Using smart cards with applications

Matthew X. Economou edited this page Sep 12, 2017 · 8 revisions

Using smart cards with applications

This is an incomplete list of (mostly open source) end-user applications that are capable of working with smart cards initialized and/or supported by OpenSC, grouped by function. Software development libraries and helpers are listed on DeveloperInformation page.

Connection authentication + encryption

Web browsers / HTTPS

SSH

VPN

  • OpenConnect (client for Cisco AnyConnect SSL VPN) supports PKCS#11 for client authentication. HOWTO
  • OpenVPN (SSL VPN) supports PKCS#11 for client authentication. Documentation
  • strongSwan (IPSec VPN) supports PKCS#11 modules for RSA keys so it can be used with OpenSC. Documentation and installation instructions. StrongSwan has limitations in PKCS#11 slot ID length, see this post on opensc-devel for more information.
  • Openswan 2.4.X includes code to link directly against libopensc, this has been deprecated with OpenSC versions from 0.12 onwards. README.×509 has a chapter 8 about smart card support. Openswan 2.6.X seem to have PKCS#11 support but there is no visible documentation.

Misc

Data signing + encryption

E-mail / S/MIME

Application specific document signing

  • OpenOffice internal digital signatures
  • Built-in support in OpenOffice.org http://wiki.services.openoffice.org/wiki/How_to_use_digital_Signatures
  • PDF
  • Sinadura – a multiplatform PDF signing application with PKCS#11 support. Source code available under GPL. Mostly targeting Spanish speaking people.
  • OpenSignature – a multiplatform PDF signing application with smart card support. Source code is available under GPL. Mostly targets Italian speaking people.
  • jPdfSign – a commandline application written in Java which allows to add an invisible signature to PDF documents. The private key for signing the PDF document have to be stored in an password protected PKCS#12 file or in a PKCS#11 compatible hardware-tokens.
  • Generic
  • Cryptonit is a multiplatform open source (GPL) signing and (de)crypting software with PKCS#11 support that generates PKCS#7 containers.

Legally binding (non-repudiation) signature software

  • DigiDocClient3 (also known as qdigidoc) implements DigiDoc/BDOC format (a XAdES profile) and available as LGPL source or [ftp://ftp.id.eesti.ee/pub/id/macosx/ multiplatform binary] from https://id.eesti.ee/idtrac/wiki/ArendajaSissejuhatus.. This obsoletes gdigidoc.
  • DigiDoc is the official legally binding signature format used in Estonia (and Latvia and Lithuania) See http://wpki.eu for more information
  • Companion utility, DigiDoc3Crypto provides encryption functionality.
  • j4sign is a multiplatform open source legal signature software with PKCS#11 support. Currently in Italian.

Local authentication / login

Disk encryption

  • TrueCrypt can use PKCS#11 tokens as keyfile stores. NB! TrueCrypt does not use asymmetric keys generated on the card but stores symmetric keys as data files in the token! This requires write access to the token and keyfiles are extracted in plaintext on every use.
  • Linux disk encryption

Miscellaneous applications

  • GnuPG can be configured to work with whatever smart card that provides a PKCS#11 library. See gnupg-pkcs11 for more information. Be aware – configuring and using this solution is not trivial.
  • HBCI Home banking

PKI/CA

  • EJBCA is a complete open source J2EE implementation of CA and RA software. It supports PKCS#11 for CA key storage. Compatibility with issuing OpenSC created smart cards for end users has been tested. Using OpenSC cards to store CA keys are yet to be tested.
  • OpenCA is an open source CA offering PKI services. It includes code to use the command line tools of OpenSC in a scripted way, no PKCS#11 support.
  • XCA is an open source CA GUI using OpenSSL and QT4. It supports PKCS#11 to manage and use keys and certificates on smart cards.

Work in progress

The following projects are working on adding PKCS#11 support into their software. People who feel comfortable working with source code can check out the latest snapshots.

CA

  • gnoMint is an X.509 Certification Authority management tool. Currently, it has two different interfaces: one for GTK/Gnome environments, and another one for command-line. Windows port soon (patch submitted). Import/Export to pkcs12 format. Will soon include some OpenSC support.
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.