TL;DR — go to the Howto section to make WatchData PROXKey work with emSigner in GNU/Linux system.
Introduction
Hardware tokens with digital signature are used for filing various financial documents in Govt of India portals. The major tokens supported by eMudhra are WatchData ProxKey, ePass 2003, Aladdin, Safenet, TrustKey etc. Many of these hardware tokens come (in CDROM image mode) with drivers and utilities to manage the signatures, unfortunately only in Windows platform.
Failed attempts
Sometime in 2017, I tried to make these tokens work for signing GST returns under GNU/Linux, using the de-facto `pcsc` tool. I got a WatchData PROXKey, which doesn't work out-of-the-box with `pcsc`. Digging further brings up this report, and it seems the driver is a spinoff of upstream (LGPL licensed), but no source code is made available, so there is no hope of using these hardware tokens with upstream tools. The only option, unfortunately, is depending on vendor provided drivers. There are some instructions by a retailer to get this working under Ubuntu.
Once you download and install that driver (`ProxKey_Redhat.rpm`), it does a few things: it installs a separate `pcsc` daemon named `pcscd_wd`, the driver CCID bundles and certain supporting binaries/libraries. (The drawback of such custom driver implementations is that different drivers clash with each other, as each one provides a different `pcscd_wd` binary and their installation scripts silently overwrite existing files!) To avoid any clashes with this `pcscd_wd` daemon, disable the standard `pcscd` daemon by `systemctl stop pcscd.service`.
Plug in the USB hardware token and, to my dismay, observe that it spews the following error messages in `journalctl`:
Oct 06 09:16:51 athena pcscd_wd[2408]: ifdhandler.c:134:IFDHCreateChannelByName() failed
Oct 06 09:16:51 athena pcscd_wd[2408]: readerfactory.c:1043:RFInitializeReader() Open Port 0x200001 Failed (usb:163c/0417:libhal:/org/freedesktop/Hal/devices/usb_device_163c_0417_serialnotneeded_if1)
Oct 06 09:16:51 athena pcscd_wd[2408]: readerfactory.c:335:RFAddReader() WD CCID UTL init failed.
This prompted me to try different drivers, mostly from the eMudhra repository, including `eMudhra Watchdata`, `Trust Key` and even `ePass` (there were no *New* drivers at this time); none of them seemed to work. Many references were towards Ubuntu, so I tried various Ubuntu versions from 14.04 to 18.10; they didn't yield a different result either. At this point, I put the endeavour on the back burner.
A renewed interest
Around 2019 September, KITE announced that they will start supporting government officials using digital signatures under GNU/Linux, as most of Kerala government offices now run on libre software. KITE have made the necessary drivers, signing tools and manuals available.
I tried this in a (recommended) Ubuntu 18.04 system, but the `pcscd_wd` errors persisted and the `NICDSign` tool couldn't recognize the PROXKey digital token. Still, their installation methods gave me a better idea of how these drivers are supposed to work with the signing middleware.
A couple of days ago, with a better understanding of how these drivers work, I thought that these should also work in a Fedora 30 system (which is my main OS), so I set out for another attempt.
How to
- Remove all the `wdtokentool-proxkey`, `wdtokentool-trustkey`, `wdtokentool-eMudhra`, `ProxKey_Redhat` and such drivers, if installed, to start from a clean slate.
- Download the `WatchData ProxKey (Linux) *New*` driver from eMudhra.
- Unzip and install the `wdtokentool-ProxKey-1.1.1` RPM/DEB package. Note that this package installs the `TRUSTKEY` driver (`/usr/lib/WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so`), not the `ProxKey` driver (`/usr/lib/WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so`), and it seems the ProxKey token only works with the `TRUSTKEY` driver! Update: the `libwdpkcs_SignatureP11.so` library works fine for ProxKey; it is the `emSigner` binary that doesn't look for it.
- To make `emSigner` work, symlink to one of the libraries it checks for (ensure the target directory doesn't already exist because you installed another driver): `mkdir -p /usr/lib/WatchData/TRUSTKEY/lib/; ln -s /usr/lib/WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so /usr/lib/WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so`
- Start `pcscd_wd.service` by `systemctl start pcscd_wd.service` (only if not auto-started).
- Plug in your PROXKey token. (`journalctl -f` would still show the error message, but, lesson learned, this error can be safely ignored!)
- Download `emsigner` from the GST website and unzip it into your `~/Documents` or another directory (say `~/Documents/emSigner`).
- Ensure port `1585` is open in the firewall settings: `firewall-cmd --add-port=1585/tcp --zone=FedoraWorkstation` (adjust the firewall zone if necessary). Repeat the same command with `--permanent` added to make this change effective across reboots.
- Go to `~/Documents/emSigner` in a shell and run `./startserver.sh` (make sure to `chmod 0755 startserver.sh`, or double-click on this script from a file browser). Note that you'd need `openjdk-1.8` or Oracle Java due to the `windowslookandfeel` component.
- Login to the GST portal and try to file your return with DSC.
- If you get the error `Failed to establish connection to the server. Kindly restart the Emsigner` when trying to sign, open another tab in the browser window, go to `https://127.0.0.1:1585` and try signing again (don't use `localhost`, as it would cause a self-signed certificate mismatch).
- You should be prompted for the digital signature PIN and signing should succeed.
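The symlink step is the one that goes wrong when a second WatchData package has already dropped a real `libwdpkcs_TRUSTKEY.so` in place, which the post warns about but the one-liner above does not check. The following POSIX shell script is an added example, not code from the original post or from any WatchData or eMudhra package: `link_trustkey_driver` performs the symlink only when the target is absent, refuses to overwrite a regular file or a symlink pointing elsewhere, and `driver_status` reports which of the three library paths mentioned on this page exist. The filesystem root is a parameter (defaulting to `/`) so both functions can be tried against a scratch tree first; the function names, exit codes and report format are my own choices.

```shell
#!/bin/sh
# Added example (not part of the original post): guarded version of the
# "symlink the ProxKey library to the TRUSTKEY path" step, plus a status
# report of the WatchData PKCS#11 libraries named on this page.

# Library paths relative to the root, as given in the post and its comments.
PROXKEY_REL="usr/lib/WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so"
TRUSTKEY_REL="usr/lib/WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so"
EMUDHRA_REL="usr/lib/WatchData/eMudhra_3.4.3/lib/libwdpkcs_eMudhra_343.so"

# Normalise a root argument: "/" or empty -> "", "/mnt/x/" -> "/mnt/x".
_root() { r="${1:-}"; printf '%s' "${r%/}"; }

# driver_status [ROOT]: one line per known library path, telling whether it
# is absent, a regular file (owned by some driver package) or a symlink.
driver_status() {
    root="$(_root "$1")"
    for rel in "$PROXKEY_REL" "$TRUSTKEY_REL" "$EMUDHRA_REL"; do
        p="$root/$rel"
        if [ -L "$p" ]; then kind="symlink -> $(readlink "$p")"
        elif [ -f "$p" ]; then kind="regular file"
        else kind="absent"
        fi
        echo "/$rel: $kind"
    done
}

# link_trustkey_driver [ROOT]: create the symlink emSigner needs.
# Exit status: 0 linked (or already correctly linked),
#              1 the ProxKey library is missing (driver not installed),
#              2 the TRUSTKEY path is already taken by something else.
link_trustkey_driver() {
    root="$(_root "$1")"
    src="$root/$PROXKEY_REL"
    dst="$root/$TRUSTKEY_REL"
    if [ ! -f "$src" ]; then
        echo "missing $src: install the wdtokentool-ProxKey package first" >&2
        return 1
    fi
    if [ -L "$dst" ]; then
        if [ "$(readlink "$dst")" = "$src" ]; then
            echo "already linked: $dst -> $src"
            return 0
        fi
        echo "clash: $dst already points to $(readlink "$dst")" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        # A real file here means another WatchData package installed its own
        # TRUSTKEY driver; do not silently overwrite it like the vendor
        # scripts do.
        echo "clash: $dst is a regular file owned by another driver" >&2
        return 2
    fi
    mkdir -p "$(dirname "$dst")" && ln -s "$src" "$dst" \
        && echo "linked: $dst -> $src"
}

# Usage when saved as proxkey-link.sh and run as root:
#   sh proxkey-link.sh            # links under /
#   sh proxkey-link.sh /mnt/test  # dry run against a scratch tree
case "${0##*/}" in
    proxkey-link.sh) driver_status "${1:-/}"; link_trustkey_driver "${1:-/}" ;;
esac
```

Run `driver_status /` before and after installing any vendor package: a `regular file` at the TRUSTKEY path after installing the *New* ProxKey driver means a previous driver was not fully removed in the first step.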
It is possible to use this digital token also in Firefox (via Preferences → Privacy & Security → Certificates → Security Devices → Load, with Module filename as `/usr/lib/WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so`) as long as the key is plugged in. Here again, you can skip the error message `unable to load the module`. Update: this error message is caused by a permission issue with the `pkcs11.txt` file in the Firefox profile directory; change that file's owner to your user.
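Firefox records loaded security modules in the profile's `pkcs11.txt`, so the `unable to load the module` message appears whenever it cannot update that file. The POSIX shell functions below are an added example, not part of the original post or of Firefox: `check_pkcs11_txt` walks every profile under a profiles root (defaulting to `~/.mozilla/firefox`) and flags a `pkcs11.txt` that is not owned by the current user or whose owner permission bits lack write access, and `fix_pkcs11_txt` applies the post's remedy (chown to your user) and restores the owner write bit. Checking the mode bits in addition to ownership is my own generalisation of the post's ownership fix; the profiles-root parameter exists so the check can be run against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): detect and repair a
# pkcs11.txt in Firefox profiles that the current user cannot write.

# _mode FILE: last three octal digits of the mode (GNU stat, BSD fallback).
_mode() {
    m="$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")"
    tail="${m%???}"
    printf '%s' "${m#$tail}"
}

# _owner FILE: owning user name (GNU stat, BSD fallback).
_owner() { stat -c %U "$1" 2>/dev/null || stat -f %Su "$1"; }

# check_pkcs11_txt [PROFILES_ROOT]
# Prints one line per profile; returns 0 if every pkcs11.txt is owned by the
# current user with the owner write bit set, 1 if any needs fixing.
check_pkcs11_txt() {
    root="${1:-$HOME/.mozilla/firefox}"
    me="$(id -un)"
    bad=0
    for f in "$root"/*/pkcs11.txt; do
        [ -e "$f" ] || continue          # glob did not match anything
        owner="$(_owner "$f")"
        mode="$(_mode "$f")"
        ownerbits="${mode%??}"           # first of the three digits
        if [ "$owner" != "$me" ]; then
            echo "FIX: $f is owned by $owner, not $me"; bad=1
        elif [ $(( ownerbits & 2 )) -eq 0 ]; then
            echo "FIX: $f mode $mode has no owner write bit"; bad=1
        else
            echo "ok:  $f"
        fi
    done
    return $bad
}

# fix_pkcs11_txt [PROFILES_ROOT]
# Apply the remedy from the post: make the file ours, and make it writable.
# chown falls back to sudo only when the file belongs to another user.
fix_pkcs11_txt() {
    root="${1:-$HOME/.mozilla/firefox}"
    me="$(id -un)"
    for f in "$root"/*/pkcs11.txt; do
        [ -e "$f" ] || continue
        chown "$me" "$f" 2>/dev/null || sudo chown "$me" "$f"
        chmod u+w "$f"
    done
}

# Usage when saved as firefox-pkcs11-perms.sh:
#   sh firefox-pkcs11-perms.sh          # report only
#   sh firefox-pkcs11-perms.sh --fix    # report, repair, report again
case "${0##*/}" in
    firefox-pkcs11-perms.sh)
        check_pkcs11_txt || { [ "${1:-}" = "--fix" ] && fix_pkcs11_txt && check_pkcs11_txt; } ;;
esac
```

A typical cause of the wrong owner is having launched Firefox once via `sudo`, which creates or rewrites profile files as root; after the fix, reload the module from the Security Devices dialog rather than restarting the browser.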
11 responses to “WatchData PROXKey digital signature using emSigner in Fedora 30”
This is a brave attempt! I have been frustrated with my USB key failing in Linux. I will try when I get time and right mindset. And will post my experience as a comment again.
Did you try with the PKCS#11 file?
I use the Moserbaer etoken. Most of the end application website signers don't support this. Those signers do not recognise the driver or middleware used by Moserbaer. But they support PKCS#11 and ask for that particular file. I point to the location of the file and I am done. Mozilla Firefox, Thunderbird, Adobe Acrobat all support PKCS#11. It is a kind of open system where you can connect with any cryptographic token supporting PKCS#11 without the drivers.
I am not a programmer. I work on windows platform. Please let me know if it was of any help.
PKCS#11 files would work fine with many applications. But, IIRC, new digital signature tokens don’t let you export the public key and private key into pkcs11 file.
I get to the point where it (emsigner?) asks for the password to the token and then fails with a popup of "unable to load the token".
I am able to sign in with the same password (pin) in the standalone proxykey application.
What could be the problem?
I have no idea; but is there a standalone proxkey application available for Linux?
Yes, wdtokentool-proxykey installation results in the installation of two tools which can be used to access the certificate inside the key; check https://knowledge.cryptoplanet.in/article/token-driver-installation-ubantu-os/
BTW: the error above was due to a missing '/usr/lib/WatchData/eMudhra_3.4.3/lib/libwdpkcs_eMudhra_343.so' file; the file was in the old driver from emudhra's website 😦
Now I am stuck at “Failed for Watchdata check in Linux – java.security.KeyStoreException: PKCS11 not found” error with no indication of whether it is an emsigner library, watchdata library, standard linux library or something else
As mentioned, none of these drivers worked for me, except the TRUSTKEY mentioned in the post. But, if you debug further and look for missing library files; I think you may be able to narrow it down.
In step 4, you mentioned to start pcscd_wd.service. Where is this pcscd_wd.service located? Similarly, can you please tell where journalctl is located?
I have updated the post (step 4), which should probably fix the emSigner issue.
[…] This blog post written a couple of years ago about using hardware token in GNU/Linux is still actively referred by many users. Trying to make the hardware token work with Okular gave me some more insights. With all the other prerequisites (token driver installation etc.) in place, follow these steps to get everything working nicely. […]