NHS-Smartcards

Have you got an NHS Smartcard? Yes? Useless, isn't it! Despite the huge push in NPfIT, the push towards a useful system seems still stationary, at just past the starting post. However, do not despair - this site will allow you to use your card for something interesting, if not excessively useful...

What is it?

pkcs11-tool reports 'GemSAFE on GPK16000'. This is, apparently, unlikely, as these cards have not been available for a long time. Currently unknown how to identify appropriately.

What can the card do?

> pkcs11-tool -M
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  RSA-PKCS, sign, verify, unwrap, decrypt
  SHA1-RSA-PKCS, sign, verify
  MD5-RSA-PKCS, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keypairgen

What Data is on my NHS Smartcard?

Windows reports a total of 9 objects stored on the NHS SmartCard:-
> pkcs15-tool -D
PKCS#15 Card [GemSAFE]:
Version : 0
Serial number : 00400032cxxxxxx9
Manufacturer ID: GemSAFE on GPK16000
Flags :
PIN [pin]
Com. Flags: 0x1
ID : 01
Flags : [0x22], local, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char : 0x00
Reference : 0
Type : ascii-numeric
Path : 3f000200
Private RSA Key [AUTH key]
Com. Flags : 0
Usage : [0x37], encrypt, decrypt, sign, wrap, unwrap
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 0
Native : yes
Path : 0009
Auth ID : 01
ID : 01
X.509 Certificate [User certificate]
Flags : 0
Authority: no
Path :
ID : 01
> pkcs11-tool -OIL
Cryptoki version 2.11
Manufacturer     OpenSC (www.opensc-project.org)
Library          smart card PKCS#11 API (ver 1.0)
Available slots:
Slot 0           O2 Micro Oz776 00 00
  token label:   GemSAFE (pin)
  token manuf:   GemSAFE on GPK16000
  token model:   PKCS #15 SCard
  token flags:   rng, login required, PIN initialized, token initialized
  serial num :   00400032cxxxxxx9
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Slot 4           (empty)
Slot 5           (empty)
Slot 6           (empty)
Slot 7           (empty)
Private Key Object; RSA
  label:      AUTH key
  ID:         01
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      User certificate
  ID:         01
Public Key Object; RSA 1024 bits
  label:      User certificate
  ID:         01
  Usage:      encrypt, verify

Alternatively, using the GemSafe Toolbox under Windows:-
Card Serial Number: 14621476F1xxxxxx
Card Total Public Memory: 6068 byte
Card Total Private Memory: 2800 byte
Card Free Public Memory: 3692 byte
Card Free Private Memory: 2513 byte
User is logged in
User PIN is initialized.
Number of incorrect presentations after which User PIN will be blocked: 3
Number of incorrect presentations after which Administrator PIN will be blocked: 3
Number of object found: 9
X509 Certificate
- Real size: 1016
- Version: X509v3
- Serial number: hex:42:12:0A:65
- This certificate is valid from Wed Sep 19 10:36:41 2007 to Sat Sep 19 11:06:41 2009
- This certificate belongs to:
204551xxxxxx_Test_User
People
nhs
- This certificate was issued by:
NHS Level 1B
CA
nhs
X509 Certificate
- Real size: 894
- Version: X509v3
- Serial number: hex:40:CE:AE:5B
- This certificate is the default certificate.
- This certificate is valid from Wed Sep 19 10:36:37 2007 to Sat Sep 19 11:06:37 2009
- This certificate belongs to:
204551xxxxxx
People
nhs
- This certificate was issued by:
NHS Level 1A
CA
nhs
RSA Public key 1024 bits
RSA Public key 1024 bits
RSA Private key 1024 bits
RSA Private key 1024 bits
How do I retrieve my x509 certificate?

> pkcs15-tool -r 01 | openssl x509 > X509-Certificate.PEM
> pkcs15-tool -r 01 | openssl x509 -text

Where can I get the Certificate Authority Root Certificate?

These are the files I have, obtained from the NHS Certificate Enrollment Service Website:
How do I retrieve my RSA Public Key?

> pkcs11-tool --read-object --type pubkey --id 01 | (something, but I don't know what!)

pkcs15-tool --read-public-keys 01 seems to do something, despite pkcs15-tool --list-public-keys showing nothing!

How do I retrieve my RSA Private Key?

You can't! It's a smartcard - that's the whole point!

Can I create additional certificates, without destroying my NHS connection, or getting into trouble?

No idea! Technically, the card belongs to the NHS, so you're probably not supposed to. I'm unsure if it will break NHS connectivity, though, so I'm unwilling to try!

So, what the *** can I do with it?
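Building on the pkcs15-tool commands above, here is an added example (not from the original page) that checks what you have read off the card: that the public key really matches the certificate, that the certificate chains to the CA bundle and is still valid, and that it carries an e-mail address for S/MIME. The file names cert.pem, pub.pem and ca-bundle.pem are assumptions, and openssl must be installed.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a certificate and
# public key pulled off the card with pkcs15-tool against an NHS CA bundle.
# Assumes: openssl on PATH; the caller has already saved
#   pkcs15-tool -r 01 | openssl x509                  > cert.pem
#   pkcs15-tool --read-public-keys 01 (or equivalent) > pub.pem
# and has the NHS root/issuing CA certificates concatenated in ca-bundle.pem.

# SHA-256 of the DER SubjectPublicKeyInfo, taken either from a certificate
# ($1=cert) or from a bare PEM public key ($1=pub); $2 is the file.
spki_fp() {
  if [ "$1" = cert ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    cat "$2"
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# 0 if the public key inside the certificate ($1) is the same key the card
# holds ($2), i.e. the "User certificate" really belongs to the "AUTH key".
key_matches_cert() { [ "$(spki_fp cert "$1")" = "$(spki_fp pub "$2")" ]; }

# 0 if the certificate ($2) chains to the CA bundle ($1) and is inside its
# validity period; the 2007-2009 certificates on this page fail on expiry alone.
cert_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if the certificate carries an e-mail address (SAN rfc822Name or a DN
# emailAddress), which Outlook/Thunderbird need before they will use it for S/MIME.
cert_has_email() { openssl x509 -in "$1" -noout -text | grep -Eq 'email:|emailAddress'; }

# Human-readable report; returns non-zero if any check fails.
check_card_cert() {  # $1 ca-bundle.pem, $2 cert.pem, $3 pub.pem
  rc=0
  key_matches_cert "$2" "$3" && echo "key:   matches certificate" || { echo "key:   MISMATCH"; rc=1; }
  cert_verifies "$1" "$2"    && echo "chain: OK"                  || { echo "chain: FAILED"; rc=1; }
  cert_has_email "$2"        && echo "email: present"             || { echo "email: none (S/MIME will not work)"; rc=1; }
  return $rc
}
```

Run it as check_card_cert ca-bundle.pem cert.pem pub.pem; a failed chain check against the NHS bundle narrows the Windows import problem described below to either a missing intermediate CA or an expired certificate.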
I have some useful information - how can I contact you?

Fantastic! You can either discuss the subject on this wiki, or you can send me an email, and I will be eternally grateful. :)

Using the card under Windows

Outlook and Thunderbird need to be told to look for the secure certificate on the smartcard device, which means installing a new PKCS#11 Security Module. The required one is (on my system at least) found at C:\Program Files\Gemplus\GemSafe Libraries User\BIN\gclib.dll

Issues

NHS Smartcards (well, mine, at least) do not come with an email address configured - which somewhat defeats the use for signing emails as far as I can see...

Cannot import certificates under Windows... Even when NHS root certificates are installed, I am unable to verify the validity of the certificate, and import is refused.

GemSAFE card support under Linux is somewhat limited, due to policies from Gemalto NV. I have tried to collect various snippets about GemPLUS in the Grimoire.Gemalto. There are official GemSAFE v2 Middleware drivers available, although so far I have not been able to make these work.

Links

Unsurprisingly, there are limited resources available on the 'net. However, you will find the following useful: