suse:nitrokey:start

Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

Beide Seiten der vorigen Revision Vorhergehende Überarbeitung
Nächste Überarbeitung		 Vorhergehende Überarbeitung
suse:nitrokey:start [05.08.2020 21:03. ] – [SSH-Verbindung aufbauen] djangosuse:nitrokey:start [30.08.2020 11:17. ] (aktuell) – [ED25519-Schlüssel generieren] django
Zeile 370: Zeile 370:
  
 Zum Schluss verlassen wir das Programm **gpg2** mit ''**quit**''. Zum Schluss verlassen wir das Programm **gpg2** mit ''**quit**''.
-  gpg/card> quit</code>+  gpg/card> quit
  
-Fragen wir nun erneut mit den Befehl ''**gpg2 --card-status**'' welcher Schlüssel-Typ eingestellt ist, finden wir unsere geänderten Werte.+Fragen wir nun erneut mit den Befehl ''**gpg2 %%--%%card-status**'' welcher Schlüssel-Typ eingestellt ist, finden wir unsere geänderten Werte.
    $ gpg2 --card-status | grep Key\ attributes    $ gpg2 --card-status | grep Key\ attributes
  
Zeile 436: Zeile 436:
 gpg: key 9308FC78386863AC marked as ultimately trusted gpg: key 9308FC78386863AC marked as ultimately trusted
 gpg: revocation certificate stored as '/home/django/.gnupg/openpgp-revocs.d/3E61A50347B523824132EC069308FC78386863AC.rev' gpg: revocation certificate stored as '/home/django/.gnupg/openpgp-revocs.d/3E61A50347B523824132EC069308FC78386863AC.rev'
-public and secret key created and signed.<code>+public and secret key created and signed.</code>
  
 Fragen wir nun den Inhalt der SmartCard mit dem Befehl ''**verify**'' ab, finden wir unsere gerade erstellten Schlüssel. Fragen wir nun den Inhalt der SmartCard mit dem Befehl ''**verify**'' ab, finden wir unsere gerade erstellten Schlüssel.
Zeile 971: Zeile 971:
  
