Using smart card for authentication and PDF signing

Hello folks! I’m now trying to figure out another thing as part of my migration from Windows =p: how to authenticate to a website and how to sign a PDF using a smart card digital certificate.

I’ve found out about lots of stuff already, like the Arch Wiki article on Smart Cards, and using Okular to sign PDFs.

I got around to installing the recommended packages with

sudo pacman -S ccid opensc pcsc-tools
sudo systemctl enable pcscd.service
sudo systemctl start pcscd.service

When I run pcsc_scan it properly shows me my reader and details on my card’s certificate:

$ pcsc_scan 
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <[email protected]>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto PC Twin Reader 00 00
...
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7D 96 00 00 80 31 80 65 B0 83 11 11 E5 83 00 90 00
3B 7D .. 00 00 80 31 80 65 B0 .. .. .. .. 83 .. 90 00
	IDClassic 3XX / Classic TPC (IXS, IS, IS V2, IS CC, IM, IM CC, IM CC V3) / MultiApp ID Cards
3B 7D 96 00 00 80 31 80 65 B0 83 11 11 E5 83 00 90 00
	Gemalto TOP DL v2 StdR
	eCPF (Cadastro de Pessoas Físicas) from Imprensa Oficial do Brasil
	Identidade digital (e-CPF) from Caixa

The Arch Wiki article mentions that

The Chrome, Firefox, Thunderbird and SeaMonkey are automatically processed with pkcs11-register(1) at each login. (Discuss in Talk:Smartcards)

So I shut down my browser, executed it… and still nothing. Sadly, the “Talk:Smartcards” page is completely empty.

I thought maybe it was enough that pcsc_scan could see my reader and certificate, but I still have no success trying to log in on either FireDragon or Vivaldi, and the certificate also won’t show up in Okular (when I go to Tools > Digitally Sign, all I get is an error message about there being no signing certificates available, and a link to a manual about adding digital signatures, which must be outdated since there’s nothing about the subject there).

$ garuda-inxi 
System:
  Kernel: 6.2.9-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 12.2.1
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
    root=UUID=468e3250-834f-4678-85b1-f50f268e557d rw rootflags=subvol=@
    quiet quiet splash rd.udev.log_priority=3 vt.global_cursor_default=0
    resume=UUID=92d5bc58-440e-4eab-9f01-4fa35d34e02b loglevel=3 ibt=off
  Desktop: KDE Plasma v: 5.27.3 tk: Qt v: 5.15.8 wm: kwin_x11 vt: 1 dm: SDDM
    Distro: Garuda Linux base: Arch Linux
Machine:
  Type: Laptop System: Dell product: G5 5590 v: N/A
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: Dell model: 0F3T2G v: A00 serial: <superuser required> UEFI: Dell
    v: 1.22.0 date: 11/10/2022
Battery:
  ID-1: BAT0 charge: 48.6 Wh (100.0%) condition: 48.6/60.0 Wh (81.0%)
    volts: 16.6 min: 15.2 model: SMP DELL JJPFK87 type: Li-poly serial: <filter>
    status: full
CPU:
  Info: model: Intel Core i7-9750H bits: 64 type: MT MCP arch: Coffee Lake
    gen: core 9 level: v3 note: check built: 2018 process: Intel 14nm family: 6
    model-id: 0x9E (158) stepping: 0xA (10) microcode: 0xF0
  Topology: cpus: 1x cores: 6 tpc: 2 threads: 12 smt: enabled cache:
    L1: 384 KiB desc: d-6x32 KiB; i-6x32 KiB L2: 1.5 MiB desc: 6x256 KiB
    L3: 12 MiB desc: 1x12 MiB
  Speed (MHz): avg: 1849 high: 2600 min/max: 800/4500 scaling:
    driver: intel_pstate governor: powersave cores: 1: 2600 2: 800 3: 800
    4: 2600 5: 2600 6: 2600 7: 799 8: 2600 9: 800 10: 2600 11: 2600 12: 800
    bogomips: 62399
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities: <filter>
Graphics:
  Device-1: Intel CoffeeLake-H GT2 [UHD Graphics 630] vendor: Dell
    driver: i915 v: kernel arch: Gen-9.5 process: Intel 14nm built: 2016-20
    ports: active: none off: eDP-1 empty: DP-1, DP-2, HDMI-A-1, HDMI-A-2
    bus-ID: 00:02.0 chip-ID: 8086:3e9b class-ID: 0300
  Device-2: NVIDIA TU106M [GeForce RTX 2060 Mobile] vendor: Dell
    driver: nvidia v: 530.41.03 alternate: nouveau,nvidia_drm non-free: 530.xx+
    status: current (as of 2023-03) arch: Turing code: TUxxx
    process: TSMC 12nm FF built: 2018-22 pcie: gen: 1 speed: 2.5 GT/s lanes: 8
    link-max: gen: 3 speed: 8 GT/s lanes: 16 bus-ID: 01:00.0
    chip-ID: 10de:1f11 class-ID: 0300
  Device-3: Microdia Integrated_Webcam_HD type: USB driver: uvcvideo
    bus-ID: 1-5:4 chip-ID: 0c45:671f class-ID: 0e02
  Display: x11 server: X.Org v: 21.1.8 with: Xwayland v: 23.1.1
    compositor: kwin_x11 driver: X: loaded: modesetting,nvidia unloaded: nouveau
    alternate: fbdev,intel,nv,vesa dri: iris gpu: i915 display-ID: :0
    screens: 1
  Screen-1: 0 s-res: 2560x2160 s-dpi: 96 s-size: 675x570mm (26.57x22.44")
    s-diag: 883mm (34.78")
  Monitor-1: DP-1-0 pos: primary,top res: 2560x1080 hz: 60 dpi: 81
    size: 798x334mm (31.42x13.15") diag: 865mm (34.06") modes: N/A
  Monitor-2: HDMI-1-0 pos: bottom res: 2560x1080 hz: 60 dpi: 96
    size: 677x290mm (26.65x11.42") diag: 736mm (29") modes: N/A
  Monitor-3: eDP-1 size-res: N/A modes: N/A
  API: OpenGL v: 4.6 Mesa 23.0.1 renderer: Mesa Intel UHD Graphics 630 (CFL
    GT2) direct-render: Yes
Audio:
  Device-1: Intel Cannon Lake PCH cAVS vendor: Dell driver: snd_hda_intel
    bus-ID: 1-4.1:5 v: kernel chip-ID: 1b3f:2008
    alternate: snd_soc_skl,snd_sof_pci_intel_cnl bus-ID: 00:1f.3
    class-ID: 0300 chip-ID: 8086:a348 class-ID: 0403
  Device-2: NVIDIA TU106 High Definition Audio vendor: Dell
    driver: snd_hda_intel v: kernel pcie: gen: 3 speed: 8 GT/s lanes: 8
    link-max: lanes: 16 bus-ID: 01:00.1 chip-ID: 10de:10f9 class-ID: 0403
  Device-3: Generalplus USB Audio Device type: USB
    driver: hid-generic,snd-usb-audio,usbhid
  Device-4: Realtek USB Audio type: USB driver: snd-usb-audio
    bus-ID: 1-4.5:9 chip-ID: 0bda:4014 class-ID: 0102 serial: <filter>
  API: ALSA v: k6.2.9-zen1-1-zen status: kernel-api with: aoss
    type: oss-emulator tools: N/A
  Server-1: PipeWire v: 0.3.67 status: active with: 1: pipewire-pulse
    status: active 2: wireplumber status: active 3: pipewire-alsa type: plugin
    4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Realtek vendor: Dell driver: r8169 v: kernel pcie: gen: 1
    speed: 2.5 GT/s lanes: 1 port: 3000 bus-ID: 3c:00.0 chip-ID: 10ec:2502
    class-ID: 0200
  IF: enp60s0 state: down mac: <filter>
  Device-2: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter
    vendor: Dell driver: ath10k_pci v: kernel pcie: gen: 1 speed: 2.5 GT/s
    lanes: 1 bus-ID: 3d:00.0 chip-ID: 168c:003e class-ID: 0280 temp: 48.0 C
  IF: wlp61s0 state: down mac: <filter>
  Device-3: Realtek RTL8153 Gigabit Ethernet Adapter type: USB driver: r8152
    bus-ID: 6-1.2:3 chip-ID: 0bda:8153 class-ID: 0000 serial: <filter>
  IF: enp58s0u1u2 state: up speed: 1000 Mbps duplex: full mac: <filter>
Bluetooth:
  Device-1: Qualcomm Atheros type: USB driver: btusb v: 0.8 bus-ID: 1-14:8
    chip-ID: 0cf3:e007 class-ID: e001
  Report: bt-adapter ID: hci0 rfk-id: 0 state: up address: <filter>
Drives:
  Local Storage: total: 1.14 TiB used: 538.63 GiB (46.0%)
  SMART Message: Unable to run smartctl. Root privileges required.
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Western Digital
    model: PC SN520 NVMe WDC 256GB size: 238.47 GiB block-size: physical: 512 B
    logical: 512 B speed: 15.8 Gb/s lanes: 2 type: SSD serial: <filter>
    rev: 20240012 temp: 51.9 C scheme: GPT
  ID-2: /dev/sda maj-min: 8:0 vendor: Western Digital
    model: WD10SPZX-75Z10T3 size: 931.51 GiB block-size: physical: 4096 B
    logical: 512 B speed: 6.0 Gb/s type: HDD rpm: 5400 serial: <filter>
    rev: 4514 scheme: GPT
Partition:
  ID-1: / raw-size: 221.19 GiB size: 221.19 GiB (100.00%)
    used: 63.78 GiB (28.8%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
    used: 624 KiB (0.2%) fs: vfat dev: /dev/nvme0n1p1 maj-min: 259:1
  ID-3: /home raw-size: 221.19 GiB size: 221.19 GiB (100.00%)
    used: 63.78 GiB (28.8%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
  ID-4: /var/log raw-size: 221.19 GiB size: 221.19 GiB (100.00%)
    used: 63.78 GiB (28.8%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
  ID-5: /var/tmp raw-size: 221.19 GiB size: 221.19 GiB (100.00%)
    used: 63.78 GiB (28.8%) fs: btrfs dev: /dev/nvme0n1p2 maj-min: 259:2
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: zram size: 15.43 GiB used: 0 KiB (0.0%) priority: 100
    dev: /dev/zram0
  ID-2: swap-2 type: partition size: 16.98 GiB used: 0 KiB (0.0%)
    priority: -2 dev: /dev/nvme0n1p3 maj-min: 259:3
Sensors:
  System Temperatures: cpu: 69.0 C pch: 69.0 C mobo: 65.0 C
  Fan Speeds (RPM): cpu: 2418 fan-1: 2353
Info:
  Processes: 323 Uptime: 1h 12m wakeups: 3 Memory: 15.43 GiB
  used: 6.72 GiB (43.5%) Init: systemd v: 253 default: graphical
  tool: systemctl Compilers: gcc: 12.2.1 Packages: pm: pacman pkgs: 1920
  libs: 531 tools: gnome-software,octopi,pamac,paru,yay pm: appimage pkgs: 0
  Shell: Zsh v: 5.9 running-in: kitty inxi: 3.3.26
Garuda (2.6.16-1):
  System install date:     2023-04-01
  Last full system update: 2023-04-06
  Is partially upgraded:   No
  Relevant software:       snapper NetworkManager dracut nvidia-dkms
  Windows dual boot:       No/Undetected
  Failed units:   
1 Like

(had a minor hiccup because of an update. @meanruse pointed to topics mentioning it. Simple sudo systemctl enable --now sddm.service solved. Now back on track, previous unrelated content removed)

1 Like

This may be a silly question, but is pkcs11-register installed?


edit: for Okular, it looks like the relevant info is missing in the Brazilian Portuguese translation; the English version has a section about adding signatures: Signatures

Adding Digital Signatures

You can add digital signatures to documents using the corresponding action in the Tools menu.

To be able to sign a document you need to have a proper PKCS signing certificate available on your system. Okular does not have the ability to create such certificates since they need to be issued by certificate authorities to be useful for validation, etc.

We use the Poppler library to handle signing of PDF documents and Poppler is using the NSS library to handle certificates. At the point of writing, Poppler will try to use one of the following NSS certificate stores in order (the first that exists):

The current Firefox user certificate store.

The system-wide /etc/pki/nssdb certificate store.

The current user $HOME/.pki/nssdb

If you want to use a custom certificate store you can do so by setting it in the PDF Backend Configuration section of the Configure Backends... dialog.

1 Like

yes, it’s installed:

$ command -v pkcs11-register 
/usr/sbin/pkcs11-register

I thought it was clear that it was pkcs11-register I was talking about when I said:

And yeah, I know the English version is there - that link you posted was actually my first find when Googling for “linux sign pdf with card” lol

1 Like

Apologies for my misunderstanding.
I'm wondering whether it could be a browser problem (which ones did you try with, by the way?) or a problem with the specific card: I see for instance that newer Italian health service cards are not supported yet (but they return different bytes than yours): Issues · OpenSC/OpenSC · GitHub

I tried it both on Vivaldi (Chromium based) and Firefox.

pcsc_scan seems to grab everything, really... here's the full log, I left out a few lines in the original post:

PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau <[email protected]>
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto PC Twin Reader 00 00
 
Thu Apr  6 15:22:47 2023
 Reader 0: Gemalto PC Twin Reader 00 00
  Event number: 0
  Card state: Card inserted, 
  ATR: 3B 7D 96 00 00 80 31 80 65 B0 83 11 11 E5 83 00 90 00

ATR: 3B 7D 96 00 00 80 31 80 65 B0 83 11 11 E5 83 00 90 00
+ TS = 3B --> Direct Convention
+ T0 = 7D, Y(1): 0111, K: 13 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 80 31 80 65 B0 83 11 11 E5 83 00 90 00
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 80
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: 5 (pre-issuing data)
      Data: B0 83 11 11 E5
    Tag: 8, len: 3 (status indicator)
      LCS (life card cycle): 00 (No information given)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7D 96 00 00 80 31 80 65 B0 83 11 11 E5 83 00 90 00
3B 7D .. 00 00 80 31 80 65 B0 .. .. .. .. 83 .. 90 00
	IDClassic 3XX / Classic TPC (IXS, IS, IS V2, IS CC, IM, IM CC, IM CC V3) / MultiApp ID Cards
3B 7D 96 00 00 80 31 80 65 B0 83 11 11 E5 83 00 90 00
	Gemalto TOP DL v2 StdR
	eCPF (Cadastro de Pessoas Físicas) from Imprensa Oficial do Brasil
	Identidade digital (e-CPF) from Caixa
	http://www.caixa.gov.br/
	Ingenico Sign/Kit Telium TETRA (Developer kit signature card)
	https://developer.ingenico.com/hc/en-gb
	Brazilian "e-CNPJ" card, issued by Certisign (Safesign)

After showing that, pcsc_scan will keep running and watching... it recognizes if I remove the card, and correctly reads it all again if I put it back in the reader.

1 Like

TL;DR: To get straight to the point (and because I'm pretty sure I'll need it down the road):

  • sudo pacman -S ccid opensc pcsc-tools
  • sudo systemctl enable --now pcscd.service
  • Attach your USB reader and put your smart card in it;
  • opensc-tool -n to check if the card is supported. If it's not, you need to figure out the manufacturer/vendor of your smart card and find their driver
  • In this case, card was made by AET Europe, driver/package needed was "safesignidentityclient"
  • yay -S safesignidentityclient; during it you'll see the required file right there (screenshot not reproduced):
  • modutil -dbdir sql:$HOME/.pki/nssdb/ -add "AET SafeSign" -libfile /usr/lib/libaetpkss.so to load the driver up and you're home.
  • If you're using it on Firefox, you need to load the /usr/lib/libaetpkss.so driver on Settings > Privacy & Security > roll all the way down to Security Devices > Load
  • If you're using it on a Chromium-based browser, from what I gather you don't need to do anything else; Chromium browsers grab it straight from the modutil stuff (or there was some other step I'm not seeing in history right now that did it)

I'm gonna add some keywords here to help possible neighbors find out what they're looking for:
identidade digital, certificado digital, acesso.gov.br

(original)
Took some time off, but thought I'd get back on it once more before going to bed. Thought I'd broaden my search beyond just Arch stuff, found this:

When I try pkcs11-tool --list-objects --login, I get a weird error:

Using slot 0 with a present token (0x0)
error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1)
Aborting.

This other one also gives an error:

$ pkcs15-tool --list-info
Using reader with a card: Gemalto PC Twin Reader 00 00
Failed to connect to card: Card is invalid or cannot be handled

I know the certificate is valid because I can use it with no trouble on Windows, though...

Huh, I wonder if this is the problem:

$ opensc-tool -n
Using reader with a card: Gemalto PC Twin Reader 00 00
Unsupported card

Looks like what I actually need is this... I just need to find where to download the mf...

Closer I could find was 3.8.0.0 for Ubuntu...

Looks like the 3.7.0.0 is in AUR

yay -S safesignidentityclient, then loaded /usr/lib/libaetpkss.so on Firedragon and... SUCCESS.

At least so far. Let's see if this actually works.

On Firedragon it works, I was able to log in to a website using my certificate from the smart card. But still no success on Okular, still getting the "no sign certificates available" error there...

DING DING DING! I had forgotten to modutil this sucker in. modutil -dbdir sql:$HOME/.pki/nssdb/ -add "AET SafeSign" -libfile /usr/lib/libaetpkss.so and it showed right up on Okular!

Ah right, found this tab open and thought I should share: this is where it hit me to find the proper driver. I had found this Brazilian article on Medium, and way down the road he mentions the SafenetAuthenticationClient-9.1.7–0_amd64.deb. That's when it hit me that I had already dealt with safesignidentityclient before and had to find it!

4 Likes
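As an added example (not code posted by anyone in this thread), here is a POSIX shell script that runs the TL;DR checklist above non-interactively and also applies the Okular handbook's store order quoted earlier: it checks that pcscd is active, classifies the `opensc-tool -n` output (the "Unsupported card" case is the one that needs a vendor module), picks the first existing NSS database in the order Poppler tries them, and registers the PKCS#11 module there only if it is not already listed. The module name "AET SafeSign" and the library path /usr/lib/libaetpkss.so are taken from the thread; the function names, the sample outputs, and the simplified profiles.ini handling are my own assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant.
# Assumed defaults come from the thread's TL;DR; override via environment.
MODULE_NAME="${MODULE_NAME:-AET SafeSign}"
MODULE_LIB="${MODULE_LIB:-/usr/lib/libaetpkss.so}"

# card_supported OUTPUT: classify the text printed by `opensc-tool -n`.
# 0 = OpenSC named the card; 1 = "Unsupported card" (the thread's symptom,
# meaning a vendor PKCS#11 module is needed) or no card/reader reachable.
card_supported() {
    case "$1" in
        *"Unsupported card"*|*"Failed to connect"*|*"No smart card"*) return 1 ;;
        *"Using reader with a card"*) return 0 ;;
        *) return 1 ;;
    esac
}

# module_registered LISTING NAME: is NAME already in `modutil -list` output?
# modutil prints each module header as "  N. <name>"; strip the numbering
# and compare whole lines so a partial name does not count as a match.
module_registered() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*[0-9][0-9]*\. //p' \
        | grep -qxF -- "$2"
}

# first_existing_store DIR...: print the first directory that exists, in the
# order given (Poppler's "first that exists" rule). Registering the module in
# a store Poppler never opens gives the "no signing certificates" error.
first_existing_store() {
    for d in "$@"; do
        if [ -d "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# firefox_profile_dirs: profile directories from Firefox's profiles.ini, if any.
# Assumed simplification: Path= is relative to ~/.mozilla/firefox unless absolute.
firefox_profile_dirs() {
    ini="$HOME/.mozilla/firefox/profiles.ini"
    [ -f "$ini" ] || return 0
    sed -n 's/^Path=//p' "$ini" | while IFS= read -r p; do
        case "$p" in
            /*) printf '%s\n' "$p" ;;
            *)  printf '%s\n' "$HOME/.mozilla/firefox/$p" ;;
        esac
    done
}

# Constructed sample outputs (not captured from a real machine) so the
# classifiers can be exercised with no reader attached.
SAMPLE_OPENSC_UNSUPPORTED='Using reader with a card: Gemalto PC Twin Reader 00 00
Unsupported card'
SAMPLE_OPENSC_OK='Using reader with a card: Gemalto PC Twin Reader 00 00
Example Vendor ID Card'
SAMPLE_MODUTIL_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
      status: loaded

  2. AET SafeSign
    library name: /usr/lib/libaetpkss.so
      status: loaded
-----------------------------------------------------------'

main() {
    # 1. Without pcscd nothing below can reach the reader.
    systemctl is-active --quiet pcscd.service \
        || { echo "pcscd is not active: sudo systemctl enable --now pcscd.service"; exit 1; }
    # 2. Ask OpenSC about the card.
    out=$(opensc-tool -n 2>&1)
    echo "$out"
    if card_supported "$out"; then
        echo "OpenSC handles this card natively."
    else
        echo "OpenSC does not know this card; a vendor module such as $MODULE_LIB is needed."
        [ -f "$MODULE_LIB" ] || { echo "$MODULE_LIB is missing: install the vendor client first"; exit 1; }
    fi
    # 3. Register the module in the store Okular/Poppler will consult, once.
    #    (Profile paths containing spaces are not handled here.)
    store=$(first_existing_store $(firefox_profile_dirs) /etc/pki/nssdb "$HOME/.pki/nssdb") \
        || { echo "no NSS database found; create one: certutil -d sql:\$HOME/.pki/nssdb -N"; exit 1; }
    if module_registered "$(modutil -dbdir "sql:$store" -list 2>/dev/null)" "$MODULE_NAME"; then
        echo "$MODULE_NAME already registered in $store"
    else
        modutil -dbdir "sql:$store" -add "$MODULE_NAME" -libfile "$MODULE_LIB" -force
        echo "registered $MODULE_NAME in $store"
    fi
    # 4. Prove the token is reachable through the module (prompts for the PIN).
    pkcs11-tool --module "$MODULE_LIB" --list-objects --login
}

# Live checks run only when invoked as: sh smartcard-check.sh run
case "${1:-}" in
    run) main ;;
esac
```

Run it as `sh smartcard-check.sh run` with the card inserted; without the argument it only defines the functions. If `first_existing_store` picks a Firefox profile, that is also the database Okular will read, so the `modutil -add` there replaces the separate Firefox "Load device" step from the TL;DR.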
