Tuning smartcard file system

The Feitian PKI card/token holds up to 64 kB of free memory (64 x 1024 bytes = 65536 bytes), which is one of the largest amounts of free memory on the market. This page describes how to tune the Feitian PKI file system.

These changes are included by default in the OpenSC svn version and in OpenSC 0.12.1.

Understanding OpenSC settings

OpenSC initialization profiles are stored in:
/usr/share/opensc/entersafe.profile

Open /usr/share/opensc/entersafe.profile with a text editor.

Default OpenSC file system values are set in the "onepin" option block:

option onepin {
    macros {
        pin-flags = local, initialized, needs-padding;
        df_acl = *=$PIN;
        protected = *=$PIN,READ=NONE;
        dir-size = 128;
        tinfo-size = 128;
        unusedspace-size = 128;
        odf-size = 256;
        aodf-size = 256;
        cdf-size = 512;
        prkdf-size = 256;
        pukdf-size = 256;
        dodf-size = 256;
        info-size = 128;
    }
}

These values are in bytes.

To read the macros:

odf-size: Object Directory File: pointers to the other directory files
aodf-size: Authentication Object Directory File: points to the PIN file
cdf-size: Certificate Directory File
prkdf-size: Private Key Directory File
pukdf-size: Public Key Directory File
dodf-size: Data Object Directory File

We are not sure, but it seems that no file can be larger than 32 kB.

How much space is needed

Here, the main point is to increase the size of the directory files for private keys, public keys and certificates:

cdf-size: Certificate Directory File
prkdf-size: Private Key Directory File
pukdf-size: Public Key Directory File

Here is some information about space and needs:

  • A public or private key can take up to ??? bytes in the directory file.
  • A 1024-bit RSA key pair may take 500 bytes ???
  • A 2048-bit RSA key pair may take 1000 bytes ???
  • Each RSA key pair can have up to three certificates: user certificate, CA and intermediate CA. As a rule, cdf-size is usually three times the size of prkdf-size and pukdf-size.

Proposed settings

So let's try these settings, by adding a new option block to /usr/share/opensc/entersafe.profile:

option feitianpki {
    macros {
        dir-size = 256;
        info-size = 256;
        unusedspace-size = 128;
        odf-size = 512;
        aodf-size = 512;
        cdf-size = 3072;
        prkdf-size = 1024;
        pukdf-size = 1024;
    }
}

The space used is: (512 + 512 + 3072 + 1024 + 1024) * 8 = 49152 bytes,
which should fit into the 64 kB of free space.
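As an added example (not from the OpenSC wiki or the OpenSC project), a small Python checker that parses an option block like the one above, reproduces the space estimate just given (sum of the five directory files times 8) and flags any directory file above the 32 kB per-file limit mentioned earlier or a total above the card's 64 kB of free memory. The option text is a constructed copy of the block above, and both limits are assumptions carried over from this page.

```python
import re

# Assumed limits, taken from this page: 64 kB free, ~32 kB maximum per file.
CARD_FREE_BYTES = 64 * 1024
MAX_FILE_BYTES = 32 * 1024

# Directory files whose sizes the page sums when estimating space.
SUMMED_FILES = ("odf-size", "aodf-size", "cdf-size", "prkdf-size", "pukdf-size")

# Constructed copy of the option block proposed above (not read from disk).
FEITIANPKI_OPTION = """
option feitianpki {
    macros {
        dir-size = 256;
        info-size = 256;
        unusedspace-size = 128;
        odf-size = 512;
        aodf-size = 512;
        cdf-size = 3072;
        prkdf-size = 1024;
        pukdf-size = 1024;
    }
}
"""

def parse_macros(option_text):
    """Return {name: value} for the 'name = value;' macros in an option block."""
    body = re.search(r"macros\s*\{(.*?)\}", option_text, re.S)
    if body is None:
        raise ValueError("no macros block found")
    macros = {}
    for name, value in re.findall(r"([\w-]+)\s*=\s*([^;]+);", body.group(1)):
        value = value.strip()
        macros[name] = int(value) if value.isdigit() else value
    return macros

def estimate_space(macros, factor=8):
    """Reproduce the page's estimate: sum of the directory files times 8."""
    return sum(macros[name] for name in SUMMED_FILES) * factor

def check_limits(macros):
    """Return a list of problems; an empty list means the settings fit."""
    problems = []
    for name in SUMMED_FILES:
        if macros[name] > MAX_FILE_BYTES:
            problems.append(f"{name}={macros[name]} exceeds {MAX_FILE_BYTES} bytes")
    total = estimate_space(macros)
    if total > CARD_FREE_BYTES:
        problems.append(f"estimated {total} bytes exceeds {CARD_FREE_BYTES} bytes free")
    return problems
```

Running `check_limits(parse_macros(FEITIANPKI_OPTION))` on the proposed block returns an empty list, while raising cdf-size past 32 kB produces both a per-file and a total-space problem.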

Recompile and install OpenSC.

Initializing the card with custom settings

Simply run:

pkcs15-init -E
pkcs15-init --create-pkcs15 --profile pkcs15+onepin+feitianpki --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"

Storing 9 keys on the Feitian PKI

For testing purposes, we take an RSA 2048-bit key pair with 3 certificates and write it to the Feitian PKI repeatedly in a loop.

We are using a PKCS#12 file containing:

  • One CAcert 2048-bit key.
  • One user X.509 certificate.
  • Two CAcert root certificates (these root certificates are only written once to the card).

The script is as follows:

pkcs15-init -E
pkcs15-init --create-pkcs15 --profile pkcs15+onepin+feitianpki --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"
i=0
while [ $i -lt 9 ] ; do
    i=$(($i+1))
    echo "Storing key $i"
    # Replace ***** with the PKCS#12 file and ******** with its passphrase.
    pkcs15-init --store-private-key ***** --format pkcs12 --auth-id 01 --pin 0000 --passphrase ******** --label "Key $i"
done

Warning: the script will remove any information on your smartcard.
This script stores 9 key pairs on the Feitian PKI, which is more than enough for most needs.