on 21-08-2016 10:59 AM
PEXA signing should work with Linux operating system variants. We shouldn't be third-line forced into buying Windows or Mac licenses to use PEXA.
22-08-2016 02:00 PM - edited 22-08-2016 02:04 PM
As you may already be aware, PEXA is designed to work in a standard operating environment, details of which may be found here.
Having said that, personally, I would be interested to understand the issue. Are you able to elaborate on the distribution of Linux you are using, its version, what browser etc.? Also, what errors have you been getting?
on 22-08-2016 03:33 PM
"Standard operating environment" kind of defeats the purpose of browser-based / cloud transacting. So far I have managed to get the smart card working on Firefox on Ubuntu up to signing (but without being able to successfully sign) as follows:
1. downloaded "scmccid_linux_64bit_driver_V5.0.21.tar.gz" from http://support.identive-group.com/download_scm/download_scm.php
2. unpacked the tarball and followed the readme steps located in "path/to/scmccid_5.0.21_linux/ReadmeFirst.txt"
3. Step 1 of the readme says "Step 1: Install pcsclite". I installed the following packages following this article: sudo apt-get install libpcsclite1 pcscd pcsc-tools
4. Step 2 of the readme says you need the libusb library: sudo apt-get install libusb-1.0-0-dev
5. Step 3 of the readme says to run the install script. I have done that: cd path/to/scmccid_5.0.21_linux && sudo chmod +x install.sh && sudo ./install.sh
6. Step 4 of the readme is optional. I did not make any changes.
7. Step 5 of the readme is "Restart the pcsclite daemon.": sudo service pcscd restart
8. running the command pcsc_scan with the card connected returns that the Card is inserted and various other details - i.e. the card is communicating with the OS
9. next install opensc: sudo apt-get install opensc
10. when I run pkcs15-tool -c I can see that the card has a certificate for digital signature
11. when I run pkcs15-tool --list-public-keys I can see that the card has a public key
12. when I run pkcs15-tool --keys I can see that the card has a private key
13. when I run pkcs15-tool --D I can see that there are various other objects on the card
14. at this point it looks as if the card has everything preloaded and that the Charismathics proprietary software is at the user end only a means of setting up the right drivers and in case the user wants to change their pin (although at PEXA's end they have used it to create the key pairs and set the PIN)? And for Windows to store the certificate to make it available to the browser?
15. to make the certificate available in Firefox I followed this guide as it relates to *nix operating systems with some modifications, namely, my "opensc-pkcs11.so" file was located under "usr/lib/x86_64-linux-gnu"
16. in the Device Manager menu within "about:preferences#advanced" of Firefox I can select a device named "PIV_II (PIV Card Holder pin)" and log in using PEXA Digital Certificate PIN:
17. in the Certificate Manager menu within "about:preferences#advanced" of Firefox I can select and view my certificate.
18. testing at https://www.pexa.com.au/setup/signingreadiness.html still gives me a null result:
19. When I go to sign in a workspace the Java console gives me the following:
Unsupported OS [Linux]
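The layers set up in steps 1 to 17 above (PC/SC tools, OpenSC, the objects on the card, the PKCS#11 module the browser loads) can be checked in order to see which one is missing. This is an added example, not part of the original post: the function names, the `PCSC_SCAN` and `PKCS15_TOOL` override variables and the `/usr/lib64` and `/usr/lib` directories are assumptions, and it uses the long-form `pkcs15-tool` listing options.

```shell
#!/bin/sh
# Added example: name the first layer of the smart-card stack that is not
# working, in the order the post sets it up. Usage: ./check-card.sh run

MODULE_NAME="opensc-pkcs11.so"
# The first directory is the one named in the post; the other two are
# assumed locations on other distributions.
MODULE_DIRS="${MODULE_DIRS:-/usr/lib/x86_64-linux-gnu /usr/lib64 /usr/lib}"
# Tool names can be overridden (assumption, used for testing with stubs).
PCSC_SCAN="${PCSC_SCAN:-pcsc_scan}"
PKCS15_TOOL="${PKCS15_TOOL:-pkcs15-tool}"

# Print the path of the OpenSC PKCS#11 module found in the given directories.
find_pkcs11_module() {
    for fpm_dir in "$@"; do
        if [ -f "$fpm_dir/$MODULE_NAME" ]; then
            printf '%s\n' "$fpm_dir/$MODULE_NAME"
            return 0
        fi
    done
    return 1
}

# Print "ok", or the name of the first failing layer and return non-zero.
first_failing_layer() {
    command -v "$PCSC_SCAN" >/dev/null 2>&1 || { echo "pcsc-tools-missing"; return 1; }
    command -v "$PKCS15_TOOL" >/dev/null 2>&1 || { echo "opensc-missing"; return 1; }
    # Certificate, public key and private key listings must each succeed
    # and return at least one object.
    for ffl_check in --list-certificates --list-public-keys --list-keys; do
        if ! ffl_out=$("$PKCS15_TOOL" "$ffl_check" 2>/dev/null) || [ -z "$ffl_out" ]; then
            echo "card${ffl_check#--list}"    # e.g. card-certificates
            return 1
        fi
    done
    # MODULE_DIRS is split on whitespace on purpose.
    find_pkcs11_module $MODULE_DIRS >/dev/null || { echo "pkcs11-module-missing"; return 1; }
    echo "ok"
}

if [ "${1:-}" = "run" ]; then
    first_failing_layer
fi
```

A result of `ok` only shows that the card and the PKCS#11 module are usable from the operating system; it says nothing about the OS check inside the signing applet reported in step 19.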
on 23-08-2016 09:32 AM
Thanks for the comprehensive information. Leave it with me and I will have a poke around to see what I can find. May take me a couple of days.
on 23-08-2016 02:23 PM
The limitation you have hit is because of the restriction that has been forced in to the JAVA Digital Signing Applet (which is driven by the SOE). I am amazed by the details provided by you to get the setup ready. There is no reason why we can't benefit from your hard work here (with due acknowledgement to you) to set up and test in our labs and eventually open it up for *nix based OS.
May I ask if you are blocked by this or do you have an alternative operating system that you can use to sign in PEXA?
on 06-09-2016 06:12 PM
Reading your post motivated me to dig a bit deeper into the Digital Signing Applet code. So I got into a bit of hack mode to find how difficult it would be to get the signing working for Linux OS. There were a few discoveries that I will share with you. PEXA Digital Signing Applet has a few hard checks built in i.e. what OS and which Browser and based on the previously mentioned Standard Operating Environment, I was able to confirm the behavior as experienced by you. However being privileged to meddle with the code and support from your detailed instructions, I was able to write some code to go down the path of searching the certificates using PKCS11 keystore. I was able to load the certificates from a USB token into the Firefox and get the Test Applet to find it. Yay!
However, the attempt to sign failed.
The error is typical and I think I can get to the bottom of it given more time and caffeine.
I am running all this on my desktop at the moment and am still a few steps away before I speak to delivery teams for taking this further. Based on my discovery so far I am thinking that we may be able to resolve this issue and make it available to users like yourself to try out. But to make it simple and user friendly we will need to work a bit more on this. I will initiate discussions with the techies here at PEXA to get this onto the Digital Signing road map. I will also be in touch as we progress further.