I was looking through the documentation of SGX and could not find any description of how to access the contents of a TPM. According to their claims that should although be possible!?
Has anyone experience in this?
Related
I'm building an application can interact with tpm chip via PKCS#11, generate private key (stored in tpm), import certificate which according the private key, sign data,... I want to use tpm chip like a hsm.
So, someone can help me! What's name of PKCS#11 driver can help me interact with tpm?
OR What's I must do to make the PKCS#11 driver? I have build OpenCryptoki and Trousers on Centos 6.5 but after build successful I don't know what's file in OpenCrptoki or Trousers is PKCS11 driver!
Thanks!
Opencryptoki should support TPM via TrouSerS (see e.g. here, here, here).
There is a simple-tpm-pk11 project which takes a straighter approach and might be interesting for you -- see this interesting article on author's blog.
Disclaimer: I have never used TPM for doing crypto so please do validate my thoughts.
PS: I forgot to say that opencryptoki PKCS#11 driver usually resides in /usr/lib/opencryptoki/libopencryptoki.so.
In last couple months while learning to develop Java Card applets I managed to develop ISO 7816 compatible file system applet. I successfully implemented most of the standardized APDU commands from 7816-4, -8, -9 standards (I used other available functional descriptions and standards like OpenPGP applet, IAS ECC, MUSCLE, CoolKey etc. to help me understand former standards).
Now I am trying to develop PKCS#11 implementation for this my own applet. I am familiar with using OpenSC tools for already supported cards (opensc-tool, opensc-explorer, pkcs15-init, pkcs15-tool etc.). But I would like to develop driver for this applet for OpenSC.
I browsed information available on their project site on github and found some documentation on implementing custom driver for OpenSC (entersafe card example, and general suggestions for card driver implementation). Also I found that on gooze.eu there were available some tutorials on OpenSC, but this site is no longer available.
So my questions are:
Where can I find some more information on OpenSC API in order to understand available driver code and to manage to develop my own?
Any general overview of API, about OpenSC architecture, description of available functions (description on intended usage of structures and functions such as sc_format_apdu, sc_transpit_apdu, sc_card_operatins as an example etc.) to give me a jumpstart for understanding OpenSC source code and implementing a card driver.
Are there any man pages for OpenSC API (googling I was able to find some, but very incomplete and sporadic).
Any information would be very helpful.
Why don't you either use IsoApplet (that has both JavaCard applet and OpenSC driver) or if you want to develop your own, learn from its source code.
Also, if you have studied the standards and existing applets (and drivers) you should have enough domain knowledge to get an idea of what some of the API functions do. If not, keep your code somewhere in public and you can (hopefully) get support from the OpenSC developers via mailing list.
I've a PKCS-11 supported smartcard? I just want to check that my the smartcard is working fine or not. How can check it on Ubuntu? Please guide me. what software I can use? how what steps should I follow?
It is important to understand that PKCS#11 standard just defines the C language API to access smartcards and other types of cryptographic hardware (or even software). It is usually hardware vendor who provides software library (.dll for windows, .so for unix etc.) that implements PKCS#11 API and is able to access the hardware (smartcard in your case). Your application usually loads PKCS#11 library and uses PKCS#11 API functions it provides.
In most cases it is the best to use PKCS#11 library provided by your smartcard vendor but there are also many independent software vendors such as A.E.T. or Aloaha who provide smartcard middleware (software package that usually contains PKCS#11 library) that can access a bunch of widely used smartcards. You can also take a look at OpenSC project which provides an open source PKCS#11 library that supports many popular smartcards and USB tokens.
Now let's get back to your questions:
Do I have a PKCS-11 supported smartcard?
You have to check whether there exists a library (open source or commercial) that implements PKCS#11 API and supports your smartcard. If you can find such a library then the answer is yes.
How can I check it on Ubuntu?
If you already have PKCS#11 library then you can install "opensc" package which provides command line application called "pkcs11-tool". You can use following command to list readers and cards accessible via your PKCS#11 library:
pkcs11-tool --module your_pkcs11_library.so --list-slots
If you want to use PKCS#11 library provided by OpenSC project then just replace "your_pkcs11_library.so" with "opensc-pkcs11.so".
What software I can use?
PKCS#11 is widely supported standard so this question is hard to answer. I guess you would like to use open source applications with your smartcard because you have mentioned Ubuntu so here is the short list of well known applications that support PKCS#11:
Mozilla Firefox - supports digital signature and client authentication
Mozilla Thunderbird - supports digital signing of e-mails
LibreOffice - supports digital signing of documents
TrueCrypt - supports disk encryption
OpenVPN - supports client authentication
OpenSSH - supports client authentication
To verify Ubuntu sees your smartcard reader and identity card:
Install libusb-1.0-0-dev pcsc-lite pcscd pcsc-tools
The following tools will be installed:
pcscd - systemctl status pcscd - sometimes the card reader crashes this daemon, so you may need to restart it.
opensc-explorer - it searches and displays smartcard readers attached
opensc-tool - Options will provide detailed information about your smartcard reader.
pcsc_scan - will show you smartcard reader and its status. It should show your identity card inserted, as well as when you take it out. If it displays waiting on reader - restart the pcscd service and try again.
The following link describes this more in detail and setting up firefox/chrome for certificates
https://cubiclenate.com/linux/applications/utilities/dod-cac-ubuntu-linuxmint/
I want to develop an application for firefox os. But i'm unable to find any tutorial for accessing its device specific features. Pls suggest me a good tutorial for it. thank you
At the MDN you will find documentation about WebAPIs. WebAPIs are the way to access device's capabilities in app code.
Regards,
I am new to javacard programming.While working with owner pin in my javacard application, I referred that "PIN interface which is in javacard framework package does not make any assumptions about where the data for the PIN value comparison is stored".
And I want to know the following,
Can I get the exact location where my owner pin is stored? If I can how to do that? How to export my updated owner pin?
I have an applet of my javacard application. Now how can I load & install into my javacard.I know there are tools available and come with the smartcard itself. But I want to install without tool and only through apdu commands. Is there any procedure to do that? If so how to do that?
Sorry, you cannot retrieve the OwnerPIN, probably because of security reasons. You will have to implement the PIN interface yourself if you want to do that, but there are about 8 pitfalls in the implementation regarding side channel attacks and such. If you can't think of about 8 attacks, don't go there. Generally, retrieving the PIN as data is not what you should want.
Of course there is a procedure to do that: create your own GlobalPlatform API - you might want to look at open source examples though, such as gjp.
As an extreme hack, you could store the PIN in as the value of a secret key object (which are generally well protected).
Regarding the installation of applets I have a good and bad news for you:
The general process of command for installing is standardized by Global Platform, however that refers only to those commands you send to the Cardmanager-Applet.
However AFAIK there is no vendor independent standard of the Cardmanager-AID. Additionally you have to authenticate yourself to the Cardmanager applet before you can use it. On developer cards this is usually a simple key like 404142434445464748494a4b4c4d4e4f (hex) as used for example by JCOP cards for the first DES key.
Additionally this authentication key can be changed by the card owner. Therefore on non-developer cards you don't have access to the Cardmanager.