User:Pjones/SecureBootSmartCardDeployment

From FedoraProject

< User:Pjones(Difference between revisions)
Jump to: navigation, search
(Card Initialization)
Line 82: Line 82:
 
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
 
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
 
</pre>
 
</pre>
* Destroy fedora.p12
+
* For the love of god remove every file that was generated
 +
<pre>
 +
eddie:~/db$ cd ..
 +
eddie:~$ rm -rf db
 +
</pre>

Revision as of 18:22, 9 October 2012

So you're stuck with Secure Boot and you want to use Smart Cards

Card Initialization

Procure some PKCS15 smart cards. Do not get Java Cards. Get "eToken" cards. They're CDW Part #1537376 . I'm sorry you'll have to deal with CDW but that's life sometimes.

Install the following packages:

  • pesign
  • pcsc-lite-ccid
  • pcsc-tools
  • pcsc-lite
  • opensc

Use openssl to generate a signing key ("fedora.p12" from here on out)

eddie:~$ mkdir db
eddie:~$ cd db
eddie:~/db$ openssl genrsa -out fedora.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................................
..........................................................................+++
...........+++
e is 65537 (0x10001)
eddie:~/db$ openssl req -new -key fedora.key -out fedora.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Cambridge
Organization Name (eg, company) [Default Company Ltd]:Fedora Project
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Fedora Signing Key
Email Address []:pjones@fedoraproject.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:fooo
An optional company name []:   
eddie:~/db$ openssl x509 -req -days 365 -in fedora.csr -signkey fedora.key -out fedora.crt
Signature ok
subject=/C=US/ST=Massachusetts/L=Cambridge/O=Fedora Project/CN=Fedora Signing Key/emailAddress=pjones@fedoraproject.org
Getting Private key
eddie:~/db/ openssl pkcs12 -export -inkey fedora.key -in fedora.crt -name "Fedora Signing Key" -out fedora.p12 -nodes
Enter Export Password:
Verifying - Enter Export Password:
eddie:~/db$

Initialize two smart cards

  • Make sure pcscd is running
service pcscd start
  • Insert your Smart Card
  • Initialize each card as a pkcs15 card
# CDW Part #1537376.
PIN=12345678
CARDLABEL="Fedora Signing Card"

# Format (wipe) the card.
# opensc-tool --list-algorithms
cardos-tool -f

# Create the PKCS#15 structures, set the security officer PIN and unlock code.
pkcs15-init -CT

# Create a user PIN and unlock code.
pkcs15-init -P -a 1 --pin $PIN --label "$CARDLABEL"
  • Import the signing key to each of the smart cards
# Import a PKCS12 bundle.
pkcs15-init --store-private-key fedora.p12 --format pkcs12 --auth-id 01 --pin $PIN

# List the contents.
pkcs11-tool --module opensc-pkcs11.so -l --pin $PIN -O
  • For the love of god remove every file that was generated
eddie:~/db$ cd ..
eddie:~$ rm -rf db