Aktiv Co. offers the Rutoken ECP, an USB crypto token with 64K memory and support for RSA keys up to 2048bit key length.
- USB IDs: 0a89:0030
- Memory: 64K
- ATRs:
- Aktiv Rutoken ECP:
3B 8B 01 52 75 74 6F 6B 65 6E 20 44 53 20 C1 - Rutoken ECP:
3B 8B 01 52 75 74 6F 6B 65 6E 20 45 43 50 A0
- Aktiv Rutoken ECP:
- RSA (with RSA keys up to 2048 bits)
- GOST R 34.10-2001 (RFC 5832)
- GOST 34.11-94 (RFC 5831)
- GOST 28147-89 (RFC 5830)
- Key generation: ElGamal and Diffie-Hellman schemes
- 3 categories of owners: Administrator, User, Guest
- 2 Global PIN-codes: Administrator and User
- Local PIN-codes
- Combined authentication
- The possibility of simultaneous control of the access rights by the 7 Local PIN-codes
- File structure of ISO/IEC 7816-4
- The level of subdirectory - limited by space available for file system
- Number of file objects inside directory - up to 255, inclusive
- Using files Rutoken Special File (RSF-files) to store keys and PIN-codes
- Storage of private and symmetric keys, without the possibility of exports from device
- Predefined directory for storing different kinds of key information (RSF-files) and automatic selection of the predefined directories
- The total amount of memory for file structure - 64 kB
$ pkcs15-init --erase-card -p rutoken_ecp
$ pkcs15-init --create-pkcs15 --so-pin "87654321" --so-puk ""
$ pkcs15-init --store-pin --label "User PIN" --auth-id 02 --pin "12345678" --puk "" --so-pin "87654321" --finalize
$ pkcs15-tool -D
Using reader with a card: Aktiv Rutoken ECP 00 00
PKCS#15 Card [Rutoken ECP]:
Version : 0
Serial number : 000000002CDB7256
Manufacturer ID: Aktiv Co.
Last update : 20121114083252Z
Flags : EID compliant
PIN [Security Officer PIN]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x99], case-sensitive, unblock-disabled, initialized, soPin
Length : min_len:8, max_len:32, stored_len:32
Pad char : 0x00
Reference : 1
Type : ascii-numeric
PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 02
Flags : [0x19], case-sensitive, unblock-disabled, initialized
Length : min_len:4, max_len:32, stored_len:32
Pad char : 0x00
Reference : 2
Type : ascii-numeric$ pkcs15-init -G rsa/1024 --auth-id 02 --label "My Private Key" --public-key-label "My Public Key"
Using reader with a card: Aktiv Rutoken ECP 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]:
$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 1 (0x1)
Native : yes
Path : 3f001000100060020001
Auth ID : 02
ID : 04830838b7c9752bd0e90c96a88b989a80f45181
GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a}$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 1 (0x1)
Native : yes
Path : 3f001000100060020001
Auth ID : 02
ID : 04830838b7c9752bd0e90c96a88b989a80f45181
GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL>
OpenSSL> req -engine pkcs11 -new -key slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181 -keyform engine -out req.csr -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]"
engine "pkcs11" set.
PKCS#11 token PIN:
OpenSSL> quit
$ cat req.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIByTCCATICAQAwgYgxCzAJBgNVBAYTAlJVMQ8wDQYDVQQIDAZNb3Njb3cxDzAN
BgNVBAcMBk1vc2NvdzEOMAwGA1UECgwFS09SVVMxCzAJBgNVBAsMAklUMRcwFQYD
VQQDDA5TZXJnZXkgU2FmYXJvdjEhMB8GCSqGSIb3DQEJARYScy5zYWZhcm92QG1h
aWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpY0LM0eBDKATrR47f
oFnzVrMVEl+oeLx8ffAUDRIsKyILBDEOrhj3wD/8qNSBXl0CTXRL1jPJ/Cmjy6si
+AJtVCbnuhe2LP064kcbj17eurAuAhPwKMlLhjchsPoEcjN22fQYAie+XN+atTtW
auFanOV6valVGsyboScbPyDbeQIDAQABoAAwDQYJKoZIhvcNAQEFBQADgYEAE0gR
T3KHARExb0aFBEl9x6+oPPQSJfE/qh5S0vc7d68JEnjSwkx4Zdy9CQW+ympHpRde
t5Dn68Xs3OjXUOJ6rEsAQcgya3PVcgjljY46555bFBz5V9LIOh+qTREGKpvOMTdO
XUFiwTApskr8pn8Gc2mFV1cA+dEf3S9XNluNVKA=
-----END CERTIFICATE REQUEST-----If you have errors when loading engine - check the location of directory of engine_pkcs11.so
(for example: /usr/lib/engines/engine_pkcs11.so) and use it further when loading engine.
