Guide for accessing UniCredit bank smartcard (SafeNet eToken 5110) on Arch Linux.
Bus 001 Device 018: ID 0529:0620 Aladdin Knowledge Systems Token JC
# Core smartcard infrastructure
sudo pacman -S ccid opensc pcsc-tools
# Start PC/SC daemon
sudo systemctl enable --now pcscdecho 'SUBSYSTEM=="usb", ATTR{idVendor}=="0529", ATTR{idProduct}=="0620", MODE="0666", GROUP="plugdev"' | \
sudo tee /etc/udev/rules.d/99-safenet-token.rules
sudo udevadm control --reload-rules
sudo udevadm triggerOpenSC does not support SafeNet eToken natively. Install proprietary PKCS#11 module:
yay -S sac-core sac-guiThis provides:
/usr/lib/libeToken.so- PKCS#11 moduleSACTools- GUI management tool
sudo systemctl restart pcscdopensc-tool --list-readersOutput:
Nr. Card Features Name
0 Yes SafeNet eToken 5100 [eToken 5110 SC] 00 00
pkcs11-tool --module /usr/lib/libeToken.so -LOutput:
Slot 0 (0x0): SafeNet eToken 5100 [eToken 5110 SC] 00 00
token label : USB key
token manufacturer : SafeNet, Inc.
token model : eToken
serial num : 03076257
pin min/max : 6/20
pkcs11-tool --module /usr/lib/libeToken.so --login -OOutput:
Private Key Object; RSA
label: 0301970190015
Usage: decrypt, sign, signRecover, unwrap
Access: sensitive, always sensitive, never extractable, local
Public Key Object; RSA 1024 bits
label: 0301970190015
Usage: encrypt, verify, verifyRecover, wrap
Certificate Object; type = X.509 cert
label: 0301970190015
subject: DN: C=BA, O=e-baplus, OU=4218025900006, CN=0301970190015
serial: 07DA9C03061E0981927945C3E6E7F91A6B120627
pkcs11-tool --module /usr/lib/libeToken.so --login \
--read-object --type cert --label "0301970190015" -o cert.der
openssl x509 -inform DER -in cert.der -text -noout| Field | Value |
|---|---|
| Subject | CN=0301970190015, OU=4218025900006, O=e-baplus, C=BA |
| Issuer | Zagrebačka banka d.d. (ZABACA2) |
| Validity | Nov 11, 2025 → Nov 11, 2027 |
| Key | RSA 1024-bit |
| Usage | Digital Signature, TLS Client Auth |
echo "ERNAD THE DOSADNI" > ernad.txtpkcs11-tool --module /usr/lib/libeToken.so --login --pin YOUR_PIN \
--sign --mechanism SHA256-RSA-PKCS \
--input-file ernad.txt --output-file ernad.txt.sigpkcs11-tool --module /usr/lib/libeToken.so \
--verify --mechanism SHA256-RSA-PKCS \
--input-file ernad.txt --signature-file ernad.txt.sigOutput:
Signature is valid
# Export as DER
pkcs11-tool --module /usr/lib/libeToken.so --login --pin YOUR_PIN \
--read-object --type cert --label "0301970190015" -o ernad.cert.der
# Convert to PEM
openssl x509 -inform DER -in ernad.cert.der -out ernad.cert.pem| File | Description |
|---|---|
ernad.txt |
Original document |
ernad.txt.sig |
Digital signature (RSA-SHA256) |
ernad.cert.pem |
Your certificate (public key) |
The recipient can verify the signature using:
openssl dgst -sha256 \
-verify <(openssl x509 -in ernad.cert.pem -pubkey -noout) \
-signature ernad.txt.sig ernad.txtOutput:
Verified OK
Launch SafeNet Authentication Client GUI:
SACToolsIf you get LIBUSB_ERROR_ACCESS:
# Quick fix
sudo chmod 666 /dev/bus/usb/001/018 # Adjust device path
# Permanent fix - unplug and replug token after creating udev rule# Check if pcscd is running
sudo systemctl status pcscd
# Restart pcscd
sudo systemctl restart pcscd
# Scan for cards
pcsc_scanOpenSC's generic PKCS#15 driver does not support SafeNet eToken. You must use the proprietary libeToken.so module from sac-core package.
| Package | Purpose |
|---|---|
ccid |
USB CCID smartcard reader driver |
opensc |
Smartcard utilities |
pcsc-tools |
PC/SC diagnostic tools |
sac-core |
SafeNet PKCS#11 module (libeToken.so) |
sac-gui |
SafeNet GUI tools (SACTools) |
libp11 |
OpenSSL PKCS#11 engine |
Ernad Husremović, hernad@bring.out.ba