Skip to content

Latest commit

 

History

History
368 lines (337 loc) · 15.8 KB

Aktiv-Co.-Rutoken-ECP.md

File metadata and controls

368 lines (337 loc) · 15.8 KB

Aktiv Co. Rutoken ECP

Aktiv Co. offers the Rutoken ECP, an USB crypto token with 64K memory and support for RSA keys up to 2048bit key length.

Rutoken ECP

  • USB IDs: 0a89:0030
  • Memory: 64K
  • ATRs:

On-board cryptographic functions

Authentication

  • 3 categories of owners: Administrator, User, Guest
  • 2 Global PIN-codes: Administrator and User
  • Local PIN-codes
  • Combined authentication
  • The possibility of simultaneous control of the access rights by the 7 Local PIN-codes

File system features

  • File structure of ISO/IEC 7816-4
  • The level of subdirectory - limited by space available for file system
  • Number of file objects inside directory - up to 255, inclusive
  • Using files Rutoken Special File (RSF-files) to store keys and PIN-codes
  • Storage of private and symmetric keys, without the possibility of exports from device
  • Predefined directory for storing different kinds of key information (RSF-files) and automatic selection of the predefined directories
  • The total amount of memory for file structure - 64 kB

Examples of usage

Initialize

$ pkcs15-init --erase-card -p rutoken_ecp
$ pkcs15-init --create-pkcs15 --so-pin "87654321" --so-puk ""
$ pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin "12345678" --puk "" --so-pin "87654321" --finalize
$ pkcs15-tool -D
Using reader with a card: Aktiv Rutoken ECP 00 00
PKCS#15 Card [Rutoken ECP]:
	Version        : 0
	Serial number  : 000000002CDB7256
	Manufacturer ID: Aktiv Co.
	Last update    : 20121114083252Z
	Flags          : EID compliant

PIN [Security Officer PIN]
	Object Flags   : [0x3], private, modifiable
	ID             : 01
	Flags          : [0x99], case-sensitive, unblock-disabled, initialized, soPin
	Length         : min_len:8, max_len:32, stored_len:32
	Pad char       : 0x00
	Reference      : 1
	Type           : ascii-numeric

PIN [User PIN]
	Object Flags   : [0x3], private, modifiable
	ID             : 02
	Flags          : [0x19], case-sensitive, unblock-disabled, initialized
	Length         : min_len:4, max_len:32, stored_len:32
	Pad char       : 0x00
	Reference      : 2
	Type           : ascii-numeric

Generate private key

$ pkcs15-init -G rsa/1024 --auth-id 02 --label "My Private Key" --public-key-label "My Public Key"
Using reader with a card: Aktiv Rutoken ECP 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]: 
$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
	Object Flags   : [0x3], private, modifiable
	Usage          : [0x4], sign
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 1024
	Key ref        : 1 (0x1)
	Native         : yes
	Path           : 3f001000100060020001
	Auth ID        : 02
	ID             : 04830838b7c9752bd0e90c96a88b989a80f45181
	GUID           : {04830838-b7c9-752b-d0e9-0c96a88b989a}

Generate openssl certificate request

$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
	Object Flags   : [0x3], private, modifiable
	Usage          : [0x4], sign
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 1024
	Key ref        : 1 (0x1)
	Native         : yes
	Path           : 3f001000100060020001
	Auth ID        : 02
	ID             : 04830838b7c9752bd0e90c96a88b989a80f45181
	GUID           : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> 
OpenSSL> req -engine pkcs11 -new -key slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181 -keyform engine -out req.csr -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]"
engine "pkcs11" set.
PKCS#11 token PIN: 
OpenSSL> quit
$ cat req.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAlJVMQ8wDQYDVQQIDAZNb3Njb3cxDzAN
BgNVBAcMBk1vc2NvdzEOMAwGA1UECgwFS09SVVMxCzAJBgNVBAsMAklUMRcwFQYD
VQQDDA5TZXJnZXkgU2FmYXJvdjEhMB8GCSqGSIb3DQEJARYScy5zYWZhcm92QG1h
aWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpY0LM0eBDKATrR47f
oFnzVrMVEl+oeLx8ffAUDRIsKyILBDEOrhj3wD/8qNSBXl0CTXRL1jPJ/Cmjy6si
+AJtVCbnuhe2LP064kcbj17eurAuAhPwKMlLhjchsPoEcjN22fQYAie+XN+atTtW
auFanOV6valVGsyboScbPyDbeQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAE0gR
T3KHARExb0aFBEl9x6+oPPQSJfE/qh5S0vc7d68JEnjSwkx4Zdy9CQW+ympHpRde
t5Dn68Xs3OjXUOJ6rEsAQcgya3PVcgjljY46555bFBz5V9LIOh+qTREGKpvOMTdO
XUFiwTApskr8pn8Gc2mFV1cA+dEf3S9XNluNVKA=
-----END CERTIFICATE REQUEST-----

If you have errors when loading engine - check the location of directory of engine_pkcs11.so (for example: /usr/lib/engines/engine_pkcs11.so) and use it further when loading engine.

