Using Qualified Certificates on Nokia N900

Introduction

Nokia N900

Several months ago I decided that I wanted to replace my ageing Symbian-platform Nokia phone with something newer. I came across a bargain for a Nokia N900. The N900 has a QWERTY keyboard and runs Maemo, a Linux-based OS. It has great integration with different instant messengers like Skype, GTalk, etc. The phone has 32 GB of storage, USB host and a fully customizable UI. When I chose this phone I reasoned that I could easily customize its software, if the need arose, because it’s Linux-based. It’s a great phone, though it’s old (2009 model).

Qualified Digital Certificates

Digital certificates are the electronic equivalent of an ID card. They are issued by certification authorities and contain identification information about the holder, including the person’s public key, along with the authority’s digital signature, so that the recipient can verify the authenticity of the certificate.

The term qualified certificate is defined in a European Directive. Qualified digital certificates are used in conjunction with secure signature-creation devices (cryptographic tokens) to create qualified electronic signatures. According to EU legislation, qualified electronic signatures are equivalent to handwritten signatures.

I have a qualified digital certificate, issued on a Siemens CardOS card, and an ACS ACR reader. Most of the time I have access to a PC, but I decided that since the N900 is running Linux it would be great if I could use my qualified certificate on my phone.

The reader connected to the phone.

Requirements

By default the USB host of Nokia N900 is disabled. In order to enable it you need:

For the cryptographic hardware you need:

  • USB driver for the smart card reader;
  • PCSC Lite resource manager daemon to provide a Windows SCard interface for communicating with smart cards and readers;
  • Middleware for the smart card.

The ACS ACR reader I’m using is CCID compatible. It works with the generic USB CCID driver for Linux. Please check here if your reader is supported.

The Siemens CardOS cards are supported by OpenSC. OpenSC implements the PKCS#11 API, and applications supporting this API (like Mozilla Firefox) can use it. Check here if your smart card is supported.

Packages

Binary Packages

I’ve built the required tools and libraries. They are based on Debian Stable (“squeeze”). If your smart card and reader are supported by OpenSC and libccid, you can download and install the packages (using “dpkg -i”) below:

Please note that the packages need to be installed in the correct order.

The pcsc daemon does not start automatically, so you will have to start it manually:

pcscd

Screenshots of the running OpenSC with the reader, connected to the phone:

The reader is recognized.

The reader is recognized by the driver.

Certificates listing

Listing of the certificates on my card.

Building from Source

If you would like to build the packages yourself, you will need the Maemo 5 SDK.

The toolchain of the SDK is getting old and I wasn’t able to build the deb packages for the up-to-date versions of the libraries and tools. I used the versions from Debian Stable instead:

Usage

Having a working smart card and reader is good, but not enough. I want to be able to use my digital certificate with some actual applications. For example, the certificate can be used for authentication against certain Web sites (like online banking, epay.bg, etc.).

Nokia N900 comes with MicroB, a Mozilla-based browser for Maemo. I also have Firefox for mobile (codenamed fennec) installed. They both use NSS, a set of cryptographic software libraries for client and server security, developed by Mozilla. In order to use your digital certificate you need to configure NSS. The NSS database files (*.db) are located in:

  • /home/user/.mozilla/microb folder for MicroB;
  • /home/user/.mozilla/fennec/youprofile.default folder for Firefox.

In order to configure NSS you need to do two things:

  • Add the OpenSC PKCS#11 module to NSS;
  • Add the certificate chain of the issuer of your certificate.

The NSS tools are not available for Maemo, so you need to edit the configuration database files on your PC. Install the NSS security tools for your OS and copy the NSS database files (*.db) from your phone. The samples below assume that the database files are stored in /tmp/nssdb.

Registering the OpenSC’s PKCS#11 module

modutil -dbdir /tmp/nssdb -add "OpenSC" -libfile /usr/lib/onepin-opensc-pkcs11.so -mechanisms FRIENDLY

Adding the certificate chain of your CA

For InfoNotary CA, please download the following certificates:

For other CAs, please visit the Web page of the particular CA.

Add the certificate chain to the database:

certutil -d /tmp/nssdb -A -t "CT,C,C" -n "InfoNotary CSP Root" -i in-csp-root.cer
certutil -d /tmp/nssdb -A -t ",," -n "i-Notary Q Sign CA" -i qs-ca.cer
certutil -d /tmp/nssdb -A -t ",," -n "i-Notary Company Q Sign CA" -i cqs-ca.cer
certutil -d /tmp/nssdb -A -t ",," -n "i-Notary Personal Q Sign CA" -i pqs-ca.cer
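
The commands above give CA trust only to the root ("CT,C,C") and none to the intermediates (",,"). The script below is an added example, not part of the original post: it parses the listing printed by certutil -L -d /tmp/nssdb and reports any certificate other than the expected root that carries C or T trust. The embedded listing is constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit the trust flags shown by
# `certutil -L -d /tmp/nssdb` before the *.db files go back to the phone.

# Constructed sample of `certutil -L` output; the last intermediate was
# deliberately given "C,," to show what the audit catches.
sample_listing() {
    cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

InfoNotary CSP Root                                          CT,C,C
i-Notary Q Sign CA                                           ,,
i-Notary Company Q Sign CA                                   ,,
i-Notary Personal Q Sign CA                                  C,,
EOF
}

# Emit "nickname<TAB>flags" for every certificate row read from stdin.
list_trust() {
    awk '
        # A data row ends in three comma-separated flag fields: "CT,C,C" or ",,".
        match($0, /[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/) {
            nick = substr($0, 1, RSTART - 1)
            flags = substr($0, RSTART)
            gsub(/[ \t]/, "", flags)
            print nick "\t" flags
        }'
}

# Print every nickname that carries CA trust (C or T) other than the root in $1.
unexpected_anchors() {
    list_trust | awk -F '\t' -v root="$1" '$2 ~ /[CT]/ && $1 != root { print $1 }'
}

# Succeed only if the root in $1 is present with the flags used on this page.
root_ok() {
    list_trust | awk -F '\t' -v root="$1" \
        '$1 == root && $2 == "CT,C,C" { ok = 1 } END { exit !ok }'
}

ROOT="InfoNotary CSP Root"
sample_listing | root_ok "$ROOT" && echo "root trust OK"
echo "unexpected trust anchors:"
sample_listing | unexpected_anchors "$ROOT"
```

Against a real database, replace sample_listing with certutil -L -d /tmp/nssdb in the two pipelines.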

Copy the files back to your phone.

That’s all you need to test your hardware.

Firefox for mobile 14+ works fine with my qualified digital certificate:

Firefox prompting for smart card PIN

Certificate selection

SSL client authentication succeeded


One response to “Using Qualified Certificates on Nokia N900”

  1. livelace says:

    Great.