$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 1 (0x1)
Native : yes
Path : 3f001000100060020001
Auth ID : 02
ID : 04830838b7c9752bd0e90c96a88b989a80f45181
GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -x509 -new -key slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181 -keyform engine -out ca.crt -subj "/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]"
engine "pkcs11" set.
PKCS#11 token PIN:
OpenSSL> quit
$ cat ca.crt
-----BEGIN CERTIFICATE-----
MIICiTCCAfICCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC
UlUxDzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVL
T1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJ
KoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDg1MTMyWhcN
MTIxMjE0MDg1MTMyWjCBiDELMAkGA1UEBhMCUlUxDzANBgNVBAgMBk1vc2NvdzEP
MA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAV
BgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZA
bWFpbC5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtH
jt+gWfNWsxUSX6h4vHx98BQNEiwrIgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPL
qyL4Am1UJue6F7Ys/TriRxuPXt66sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1
O1Zq4Vqc5Xq9qVUazJuhJxs/INt5AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAlmet
AeeNkdUjCiP3nk8PJ5lW8d+ohl55W6gsi4pRvLwXH/CsKzU3scNbPKnEQz1FGpfZ
xHp+LB1jZSUci1r6saQKkDFLXLQqIedRhR2Bevx5msw+ydM3GwwRW9K0IumwrYwp
9IGRsBOT1s7eTZfYNURmqdhP5hIdgo3dJ4utr1c=
-----END CERTIFICATE-----$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 1 (0x1)
Native : yes
Path : 3f001000100060020001
Auth ID : 02
ID : 04830838b7c9752bd0e90c96a88b989a80f45181
GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/lib/openssl/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> ca -engine pkcs11 -keyfile slot_1-id_04830838b7c9752bd0e90c96a88b989a80f45181 -keyform engine -cert ca.crt -in req.csr -out tester.crt
Using configuration from /etc/pki/tls/openssl.cnf
engine "pkcs11" set.
PKCS#11 token PIN:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 14 09:04:44 2012 GMT
Not After : Nov 14 09:04:44 2013 GMT
Subject:
countryName = RU
stateOrProvinceName = Moscow
organizationName = KORUS
organizationalUnitName = IT
commonName = Sergey Safarov
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DD:47:C4:DB:57:4B:04:BB:67:82:5A:88:DF:93:1C:6D:E2:CB:58:0F
X509v3 Authority Key Identifier:
DirName:/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]
serial:8F:30:77:60:57:FA:D0:06
Certificate is to be certified until Nov 14 09:04:44 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
OpenSSL> quit
$ cat tester.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=RU, ST=Moscow, L=Moscow, O=KORUS, OU=IT, CN=Sergey Safarov/[email protected]
Validity
Not Before: Nov 14 09:04:44 2012 GMT
Not After : Nov 14 09:04:44 2013 GMT
Subject: C=RU, ST=Moscow, O=KORUS, OU=IT, CN=Sergey Safarov/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:a9:63:42:cc:d1:e0:43:28:04:eb:47:8e:df:a0:
59:f3:56:b3:15:12:5f:a8:78:bc:7c:7d:f0:14:0d:
12:2c:2b:22:0b:04:31:0e:ae:18:f7:c0:3f:fc:a8:
d4:81:5e:5d:02:4d:74:4b:d6:33:c9:fc:29:a3:cb:
ab:22:f8:02:6d:54:26:e7:ba:17:b6:2c:fd:3a:e2:
47:1b:8f:5e:de:ba:b0:2e:02:13:f0:28:c9:4b:86:
37:21:b0:fa:04:72:33:76:d9:f4:18:02:27:be:5c:
df:9a:b5:3b:56:6a:e1:5a:9c:e5:7a:bd:a9:55:1a:
cc:9b:a1:27:1b:3f:20:db:79
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DD:47:C4:DB:57:4B:04:BB:67:82:5A:88:DF:93:1C:6D:E2:CB:58:0F
X509v3 Authority Key Identifier:
DirName:/C=RU/ST=Moscow/L=Moscow/O=KORUS/OU=IT/CN=Sergey Safarov/[email protected]
serial:8F:30:77:60:57:FA:D0:06
Signature Algorithm: sha1WithRSAEncryption
14:4b:39:32:81:37:aa:95:8f:db:f8:42:64:21:32:6f:11:ad:
