Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung | ||
suse:nitrokey:start [05.08.2020 21:03. ] – [SSH-Verbindung aufbauen] django | suse:nitrokey:start [30.08.2020 11:17. ] (aktuell) – [ED25519-Schlüssel generieren] django | ||
---|---|---|---|
Zeile 370: | Zeile 370: | ||
Zum Schluss verlassen wir das Programm **gpg2** mit '' | Zum Schluss verlassen wir das Programm **gpg2** mit '' | ||
- | gpg/ | + | gpg/ |
- | Fragen wir nun erneut mit den Befehl '' | + | Fragen wir nun erneut mit den Befehl '' |
$ gpg2 --card-status | grep Key\ attributes | $ gpg2 --card-status | grep Key\ attributes | ||
Zeile 436: | Zeile 436: | ||
gpg: key 9308FC78386863AC marked as ultimately trusted | gpg: key 9308FC78386863AC marked as ultimately trusted | ||
gpg: revocation certificate stored as '/ | gpg: revocation certificate stored as '/ | ||
- | public and secret key created and signed.< | + | public and secret key created and signed.</code> |
Fragen wir nun den Inhalt der SmartCard mit dem Befehl '' | Fragen wir nun den Inhalt der SmartCard mit dem Befehl '' | ||
Zeile 971: | Zeile 971: | ||
+ | ==== Nitrokey Start und X.509 / S/MIME ==== | ||
+ | === micro-ca-tool === | ||
+ | == Vorbereitung == | ||
+ | $ mkdir ~/nitrokey | ||
+ | |||
+ | $ cd ~/nitrokey | ||
+ | |||
+ | $ git clone https:// | ||
+ | |||
+ | $ ln -s ~/ | ||
+ | |||
+ | $ micro-ca-tool -h | ||
+ | < | ||
+ | | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | " | ||
+ | | ||
+ | | ||
+ | [#] Version: 0.1 | ||
+ | |||
+ | Welcome to µ-CA. | ||
+ | This tool will help you to perform basic tasks with your CA: | ||
+ | * Create CA as files | ||
+ | * or Create CA on a SmartCard | ||
+ | * or Create CA as files and store on SmartCard | ||
+ | * Create intermediate CA | ||
+ | * Sign other certificates | ||
+ | * Backup CA key with n-of-m scheme key sharing | ||
+ | * Create client certificates | ||
+ | * Basic SmartCard functions: Info, Read, Write, Generate keys, Reset | ||
+ | |||
+ | SECURITY NOTE: This tool handles secret keys. As such it is best to follow the | ||
+ | following guidelines: | ||
+ | * Use this tool only on single-user and non-networked systems. | ||
+ | * Make sure files are stored on an encrypted filesystem only. E.g. copy this | ||
+ | script to a crypto-container. | ||
+ | * Do not leave unencrypted private keys when done. Better encrypt them for | ||
+ | backup or store them on an HSM. | ||
+ | * When done, unmount the encrypted filesystem. | ||
+ | |||
+ | [#] Usage: / | ||
+ | [#] | ||
+ | [#] | ||
+ | [#] | ||
+ | [#] optional [< | ||
+ | |||
+ | == PIN Setzen == | ||
+ | Zunächst setzen wir die Admin und anschließend die User PIN. | ||
+ | $ micro-ca-tool gpg pin | ||
+ | < | ||
+ | | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | " | ||
+ | | ||
+ | | ||
+ | [#] Version: 0.1 | ||
+ | gpg: OpenPGP Karte Nr. D276000124010200FFFE432438190000 erkannt | ||
+ | |||
+ | 1 - change PIN | ||
+ | 2 - unblock PIN | ||
+ | 3 - change Admin PIN | ||
+ | 4 - set the Reset Code | ||
+ | Q - quit | ||
+ | |||
+ | Ihre Auswahl?</ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | /* | ||
+ | https:// | ||
+ | |||
+ | $ openpgp-tool | ||
+ | |||
+ | Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00 | ||
+ | |||
+ | [django@T410 Schreibtisch]$ gpg2 --card-status | ||
+ | Reader ...........: | ||
+ | Application ID ...: D276000124010200FFFE432108430000 | ||
+ | Version ..........: 2.0 | ||
+ | Manufacturer .....: unmanaged S/N range | ||
+ | Serial number ....: 43210843 | ||
+ | Name of cardholder: [nicht gesetzt] | ||
+ | Language prefs ...: [nicht gesetzt] | ||
