Using PIVKey on Linux systems requires CCID support (for the USB tokens) and installation of PIV Middleware.
CCID
PCSCLite is the most widely used package for support of CCID compatible readers and tokens, and is part of most Linux distributions. PIVKey tokens are supported by PCSCLite version 1.4.19 and later. On UBUNTU PCSCLite can be found here:
http://packages.ubuntu.com/libccid
Rather than installing the latest version, however, we recommend that you modify the configuration file for the default installation on your platform. For example, you can edit the CCID config file on UBUNTU as follows:
gksudo gedit /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
Make the following changes:
Find: <key>ifdVendorID</key>
Append:
<string>0x096e</string>
<string>0x096e</string>
Find: <key>ifdProductID</key>
Append:
<string>0x080f</string>
<string>0x0603</string>
Find: <key>ifdFriendlyName</key>
Append:
<string>PIVKey Token </string>
<string>PIVKey Token </string>
You will need to restart PCSC after making the changes.
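A consistency check for the edit above, as an added example (not part of the original page or of PIVKey's own tooling). The three arrays are parallel, so entry i of ifdVendorID, ifdProductID and ifdFriendlyName together describe one reader. The function names and the sample data are made up for illustration, and the script assumes the Info.plist parses as a standard XML property list.

```python
import plistlib
import sys

# Vendor/product pairs taken from the instructions above.
PIVKEY_IDS = [("0x096e", "0x080f"), ("0x096e", "0x0603")]
KEYS = ("ifdVendorID", "ifdProductID", "ifdFriendlyName")

def check_ccid_plist(data, wanted=PIVKEY_IDS):
    """Return a list of problems; an empty list means the edit is consistent."""
    plist = plistlib.loads(data)
    vendors, products, names = (plist.get(k, []) for k in KEYS)
    problems = []
    # Entry i of one array is matched with entry i of the others, so a
    # missing or extra <string> shifts every reader listed after it.
    if not len(vendors) == len(products) == len(names):
        problems.append("array lengths differ: %d/%d/%d"
                        % (len(vendors), len(products), len(names)))
    pairs = {(v.lower(), p.lower()) for v, p in zip(vendors, products)}
    for vid, pid in wanted:
        if (vid, pid) not in pairs:
            problems.append("missing pair %s:%s" % (vid, pid))
    return problems

def sample(vendors, products, names):
    """Build a constructed plist (not a real driver file) for the demo."""
    return plistlib.dumps(dict(zip(KEYS, (vendors, products, names))))

# Constructed input: one pre-existing reader (placeholder IDs) plus the
# two PIVKey entries appended as described above.
GOOD = sample(["0x0000", "0x096e", "0x096e"],
              ["0x0001", "0x080f", "0x0603"],
              ["Example Reader", "PIVKey Token", "PIVKey Token"])
# Constructed input: the same edit with one ifdVendorID line forgotten.
BAD = sample(["0x0000", "0x096e"],
             ["0x0001", "0x080f", "0x0603"],
             ["Example Reader", "PIVKey Token", "PIVKey Token"])

if __name__ == "__main__":
    # Pass the path of the edited Info.plist, or run without arguments
    # to check the constructed GOOD sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GOOD
    for line in check_ccid_plist(data) or ["OK"]:
        print(line)
```

Run it against the edited file before restarting PCSC; any reported problem means the three Append steps are out of step with each other.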
You can check if CCID is recognizing PIVKey by running pcsc_scan from the Terminal:
PIV Middleware
There is a wide variety of commercial middleware packages for PIV on Linux. In addition, there is an open source package called OpenSC that supports PIV. OpenSC provides some tools and, most importantly, a PKCS11 library that allows PIV cards to be used by applications like Firefox and SSH.
On UBUNTU the OpenSC package can be found here:
http://packages.ubuntu.com/opensc
After installing, you may have to configure OpenSC to recognize the PIVKey. Newer versions of OpenSC identify devices using the PIV applet OID and should be recognized automatically. Older versions use the card ATR.
To find out the ATR of your PIVKey, run opensc-tool:
$ opensc-tool -a
Using reader with a card: PIVKey Token 00 00
3b:9f:95:81:31:fe:9f:00:66:46:53:05:10:00:11:71:df:00:00:00:00:00:02
Add this ATR to the OpenSC config file on UBUNTU as follows:
gksudo gedit /etc/opensc/opensc.conf
Look for the following section:
# PIV cards need an entry similar to this one:
and add the PIVKey ATR. For example the following:
card_atr 3B:9F:95:81:31:FE:9F:00:66:46:53:05:10:00:11:71:DF:00:00:00:00:00:02 {
name = "PIVKey";
driver = "piv";
}
To test the installation, you can, for example, run OpenSC piv-tool to find out the serial number of the card:
piv-tool -c piv --serial
Using reader with a card: PIVKey Token 00 00
73 01 AE FB 92 58 12 46 B2 E8 E6 2E 7F 16 E3 78 s....X.F.......x
To use PIVKey with PKCS11 applications like Firefox, use the OpenSC PKCS11 lib. On UBUNTU the pkcs11 library can be found here:
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
To use Firefox with the PIVKey:
- Open the Firefox preferences dialog. Choose "Advanced" > "Encryption" > "Security Devices"
- Choose "Load"
- Enter a name for the security module, for example PIVKey Driver
- Choose "Browse..." to find the location of the PKCS11 module, for example /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so on UBUNTU.
Note: OpenSC PIV tool cannot be used to load PIV certificates to the card. Rather, the standard PIVKey Admin Tool on Windows must be used to load certificates to the card.
For more information on OpenSC, see here: https://github.com/OpenSC/OpenSC/wiki