WatchData PROXKey digital signature using emSigner in Fedora 30

TL;DR — go to the How to section to make WatchData PROXKey work with emSigner on a GNU/Linux system.

Introduction

Hardware tokens with digital signatures are used for filing various financial documents on Government of India portals. The major tokens supported by eMudhra are WatchData ProxKey, ePass 2003, Aladdin, Safenet, TrustKey etc. Many of these hardware tokens come (in CDROM image mode) with drivers and utilities to manage the signatures, unfortunately only for the Windows platform.

Failed attempts

Sometime in 2017, I tried to make these tokens work for signing GST returns under GNU/Linux, using the de-facto pcsc tool. I got a WatchData PROXKey, which doesn’t work out-of-the-box with pcsc. Digging further brought up this report, and it seems the driver is a spinoff of upstream (LGPL licensed), but no source code is made available, so there is no hope of using these hardware tokens with upstream tools. The only option is, unfortunately, depending on vendor-provided drivers. There are some instructions by a retailer to get this working under Ubuntu.

Once you download and install that driver (ProxKey_Redhat.rpm), it does a few things — it installs a separate pcsc daemon named pcscd_wd, the driver CCID bundles and certain supporting binaries/libraries. (The drawback of such custom driver implementations is that different drivers clash with each other, as each one provides a different pcscd_wd binary and their installation scripts silently overwrite existing files!) To avoid any clashes with this pcscd_wd daemon, disable the standard pcscd daemon with systemctl stop pcscd.service.

Plug in the USB hardware token and, to my dismay, observe that it spews the following error messages in journalctl:

Oct 06 09:16:51 athena pcscd_wd[2408]: ifdhandler.c:134:IFDHCreateChannelByName() failed
Oct 06 09:16:51 athena pcscd_wd[2408]: readerfactory.c:1043:RFInitializeReader() Open Port 0x200001 Failed (usb:163c/0417:libhal:/org/freedesktop/Hal/devices/usb_device_163c_0417_serialnotneeded_if1)
Oct 06 09:16:51 athena pcscd_wd[2408]: readerfactory.c:335:RFAddReader() WD CCID UTL init failed.

This prompted me to try different drivers, mostly from the eMudhra repository — including eMudhra Watchdata, Trust Key and even ePass (there were no *New* drivers at this time) — but none of them seemed to work. Many references were towards Ubuntu, so I tried various Ubuntu versions from 14.04 to 18.10; they didn’t yield a different result either. At this point, I put the endeavour on the back burner.

A renewed interest

Around September 2019, KITE announced that they would start supporting government officials using digital signatures under GNU/Linux, as most Kerala government offices now run on libre software. KITE have made the necessary drivers, signing tools and manuals available.

I tried this on a (recommended) Ubuntu 18.04 system, but the pcscd_wd errors persisted and the NICDSign tool couldn’t recognize the PROXKey digital token. However, their installation methods gave me a better idea of how these drivers are supposed to work with the signing middleware.

A couple of days ago, with a better understanding of how these drivers work, I thought that they should also work on a Fedora 30 system (which is my main OS), so I set out for another attempt.

How to

  1. Remove all the wdtokentool-proxkey, wdtokentool-trustkey, wdtokentool-eMudhra, ProxKey_Redhat and similar drivers, if installed, to start from a clean slate.
  2. Download the WatchData ProxKey (Linux) *New* driver from eMudhra.
  3. Unzip and install the wdtokentool-ProxKey-1.1.1 RPM/DEB package. Note that this package installs the TRUSTKEY driver (/usr/lib/WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so), not the ProxKey driver (/usr/lib/WatchData/ProxKey/lib/libwdpkcs_SignatureP11.so), and it seems the ProxKey token only works with the TRUSTKEY driver!
  4. Start pcscd_wd.service with systemctl start pcscd_wd.service (only if it is not auto-started).
  5. Plug in your PROXKey token. (journalctl -f would still show the error message, but — lesson learned — this error can be safely ignored!)
  6. Download emSigner from the GST website and unzip it into ~/Documents or another directory (say ~/Documents/emSigner).
  7. Ensure port 1585 is open in the firewall settings: firewall-cmd --add-port=1585/tcp --zone=FedoraWorkstation (adjust the firewall zone if necessary). Repeat the same command with --permanent added to make this change persist across reboots.
  8. Go to ~/Documents/emSigner in a shell and run ./startserver.sh (make sure to chmod 0755 startserver.sh first, or double-click this script from a file browser).
  9. Log in to the GST portal and try to file your return with DSC.
  10. If you get the error Failed to establish connection to the server. Kindly restart the Emsigner when trying to sign, open another tab in the browser window, go to https://localhost:1585 and try signing again.
  11. You should be prompted for the digital signature PIN, and signing should succeed.

It is also possible to use this digital token in Firefox (via Preferences → Privacy & Security → Certificates → Security Devices → Load, with Module filename set to /usr/lib/WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so) as long as the key is plugged in. Here again, you can ignore the error message ‘unable to load the module’.


Switching Raspbian to Pixel desktop

Official Raspbian images based on Debian Stretch have the Pixel desktop environment by default and will log new users into it. But if you have had a Raspbian installation with another DE (such as LXDE), here are the steps to install and log in to the Pixel desktop.

# the first three commands need root; the last one edits the login user's own ~/.dmrc
apt-get install raspberrypi-ui-mods
sed -i 's/^autologin-user=pi/#autologin-user=pi/' /etc/lightdm/lightdm.conf
update-alternatives --set x-session-manager /usr/bin/startlxde-pi
# ${USER} expands to the bare login name, so the home directory must be prefixed
sed -i 's/^Session=.*/Session=lightdm-xsession/' /home/${USER}/.dmrc

Make sure the user’s ‘.dmrc’ file is updated with the new session (lightdm-xsession, which in turn runs the startlxde-pi session manager selected above), as that is where the lightdm login manager looks to decide which desktop should be launched.

Convert iPhone contacts to vCard

On a recent troubleshooting attempt, I lost all the contacts on my Android phone. It had also received a recent update which took away the option to import contacts from another phone via bluetooth. I still had some contacts in the old iPhone, but now that mass transfer via bluetooth is gone, it was a question of manually sending each contact in vCard format to the Android phone. That meant I should probably find a less dreadful way to get the contacts back.

Here is one way to extract contacts en masse from an iPhone into the popular vCard format. The contact and address details in iOS are stored by the AddressBook application in a file named ‘AddressBook.sqlitedb’, which is an SQLite database. The idea is to open this database using sqlite, extract the details from a couple of tables and convert the entries into vCard format.

Disclaimer: the iPhone is an old 3GS running iOS 6 and it is jailbroken. If you attempt this, your mileage may vary. The required tools/software are usbmuxd (especially libusbmuxd-utils) and sqlite, with the prerequisite that an openssh server is running on the jailbroken iPhone.

  1. Connect the iPhone via USB cable to the Linux machine. Run iproxy 2222 22 to forward a local port to the openssh server running on the jailbroken phone. iproxy comes with the libusbmuxd-utils package.
  2. Copy the addressbook sqlite database from the phone:

     scp -P 2222 mobile@localhost:/var/mobile/Library/AddressBook/AddressBook.sqlitedb .

     Instead of steps 1 and 2 above, it might be possible to copy this file using the Nautilus (gvfs-afc) or Dolphin (kio_afc) file manager, although I’m not sure if the file is accessible.
  3. Extract the contact and address details from the sqlite db (based on this forum post). The columns are written to contacts.txt separated by ‘|’, in this order: prefix, first, last, organization, MobilePhone, HomePhone, HomeEmail, WorkPhone, WorkEmail, note:

     sqlite3 -cmd ".out contacts.txt" AddressBook.sqlitedb "select ABPerson.prefix, ABPerson.first, ABPerson.last, ABPerson.organization, c.value as MobilePhone, h.value as HomePhone, he.value as HomeEmail, w.value as WorkPhone, we.value as WorkEmail, ABPerson.note from ABPerson left outer join ABMultiValue c on c.record_id = ABPerson.ROWID and c.label = 1 and c.property = 3 left outer join ABMultiValue h on h.record_id = ABPerson.ROWID and h.label = 2 and h.property = 3 left outer join ABMultiValue he on he.record_id = ABPerson.ROWID and he.label = 2 and he.property = 4 left outer join ABMultiValue w on w.record_id = ABPerson.ROWID and w.label = 4 and w.property = 3 left outer join ABMultiValue we on we.record_id = ABPerson.ROWID and we.label = 4 and we.property = 4;"
  4. Convert the extracted contact details to vCard format (each $n below is the n-th column listed in step 3):

     awk -F'|' '{print "BEGIN:VCARD\nVERSION:3.0\nN:"$3";"$2";;;\nFN:"$2" "$3"\nORG:"$4"\nEMAIL;type=INTERNET;type=HOME:"$7"\nEMAIL;type=INTERNET;type=WORK;type=pref:"$9"\nTEL;type=CELL;type=pref:"$5"\nTEL;TYPE=HOME:"$6"\nTEL;TYPE=WORK:"$8"\nNOTE:"$10"\nEND:VCARD\n"}' contacts.txt > Contacts.vcf
  5. Remove the empty property lines left behind for contacts that do not have all the fields:

     sed -i '/:$/d' Contacts.vcf

Now simply transfer the Contacts.vcf file containing all the contact details to the Android phone’s storage and import the contacts from there.
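Steps 3 to 5 above, as an added Python example that is not part of the original post: it runs the same ABPerson/ABMultiValue query through Python's sqlite3 module, emits only the properties a contact actually has (so no trailing sed pass is needed), escapes commas and semicolons as vCard 3.0 requires, and ships with a constructed in-memory stand-in for AddressBook.sqlitedb holding two made-up contacts, one of them with most fields missing.

```python
import sqlite3

# Same columns, same order as the page's query: prefix, first, last, organization, MobilePhone, HomePhone, HomeEmail, WorkPhone, WorkEmail, note
QUERY = """
select p.prefix, p.first, p.last, p.organization, c.value, h.value, he.value, w.value, we.value, p.note
from ABPerson p
left outer join ABMultiValue c  on c.record_id  = p.ROWID and c.label  = 1 and c.property  = 3
left outer join ABMultiValue h  on h.record_id  = p.ROWID and h.label  = 2 and h.property  = 3
left outer join ABMultiValue he on he.record_id = p.ROWID and he.label = 2 and he.property = 4
left outer join ABMultiValue w  on w.record_id  = p.ROWID and w.label  = 4 and w.property  = 3
left outer join ABMultiValue we on we.record_id = p.ROWID and we.label = 4 and we.property = 4
order by p.ROWID
"""

def escape(text):  # vCard 3.0 text escaping (backslash, comma, semicolon, newline); NULL becomes ''
    return (text or "").replace("\\", "\\\\").replace(",", "\\,").replace(";", "\\;").replace("\n", "\\n")

def row_to_vcard(row):
    """Build one vCard 3.0 entry; optional properties whose value is NULL are simply not emitted."""
    prefix, first, last, org, mobile, home, home_mail, work, work_mail, note = row
    lines = ["BEGIN:VCARD", "VERSION:3.0",
             "N:%s;%s;;%s;" % (escape(last), escape(first), escape(prefix)),   # N:family;given;additional;prefix;suffix
             "FN:%s" % escape(" ".join(x for x in (prefix, first, last) if x))]
    optional = [("ORG:", org),
                ("EMAIL;type=INTERNET;type=HOME:", home_mail),
                ("EMAIL;type=INTERNET;type=WORK:", work_mail),
                ("TEL;type=CELL;type=pref:", mobile),
                ("TEL;type=HOME:", home),
                ("TEL;type=WORK:", work),
                ("NOTE:", note)]
    lines += [prop + escape(val) for prop, val in optional if val]
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"   # vCard lines are CRLF-terminated

def export_vcards(conn):  # conn: an open sqlite3 connection to AddressBook.sqlitedb (or the sample below)
    return "".join(row_to_vcard(row) for row in conn.execute(QUERY))

def build_sample_db():
    """Constructed stand-in for AddressBook.sqlitedb with only the columns the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table ABPerson (prefix text, first text, last text, organization text, note text);
        create table ABMultiValue (record_id integer, label integer, property integer, value text);
        insert into ABPerson values ('Dr', 'Asha', 'Nair', 'Example Org', 'Met at FOSS meetup, 2019');
        insert into ABPerson values (NULL, 'Ravi', NULL, NULL, NULL);  -- contact with most fields missing
        insert into ABMultiValue values (1, 1, 3, '+91 9000000001'), (1, 2, 3, '+91 4840000001'),
            (1, 2, 4, 'asha@home.example'), (1, 4, 3, '+91 4840000002'), (1, 4, 4, 'asha@work.example'),
            (2, 1, 3, '+91 9000000002');
    """)
    return conn
```

Against a real copy, open it with sqlite3.connect("AddressBook.sqlitedb") and write the string returned by export_vcards to Contacts.vcf with newline="" so the CRLF line endings are kept.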

Yum

Many years ago, when I first saw this thing called Linux and found that I could use it every day (in the college lab), it intrigued me so much that I spent days and nights with it, learning new things every day.

I remember this particular story – trying to get MPlayer to work on my friend’s desktop running RedHat 9. Only the college lab had an internet connection; I was downloading the RPM, found that it was too big to fit on a floppy disk, so I cut it into smaller KB-sized files, doing round trips from the lab to the hostel room, and finally stitched them together and tried to install it. Then I got into fighting the ‘dependency hell’ – MPlayer had a lot of dependencies, so I had to search for the dependencies individually on rpm.pbone.net, download all these RPMs, copy them onto the floppy and try to install them all together – of course using ‘rpm -ivh’. That would then result in a new level of dependencies, missing dozens of libxyz.so files. The end of the story is that I did manage to install MPlayer and play videos.

And then Fedora Core emerged. With it came Yum as the package manager, and I instantly found that it could resolve the dependencies for me! Ever since then, the one single command I have run most would be “yum”. Over the years it gained a lot of new features and stability.

I have recently learned of the tragic demise of Seth Vidal, who developed yum; though I never knew him personally, he has touched someone’s life at the other end of the world. Thank you, Seth.

Fedora 18 : Install from ISO file

I can’t remember the last time I burned a DVD when a new Fedora version was released. The preferred way of installing a new version is the ‘diskless’ install method, provided the computer is already running one version of Fedora or another. For guidelines, see the installation guide: http://docs.fedoraproject.org/en-US/Fedora/18/html/Installation_Guide/ap-medialess-install.html

As of Fedora 17, the boot options have changed: the “askmethod” parameter is deprecated and is no longer recognized by the installer. Instead you need to use the “inst.repo” parameter with the appropriate syntax to specify an install from the network (http/ftp), nfs, hard disk et al.

I obtained the Fedora 18 DVD ISO file, mounted it via loopback, copied vmlinuz and initrd.img from the isolinux folder to /boot/ and added a custom menu entry in /etc/grub.d/40_custom with the repo method as found in the documentation. The installer starts but unfortunately fails, probably at stage2, with a dracut message saying “Cannot boot” and “Root device not found”. There’s no helpful error message or warning as to what could cause this.

I finally figured out that the repo parameter was missing a colon after the hard disk device. This had hit me during the Fedora 17 install too, so let it be documented here for future reference. The proper parameter would be something like:

linux /boot/vmlinuz-fedora18-install repo=hd:/dev/sda2:/home/rajeesh/

where the Fedora DVD ISO is placed in /home/rajeesh. Once that is fixed, the installer boots into graphical mode just fine. The new installer seems quite unstable – it crashed 4 times before I could complete the installation – at disk probing, and when switching to other terminals using Alt+Ctrl+F2, Alt+Ctrl+F3 etc. But once that phase is passed, the package installation is swift. There’s no way to customize and tweak the package selection during the installation, which is quite limiting. That said, once the installation is done, the desktop is quite solid and polished.