I know this is mainly an “Italian” topic, but there’s no “Italian forum” so I’ll post here: move it somewhere else if needed. There’s a Dutch thread (http://forums.opensuse.org/forums/nederlands-dutch/helpen-en-hulp/programmas/461288-opensuse-11-4-64-bits-kde-firefox-4-0-1-acr38-usb-kaartlezer-eid.html) regarding the same smart-card reader, but it’s about a different openSUSE release. PM me if needed.
What follows are a few instructions for setting up the smart-card (chip card) and the smart-card reader that Regione Autonoma Friuli Venezia Giulia (FVG – an Italian region) gives free to its citizens, and for using them to authenticate on a web site, on a system equipped with openSUSE 12.1 x86_64.
A 64-bit environment is not supported by FVG but, for me, it seems to work well. However, the instructions provided by FVG for a 32-bit openSUSE environment are not complete and cannot be fully followed in a 64-bit environment.
This guide wants to help: I hope it does. Software versions change over time (getting better …): what is stated here works for daily usage. I can’t manage to unlock the smart-card (i.e. to use the PUK number or to change the PIN): a M$ Windows partition and the docs delivered by FVG help for this.
Status quo
Operating System: Linux 3.1.0-1.2-desktop x86_64
Distro: openSUSE 12.1 (x86_64)
Browser: MozillaFirefox (release 9.0.1-2.9.2-x86_64 from vendor openSUSE)
Smart-card: not expired, second generation (that is the one with European and Italian flag and regional symbol)
Smart-card reader: “bit4id” minilector USB, distributed by FVG
What to do
First, check if the reader is recognized. Insert the reader in a USB port, open a terminal, type “lsusb” (you don’t need to be root). I get this:
Bus 002 Device 015: ID 072f:9000 Advanced Card Systems, Ltd ACR38 AC1038-based Smart Card Reader
(reader is recognized as “ACR38”).
All is OK, but without the correct software/driver it is useless; in particular, it will not be possible to use the smart-card to gain access to the restricted areas of the FVG web site.
Let’s begin by adding a repository: you can do it as you like; I use the YaST graphical interface. As URL use:
Index of /repositories/security:/chipcard/openSUSE_12.1
(this repository contains newer packages of what we will install later).
Let’s install these packages:
libpcsclite1 (version 1.8.1-68.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
pcsc-lite (version 1.8.1-68.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
perl-pcsc (version 1.4.10-12.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
pcsc-acr38 (version 1.7.10-23.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
opensc (version 0.12.2-31.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
pcsc-tools (version 1.4.18-1.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
The last one is optional: we will use it once, but it’s useful for checking what happens when plugging in the reader and when inserting the smart-card.
Activate the “pcscd” daemon. Again do as you like, I use YaST (System Services – Runlevel, expert mode, “Set/Reset” button, “Enable the service” to start it when powering on the computer, “Start/Stop/Refresh” button, “Start now …” to start it now).
I plugged in the reader and from command line (no need to be root), I typed “pcsc_scan”, … I thought I was ready, but instead I got:
PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.1
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...
Not so good…
So I rebooted (too much?) and got (OK this time):
PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.1
Using reader plug'n play mechanism
Scanning present readers...
0: ACS ACR38U 00 00
Thu Jan 19 00:33:40 2012
Reader 0: ACS ACR38U 00 00
Card state: Card removed,
Inserting the smart-card:
PC/SC device scanner
V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.1
Using reader plug'n play mechanism
Scanning present readers...
0: ACS ACR38U 00 00
Thu Jan 19 00:34:59 2012
Reader 0: ACS ACR38U 00 00
Card state: Card inserted,
ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
+ TS = 3B --> Direct Convention
+ T0 = FF, Y(1): 1111, K: 15 (historical bytes)
TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
TB(1) = 00 --> VPP is not electrically connected
TC(1) = FF --> Extra guard time: 255 (special value)
TD(1) = C1 --> Y(i+1) = 1100, Protocol T = 1
-----
TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
TA(3) = FE --> IFSC: 254
TB(3) = 55 --> Block Waiting Integer: 5 - Character Waiting Integer: 5
+ Historical bytes: 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80
Category indicator byte: 00 (compact TLV data object)
Tag: 6, len: B (pre-issuing data)
Data: 05 08 C8 0C 01 11 01 43 4E 53
Mandatory status indicator (3 last bytes)
LCS (life card cycle): 10 (Proprietary)
SW: 3180 (Error not defined by ISO 7816)
+ TCK = 05 (correct checksum)
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
Healtcare card (TS-CNS) - Provincia Autonoma di Trento
Provincia Autonoma di Trento is not Regione Autonoma Friuli Venezia Giulia, but it’s good anyway.
(CTRL-C to get out from pcsc_scan command, of course).
So now reader and smart-card are both recognized. It’s time to configure Firefox to use the smart-card as an authentication method.
Open Firefox and, in the address bar, type “about:config”, click through the warning and type “renego” in the filter box. Choose the “security.ssl.renego_unrestricted_hosts” parameter and set it to the string “cartaservizi.regione.fvg.it” (as stated in the FVG web site docs).
Furthermore, in the “Edit” menu, “Preferences”, “Advanced”, “Security Devices”, push the “Load” button, choose something for the “Module Name” field and select “/usr/lib64/opensc-pkcs11.so” for the “Module filename” field.
Now, once the reader and the smart-card are both inserted, it’s possible to browse the private areas of the FVG web site (carta regionale dei servizi - ROOT). Clicking on “accedi ai servizi” (https://cartaservizi.regione.fvg.it/CrsCentralService/securityplugin?operazione=loginsmartcard&origine=https://cartaservizi.regione.fvg.it/CrsCentralService/securityplugin?DestinazioneSecurityPlugin=https://cartaservizi.regione.fvg.it/CrsCentralService/areaUtente/CrsHome/Welcome) will pop up:
1) a window asking for the card PIN (personal identification number)
2) a window asking to choose the correct certificate to use
3) a web page stating that you have been authenticated successfully
3-bis) sometimes there’s an error web page (“The connection was reset”): just hit the “Try again” button.
That’s all: enjoy yourself!
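The ATR breakdown that pcsc_scan prints in the post can be reproduced offline, which helps when comparing a card against a known-good ATR. The following Python sketch is an added example, not part of the original post or of pcsc-tools; the names `parse_atr` and `ascii_runs` are made up for illustration. It splits an ISO 7816-3 ATR into its interface bytes, verifies the TCK checksum and extracts printable text from the historical bytes:

```python
import re
from functools import reduce

# ATR copied from the pcsc_scan output quoted in the post.
POST_ATR = "3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05"

def parse_atr(atr_hex):
    """Split an ISO 7816-3 ATR into interface bytes, protocols, historical bytes, TCK."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: TS must be 3B (direct) or 3F (inverse)")
    out = {"interface": {}, "protocols": []}
    hist_len = atr[1] & 0x0F       # T0 low nibble K: number of historical bytes
    y, pos, i = atr[1] >> 4, 2, 1  # T0 high nibble Y(1): which of TA1..TD1 follow
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(atr):
                    raise ValueError("ATR truncated inside interface bytes")
                out["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = out["interface"].get(f"TD{i}")
        if td is None:
            break
        out["protocols"].append(td & 0x0F)  # low nibble of TD(i): protocol T
        y, i = td >> 4, i + 1               # high nibble: bitmap Y(i+1)
    if pos + hist_len > len(atr):
        raise ValueError("ATR truncated inside historical bytes")
    out["historical"] = atr[pos:pos + hist_len]
    pos += hist_len
    # TCK exists only if a protocol other than T=0 was announced; it makes
    # the XOR of every byte from T0 through TCK equal to zero.
    out["tck"], out["tck_ok"] = None, True
    if any(t != 0 for t in out["protocols"]):
        if pos >= len(atr):
            raise ValueError("ATR announces T != 0 but has no TCK byte")
        out["tck"] = atr[pos]
        out["tck_ok"] = reduce(lambda a, b: a ^ b, atr[1:pos + 1]) == 0
    return out

def ascii_runs(data, min_len=3):
    """Return printable-ASCII runs, e.g. a card family tag in the historical bytes."""
    return re.findall(rb"[ -~]{%d,}" % min_len, data)

if __name__ == "__main__":
    info = parse_atr(POST_ATR)
    print({k: f"{v:02X}" for k, v in info["interface"].items()})
    print("protocols:", info["protocols"], "TCK ok:", info["tck_ok"],
          "text:", ascii_runs(info["historical"]))
```

For the ATR in the post it reports protocol T=1, a valid TCK and the ASCII string CNS in the historical bytes, in line with the pcsc_scan output.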