+ | Sex ..............: | ||
+ | URL of public key : [nicht gesetzt] | ||
+ | Login data .......: [nicht gesetzt] | ||
+ | Signature PIN ....: zwingend | ||
+ | Key attributes ...: rsa2048 rsa2048 rsa2048 | ||
+ | Max. PIN lengths .: 127 127 127 | ||
+ | PIN retry counter : 3 3 3 | ||
+ | Signature counter : 0 | ||
+ | Signature key ....: [none] | ||
+ | Encryption key....: [none] | ||
+ | Authentication key: [none] | ||
+ | General key info..: [none] | ||
+ | [django@T410 Schreibtisch]$ gpg2 --card-edit | ||
+ | |||
+ | Reader ...........: | ||
+ | Application ID ...: D276000124010200FFFE432108430000 | ||
+ | Version ..........: 2.0 | ||
+ | Manufacturer .....: unmanaged S/N range | ||
+ | Serial number ....: 43210843 | ||
+ | Name of cardholder: [nicht gesetzt] | ||
+ | Language prefs ...: [nicht gesetzt] | ||
+ | Sex ..............: | ||
+ | URL of public key : [nicht gesetzt] | ||
+ | Login data .......: [nicht gesetzt] | ||
+ | Signature PIN ....: zwingend | ||
+ | Key attributes ...: rsa2048 rsa2048 rsa2048 | ||
+ | Max. PIN lengths .: 127 127 127 | ||
+ | PIN retry counter : 3 3 3 | ||
+ | Signature counter : 0 | ||
+ | Signature key ....: [none] | ||
+ | Encryption key....: [none] | ||
+ | Authentication key: [none] | ||
+ | General key info..: [none] | ||
+ | |||
+ | gpg/ | ||
+ | |||
+ | Reader ...........: | ||
+ | Application ID ...: D276000124010200FFFE432108430000 | ||
+ | Version ..........: 2.0 | ||
+ | Manufacturer .....: unmanaged S/N range | ||
+ | Serial number ....: 43210843 | ||
+ | Name of cardholder: [nicht gesetzt] | ||
+ | Language prefs ...: [nicht gesetzt] | ||
+ | Sex ..............: | ||
+ | URL of public key : [nicht gesetzt] | ||
+ | Login data .......: [nicht gesetzt] | ||
+ | Signature PIN ....: zwingend | ||
+ | Key attributes ...: rsa2048 rsa2048 rsa2048 | ||
+ | Max. PIN lengths .: 127 127 127 | ||
+ | PIN retry counter : 3 3 3 | ||
+ | Signature counter : 0 | ||
+ | Signature key ....: [none] | ||
+ | Encryption key....: [none] | ||
+ | Authentication key: [none] | ||
+ | General key info..: [none] | ||
+ | |||
+ | gpg/ | ||
+ | Admin-Befehle sind erlaubt | ||
+ | |||
+ | gpg/ | ||
+ | quit Menü verlassen | ||
+ | admin Zeige Admin-Befehle | ||
+ | help Diese Hilfe zeigen | ||
+ | list Alle vorhandenen Daten auflisten | ||
+ | name | ||
+ | url Schlüssel-holen-URL ändern | ||
+ | fetch Holen des Schlüssels mittels der URL auf der Karte | ||
+ | login Ändern der Logindaten | ||
+ | lang | ||
+ | sex Ändern des Geschlechts des Kartenbesitzers | ||
+ | cafpr Ändern des CA-Fingerabdrucks | ||
+ | forcesig | ||
+ | generate | ||
+ | passwd | ||
+ | verify | ||
+ | unblock | ||
+ | factory-reset | ||
+ | kdf-setup | ||
+ | key-attr | ||
+ | |||
+ | gpg/ | ||
+ | Familienname des Kartenbesitzers: | ||
+ | Vorname des Kartenbesitzers: | ||
+ | |||
+ | gpg/ | ||
+ | Spracheinstellungende | ||
+ | |||
+ | gpg/ | ||
+ | Geschlecht: (Männlich (M), Weiblich (F) oder Leerzeichen): | ||
+ | |||
+ | gpg/ | ||
+ | gpg: OpenPGP Karte Nr. D276000124010200FFFE432108430000 erkannt | ||
+ | |||
+ | 1 - change PIN | ||
+ | 2 - unblock PIN | ||
+ | 3 - change Admin PIN | ||
+ | 4 - set the Reset Code | ||
+ | Q - quit | ||
+ | |||
+ | Ihre Auswahl? 3 | ||
+ | PIN changed. | ||
+ | |||
+ | 1 - change PIN | ||
+ | 2 - unblock PIN | ||
+ | 3 - change Admin PIN | ||
+ | 4 - set the Reset Code | ||
+ | Q - quit | ||
+ | |||
+ | Ihre Auswahl? 1 | ||
+ | Error changing the PIN: Nutzungsvorraussetzungen nicht erfüllt | ||
+ | |||
+ | 1 - change PIN | ||
+ | 2 - unblock PIN | ||
+ | 3 - change Admin PIN | ||
+ | 4 - set the Reset Code | ||
