EID VPN/eID VPN

From Mana zināšanu grāmata
Revision as of 12:51, 13 March 2021 by Kaspars (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Ubuntu 20.04

Centos 7

yum install nss-tools nss-pam-ldapd esc pam_pkcs11 pam_krb5 opensc pcsc-lite-ccid authconfig authconfig-gtk krb5-libs krb5-workstation krb5-pkinit pcsc-lite pcsc-lite-libs gnutls-utils gnutls-devel openconnect

Uzinstalēt latvia-eid-middleware paku
pārsaukt /opt/latvian-eid par /opt/latvian-eid.bak

Atspiest latvia-eid arhīvu un pārkopēt uz /opt direktoriju

pārliecināties, vai ir fails /opt/latvia-eid/lib/eidlv-pkcs11.so

ls -la /opt/latvia-eid/lib/eidlv-pkcs11.so

pārliecināties, vai ir /usr/lib64/eidlv-pkcs11.so fails, ja nav, tad izveidot symlink

ln -s /opt/latvia-eid/lib/eidlv-pkcs11.so /usr/lib64/eidlv-pkcs11.so

Izveidot pkcs11 moduļi

cp /usr/share/p11-kit/modules/opensc.module /etc/pkcs11/modules/opensc.module
echo "module:/usr/lib64/eidlv-pkcs11.so" > /etc/pkcs11/modules/opensc.module

pārbaude

pcsc_scan
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B DD 18 00 81 31 FE 45 90 4C 41 54 56 49 41 2D 65 49 44 90 00 8C
    Identity card (eID) Republic of Latvia
    http://www.pmlp.gov.lv/lv/pakalpojumi/passes/eid.html

 

p11tool --list-tokens
Token 2:
    URL: pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29
    Label: User PIN (LATVIA ID)
    Type: Hardware token
    Flags: RNG, Requires login
    Manufacturer: Oberthur Technologies
    Model: PKCS#15
    Serial: 010011761431013F
    Module: /usr/lib/pkcs11/eidlv-pkcs11.so

Token 3:
    URL: pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=Signature%20PIN%20%28LATVIA%20ID%29
    Label: Signature PIN (LATVIA ID)
    Type: Hardware token
    Flags: RNG, Requires login
    Manufacturer: Oberthur Technologies
    Model: PKCS#15
    Serial: 010011761431013F
    Module: /usr/lib/pkcs11/eidlv-pkcs11.so

 

p11tool --list-all-certs
warning: no token URL was provided for this operation; the available tokens are:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29
pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=Signature%20PIN%20%28LATVIA%20ID%29

Izmanto iegūto certifikātu

p11tool --list-all-certs 'pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29'
Object 0:
    URL: pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29;id=%a7%82%78%84%61%ce%53%39%0e%e2%34%45%6e%4a%01%bf%c6%ad%49%a1;object=Authentication%20certificate;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Sun Jun 20 05:02:52 2021
    Label: Authentication certificate
    ID: a7:82:78:84:61:ce:53:39:0e:e2:34:45:6e:4a:01:bf:c6:ad:49:a1
 

Atrast atrašanās vietu

find / -name "hipreport.sh"
/usr/libexec/openconnect/hipreport.sh

Atspiest magic.zip, kur saturā ir lvrtc root sertifikāts eid kartei un novietot ~/magic.pem

unzip magic.zip && mv magic.pem ~/magic.pem

Izpildīt komandu

sudo openconnect -v --dump-http-traffic --user="KASPARS BŪCENS" -c \
"pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29;id=%a7%82%78%84%61%ce%53%39%0e%e2%34%45%6e%4a%01%bf%c6%ad%49%a1;object=Authentication%20certificate;type=cert" \
--protocol=gp \
--os=win \
--csd-wrapper="/usr/libexec/openconnect/hipreport.sh" \
--cafile="/home/kasparsb/Documents/magic.pem" \
vpn1.eveseliba.gov.lv

 

File:latvia-eid-middleware-2.0.6-1-linux-centos-6.10-x86 641.rpm
File:latvia-eid.zip
File:magic.zip
 

