoken.ru/topic/1718/) and [this](https://www.opensc-project.org/opensc/wiki/AktivRutokenECP) -- maybe the `opensc-pkcs11.so` will be able to handle your token under arm (so you would not need the pkcs11 driver from the vendor page which is x86 only). – vlp Nov 13 '15 at 07:08