+ | Q - quit | ||
+ | |||
+ | Ihre Auswahl? | ||
+ | |||
+ | 1 - change PIN | ||
+ | 2 - unblock PIN | ||
+ | 3 - change Admin PIN | ||
+ | 4 - set the Reset Code | ||
+ | Q - quit | ||
+ | |||
+ | Ihre Auswahl? q | ||
+ | |||
+ | gpg/ | ||
+ | |||
+ | Reader ...........: | ||
+ | Application ID ...: D276000124010200FFFE432108430000 | ||
+ | Version ..........: 2.0 | ||
+ | Manufacturer .....: unmanaged S/N range | ||
+ | Serial number ....: 43210843 | ||
+ | Name of cardholder: Michael Nausch | ||
+ | Language prefs ...: de | ||
+ | Sex ..............: | ||
+ | URL of public key : [nicht gesetzt] | ||
+ | Login data .......: [nicht gesetzt] | ||
+ | Signature PIN ....: zwingend | ||
+ | Key attributes ...: rsa2048 rsa2048 rsa2048 | ||
+ | Max. PIN lengths .: 127 127 127 | ||
+ | PIN retry counter : 3 3 3 | ||
+ | Signature counter : 0 | ||
+ | Signature key ....: [none] | ||
+ | Encryption key....: [none] | ||
+ | Authentication key: [none] | ||
+ | General key info..: [none] | ||
+ | |||
+ | gpg/ | ||
+ | |||
+ | |||
+ | $ opensc-explorer | ||
+ | OpenSC Explorer version 0.19.0 | ||
+ | Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00 | ||
+ | Failed to connect to card: Reader in use by another application | ||
+ | |||
+ | |||
+ | $ opensc-explorer | ||
+ | OpenSC Explorer version 0.19.0 | ||
+ | Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00 | ||
+ | OpenSC [3F00]> | ||
+ | |||
+ | |||
+ | $ openpgp-tool --erase | ||
+ | Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00 | ||
+ | Erase card | ||
+ | |||
+ | |||
+ | $ opensc-explorer | ||
+ | OpenSC Explorer version 0.19.0 | ||
+ | Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00 | ||
+ | OpenSC [3F00]> help | ||
+ | Supported commands: | ||
+ | echo [< | ||
+ | ls [< | ||
+ | find [<start id> [<end id> | ||
+ | find_tags [<start tag> [<end tag> | ||
+ | cd {.. | <file id> | aid:<DF name> | ||
+ | cat [<file id> | sfi:<sfi id> | ||
+ | info [<file id> | ||
+ | create <file id> < | ||
+ | mkdir <file id> < | ||
+ | delete <file id> | ||
+ | rm <file id> | ||
+ | verify {CHV|KEY|AUT|PRO}< | ||
+ | change CHV<pin ref> [[<old pin>] <new pin> | ||
+ | unblock CHV<pin ref> [< | ||
+ | put <file id> [<input file> | ||
+ | get <file id> [<output file> | ||
+ | do_get <hex tag> [<output file> | ||
+ | do_put <hex tag> < | ||
+ | erase erase card | ||
+ | random < | ||
+ | update_record <file id> <rec no> <rec offs> < | ||
+ | update_binary <file id> < | ||
+ | apdu < | ||
+ | asn1 [<file id> | ||
+ | sm open|close | ||
+ | debug [< | ||
+ | quit quit this program | ||
+ | exit quit this program | ||
+ | help show this help | ||
+ | OpenSC [3F00]> exit | ||
+ | |||
+ | |||
+ | Pairs of key & certificate from P12 file: | ||
+ | $ pkcs15-init --verbose --delete-objects privkey, | ||
+ | Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00 | ||
+ | Connecting to card in reader Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00... | ||
+ | Using card driver OpenPGP card. | ||
+ | Found OpenPGP card | ||
+ | User PIN required. | ||
+ | Please enter User PIN [Admin PIN]: | ||
+ | About to delete object(s). | ||
+ | NOTE: couldn' | ||
+ | NOTE: couldn' | ||
+ | Deleted 0 objects | ||
+ | About to store private key. | ||
+ | error: | ||
+ | Please enter passphrase to unlock secret key: | ||
+ | Importing 3 certificates: | ||
+ | 0: / | ||
+ | 1: / | ||
+ | 2: / | ||
+ | Failed to store private key: Invalid arguments | ||
+ | |||
+ | Vermutliche Ursache, private key zu groß! | ||
+ | |||
+ | */ | ||
+ | |||
+ | ... coming soon! | ||
+ | |||
+ | |||
+ | |||
+ | # zypper install opensc |