8e:c1:ef:bf:20:93:e2:6f:66:80:fc:f6:af:ad:5c:80:6f:98:
1f:28:ea:14:87:f9:6c:5d:59:2c:0a:42:fd:a1:ed:34:f5:4b:
c5:7c:5e:2f:16:48:27:a1:c5:b8:0d:f3:64:d0:7f:f6:55:fc:
36:3c:30:bf:7f:e9:62:23:e6:4f:45:76:43:9f:ae:a7:b4:5a:
ca:e7:98:f3:6e:09:91:58:f3:4b:6f:36:e3:88:fc:48:54:95:
a7:be:58:b8:97:86:5c:57:7e:cb:c4:0a:f2:d6:ac:c3:90:11:
2b:00
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMCUlUx
DzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JV
UzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZI
hvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDkwNDQ0WhcNMTMx
MTE0MDkwNDQ0WjB3MQswCQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ4wDAYD
VQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92
MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtHjt+gWfNWsxUSX6h4vHx98BQNEiwr
IgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPLqyL4Am1UJue6F7Ys/TriRxuPXt66
sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1O1Zq4Vqc5Xq9qVUazJuhJxs/INt5
AgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU3UfE21dLBLtnglqI35Mc
beLLWA8wgacGA1UdIwSBnzCBnKGBjqSBizCBiDELMAkGA1UEBhMCUlUxDzANBgNV
BAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkG
A1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkB
FhJzLnNhZmFyb3ZAbWFpbC5jb22CCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFAAOB
gQAUSzkygTeqlY/b+EJkITJvEa2Owe+/IJPib2aA/PavrVyAb5gfKOoUh/lsXVks
CkL9oe009UvFfF4vFkgnocW4DfNk0H/2Vfw2PDC/f+liI+ZPRXZDn66ntFrK55jz
bgmRWPNLbzbjiPxIVJWnvli4l4ZcV37LxAry1qzDkBErAA==
-----END CERTIFICATE-----$ pkcs15-tool --list-keys
Using reader with a card: Aktiv Rutoken ECP 00 00
Private RSA Key [My Private Key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 1 (0x1)
Native : yes
Path : 3f001000100060020001
Auth ID : 02
ID : 04830838b7c9752bd0e90c96a88b989a80f45181
GUID : {04830838-b7c9-752b-d0e9-0c96a88b989a}
$ pkcs15-init --store-certificate tester.crt --auth-id 02 --id 04830838b7c9752bd0e90c96a88b989a80f45181 --format pem
$ pkcs15-tool --read-certificate 04830838b7c9752bd0e90c96a88b989a80f45181
Using reader with a card: Aktiv Rutoken ECP 00 00
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIBATANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMCUlUx
DzANBgNVBAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JV
UzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZI
hvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wHhcNMTIxMTE0MDkwNDQ0WhcNMTMx
MTE0MDkwNDQ0WjB3MQswCQYDVQQGEwJSVTEPMA0GA1UECAwGTW9zY293MQ4wDAYD
VQQKDAVLT1JVUzELMAkGA1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92
MSEwHwYJKoZIhvcNAQkBFhJzLnNhZmFyb3ZAbWFpbC5jb20wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAKljQszR4EMoBOtHjt+gWfNWsxUSX6h4vHx98BQNEiwr
IgsEMQ6uGPfAP/yo1IFeXQJNdEvWM8n8KaPLqyL4Am1UJue6F7Ys/TriRxuPXt66
sC4CE/AoyUuGNyGw+gRyM3bZ9BgCJ75c35q1O1Zq4Vqc5Xq9qVUazJuhJxs/INt5
AgMBAAGjggEGMIIBAjAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NM
IEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQU3UfE21dLBLtnglqI35Mc
beLLWA8wgacGA1UdIwSBnzCBnKGBjqSBizCBiDELMAkGA1UEBhMCUlUxDzANBgNV
BAgMBk1vc2NvdzEPMA0GA1UEBwwGTW9zY293MQ4wDAYDVQQKDAVLT1JVUzELMAkG
A1UECwwCSVQxFzAVBgNVBAMMDlNlcmdleSBTYWZhcm92MSEwHwYJKoZIhvcNAQkB
FhJzLnNhZmFyb3ZAbWFpbC5jb22CCQCPMHdgV/rQBjANBgkqhkiG9w0BAQUFAAOB
gQAUSzkygTeqlY/b+EJkITJvEa2Owe+/IJPib2aA/PavrVyAb5gfKOoUh/lsXVks
CkL9oe009UvFfF4vFkgnocW4DfNk0H/2Vfw2PDC/f+liI+ZPRXZDn66ntFrK55jz
bgmRWPNLbzbjiPxIVJWnvli4l4ZcV37LxAry1qzDkBErAA==
-----END CERTIFICATE------ When initializing with
pkcs15-inittool, a PUK code must not be present (press enter when asked or use--puk ""). - Card can be erased with
pkcs15-init --erase-card(including all keys) without any authentication.