Signing files automatically using hardware token in Linux

I am currently doing some work on automatic signing of files for a friend of mine on a Linux machine (Ubuntu 19.10). Scary stuff, I know. The scenario is that the signing key is used by a script or similar, in a controlled environment, for some automated signing operations, but with a certificate that is secured on a physical token such as the SafeNet eToken 5100 or similar Java-based tokens. The end goal is to automate document signing for PDF.

It took a lot of research and looking around before I could tell whether it was even possible. It turned out to be pretty simple once I had the right drivers. Now that I have it working here, the next step is to migrate it all to Windows and a PowerShell script, but that is the next challenge.. =)

This is mostly done to make sure I can develop something cross-platform for PowerShell, but before you can walk you need to crawl. So here are some pointers if some fool tries the same mission as I did….. =)

First, download the SafeNet eToken 5100 token drivers (the SafeNet Authentication Client).
Use the CORE drivers from the withoutGUI folder; on a headless box you only need the PKCS#11 module they provide (libeToken.so), not the GUI.

Then install the prerequisites:

sudo apt install openssl
sudo apt install libssl-dev
sudo apt install ./safenetauthenticationclient-core_10.7.77_amd64.deb
sudo apt install libengine-pkcs11-openssl
sudo apt install opensc

libengine-pkcs11-openssl is the libp11 OpenSSL engine that lets openssl use a key living in a PKCS#11 module, and opensc provides pkcs11-tool, which is used below to look inside the token.

After this, plug in your token. It should light up blue and stay blue while it is active. If the light goes out after a few seconds to a minute, the PC/SC daemon is not talking to it; run it in the foreground with APDU tracing so you can see what is happening (use the pcscd service via systemd once you know it works):

sudo /usr/sbin/pcscd --foreground --auto-exit --apdu

Next, enumerate the objects on the token to find the ID of your signing key and any other certificates stored there (the “trust chain certs”):

pkcs11-tool --module /lib/libeToken.so --list-objects

Without --login only the public objects (certificates and public keys) are listed, which is all you need here; add --login if you also want to see the private key objects.

Then I had to export all the certificates, and concatenate all the “other” certs (everything except the signer certificate) into a single file containing the trust chain:

pkcs11-tool --module /lib/libeToken.so --read-object --type cert --id <certid> | openssl x509 -inform DER -outform PEM -out <cert.pem>

cat cert1.pem cert2.pem > chain.pem

Next, configure the OpenSSL pkcs11 engine so that openssl knows where the engine and the token's PKCS#11 module live and how to handle the key. The config file /etc/ssl/openssl.cnf was modified and the following content added:

# This line needs to be added in the "default" area, i.e. before any section
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# Make sure these paths still exist on your system (engines-1.1 is the OpenSSL 1.1 engine directory)
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /lib/libeToken.so
# PIN for your token! Note that /etc/ssl/openssl.cnf is readable by every user
# and every OpenSSL-using process on the machine, so consider leaving this
# line out and passing the PIN at run time with -passin instead.
PIN = 123456
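A safer variant of the same engine configuration, as an added example and not the post's own file (the file name is an assumption): the engine wiring goes into a dedicated config selected with the OPENSSL_CONF environment variable, and the PIN is left out so that the system-wide openssl.cnf stays untouched and the PIN is supplied per invocation.

```ini
# /etc/ssl/pkcs11-engine.cnf  (added example; file name is an assumption)
# Same engine wiring as the post's openssl.cnf, but without the PIN, so this
# file can stay world-readable. Select it with OPENSSL_CONF=/etc/ssl/pkcs11-engine.cnf
# and pass the PIN per run with -passin env:PIN or -passin file:/path/to/pin.
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/libpkcs11.so
MODULE_PATH = /lib/libeToken.so
```

With this file in place the signing command below is run as OPENSSL_CONF=/etc/ssl/pkcs11-engine.cnf PIN=<pincode> openssl smime ... -passin env:PIN, which keeps the PIN out of both the shared config and the process list.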

And now comes the magic; test signing using openssl:

openssl smime -md sha256 -binary -outform SMIME -sign -certfile <chain.pem> -signer <public.pem> -inkey slot_<slotid>-id_<certid> -keyform engine -in <inputfile> -out <outputfile> -engine pkcs11 -passin pass:<pincode>

Here slot_<slotid>-id_<certid> is the libp11 engine's key reference (the slot index from pkcs11-tool plus the object ID listed above), <public.pem> is the signer certificate exported from the token and <chain.pem> the concatenated issuer certificates. Be aware that -passin pass:<pincode> puts the PIN on the command line, where it is visible in the process list and shell history; -passin env:PIN or -passin file:<path> is accepted in the same place and keeps it out of sight.
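The whole procedure wrapped into one script, as an added example that is not part of the original post: it parses the pkcs11-tool listing to find the certificate IDs, exports the signer certificate and the rest of the chain, signs through the pkcs11 engine and then verifies the signature before reporting success, which is the check an unattended job needs. It assumes the engine is configured as in the openssl.cnf above, the eToken module path from the post, the slot index in SLOT, and the PIN in the PIN environment variable; the module and slot defaults, the script name and the sample listing used by the self-test are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the manual steps
# above and adds a verify step. Assumptions: eToken module path from the post,
# engine already configured in openssl.cnf, slot index in $SLOT, PIN in $PIN.
set -u

MODULE="${MODULE:-/lib/libeToken.so}"   # SafeNet PKCS#11 module (from the post)
SLOT="${SLOT:-0}"                        # slot index printed by pkcs11-tool

# Constructed sample of pkcs11-tool --list-objects output, used by selftest
# so the parsing can be exercised without a token plugged in.
SAMPLE_LISTING='Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Signing cert
  subject:    DN: CN=Example Signer
  ID:         a1b2c3
Public Key Object; RSA 2048 bits
  label:      Signing cert
  ID:         a1b2c3
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      Issuing CA
  subject:    DN: CN=Example Issuing CA
  ID:         0f0e'

# Print the CKA_ID of every X.509 certificate object in a --list-objects
# listing read from stdin, one per line. Only "Certificate Object" blocks
# count; the ID lines of key objects are skipped.
cert_ids_from_listing() {
    awk '
        /^Certificate Object;/ { in_cert = 1; next }
        /^[^ ]/                { in_cert = 0 }
        in_cert && $1 == "ID:" { print $2 }
    '
}

# Key reference understood by the libp11 engine: slot_<n>-id_<hex>.
engine_key_ref() {   # engine_key_ref <slot> <id>
    printf 'slot_%s-id_%s\n' "$1" "$2"
}

# Export one certificate from the token as PEM.
export_cert() {      # export_cert <id> <out.pem>
    pkcs11-tool --module "$MODULE" --read-object --type cert --id "$1" \
        | openssl x509 -inform DER -outform PEM -out "$2"
}

# S/MIME-sign <input> with the token key whose certificate has <id>.
# The PIN comes from $PIN via -passin env:, so it never appears in argv.
sign_file() {        # sign_file <id> <signer.pem> <chain.pem> <input> <output>
    openssl smime -sign -md sha256 -binary -outform SMIME \
        -engine pkcs11 -keyform engine \
        -inkey "$(engine_key_ref "$SLOT" "$1")" -passin env:PIN \
        -signer "$2" -certfile "$3" -in "$4" -out "$5"
}

# Verify the signature against the chain. The chain must include the root
# for this to succeed; if the token only holds intermediates, point -CAfile
# at the root certificate instead.
verify_file() {      # verify_file <signed.smime> <chain.pem>
    openssl smime -verify -inform SMIME -in "$1" -CAfile "$2" -out /dev/null
}

# Offline check of the parsing and key-reference logic (no token needed).
selftest() {
    ids=$(printf '%s\n' "$SAMPLE_LISTING" | cert_ids_from_listing | tr '\n' ' ')
    [ "$ids" = "a1b2c3 0f0e " ] && [ "$(engine_key_ref 0 a1b2c3)" = "slot_0-id_a1b2c3" ]
}

# Driver: ./sign.sh sign <signer-cert-id> <input> <output>   (needs the token)
case "${1:-}" in
  sign)
    signer_id=$2; input=$3; output=$4
    work=$(mktemp -d)
    : > "$work/chain.pem"
    for id in $(pkcs11-tool --module "$MODULE" --list-objects | cert_ids_from_listing); do
        if [ "$id" = "$signer_id" ]; then
            export_cert "$id" "$work/signer.pem"
        else
            export_cert "$id" "$work/one.pem" && cat "$work/one.pem" >> "$work/chain.pem"
        fi
    done
    sign_file "$signer_id" "$work/signer.pem" "$work/chain.pem" "$input" "$output" \
        && verify_file "$output" "$work/chain.pem"
    status=$?
    rm -rf "$work"
    exit "$status"
    ;;
esac
```

Run it as PIN=<pincode> SLOT=<slotid> ./sign.sh sign <certid> <inputfile> <outputfile>; the output is the same S/MIME signature the post's test command produces (not a PAdES signature embedded in the PDF), and the script exits non-zero if either the signing or the verification against the exported chain fails. selftest only exercises the listing parser and the key-reference builder, so it runs without any token present.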

PHP Library for Freja eID

During the Covid-19 pandemic I have been working hard at work supporting many customers with identity and security. Working securely from home has become the new standard.

For this purpose I started collaborating with Verisec around their identity solution Freja eID. Numerous customers have been onboarded in their system, and it works really, really simply and gives me great authentication. So simple, and so great, that I have started to implement it for most of my private applications as well. I wrote a small wrapper for it to make sure I can reuse it a lot. Hopefully this code can be of use to you too.

See the code at GitHub.

Legitimera Online

Today I officially released my site Legitimera Online (http://legitmera.online) for use. It's a free service with, to be honest, quite limited use, but a fun experiment and a platform for my other sites to use for authentication etc.

It uses Freja eID as a login provider to provide secure identity verification, simple agreement signing and also verified identities for external people using Teams.

Read more on my project page.

The awakening (again!)

Finally! After a few years in the dark, offline and without the time or energy to migrate my crashed blog, I have now finally done it! Kind of restored my backups, that is..

The blog itself is up, most of what I could find in my backups has been migrated and most of my old posts have been imported, but a few years are still missing, along with lots of graphics, and there are broken links and so on. Also, some years I decided to blog in Swedish, so those posts will be a bit confusing to read because I have just auto-translated them.

Using different platforms has not exactly made my life easier when it comes to migrating from all the scattered backups, but at least it's happening now.

I will also be updating some old source code as we go along and bringing that online again; most of it is pretty old now, but I will put the most requested projects up.

How much is Office 365 used?

If you have an Office 365 agreement and wonder what you use and how much, you can check it using the long-awaited Office 365 adoption content pack that has now been published. The pack shows how many of the different services are used, how many messages are posted on the social features and so on, but there are limited places in this preview and you must apply by email. Read more at https://blogs.office.com/2016/10/10/announcing-the-preview-of-the-office-365-adoption-content-pack-in-power-bi/

Azure Information Protection is now GA

“Information wants to be free” is the motto of many bad people out there, but it is not completely untrue. Or, at least, the idea that information wants to be mobile is not. A subtle difference. For this reason I have always advocated RMS (Rights Management Services) as protection. It protects the document itself, no matter where it is. That is a cornerstone of information security – that we can actually protect the information. The problem with RMS has long been simply how to approach it: how to actually classify, set permissions and get on with work using RMS. It has been more or less insurmountable. Now Microsoft has taken a leap and released AIP, which includes our former hero RMS but also the new fighter we received when Microsoft bought Secure Islands. AIP is about how we classify, follow up and enable sharing of information.

Admittedly it is an Azure product rather than an Office 365 product, but it solves so many problems we have had on the productivity side that it is impossible not to talk about it. It builds on what was there before, and above all the new way of working is really impressive. Read more at https://blogs.technet.microsoft.com/enterprisemobility/2016/10/04/azure-information-protection-is-now-generally-available/

Yammer is a part of Groups!

In the department of slightly older news, I would like to remind you of an incredibly important piece of news that really shows Microsoft's investment in Yammer as a platform. So those who believe that Yammer has taken its last breath, or is heading for certain death, are mistaken. We have one of the greatest development plans in the history of Yammer, and it is a social network for companies that actually develops and adapts to new, modern tools and ways of working.

Soon we will be able to use all of SharePoint's strengths when handling files in Yammer, that is, version management, document management principles and all the security features. Easy access to Planner, OneNote and more for users, and competent management and control through Office 365 and its admin center.

Read more at https://blogs.office.com/2016/09/26/yammer-strengthens-team-collaboration-through-integration-with-office-365-Groups/

Staff Hub

There are some issues that keep recurring for an admin; one is how to handle users who are not always employed or may not have their own computer. Shared computers have always been the answer. That works really well with all the technology currently available, like Azure AD Join, Intune, Office 365 etc. But at some point you need more.

Microsoft recently released a great portal for these cases, a portal where you can manage meeting invitations, files and, in particular, scheduling and swapping shifts. The solution might not suit everyone, but it is a great starting point. Read more about Staff Hub here: https://blogs.office.com/2016/09/26/announcing-the-public-preview-of-microsoft-staffhub-the-new-app-for-deskless-workers/

Silence..

After a couple of years of silence, I thought I would get behind the keyboard once more. It is both fun and scary, but it is time now. Here you will find general content about Office 365, Microsoft's productivity platform, but also about other things that relate to it. All through the eyes of a technician, i.e. me. I also intend to concentrate on what's new, with some Swedish links to otherwise quite global information. So, just get in touch!

How do I test new features easily?
I have started to “nag” a lot about advanced security features lately. One of the problems I often hear is that it is hard and cumbersome to set up and conduct tests on Microsoft's online platforms. A simple solution, at least for testing these new security features, can be found in the Office 365 Test Lab Guides. They are simple step-by-step guides that walk you through how best to set up and evaluate the various features. Read more at https://blogs.office.com/2016/10/03/demonstrate-enterprise-features-with-the-office-365-test-lab-guides/

Datacenter in Hyperscale
One of the first things I had the privilege of doing when I started at Microsoft was to visit a couple of our data centers. Beforehand, I honestly thought it would be more fun to see Dublin and Amsterdam than the data centers themselves ;P, because I have seen my fair share of data centers over the years. How awesome could it really be? I was not just surprised, impressed and seduced. I was completely blown away. The scale at which Microsoft's data centers are built and operated is something you cannot really grasp until you walk the floor, hundreds of feet on each level. Crazy impressive. We sometimes have the privilege of bringing customers on tours of the data center; talk to your account manager if you are curious, but it is often a fairly big process. If you cannot, or do not have time to, go there with your customer team, you can see more of Microsoft's data centers and learn more here: https://blogs.office.com/2016/10/03/take-a-guided-tour-of-a-microsoft-datacenter-to-learn-how-microsoft-delivers-your-cloud-services/

Office App Launcher
The last thing I was thinking about this time is Microsoft's new app launcher in Office 365, something you can actually make real use of. Right now the focus has been on making it useful to users, that is, they can move, pin and arrange the menus as they wish. Most features are available to those who use Exchange Online, including tabs; the ability to move things around is there even if you do not have Exchange Online. Later more administrative functions will be built on top, and work on this is already ongoing. Read more at https://blogs.office.com/2016/09/27/introducing-the-new-office-365-app-launcher/