  
 +==== Nitrokey Start und X.509 / S/MIME ====
 +=== micro-ca-tool ===
 +== Vorbereitung ==
 +   $ mkdir ~/nitrokey
 +
 +   $ cd  ~/nitrokey
 +
 +   $ git clone https://github.com/sektioneins/micro-ca-tool.git
 +
 +   $ ln -s ~/nitrokey/micro-ca-tool/micro-ca-tool ~/bin/micro-ca-tool
 +
 +   $ micro-ca-tool -h
 +<code>                 mmm    mm         mmmmmmm               ""#
 +           m"   "   ##            #     mmm    mmm     #
 + #   #         #       #  #           #    #" "#  #" "#    #
 + #   #   """   #       #mm#   """     #    #   #  #   #    #
 + #mmm#        "mmm" #    #          #    "#m#"  "#m#"    "mm
 + #
 + "               (C) 2015 SektionEins GmbH / Ben Fuhrmannek
 +                 https://sektioneins.com/
 +                 https://github.com/sektioneins/micro-ca-tool
 +[#] Version: 0.1
 +
 +Welcome to µ-CA.
 +This tool will help you to perform basic tasks with your CA:
 +* Create CA as files
 +* or Create CA on a SmartCard
 +* or Create CA as files and store on SmartCard
 +* Create intermediate CA
 +* Sign other certificates
 +* Backup CA key with n-of-m scheme key sharing
 +* Create client certificates
 +* Basic SmartCard functions: Info, Read, Write, Generate keys, Reset
 +
 +SECURITY NOTE: This tool handles secret keys. As such it is best to follow the 
 +following guidelines:
 +* Use this tool only on single-user and non-networked systems.
 +* Make sure files are stored on an encrypted filesystem only. E.g. copy this 
 +script to a crypto-container.
 +* Do not leave unencrypted private keys when done. Better encrypt them for 
 +backup or store them on an HSM.
 +* When done, unmount the encrypted filesystem.
 +
 +[#] Usage: /home/django/bin/micro-ca-tool [-c <config>] [-v] [-h] [<menu> <submenu>]
 +[#]   -c  specify alternative config file
 +[#]   -v  be verbose
 +[#]   -h  show this help message
 +[#]  optional [<menu> <submenu>] directly calls a function, then exits.</code>
 +
 +== PIN Setzen ==
 +Zunächst setzen wir die Admin und anschließend die User PIN.
 +   $ micro-ca-tool gpg pin
 +<code>                 mmm    mm         mmmmmmm               ""#
 +           m"   "   ##            #     mmm    mmm     #
 + #   #         #       #  #           #    #" "#  #" "#    #
 + #   #   """   #       #mm#   """     #    #   #  #   #    #
 + #mmm#        "mmm" #    #          #    "#m#"  "#m#"    "mm
 + #
 + "               (C) 2015 SektionEins GmbH / Ben Fuhrmannek
 +                 https://sektioneins.com/
 +                 https://github.com/sektioneins/micro-ca-tool
 +[#] Version: 0.1
 +gpg: OpenPGP Karte Nr. D276000124010200FFFE432438190000 erkannt
 +
 +1 - change PIN
 +2 - unblock PIN
 +3 - change Admin PIN
 +4 - set the Reset Code
 +Q - quit
 +
 +Ihre Auswahl?</code>
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +/*
 +https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card
 +
 +   $ openpgp-tool
 +
 +  Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +
 +[django@T410 Schreibtisch]$ gpg2 --card-status
 +Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +Application ID ...: D276000124010200FFFE432108430000
 +Version ..........: 2.0
 +Manufacturer .....: unmanaged S/N range
 +Serial number ....: 43210843
 +Name of cardholder: [nicht gesetzt]
 +Language prefs ...: [nicht gesetzt]
 +Sex ..............: unbestimmt
 +URL of public key : [nicht gesetzt]
 +Login data .......: [nicht gesetzt]
 +Signature PIN ....: zwingend
 +Key attributes ...: rsa2048 rsa2048 rsa2048
 +Max. PIN lengths .: 127 127 127
 +PIN retry counter : 3 3 3
 +Signature counter : 0
 +Signature key ....: [none]
 +Encryption key....: [none]
 +Authentication key: [none]
 +General key info..: [none]
 +[django@T410 Schreibtisch]$ gpg2 --card-edit
 +
 +Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +Application ID ...: D276000124010200FFFE432108430000
 +Version ..........: 2.0
 +Manufacturer .....: unmanaged S/N range
 +Serial number ....: 43210843
 +Name of cardholder: [nicht gesetzt]
 +Language prefs ...: [nicht gesetzt]
 +Sex ..............: unbestimmt
 +URL of public key : [nicht gesetzt]
 +Login data .......: [nicht gesetzt]
 +Signature PIN ....: zwingend
 +Key attributes ...: rsa2048 rsa2048 rsa2048
 +Max. PIN lengths .: 127 127 127
 +PIN retry counter : 3 3 3
 +Signature counter : 0
 +Signature key ....: [none]
 +Encryption key....: [none]
 +Authentication key: [none]
 +General key info..: [none]
 +
 +gpg/card> 
 +
 +Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +Application ID ...: D276000124010200FFFE432108430000
 +Version ..........: 2.0
 +Manufacturer .....: unmanaged S/N range
 +Serial number ....: 43210843
 +Name of cardholder: [nicht gesetzt]
 +Language prefs ...: [nicht gesetzt]
 +Sex ..............: unbestimmt
 +URL of public key : [nicht gesetzt]
 +Login data .......: [nicht gesetzt]
 +Signature PIN ....: zwingend
 +Key attributes ...: rsa2048 rsa2048 rsa2048
 +Max. PIN lengths .: 127 127 127
 +PIN retry counter : 3 3 3
 +Signature counter : 0
 +Signature key ....: [none]
 +Encryption key....: [none]
 +Authentication key: [none]
 +General key info..: [none]
 +
 +gpg/card> admin
 +Admin-Befehle sind erlaubt
 +
 +gpg/card> help
 +quit           Menü verlassen
 +admin          Zeige Admin-Befehle
 +help           Diese Hilfe zeigen
 +list           Alle vorhandenen Daten auflisten
 +name           Kartenbesitzernamen ändern
 +url            Schlüssel-holen-URL ändern
 +fetch          Holen des Schlüssels mittels der URL auf der Karte
 +login          Ändern der Logindaten
 +lang           Ändern der Spracheinstellungen
 +sex            Ändern des Geschlechts des Kartenbesitzers
 +cafpr          Ändern des CA-Fingerabdrucks
 +forcesig       Umschalten des "Signature-force-PIN"-Schalters
 +generate       neue Schlüssel erzeugen
