Have you got a NHS Smartcard?
Yes? Useless, isn't it! Despite the huge push in NPfIT, the push towards a useful system still seems stationary, just past the starting post. However, do not despair - this site will allow you to use your card for something interesting, if not excessively useful...
What is it?
pkcs11-tool reports 'GemSAFE on GPK16000'. This is, apparently, unlikely, as these cards have not been available for a long time. It is currently unknown how to identify the card properly.
What can the card do?
> pkcs11-tool -M
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  RSA-PKCS, sign, verify, unwrap, decrypt
  SHA1-RSA-PKCS, sign, verify
  MD5-RSA-PKCS, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keypairgen
What Data is on my NHS Smartcard?
Windows reports a total of 9 objects stored on the NHS SmartCard:-
> pkcs15-tool -D
PKCS#15 Card [GemSAFE]:
        Version        : 0
        Serial number  : 00400032cxxxxxx9
        Manufacturer ID: GemSAFE on GPK16000
        Flags          :

PIN [pin]
        Com. Flags: 0x1
        ID        : 01
        Flags     : [0x22], local, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 0
        Type      : ascii-numeric
        Path      : 3f000200

Private RSA Key [AUTH key]
        Com. Flags  : 0
        Usage       : [0x37], encrypt, decrypt, sign, wrap, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 0
        Native      : yes
        Path        : 0009
        Auth ID     : 01
        ID          : 01

X.509 Certificate [User certificate]
        Flags    : 0
        Authority: no
        Path     :
        ID       : 01
> pkcs11-tool -OIL
Cryptoki version 2.11
Manufacturer     OpenSC (www.opensc-project.org)
Library          smart card PKCS#11 API (ver 1.0)
Available slots:
Slot 0           O2 Micro Oz776 00 00
  token label:   GemSAFE (pin)
  token manuf:   GemSAFE on GPK16000
  token model:   PKCS #15 SCard
  token flags:   rng, login required, PIN initialized, token initialized
  serial num :   00400032cxxxxxx9
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Slot 4           (empty)
Slot 5           (empty)
Slot 6           (empty)
Slot 7           (empty)
Private Key Object; RSA
  label:      AUTH key
  ID:         01
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      User certificate
  ID:         01
Public Key Object; RSA 1024 bits
  label:      User certificate
  ID:         01
  Usage:      encrypt, verify
Alternatively, using the GemSafe Toolbox under Windows:-
Card Serial Number: 14621476F1xxxxxx
Card Total Public Memory: 6068 byte
Card Total Private Memory: 2800 byte
Card Free Public Memory: 3692 byte
Card Free Private Memory: 2513 byte
User is logged in
User PIN is initialized.
Number of incorrect presentations after which User PIN will be blocked: 3
Number of incorrect presentations after which Administrator PIN will be blocked: 3
Number of object found: 9
X509 Certificate
 - Real size: 1016
 - Version: X509v3
 - Serial number: hex:42:12:0A:65
 - This certificate is valid from Wed Sep 19 10:36:41 2007 to Sat Sep 19 11:06:41 2009
 - This certificate belongs to: 204551xxxxxx_Test_User People nhs
 - This certificate was issued by: NHS Level 1B CA nhs
X509 Certificate
 - Real size: 894
 - Version: X509v3
 - Serial number: hex:40:CE:AE:5B
 - This certificate is the default certificate.
 - This certificate is valid from Wed Sep 19 10:36:37 2007 to Sat Sep 19 11:06:37 2009
 - This certificate belongs to: 204551xxxxxx People nhs
 - This certificate was issued by: NHS Level 1A CA nhs
RSA Public key 1024 bits
RSA Public key 1024 bits
RSA Private key 1024 bits
RSA Private key 1024 bits
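As an added example (not from this wiki, and not OpenSC's own code), a small Python script that parses the pkcs15-tool -D dump above and pulls out the two facts worth checking before relying on a card: that the AUTH key is flagged sensitive and neverExtract, and what PIN lengths the card accepts. It embeds a trimmed copy of that dump as constructed sample input; pipe a live dump into it to check a real card.

```python
import re, sys

# Constructed sample: the relevant lines of the pkcs15-tool -D dump shown above.
SAMPLE_DUMP = """\
PKCS#15 Card [GemSAFE]:
        Manufacturer ID: GemSAFE on GPK16000
PIN [pin]
        ID        : 01
        Length    : min_len:4, max_len:8, stored_len:8
Private RSA Key [AUTH key]
        Usage       : [0x37], encrypt, decrypt, sign, wrap, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
"""

def parse_dump(text):
    """Map each object header (column 0) to its indented 'Key : value' lines."""
    objects, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():           # new object, e.g. "PIN [pin]"
            current = line.rstrip(':').strip()
            objects[current] = {}
        elif current is not None:           # attribute of the current object
            key, _, value = line.partition(':')
            objects[current][key.strip()] = value.strip()
    return objects

def flag_names(value):
    """'[0x1D], sensitive, neverExtract' -> {'sensitive', 'neverExtract'}."""
    return {p.strip() for p in value.split(',')[1:] if p.strip()}

def non_extractable_keys(objects):
    """Names of private keys marked both 'sensitive' and 'neverExtract'."""
    return sorted(name for name, attrs in objects.items()
                  if name.startswith('Private')
                  and {'sensitive', 'neverExtract'} <= flag_names(attrs.get('Access Flags', '')))

def pin_lengths(objects):
    """PIN length policy as ints, e.g. {'min_len': 4, 'max_len': 8, 'stored_len': 8}."""
    for name, attrs in objects.items():
        if name.startswith('PIN'):
            return {k: int(v) for k, v in re.findall(r'(\w+):(\d+)', attrs.get('Length', ''))}
    return {}

if __name__ == '__main__':          # usage: pkcs15-tool -D | python3 check_card.py
    objs = parse_dump(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP)
    print('non-extractable private keys:', non_extractable_keys(objs))
    print('PIN length policy:', pin_lengths(objs))
```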
How do I retrieve my X.509 certificate?
> pkcs15-tool -r 01 | openssl x509 > X509-Certificate.PEM
> pkcs15-tool -r 01 | openssl x509 -text
Where can I get the Certificate Authority Root Certificate?
These are the files I have, obtained from the NHS Certificate Enrollment Service Website:
How do I retrieve my RSA Public Key?
> pkcs11-tool --read-object --type pubkey --id 01 | (something, but I don't know what!)
> pkcs15-tool --read-public-keys 01
seems to do something, despite
> pkcs15-tool --list-public-keys
How do I retrieve my RSA Private Key?
You can't! It's a smartcard - that's the whole point!
Can I create additional certificates, without destroying my NHS connection, or getting into trouble?
No idea! Technically, the card belongs to the NHS, so you're probably not supposed to. I'm unsure if it will break NHS connectivity, though, so I'm unwilling to try!
So, what the *** can I do with it?
I have some useful information - how can I contact you?
Fantastic! You can either discuss the subject on this wiki, or you can Send me an email, and I will be eternally grateful. :)
Using the card under Windows
Outlook and Thunderbird need to be told to look for the secure certificate on the smartcard device, which means installing a new PKCS#11 Security Module. The required one is (on my system at least) found at C:\Program Files\Gemplus\GemSafe Libraries User\BIN\gclib.dll
NHS Smartcards (well, mine, at least) do not come with an email address configured - which somewhat defeats the use for signing emails as far as I can see...
Certificates cannot be imported under Windows... Even when the NHS root certificates are installed, I am unable to verify the validity of the certificate, and the import is refused.
GemSAFE card support under Linux is somewhat limited, due to policies from Gemalto NV. I have tried to collect various snippets about GemPLUS in the Grimoire.Gemalto. There are official GemSAFE v2 Middleware drivers available, although so far I have not been able to make these work.
Unsurprisingly, there are limited resources available on the 'net. However, you will find the following useful: