Openssl Pkcs11 Engine Slot

OpenSC comes with a number of tools that can be used to generate keys and store certificates on a CardOS 4.3b smart card; the card can then be used in Firefox.

I want to add that apparently some openssl commands work OK with this token and pkcs11 engine:

$ openssl version
OpenSSL 1.0.2e 3 Dec 2015
$ openssl dgst -engine pkcs11 -keyform engine -sign 'pkcs11:object=SIGN%20key;object-type=private;pin-value=123456' -sha256 -out t.sig
engine 'pkcs11' set.

I have softhsm-v2.5.0-rc1 which has EC keys imported in it. Now, when I try to use these keys from the openssl CLI using the pkcs11 engine, it fails. SoftHSM version:

$ softhsm2-util -version
2.5.0rc1

SoftHSM token init.

This makes it possible to have a completely open source solution for smart cards, one that is available simply by running apt-get install in Ubuntu. Note that opensc in Ubuntu 9.10 is buggy, so you need Ubuntu 10.04 or manually installed opensc packages.
You cannot use a completely blank CardOS 4.3b card, because a factory key is needed to set the state of the card so it can be formatted with cardos-tool.
If you have a card formatted as an 'instant id' card, using PrimeCard for example, you can reformat the card with cardos-tool.
On to the howto
---------------
Check that card is found and display info:
>cardos-tool -i
Format:
>cardos-tool -f
Create pkcs15 (E=erase, C=create pkcs15):
>pkcs15-init -EC
Init pkcs15 (P=store pin, a=auth-id, l=label of key):
>pkcs15-init -P -a 01 -l test01
Now pkcs11-tool lists a slot:
>pkcs11-tool -L
Generate keys:
>pkcs15-init -G RSA1024 -a 01 -l test01
Generate cert request with openssl:
>sudo apt-get install libengine-pkcs11-openssl
>openssl
OpenSSL>engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL>req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -subj '/CN=Open SC'
CSR is stored as req.pem. Get certificate from EJBCA using 'Create Certificate from CSR' in public web and store on card:
>pkcs15-init --store-certificate cert.pem -v -i 45
To use the card in Firefox you just need to add a 'Security Device' with module path /usr/lib/opensc-pkcs11.so.

If you buy a new code signing certificate from SwissSign, you must generate the CSR with a hardware HSM that keeps your private key inaccessible. Unfortunately, this is a new requirement: pure soft certificates (all secrets in a file) are no longer allowed.

Fortunately, the SuisseID is such a valid HSM. It can easily be used in your Ubuntu Linux MinGW cross build environment to sign your executables.

Sign CSR With SuisseID Private Key

You need the engine file (in current Ubuntu, /usr/lib/ssl/engines/libpkcs11.so from package libengine-pkcs11-openssl) and the PKCS#11 library, /usr/lib/libcvP11.so, provided by SwissSign in package suisseid-pkcs11. You also need pkcs11-tool from package opensc and openssl from package openssl. For code signing, you need osslsigncode from package osslsigncode. Your SuisseID must be initialized using the SuisseID Assistant, swisssign-init, from package swisssign-init.

If you haven’t run the SuisseID installer, you can also add the SwissSign repository manually:

Install the dependencies:

If you haven’t initialized your SuisseID, do it now. You should have received a TIN / PUK sheet from SwissSign with the transport PIN (TIN). Run swisssign-init and follow the instructions. Set a PIN; you will need it below.

Compile osslsigncode

Unfortunately, as of July 2018, the osslsigncode delivered in Ubuntu 16.04 is the latest version, 1.7.1, but it still does not support the options -pkcs11engine and -pkcs11module. So I had to compile my own version of osslsigncode:

Find Key ID

Get a list of all objects in your SuisseID:

This shows all objects found on your SuisseID smart card (which is your HSM), e.g.:

You need the ID of the key with label SwissSign_digSig, here 00903c80c138a20f4b92625a25550a6503273537.

OpenSSL Configuration

You need an OpenSSL configuration file, engine.conf:

Generate CSR

Now you have all puzzle pieces to generate the HSM-signed CSR required for getting your SwissSign code signing certificate. Do not forget to plug in your USB SuisseID:

It asks for your PIN and a common name. The common name will be overwritten in the SwissSign request form anyway. As you see, in option -key you specify a slot number (1 if you have one reader; otherwise just try different numbers) and the key ID that you obtained in the step above.
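Since the page's own commands did not survive, here is an added shell example (mine, not the author's) tying the "Find Key ID", "OpenSSL Configuration" and "Generate CSR" steps together: it extracts the ID of the private key labelled SwissSign_digSig from pkcs11-tool --list-objects output (a constructed sample is embedded), writes engine.conf, and builds the engine key reference for openssl req. The engine.conf layout and the slot_N-id_HEX key syntax are libp11 engine_pkcs11 conventions and are assumptions here, since the page's own config is missing.

```shell
#!/bin/sh
# Added example (not the page's own code): find the SuisseID signing key ID, write
# engine.conf and build the engine key reference for openssl req. Paths follow the
# page; the engine.conf layout and "slot_N-id_HEX" syntax are libp11 conventions.
ENGINE_SO=/usr/lib/ssl/engines/libpkcs11.so
MODULE_SO=/usr/lib/libcvP11.so
# Constructed sample of "pkcs11-tool --module $MODULE_SO --login --list-objects" output.
SAMPLE_OBJECTS='Certificate Object; type = X.509 cert
  label:      SwissSign_digSig
  ID:         00903c80c138a20f4b92625a25550a6503273537
Private Key Object; RSA
  label:      SwissSign_digSig
  ID:         00903c80c138a20f4b92625a25550a6503273537
  Usage:      sign
Private Key Object; RSA
  label:      SwissSign_auth
  ID:         0a1b2c3d4e5f60718293a4b5c6d7e8f901234567'
# find_key_id LABEL: reads pkcs11-tool output on stdin, prints the private key's ID.
find_key_id() {
    id=$(awk -v want="$1" '
        /Object;/       { type = $0; label = ""; next }
        /^[ \t]*label:/ { sub(/^[ \t]*label:[ \t]*/, ""); label = $0; next }
        /^[ \t]*ID:/ && label == want && type ~ /^Private Key Object/ {
            sub(/^[ \t]*ID:[ \t]*/, ""); print; exit }')
    [ -n "$id" ] || { echo "no private key labelled $1" >&2; return 1; }
    printf '%s\n' "$id"
}
# write_engine_conf FILE: OpenSSL config that loads engine_pkcs11 with the SwissSign module.
write_engine_conf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $MODULE_SO
init = 0
EOF
}
# key_spec SLOT ID: engine key reference, e.g. slot_1-id_00903c...
key_spec() { printf 'slot_%s-id_%s\n' "$1" "$2"; }
# Usage with the SuisseID plugged in (asks for the PIN):
#   ID=$(pkcs11-tool --module $MODULE_SO --login --list-objects | find_key_id SwissSign_digSig)
#   write_engine_conf engine.conf && OPENSSL_CONF=engine.conf openssl req -engine pkcs11 \
#       -keyform engine -key "$(key_spec 1 "$ID")" -new -out request.csr
```

The same key_spec value is what the self-compiled osslsigncode takes in its -key option alongside -pkcs11engine and -pkcs11module in the signing step further down.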

After running the command, a file request.csr is generated that contains some lines between -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.

Just copy the content of file request.csr into the CSR field on SwissSign’s web page, fill out the forms, download the request form, fill it out, sign it and send it to fulfillment.

Sign Code With SuisseID

After some days, you get a mail from SwissSign containing a download link for your certificate. Download it in cer format as certificate.pem.

Something to Sign

You need a Windows exe or dll to test. Simply use my Windows cross compilation docker image to generate a Windows openssl version in /tmp/test:

Now you have an exe that you can sign in the next step:

Sign a Windows Executable

Use osslsigncode (self-compiled, as explained above) to sign /tmp/test/usr/exe/openssl.exe:

Sources