How to install OpenSC on IPFire Firewall

This article is the continuation of our previous work on IPFire firewall. In this tutorial, support for hardware tokens (such as smart cards) and their readers (CCID compliance) are integrated with the IPFire project. The following tools are successfully compiled for IPFire 2.19 version.

PC/SC smart card daemon is used to access smart cards on the Linux platform using CCID or proprietary drivers.  A driver program for the CCID smart card reader is required to access the smart cards. The CCID package contains drivers for different smart card readers for the Linux/Unix environment. Smartcard access (PKCS#11 API) and management (PKCS#15 file structure) is supported by OpenSC project which consists of several open source tools & libraries. Hardware tokens such as smart card can be used for following purposes

  • Secure Web Login
  • WorkStation Login
  • File Encryption
  • VPN (OpenVPN,L2TP)
  • Email Encryption

Several of the OpenSC supported smart card vendors are given below.

  • ASEPCOS
  • FTCOSPK01C
  • OpenPGP Card
  • Cyberflex
  • CardOs
  • STARCOS

Environment Setup

For the setup of a development environment, a detailed explanation has been given in the previous article.

Addons in test shell of IPFire

It is recommended to install the IPFire addon's in the test shell (similar to the Linux terminal) which is invoked by using the following command in the root directory.

./make shell

Run the IPFire shell

The source packages on the IPFire build environment are placed inside the /usr/src/cache directory.  All required packages for this tutorial are already placed in the cache directory.

Go the the IPFire Cache directory

The source of the pcsc-lite package is shown in the following snapshot.

pcsc-lite source package

Before we start the compilation of pcsc-lite tool, it is recommended to install the required libudev-dev library with the following command

apt-get install libudev-dev

Install libudev-dev library

Now, extract the source package using the following command and run the ./configure script as shown below.

tar -xf pcsc-lite-1.8.18.tar.bz2

undpack and configure pcsc-lite

As shown below, no error is generated by the configure command.

Configure command ran without errors

Now, simply run ./make and ./make install command to install pcscd daemon in the test environment.

Install pcscd daemon

Successful installation of pcsc-lite packages shows few important paths which will be used to compile CCID package.

pcsc-lite installed successfully

The following screenshot shows that pcscd is running in IPFire in the test environment.

pcscd is running in test environment

The next package that is required for smart cards iis the CCID drivers package. As shown below, CCID package is placed in the cache directory.

CCID package in cache directory

The following screenshot shows the error generated by the ./configure script of the CCID package.

CCID configure error

The error shows that pcsc-lite is not found by the configure script. Therefore, set PCSC_CFLAGS with the configure script as shown below.

./configure PCSC_CFLAGS=-I/usr/local/include/PCSC

Set PCSC_CFLAGS

However, another error is generated by the script because libpcsclite.pc is not found under pkg-config path on the IPFire LFS.

Export the PKG_CONFIG_PATH

Therefore, first export the PKG_CONFIG_PATH and again run the configure script command.

export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/

./configure PCSC_CFLAGS=-I/usr/local/include/PCSC

Run the configure script again

Successful output of the configure script run is shown below. It shows that, required files of PCSC is found by the script.

Configure successful

Run the ./make & ./make install commands to complete the installation of CCID drivers.

make and make install

Copy the udev rules for the smart card readers in the /etc/udev/rules directory as shown below.

Copy udev rules

Copying 92_pcscd_ccid.rules file in the /etc/udev/rules directory.

copy 92_pcscd_ccid.rules file

Following screenshot shows the OpenSC tool in the /usr/src/cache directory.

OpenSC Tool

Run configure script to check the dependencies of the package.

Run configure script

The output of configure script is shown in following snapshots.

Configure output 1

Configure output 2

Run the ./make and ./make install commands for the OpenSC installation in the test environment.

OpenSC make and make install run.

Following screenshot shows that the OpenSC tool has been successfully installed in the test shell of IPFire.

OpenSC installed successfully

After installation of the required tools in the LFS shell of IPFire, the next step is to build the addon in the IPFire package manager format (pakfire).

Compilation of IPFire addon's

The detailed procedure regarding addon building for an IPFire environment is already given in the "Building PSAD addon" section of the previous article.