 +passwd         Menü für Ändern oder Entsperren der PIN
 +verify         überprüfe die PIN und liste alle Daten auf
 +unblock        die PIN mit dem Rückstellcode wieder freigeben
 +factory-reset  alle Schlüssel und Daten löschen
 +kdf-setup      Einrichten der KDF zur Authentifizierung
 +key-attr       Das Schlüsselattribut ändern
 +
 +gpg/card> name
 +Familienname des Kartenbesitzers:Nausch
 +Vorname des Kartenbesitzers:Michael
 +
 +gpg/card> lang
 +Spracheinstellungende
 +
 +gpg/card> sex
 +Geschlecht: (Männlich (M), Weiblich (F) oder Leerzeichen): m
 +
 +gpg/card> passwd
 +gpg: OpenPGP Karte Nr. D276000124010200FFFE432108430000 erkannt
 +
 +1 - change PIN
 +2 - unblock PIN
 +3 - change Admin PIN
 +4 - set the Reset Code
 +Q - quit
 +
 +Ihre Auswahl? 3
 +PIN changed.
 +
 +1 - change PIN
 +2 - unblock PIN
 +3 - change Admin PIN
 +4 - set the Reset Code
 +Q - quit
 +
 +Ihre Auswahl? 1
 +Error changing the PIN: Nutzungsvorraussetzungen nicht erfüllt
 +
 +1 - change PIN
 +2 - unblock PIN
 +3 - change Admin PIN
 +4 - set the Reset Code
 +Q - quit
 +
 +Ihre Auswahl? 
 +
 +1 - change PIN
 +2 - unblock PIN
 +3 - change Admin PIN
 +4 - set the Reset Code
 +Q - quit
 +
 +Ihre Auswahl? q
 +
 +gpg/card> list
 +
 +Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +Application ID ...: D276000124010200FFFE432108430000
 +Version ..........: 2.0
 +Manufacturer .....: unmanaged S/N range
 +Serial number ....: 43210843
 +Name of cardholder: Michael Nausch
 +Language prefs ...: de
 +Sex ..............: männlich
 +URL of public key : [nicht gesetzt]
 +Login data .......: [nicht gesetzt]
 +Signature PIN ....: zwingend
 +Key attributes ...: rsa2048 rsa2048 rsa2048
 +Max. PIN lengths .: 127 127 127
 +PIN retry counter : 3 3 3
 +Signature counter : 0
 +Signature key ....: [none]
 +Encryption key....: [none]
 +Authentication key: [none]
 +General key info..: [none]
 +
 +gpg/card> quit
 +
 +
 +$ opensc-explorer
 +OpenSC Explorer version 0.19.0
 +Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +Failed to connect to card: Reader in use by another application
 +
 +
 +$ opensc-explorer
 +OpenSC Explorer version 0.19.0
 +Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +OpenSC [3F00]> 
 +
 +
 +$ openpgp-tool --erase
 +Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +Erase card
 +
 +
 +$ opensc-explorer
 +OpenSC Explorer version 0.19.0
 +Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +OpenSC [3F00]> help
 +Supported commands:
 +  echo [<string> ..]                         display arguments
 +  ls [<pattern> ..]                          list files in the current DF
 +  find [<start id> [<end id>]]               find all files in the current DF
 +  find_tags [<start tag> [<end tag>]]        find all tags of data objects in the current context
 +  cd {.. | <file id> | aid:<DF name>       change to another DF
 +  cat [<file id> | sfi:<sfi id>            print the contents of an EF
 +  info [<file id>                          display attributes of card file
 +  create <file id> <size>                    create a new EF
 +  mkdir <file id> <size>                     create a new DF
 +  delete <file id>                           remove an EF/DF
 +  rm <file id>                               remove an EF/DF
 +  verify {CHV|KEY|AUT|PRO}<key ref> [<pin> present a PIN or key to the card
 +  change CHV<pin ref> [[<old pin>] <new pin> change a PIN
 +  unblock CHV<pin ref> [<puk> [<new pin>]]   unblock a PIN
 +  put <file id> [<input file>              copy a local file to the card
 +  get <file id> [<output file>             copy an EF to a local file
 +  do_get <hex tag> [<output file>          get a data object
 +  do_put <hex tag> <data>                    put a data object
 +  erase                                      erase card
 +  random <count>                             obtain <count> random bytes from card
 +  update_record <file id> <rec no> <rec offs> <data>  update record
 +  update_binary <file id> <offs> <data>      update binary
 +  apdu <data>                              send a custom apdu command
 +  asn1 [<file id>                          decode an ASN.1 file
 +  sm open|close                              call SM 'open' or 'close' handlers, if available
 +  debug [<value>                           get/set the debug level
 +  quit                                       quit this program
 +  exit                                       quit this program
 +  help                                       show this help
 +OpenSC [3F00]> exit
 +
 +
 +Pairs of key & certificate from P12 file:
 +$ pkcs15-init --verbose --delete-objects privkey,pubkey --id 3 --store-private-key michael.nausch.p12 --format pkcs12 --auth-id 3 --verify-pin
 +Using reader with a card: Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00
 +Connecting to card in reader Nitrokey Nitrokey Start (FSIJ-1.2.10-43210843) 00 00...
 +Using card driver OpenPGP card.
 +Found OpenPGP card
 +User PIN required.
 +Please enter User PIN [Admin PIN]: 
 +About to delete object(s).
 +NOTE: couldn't find privkey 03 to delete
 +NOTE: couldn't find pubkey 03 to delete
 +Deleted 0 objects
 +About to store private key.
 +error:23076071:PKCS12 routines:PKCS12_parse:mac verify failure
 +Please enter passphrase to unlock secret key: 
 +Importing 3 certificates:
 +  0: /C=DE/CN=Michael Robert Nausch/emailAddress=michael@nausch.org
 +  1: /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign
 +  2: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign PersonalSign 2 CA - SHA256 - G3
 +Failed to store private key: Invalid arguments
 +
 +Vermutliche Ursache, private key zu groß!
 +
 +*/
 +
 +... coming soon!
 +
 +
 +
 +# zypper install opensc
  • suse/nitrokey/start.1596661412.txt.gz
  • Zuletzt geändert: 05.08.2020 21:03.
  • von django