Generate self-signed certificate

$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
	Object Flags   : [0x3], private, modifiable
	Usage          : [0x4], sign
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 1024
	Key ref        : 1 (0x1)
	Native         : yes
	Path           : 3f001000100060020001
	Auth ID        : 02
	ID             : 04830838b7c9752bd0e90c96a88b989a80f45181
	GUID           : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -x509 -new -key slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181  -keyform engine -out ca.crt -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]"
engine "pkcs11" set.
PKCS#11 token PIN: 
OpenSSL> quit
$ cat ca.crt
-----BEGIN CERTIFICATE-----
MIICiTCCAfICCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
UlUxDzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVL
T1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJ
KoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDg1MTMyWhcN
MTIxMjE0MDg1MTMyWjCBiDELMAkGA1UEBhMCUlUxDzANBgNVBAgMBk1vc2NvdzEP
MA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAV
BgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZA
bWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtH
jt+gWfNWsxUSX6h4vHx98BQNEiwrIgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPL
qyL4Am1UJue6F7Ys/TriRxuPXt66sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1
O1Zq4Vqc5Xq9qVUazJuhJxs/INt5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAlmet
AeeNkdUjCiP3nk8PJ5lW8d+ohl55W6gsi4pRvLwXH/CsKzU3scNbPKnEQz1FGpfZ
xHp+LB1jZSUci1r6saQKkDFLXLQqIedRhR2Bevx5msw+ydM3GwwRW9K0IumwrYwp
9IGRsBOT1s7eTZfYNURmqdhP5hIdgo3dJ4utr1c=
-----END CERTIFICATE-----

Sign certificate

$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
	Object Flags   : [0x3], private, modifiable
	Usage          : [0x4], sign
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 1024
	Key ref        : 1 (0x1)
	Native         : yes
	Path           : 3f001000100060020001
	Auth ID        : 02
	ID             : 04830838b7c9752bd0e90c96a88b989a80f45181
	GUID           : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> ca -engine pkcs11 -keyfile slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181  -keyform engine -cert ca.crt -in req.csr -out tester.crt
Using configuration from /etc/pki/tls/openssl.cnf
engine "pkcs11" set.
PKCS#11 token PIN: 
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 14 09:04:44 2012 GMT
            Not After : Nov 14 09:04:44 2013 GMT
        Subject:
            countryName               = RU
            stateOrProvinceName       = Moscow
            organizationName          = KORUS
            organizationalUnitName    = IT
            commonName                = Sergey Safarov
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                DD:47:C4:DB:57:4B:04:BB:67:82:5A:88:DF:93:1C:6D:E2:CB:58:0F
            X509v3 Authority Key Identifier: 
                DirName:/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]
                serial:8F:30:77:60:57:FA:D0:06

Certificate is to be certified until Nov 14 09:04:44 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
OpenSSL> quit
$ cat tester.crt 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=RU, ST=Moscow, L=Moscow, O=KORUS, OU=IT, CN=Sergey Safarov/[email protected]
        Validity
            Not Before: Nov 14 09:04:44 2012 GMT
            Not After : Nov 14 09:04:44 2013 GMT
        Subject: C=RU, ST=Moscow, O=KORUS, OU=IT, CN=Sergey Safarov/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:a9:63:42:cc:d1:e0:43:28:04:eb:47:8e:df:a0:
                    59:f3:56:b3:15:12:5f:a8:78:bc:7c:7d:f0:14:0d:
                    12:2c:2b:22:0b:04:31:0e:ae:18:f7:c0:3f:fc:a8:
                    d4:81:5e:5d:02:4d:74:4b:d6:33:c9:fc:29:a3:cb:
                    ab:22:f8:02:6d:54:26:e7:ba:17:b6:2c:fd:3a:e2:
                    47:1b:8f:5e:de:ba:b0:2e:02:13:f0:28:c9:4b:86:
                    37:21:b0:fa:04:72:33:76:d9:f4:18:02:27:be:5c:
                    df:9a:b5:3b:56:6a:e1:5a:9c:e5:7a:bd:a9:55:1a:
                    cc:9b:a1:27:1b:3f:20:db:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                DD:47:C4:DB:57:4B:04:BB:67:82:5A:88:DF:93:1C:6D:E2:CB:58:0F
            X509v3 Authority Key Identifier: 
                DirName:/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]
                serial:8F:30:77:60:57:FA:D0:06