CentOS 8

yum install nss-tools nss-pam-ldapd esc opensc pcsc-lite-ccid authconfig krb5-libs krb5-workstation krb5-pkinit pcsc-lite pcsc-lite-libs gnutls-utils gnutls-devel openconnect

Uzinstalēt latvia-eid-middleware paku
pārsaukt /opt/latvian-eid par /opt/latvian-eid.bak

Atspiest latvia-eid arhīvu un pārkopēt uz /opt direktoriju

pārliecināties, vai ir fails /opt/latvia-eid/lib/eidlv-pkcs11.so

ls -la /opt/latvia-eid/lib/eidlv-pkcs11.so

pārliecināties, vai ir /usr/lib64/eidlv-pkcs11.so fails, ja nav, tad izveidot symlink

ln -s /opt/latvia-eid/lib/eidlv-pkcs11.so /usr/lib64/eidlv-pkcs11.so

Izveidot pkcs11 moduļi

cp /usr/share/p11-kit/modules/opensc.module /etc/pkcs11/modules/opensc.module
echo "module:/usr/lib64/eidlv-pkcs11.so" > /etc/pkcs11/modules/opensc.module

pārbaude

pcsc_scan
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B DD 18 00 81 31 FE 45 90 4C 41 54 56 49 41 2D 65 49 44 90 00 8C
    Identity card (eID) Republic of Latvia
    http://www.pmlp.gov.lv/lv/pakalpojumi/passes/eid.html

 

p11tool --list-tokens
Token 2:
    URL: pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29
    Label: User PIN (LATVIA ID)
    Type: Hardware token
    Flags: RNG, Requires login
    Manufacturer: Oberthur Technologies
    Model: PKCS#15
    Serial: 010011761431013F
    Module: /usr/lib/pkcs11/eidlv-pkcs11.so

Token 3:
    URL: pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=Signature%20PIN%20%28LATVIA%20ID%29
    Label: Signature PIN (LATVIA ID)
    Type: Hardware token
    Flags: RNG, Requires login
    Manufacturer: Oberthur Technologies
    Model: PKCS#15
    Serial: 010011761431013F
    Module: /usr/lib/pkcs11/eidlv-pkcs11.so

 

p11tool --list-all-certs
warning: no token URL was provided for this operation; the available tokens are:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29
pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=Signature%20PIN%20%28LATVIA%20ID%29

Izmanto iegūto certifikātu

p11tool --list-all-certs 'pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29'
Object 0:
    URL: pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29;id=%a7%82%78%84%61%ce%53%39%0e%e2%34%45%6e%4a%01%bf%c6%ad%49%a1;object=Authentication%20certificate;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Sun Jun 20 05:02:52 2021
    Label: Authentication certificate
    ID: a7:82:78:84:61:ce:53:39:0e:e2:34:45:6e:4a:01:bf:c6:ad:49:a1
 

Atrast atrašanās vietu

find / -name "hipreport.sh"
/usr/libexec/openconnect/hipreport.sh

Atspiest magic.zip, kur saturā ir lvrtc root sertifikāts eid kartei un novietot ~/magic.pem

unzip magic.zip && mv magic.pem ~/magic.pem

Izpildīt komandu

sudo openconnect -v --dump-http-traffic --user="KASPARS BŪCENS" -c \
"pkcs11:model=PKCS%2315;manufacturer=Oberthur%20Technologies;serial=010011761431013F;token=User%20PIN%20%28LATVIA%20ID%29;id=%a7%82%78%84%61%ce%53%39%0e%e2%34%45%6e%4a%01%bf%c6%ad%49%a1;object=Authentication%20certificate;type=cert" \
--protocol=gp \
--os=win \
--csd-wrapper="/usr/libexec/openconnect/hipreport.sh" \
--cafile="/home/kasparsb/Documents/magic.pem" \
vpn1.eveseliba.gov.lv
  File:latvia-eid-middleware-2.0.6-1-linux-centos-6.10-x86 641.rpm
File:latvia-eid.zip
File:magic.zip
Retrieved from "https://wiki.virusstyle.synology.me/index.php?title=EID_VPN/eID_VPN&oldid=48"