The Feitian PKI card/token holds up to 64 kB of free memory (64 x 1024 bytes = 65536 bytes), one of the largest amounts of free memory on the market. This page describes how to tune the Feitian PKI file system.
These changes are included by default in the OpenSC svn version (OpenSC 0.12.1).
Understanding OpenSC settings
Under OpenSC, the card's initialization profile is stored in:
/usr/share/opensc/entersafe.profile
Open /usr/share/opensc/entersafe.profile with a text editor.
The default OpenSC file system values are set in the macros block of the "onepin" option:
option onepin {
    macros {
        pin-flags = local, initialized, needs-padding;
        df_acl = *=$PIN;
        protected = *=$PIN,READ=NONE;
        dir-size = 128;
        tinfo-size = 128;
        unusedspace-size = 128;
        odf-size = 256;
        aodf-size = 256;
        cdf-size = 512;
        prkdf-size = 256;
        pukdf-size = 256;
        dodf-size = 256;
        info-size = 128;
    }
}
These values are in bytes.
To read the macros:
aodf-size: Authentication Object Directory File (points to the PIN file)
cdf-size: Certificate Directory File
prkdf-size: Private Key Directory File
pukdf-size: Public Key Directory File
dodf-size: Data Object Directory File
We are not sure, but it seems that no single file can be larger than 32 kB.
How much space is needed
Here, the main point is to increase the sizes for private keys, public keys and certificates:
prkdf-size: Private Key Directory File
pukdf-size: Public Key Directory File
cdf-size: Certificate Directory File
Here is some information about space and needs:
- A public or private key can take up to ??? bytes in the directory file.
- A 1024-bit RSA key pair may take 500 bytes ???
- A 2048-bit RSA key pair may take 1000 bytes ???
- Each RSA key pair can have up to three certificates: the user certificate, the CA and an intermediate CA. As a rule of thumb, cdf-size is therefore about three times prkdf-size and pukdf-size.
Proposed settings
So let's try these settings, replacing the values in the onepin macros block of /usr/share/opensc/entersafe.profile:
option onepin {
    macros {
        dir-size = 256;
        info-size = 256;
        unusedspace-size = 128;
        odf-size = 512;
        aodf-size = 512;
        cdf-size = 3072;
        prkdf-size = 1024;
        pukdf-size = 1024;
    }
}
The space used is: (512 + 512 + 3072 + 1024 + 1024) * 8 = 49152 bytes, which should fit into the 64 kB of free space.
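Before recompiling, it is worth checking a candidate macros block against the limits described on this page. The checker below is an added example, not part of the page or of OpenSC: it parses the `*-size` lines of a profile macros block, flags any file above the (unconfirmed) 32 kB per-file ceiling, compares the plain sum of the sizes with the 64 kB of free memory (the page's own arithmetic applies an extra factor of 8, which is not reproduced here), and applies the page's rule that cdf-size should be about three times prkdf-size. The sample block is the proposed settings from above.

```python
import re

# Constructed sample: the "Proposed settings" macros block from this page.
PROPOSED_MACROS = """
option onepin {
    macros {
        dir-size = 256;
        info-size = 256;
        unusedspace-size = 128;
        odf-size = 512;
        aodf-size = 512;
        cdf-size = 3072;
        prkdf-size = 1024;
        pukdf-size = 1024;
    }
}
"""

CARD_FREE_BYTES = 64 * 1024   # 65536 bytes of free memory on the Feitian PKI
MAX_FILE_BYTES = 32 * 1024    # per-file ceiling as stated (unconfirmed) on the page

# Matches lines such as "cdf-size = 3072;" and captures ("cdf", "3072").
_SIZE_RE = re.compile(r"^\s*([a-z]+)-size\s*=\s*(\d+)\s*;", re.MULTILINE)


def parse_sizes(profile_text):
    """Return a dict like {'dir': 256, 'odf': 512, ...} from the *-size lines."""
    return {name: int(value) for name, value in _SIZE_RE.findall(profile_text)}


def check_sizes(sizes, free_bytes=CARD_FREE_BYTES, max_file=MAX_FILE_BYTES):
    """Return (total_bytes, problems) for a parsed macros block.

    problems is a list of human-readable strings; an empty list means the
    sizes respect every limit this page describes.
    """
    problems = []
    for name, size in sorted(sizes.items()):
        if size > max_file:
            problems.append(f"{name}-size={size} exceeds the {max_file}-byte per-file limit")
    total = sum(sizes.values())
    if total > free_bytes:
        problems.append(f"total {total} bytes exceeds the {free_bytes} bytes free on the card")
    # Each key pair may carry up to three certificates, so the certificate
    # directory file should be roughly three times the private key directory file.
    if "cdf" in sizes and "prkdf" in sizes and sizes["cdf"] < 3 * sizes["prkdf"]:
        problems.append("cdf-size is smaller than 3 x prkdf-size; certificates may not fit")
    return total, problems
```

Running `check_sizes(parse_sizes(PROPOSED_MACROS))` on the proposed block returns a total of 6784 bytes and no problems.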
Recompile and install OpenSC.
Initializing the card with custom settings
Simply run:
pkcs15-init --create-pkcs15 --profile pkcs15+onepin+feitianpki --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"
Storing 9 keys on the Feitian PKI
For testing purposes, we consider an RSA 2048-bit key pair with 3 certificates and write it to the Feitian PKI in a loop.
We are using a PKCS#12 file containing:
- One CAcert 2048-bit key.
- One user X.509 certificate.
- Two CAcert root certificates (these root certificates are only written once to the card).
The script is as follows:
#!/bin/sh
pkcs15-init --create-pkcs15 --profile pkcs15+onepin+feitianpki --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"

KEYFILE=/path/to/keypair.p12     # placeholder: your PKCS#12 file (key and certificates)
PASSPHRASE=changeme              # placeholder: the passphrase of that PKCS#12 file

# Store the same key pair nine times, labelled "Key 1" to "Key 9".
i=0
while [ $i -lt 9 ] ; do
    i=$((i+1))
    echo "Storing key pair $i"
    pkcs15-init --store-private-key "$KEYFILE" --format pkcs12 --auth-id 01 --pin 0000 --passphrase "$PASSPHRASE" --label "Key $i"
done
Warning: the script will remove any information on your smartcard.
This script stores 9 key pairs on the Feitian PKI, which is more than enough for most needs.