    Signature Algorithm: sha1WithRSAEncryption
        14:4b:39:32:81:37:aa:95:8f:db:f8:42:64:21:32:6f:11:ad:
        8e:c1:ef:bf:20:93:e2:6f:66:80:fc:f6:af:ad:5c:80:6f:98:
        1f:28:ea:14:87:f9:6c:5d:59:2c:0a:42:fd:a1:ed:34:f5:4b:
        c5:7c:5e:2f:16:48:27:a1:c5:b8:0d:f3:64:d0:7f:f6:55:fc:
        36:3c:30:bf:7f:e9:62:23:e6:4f:45:76:43:9f:ae:a7:b4:5a:
        ca:e7:98:f3:6e:09:91:58:f3:4b:6f:36:e3:88:fc:48:54:95:
        a7:be:58:b8:97:86:5c:57:7e:cb:c4:0a:f2:d6:ac:c3:90:11:
        2b:00
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMCUlUx
DzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JV
UzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZI
hvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDkwNDQ0WhcNMTMx
MTE0MDkwNDQ0WjB3MQswCQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ4wDAYD
VQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92
MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtHjt+gWfNWsxUSX6h4vHx98BQNEiwr
IgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPLqyL4Am1UJue6F7Ys/TriRxuPXt66
sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1O1Zq4Vqc5Xq9qVUazJuhJxs/INt5
AgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU3UfE21dLBLtnglqI35Mc
beLLWA8wgacGA1UdIwSBnzCBnKGBjqSBizCBiDELMAkGA1UEBhMCUlUxDzANBgNV
BAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkG
A1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkB
FhJzLnNhZmFyb3ZAbWFpbC5jb22CCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFAAOB
gQAUSzkygTeqlY/b+EJkITJvEa2Owe+/IJPib2aA/PavrVyAb5gfKOoUh/lsXVks
CkL9oe009UvFfF4vFkgnocW4DfNk0H/2Vfw2PDC/f+liI+ZPRXZDn66ntFrK55jz
bgmRWPNLbzbjiPxIVJWnvli4l4ZcV37LxAry1qzDkBErAA==
-----END CERTIFICATE-----

Store certificate

$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
	Object Flags   : [0x3], private, modifiable
	Usage          : [0x4], sign
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 1024
	Key ref        : 1 (0x1)
	Native         : yes
	Path           : 3f001000100060020001
	Auth ID        : 02
	ID             : 04830838b7c9752bd0e90c96a88b989a80f45181
	GUID           : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ pkcs15-init --store-certificate tester.crt --auth-id 02 --id 04830838b7c9752bd0e90c96a88b989a80f45181 --format pem
$ pkcs15-tool --read-certificate 04830838b7c9752bd0e90c96a88b989a80f45181
Using reader with a card: Aktiv Rutoken ECP 00 00
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMCUlUx
DzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JV
UzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZI
hvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDkwNDQ0WhcNMTMx
MTE0MDkwNDQ0WjB3MQswCQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ4wDAYD
VQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92
MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtHjt+gWfNWsxUSX6h4vHx98BQNEiwr
IgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPLqyL4Am1UJue6F7Ys/TriRxuPXt66
sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1O1Zq4Vqc5Xq9qVUazJuhJxs/INt5
AgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU3UfE21dLBLtnglqI35Mc
beLLWA8wgacGA1UdIwSBnzCBnKGBjqSBizCBiDELMAkGA1UEBhMCUlUxDzANBgNV
BAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkG
A1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkB
FhJzLnNhZmFyb3ZAbWFpbC5jb22CCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFAAOB
gQAUSzkygTeqlY/b+EJkITJvEa2Owe+/IJPib2aA/PavrVyAb5gfKOoUh/lsXVks
CkL9oe009UvFfF4vFkgnocW4DfNk0H/2Vfw2PDC/f+liI+ZPRXZDn66ntFrK55jz
bgmRWPNLbzbjiPxIVJWnvli4l4ZcV37LxAry1qzDkBErAA==
-----END CERTIFICATE-----

Notes

  • When initializing with pkcs15-init tool, a PUK code must not be present (press enter when asked or use --puk "").
  • Card can be erased with pkcs15-init --erase-card (including all keys) without any authentication.