  • A compilation script also known as lfs script is created in the lfs directory of IPFire setup.
  • Changes for new addons have to be done in the make.sh script.  

The LFS script is created for the pcsc-lite-1.8.18 , ccid-1.4.24, and opensc-0.16.0 packages. Download all lfs scripts for the packages and place them inside the lfs directory of ipfire-2.x.

Dwnload LFS scripts

LFS scripts for the above addon's are shown below.

pcsc-lite

pcsc-lite

ccid

ccid

opensc

OpenSC

The changes in the build script (make.sh) file are shown below.

make.sh changes

Run the following commands to build the packages.

ipfiremake pcsc-lite

ipfiremake ccid

ipfiremake opensc

It is required to run following command two times for the compilation of the new addons. 

./make.sh build

run make build

The following screenshot shows that the lfs scripts of new addons are compiled without an error.

Compilation of the scripts succeeded.

The following screenshot shows the output of first build command. The rootfiles for all three packages are not found during this build process.

rootfiles not found

Three rootfiles for the new addon's are inside the log directory with the same package/file name as shown below.

rootfiles are in the log directory

The following screenshot shows that the rootfiles of new addons are copied into the config/rootfiles/packages path.  Change the name of the copied rootfiles to match the lfs name of the new addon. (placed in the lfs directory)

cp log/pcsc-lite-1.8.18 config/rootfiles/packages/pcsc-lite

cp log/ccid-1.4.24 config/rootfiles/packages/ccid

cp log/opensc-0.16.0 config/rootfiles/packages/opensc

copying root files

The rootfiles of new addons contain a "+" sign which must be removed before running the build command.

pcsc-lite root file

pcsc-lite root file

ccid rootfile

ccid rootfile

opensc rootfile

opensc rootfile

Use the following sed command to remove the  "+" sign from the rootfiles of the new packages.

sed -i 's/+//g' config/rootfiles/packages/pcsc-lite

sed -i 's/+//g' config/rootfiles/packages/ccid

sed -i 's/+//g' config/rootfiles/packages/opensc

Following screenshot shows that plus sign has been removed from the rootfiles.

Plus sign removed from rootfiles

PakFire is the package management system for IPFire which is used by the install, uninstall and update routines in the new addons.

Create directories (same as lfs of the packages) for all new addon's inside the src/paks path and copy install.sh, uninstall.sh an update.sh scripts from src/paks/default/ into the src/paks/pcsc-lite , src/paks/ccid,src/paks/opensc .

Copy installer scripts

Run the build command again to complete the build process.

./make.sh build

This time, ignore the rootfiles missing message for all new addon's because we have already updated rootfiles  in the config directory.

ignore missing rootfiles message

Finally, the following screenshot shows that the new addon's (pcsc-lite-1.8.18-2.ipfire, ccid-1.4.24-2.ipfire , opensc-0.16.0-2.ipfire) have been created inside the packages directory.

Package building completed

Installation of pakfire packages

As shown below, the compiled packages are copied to the already installed IPFire system inside the /opt/pakfire/tmp directory.

copy packages to live system

Following screenshot shows that packages are copied on IPFire system.

packages copied

New addons are  extracted by using the following command for installation on IPFire.

 tar -xvf pcsc-lite-1.8.18-2.ipfire

unpack addon's

 tar -xvf ccid-1.4.24-2.ipfire

unpack ccid

 tar -xvf opensc-0.16.0-2.ipfire

unpack ccid

Installation of the new addon's is shown in the following screenshot using ./install.sh script.

Install packages

Successful installation of pcsc-lite is shown in the following snapshot.

pcsc-lite installed successfully

The following figure shows the installation of CCID smart card drivers.

Install smartcard drivers

As shown below, the openSC tool is finally installed for the management of smart cards on IPFire system.

OpenSC tool installed

In this tutorial, new addon's are build in the development system of IPFire. These new addons are used to integrate smartcards and their readers with open source IPFire project.

Share this page:

1 Comment(s)

Add comment

Comments

From: bonbonboi at: 2016-09-27 07:31:16

 Why to use OpenCC with IPFire?