Getting a SURFnet Aladdin Pro 64 to work with OpenSC and Firefox

(Without using any binary blobs)

This little document is probably useful for anyone trying to get an Aladdin Pro 64 to work with Firefox in general but is primarily intended for those who use Debian (or Ubuntu) and are in the TERENA TCS programme.

Installing the software

apt-get install opensc openct

Getting access to the card

On Debian, the OpenCT/OpenSC packages installed above make the token's device node accessible to the ‘scard’ UNIX group. Add yourself to this group (as root, or via sudo):

adduser $(whoami) scard

Group membership is only picked up by new login sessions, so log out and back in before continuing.

Initializing the USB stick

Firefox talks to the token through PKCS#11, which only knows a single user PIN per token, so initialise the card with the ‘onepin’ profile (one user PIN protecting everything, no separate security-officer PIN). -C creates the PKCS#15 structure, -E erases the card first and -l sets the token label:

pkcs15-init -CE -p pkcs15+onepin -l SURFnet

This asks for a PIN and a PUK (8 characters each; the PIN object in the listing further down shows min_len:4, max_len:8). The PIN unlocks every operation on the token and the PUK is the only way to unblock a PIN that has been entered wrongly too many times, so remember both and store the PUK somewhere secure, apart from the token.

Patching the source code

The patch

Apply a patch to OpenSC:

--- src/pkcs11/framework-pkcs15.c,orig  2007-06-21 21:37:59.000000000 +0200
+++ src/pkcs11/framework-pkcs15.c   2009-12-10 10:45:47.144653114 +0100
@@ -1563,6 +1563,7 @@
            &keygen_args.prkey_args.x509_usage);
    if (rv != CKR_OK)
        goto kpgen_done;
+   keygen_args.prkey_args.x509_usage &= ~(SC_PKCS15INIT_X509_KEY_ENCIPHERMENT|SC_PKCS15INIT_X509_DATA_ENCIPHERMENT);
    pub_args.x509_usage = keygen_args.prkey_args.x509_usage;

    /* 2. Add the PINs the user presented so far to the keycache */
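Review bot: the added line masks SC_PKCS15INIT_X509_KEY_ENCIPHERMENT and SC_PKCS15INIT_X509_DATA_ENCIPHERMENT unconditionally, so every key generated through this PKCS#11 module becomes sign-only, not just keys on tokens that cannot hold a dual-purpose key; gate it on a card capability or a configuration option so the change could go upstream, and document the effect (the private key ends up with usage sign/signRecover only, and a certificate issued for it should not assert keyEncipherment). Two smaller points: the mask sits after the CKR_OK check and before `pub_args.x509_usage = keygen_args.prkey_args.x509_usage;`, which is the right spot since the public key then inherits the masked value; and the `---` header reads `framework-pkcs15.c,orig` (comma for dot) with paths rooted at src/ and no a/ b/ prefix, so the patch applies with -p0 from the source root, not -p1.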

This patch is needed because Firefox by default asks for a key usable for both signing and encryption, but the Aladdin token only supports single-purpose keys. The patch strips the encryption bits from the requested usage before the key is generated, so the key ends up sign-only (usage ‘sign, signRecover’, as in the pkcs15-tool listing further down) and cannot be used to decrypt anything. Obviously this cannot go upstream as it stands, since it forces every key generated through the module to lose its encryption usage flags.

You only need the patched build while generating the key pair from Firefox. Once you have applied for your certificate you can go back to the stock Debian package. Note that the locally built package carries the same version number as the Debian one, so apt only replaces it when Debian ships a newer version; reinstalling the stock package with apt gets you back sooner.

Applying it

In Debian lenny, this boils down to:

sudo apt-get build-dep opensc
apt-get source opensc
cd opensc-0.11.4
patch -p0 <../opensc-keyusage.patch
dpkg-buildpackage -us -uc -b
sudo dpkg -iO ../*.deb

The file names in the patch header start at src/ with no a/ or b/ prefix, so apply it with -p0 from the unpacked source directory (with -p1, patch would strip src/ and not find the file). dpkg -O (--selected-only) only installs packages that are already selected, so packages you did not have installed before, such as the development package, are skipped.

Setting up Firefox

Open the Preferences window and select the Advanced tab, then the Encryption sub-tab:

Screenshot 1

Select ‘Security Devices’ to get the dialog below:

Screenshot 2

Select ‘Load’:

Screenshot 3

Enter a name and a module path (/usr/lib/opensc-pkcs11.so) and click OK:

Screenshot 4

Voilà, your device has been added.

Applying for your certificate

Use screenshots 34 to 64 from Teun's instructions. When it comes to generating a key, pick the OpenSC device as the key store. You do not need any ActiveX components; Firefox has the key generation built in.

Installing your certificate

Get a listing of all objects on the card. If pkcs15-tool reports the card as locked or in use, hit the Logout button in Firefox's Security Device manager first (Firefox keeps a session open on the token while it is logged in):

$ pkcs15-tool -D
PKCS#15 Card [SURFnet]:
        Version        : 1
        Serial number  : 26BE2C5BC6D7
        Manufacturer ID: OpenSC Project
        Last update    : 20091209165408Z
        Flags          : EID compliant

PIN [User PIN]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x32], local, initialized, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 1
        Type      : ascii-numeric
        Path      : 3f005015

Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0xC], sign, signRecover
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 2048
        Key ref     : 16
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 2d9d9ed4e53d03993517d7729f3c398bc5c302f8

Public RSA Key [Public Key]
        Com. Flags  : 2
        Usage       : [0xC0], verify, verifyRecover
        Access Flags: [0x0]
        ModLength   : 2048
        Key ref     : 0
        Native      : no
        Path        : 3f0050153048
        Auth ID     :
        ID          : 2d9d9ed4e53d03993517d7729f3c398bc5c302f8

Note the hexadecimal ID shared by the private and public key; pkcs15-init uses it to attach the certificate to that key pair. Assuming your new certificate is in me.pem, type:

pkcs15-init --store-certificate me.pem --id 2d9d9ed4e53d03993517d7729f3c398bc5c302f8 --format pem
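Two checks worth running on me.pem before the store step above, as an added example that is not part of the original page or of OpenSC: that the certificate really was issued for the key on the token (the CA signs whatever public key was in the request, so a mix-up between two tokens or profiles is silent until now), and that its keyUsage does not promise Key Encipherment, which the sign-only key produced with the patch above cannot serve. The script assumes openssl is on the PATH and that the token's public key has been read out first with pkcs15-tool --read-public-key <key id> -o pub.pem (a real pkcs15-tool option; the function and file names are mine).

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check a freshly issued
# certificate against the public key read from the token before storing it.
# Assumes: openssl on the PATH; pub.pem produced by
#   pkcs15-tool --read-public-key <key id> -o pub.pem
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key or PEM
# certificate, so both sides compare on the same encoding.
pubkey_fingerprint() {
    f=$1
    if grep -q 'BEGIN CERTIFICATE' "$f"; then
        openssl x509 -in "$f" -noout -pubkey
    else
        openssl pkey -pubin -in "$f"
    fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# Returns 0 if the certificate's public key equals the key read from the token.
# An unreadable file yields an empty fingerprint, which is treated as a mismatch.
cert_matches_pubkey() {
    a=$(pubkey_fingerprint "$1")
    b=$(pubkey_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the X509v3 Key Usage values of a certificate (empty if the extension is absent).
cert_key_usage() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; sub(/^ */, ""); print; exit }'
}

# Returns 0 if the certificate asserts Key Encipherment, which a sign-only
# token key (usage sign/signRecover) cannot serve.
cert_needs_encipherment() {
    cert_key_usage "$1" | grep -q 'Key Encipherment'
}

# Usage: sh check-cert.sh me.pem pub.pem
if [ $# -eq 2 ]; then
    if cert_matches_pubkey "$1" "$2"; then
        echo "OK: $1 matches the token's public key"
    else
        echo "MISMATCH: $1 was not issued for the key in $2" >&2
        exit 1
    fi
    if cert_needs_encipherment "$1"; then
        echo "WARNING: keyUsage is '$(cert_key_usage "$1")'; the token key can only sign" >&2
    fi
fi
```

A mismatch exits non-zero, so the script can sit in front of the pkcs15-init call. The keyUsage result is only a warning because the CA, not the token, decides what the certificate asserts; it tells you the certificate will advertise a capability the token cannot back.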

It's best to store the CA chain as well. Get the certificates from Teun's certificate pack, convert each from DER to PEM and store it:

wget 'https://itswww.uvt.nl/~teun/PKI/Globalsign-personal-certificate-chain.zip'
unzip Globalsign-personal-certificate-chain.zip
for i in GlobalSignPersonalSignClass2CA.cer GlobalSignPrimaryClass2CA.cer GlobalSignRootCA.cer; do
    openssl x509 -inform der -in $i -out ${i%.cer}.pem
    pkcs15-init -X ${i%.cer}.pem --label ${i%.cer} -v
done

-X is short for --store-certificate. pkcs15-init also accepts --authority to flag a stored certificate as a CA certificate, which is what these three are.
