Assumptions: Using Ubuntu with OpenSC
Installation tip: install OpenSC from source, following the instructions in [1], rather than from the Ubuntu repositories (apt-get install opensc). The packaged version is too old and fails with the error
“failed: Invalid arguments
Decrypt failed: Invalid arguments”
as described in this OpenSC mailing list thread [2]. It took a while to figure out what the problem was, so here is the troubleshooting process in case it helps with similar problems. First, enable verbose output (we were using pkcs15-crypt, so its -v option) and read through it; in our case the relevant lines are the ones highlighted in red in [3]. Searching for the error “Invalid Case 4 short APDU” leads to this OpenSC pull request [4], which shows that a later version of OpenSC is required.
Common cryptographic operations using the Estonian e-ID
File names used:
/tmp/toSign: the file whose signature you want to generate
/tmp/toSign.sig: the signature of that file
/tmp/toEncrypt: the file you want to encrypt
/tmp/Encrypted.enc: the encrypted file
/tmp/publickey.pem: the public half of the key pair stored on your e-ID card, which is safe to distribute (hence “public” 😉)
Extracting the public key for distribution. Key ID 01 is used throughout; confirm the ID with pkcs15-tool --list-keys, since the card holds separate authentication and signature key pairs.
pkcs15-tool --read-public-key 01 > /tmp/publickey.pem
Generating a signature for a document (signing operation). The SHA-512 digest is computed on the host and piped to pkcs15-crypt; --sha-512 --pkcs1 tell it to wrap the digest in the DigestInfo structure and PKCS#1 v1.5 padding before the card applies the private key, and --raw writes the signature as raw bytes, which is what openssl expects for -signature.
openssl dgst -binary -sha512 /tmp/toSign | /usr/bin/pkcs15-crypt --sign --key 01 --sha-512 --pkcs1 --raw > /tmp/toSign.sig
Verifying the signature of a document (signature verification operation). Only the public key is needed, so anyone holding /tmp/publickey.pem can do this:
openssl dgst -sha512 -verify /tmp/publickey.pem -signature /tmp/toSign.sig /tmp/toSign
Encrypting a file with a public key (e.g. someone needs to send data that ONLY YOU can decrypt). This is raw RSA with PKCS#1 v1.5 padding, so the input is limited to the key size minus 11 bytes (245 bytes for a 2048-bit key); for anything larger, encrypt the file with a random symmetric key and wrap only that key with RSA. Note that rsautl is deprecated in OpenSSL 3.0 in favour of openssl pkeyutl.
openssl rsautl -inkey /tmp/publickey.pem -pubin -encrypt -pkcs -in /tmp/toEncrypt -out /tmp/Encrypted.enc
Decrypting a file with the private key stored on your card. The card only ever performs the RSA operation on the ciphertext block; the plaintext is written to stdout, so redirect it or add --output <file>:
pkcs15-crypt --decipher --key 01 --input /tmp/Encrypted.enc --pkcs1 --raw
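The whole sign/verify and encrypt/decrypt flow above, as an added example that is not part of the original post. It runs entirely in software so it can be tried without a card: a throwaway RSA key pair generated in the script stands in for key 01 on the e-ID (an assumption; a real card key is not exportable), and openssl pkeyutl plays the part of pkcs15-crypt. The private-key side still only ever receives a SHA-512 digest (signing) or a single RSA block (decryption), exactly as with the pkcs15-crypt commands, and the encryption step shows the hybrid scheme needed once the file exceeds one RSA block. All input files are constructed in the script.

```shell
#!/bin/sh
# Added example, not from the original post. ASSUMPTION: the key pair generated
# in setup_keys stands in for key 01 on the e-ID card, and "openssl pkeyutl"
# stands in for pkcs15-crypt. Everything else mirrors the commands on the page.
set -e

WORK="${WORK:-$(mktemp -d)}"
PRIV="$WORK/card-priv.pem"    # stand-in for the private key on the card
PUB="$WORK/publickey.pem"     # what "pkcs15-tool --read-public-key 01" exports

# Generate the stand-in key pair (hypothetical; a card key never leaves the card).
setup_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIV" 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB"
}

# sign_file FILE SIGFILE
# Step 1 hashes on the host ("openssl dgst -binary -sha512" as on the page).
# Step 2 is the private-key operation: "-pkeyopt digest:sha512" makes pkeyutl wrap
# the 64-byte digest in the SHA-512 DigestInfo and PKCS#1 v1.5 padding, which is
# what "--sha-512 --pkcs1" tell pkcs15-crypt to do before the card signs.
sign_file() {
    openssl dgst -binary -sha512 "$1" > "$WORK/digest.bin"
    openssl pkeyutl -sign -inkey "$PRIV" -pkeyopt digest:sha512 \
        -in "$WORK/digest.bin" -out "$2"
}

# verify_file FILE SIGFILE -> exit status 0 if the signature is valid, 1 otherwise.
# Same command as on the page; needs only the public key.
verify_file() {
    openssl dgst -sha512 -verify "$PUB" -signature "$2" "$1" >/dev/null 2>&1
}

# encrypt_file FILE OUTFILE
# Raw RSA with PKCS#1 v1.5 padding carries at most (key bytes - 11) bytes, so
# rsautl fails above 245 bytes with a 2048-bit key. Hybrid encryption fixes that:
# wrap a fresh random AES key with RSA (OUTFILE.key) and encrypt the file itself
# with AES (OUTFILE). Only the small .key blob would go to the card for
# "pkcs15-crypt --decipher".
encrypt_file() {
    openssl rand -hex 32 > "$WORK/aes.key"
    openssl pkeyutl -encrypt -pubin -inkey "$PUB" -in "$WORK/aes.key" -out "$2.key"
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$WORK/aes.key" -in "$1" -out "$2"
    rm -f "$WORK/aes.key"
}

# decrypt_file ENCFILE OUTFILE  (the reverse: unwrap the key, then decrypt the file)
decrypt_file() {
    openssl pkeyutl -decrypt -inkey "$PRIV" -in "$1.key" -out "$WORK/aes.key.dec"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/aes.key.dec" -in "$1" -out "$2"
    rm -f "$WORK/aes.key.dec"
}

# Full round trip on constructed input. Returns 0 if every check passes.
run_demo() {
    setup_keys
    printf 'constructed sample document\n' > "$WORK/toSign"
    sign_file "$WORK/toSign" "$WORK/toSign.sig"
    verify_file "$WORK/toSign" "$WORK/toSign.sig"
    # a one-byte change to the document must make verification fail
    printf 'constructed sample Document\n' > "$WORK/tampered"
    if verify_file "$WORK/tampered" "$WORK/toSign.sig"; then return 1; fi
    openssl rand -out "$WORK/toEncrypt" 4096   # far larger than one RSA block
    encrypt_file "$WORK/toEncrypt" "$WORK/Encrypted.enc"
    decrypt_file "$WORK/Encrypted.enc" "$WORK/Decrypted"
    cmp -s "$WORK/toEncrypt" "$WORK/Decrypted"
}

run_demo
echo "sign/verify and encrypt/decrypt round trip OK (work dir: $WORK)"
```

To use this against a real card, keep verify_file and the AES half of encrypt_file/decrypt_file as they are and replace only the two private-key calls: the pkeyutl -sign line with the pkcs15-crypt --sign pipeline from the page, and the pkeyutl -decrypt line with pkcs15-crypt --decipher on the .key blob.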
PS: The following sites were invaluable during the investigation:
https://blog.g3rt.nl/luks-smartcard-or-token.html
http://blog.fkraiem.org/2013/03/13/linux-smart-card-authentication-howto/
References
[1] https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-OpenSC-on-Unix-flavors
[2] http://opensc.1086184.n5.nabble.com/EstEID-decipher-problem-td12208.html
[3] https://docs.google.com/document/d/1NFtwAOL3EzU_qCZpmVctV8pdmW6jQMhkMVblevGC2LA/edit?usp=sharing