
gnupg-pkcs11-scd's Introduction

gnupg-pkcs11-scd -- PKCS#11 enabled gnupg scd.

Copyright (c) 2006-2007 Zeljko Vrba <[email protected]>
Copyright (c) 2006-2017 Alon Bar-Lev <[email protected]>

ABOUT
	gnupg-pkcs11 is a project to implement a BSD-licensed smart-card daemon to
	enable the use of PKCS#11 tokens with GnuPG.

	PKCS#11 is the de-facto standard for accessing cryptographic tokens, and thus
	we strongly disagree with WK's attitude towards it.

AUTHORS
	Zeljko Vrba <[email protected]>
	Alon Bar-Lev <[email protected]>

SUPPORT
	http://gnupg-pkcs11.sourceforge.net/


gnupg-pkcs11-scd's Issues

Support for SSH authentication

It seems that right now when you add enable-ssh-support to ~/.gnupg/gpg-agent.conf and the right keygrip to .gnupg/sshcontrol, listing SSH keys sort of works:

$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsRFFnVTl5kuLYKLgAWTg7KR9aDdDuxkvJgKnQklm/hfnGQy+1bz5mqXNUtPQKnxqBmYDljTTPzCce67C+GnUi5VsVBhsc9TrKJBFLpBN0Tkvi7mMPyP2ULjQ/jwm99MBKDs66dkBOCDPGHtMNesKM49QeIAuz8aRdxLMTe0X3EP5qbftDCpK7VJoG52ecCzssxnc4ec6hYjGHF7n211cZSFto19X4Idl/YSmdfksa64GbLrRZ7QKP9GPxI4zjWbxsAJMAJsoBRChFzT7VzKXQlay4jjfiDxIIlY+HKwISijR1LJISHQa5uCNkgEmeljAE8Ts31gjejhj8/UoPMyNr (none)

Debug logs:

gnupg-pkcs11-scd[956916]: chan_0 <- SERIALNO
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffe01aac1c0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x557b79910d60, token_present=1, pSlotList=0x7ffe01aac088, pulCount=0x7ffe01aac090
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x557b7997cfe8
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffe01aac020
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffe01aac1c0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='(null)'
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x7f419c009120, *max=0000000000000062, token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E'
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x557b7997cfe0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[956916]: chan_0 -> S SERIALNO D2760001240111503131B68474111111 0
gnupg-pkcs11-scd[956916]: chan_0 -> OK
gnupg-pkcs11-scd[956916]: chan_0 <- GETINFO card_list
gnupg-pkcs11-scd[956916]: chan_0 -> ERR 79 Invalid data <Unspecified source>
gnupg-pkcs11-scd[956916]: chan_0 <- RESTART
gnupg-pkcs11-scd[956916]: chan_0 -> OK

However, SSH authentication does not work:

$ ssh -o ControlMaster=ask -o PreferredAuthentications=publickey localhost echo -n
sign_and_send_pubkey: signing failed for RSA "(none)" from agent: agent refused operation
invidian@localhost: Permission denied (publickey,password).

Debug logs:

gnupg-pkcs11-scd[956916]: chan_0 <- SERIALNO
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffe01aac1c0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x557b79910d60, token_present=1, pSlotList=0x7ffe01aac088, pulCount=0x7ffe01aac090
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x557b7997d8c8
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffe01aac020
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffe01aac1c0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='(null)'
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x7f419c009120, *max=0000000000000062, token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E'
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x557b7997d8c0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[956916]: chan_0 -> S SERIALNO D2760001240111503131B68474111111 0
gnupg-pkcs11-scd[956916]: chan_0 -> OK
gnupg-pkcs11-scd[956916]: chan_0 <- GETINFO card_list
gnupg-pkcs11-scd[956916]: chan_0 -> ERR 79 Invalid data <Unspecified source>
gnupg-pkcs11-scd[956916]: chan_0 <- SERIALNO --demand=D2760001240111503131B68474111111
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffe01aac1c0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x557b79910d60, token_present=1, pSlotList=0x7ffe01aac088, pulCount=0x7ffe01aac090
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x557b7997cfe8
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffe01aac020
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffe01aac1c0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='(null)'
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x7f419c009120, *max=0000000000000062, token_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E'
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x557b7997cfe0
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x557b7997d900
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[956916]: chan_0 -> S SERIALNO D2760001240111503131B68474111111 0
gnupg-pkcs11-scd[956916]: chan_0 -> OK
gnupg-pkcs11-scd[956916]: chan_0 <- SETDATA 3051300D0609608648016503040203050004405D4778142FFEB2E6E215544214A79E155D4BAFC9FECCB9CA5804B5777C9A00DE39205FCF88CEC767B740919F574DA6B35FF98A5EDC5EB4CA9989ACB377A47E2F
gnupg-pkcs11-scd[956916]: chan_0 -> OK
gnupg-pkcs11-scd[956916]: chan_0 <- PKAUTH piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/01
gnupg-pkcs11-scd[956916]: chan_0 -> ERR 536870992 Unspecific Assuan server fault <User defined source 1> - no handler registered
gnupg-pkcs11-scd[956916]: chan_0 <- RESTART
gnupg-pkcs11-scd[956916]: chan_0 -> OK

Would it be difficult to get this to work? Do you have any pointers on how this could be done?

My motivation was to simplify the setup a bit, to be able to not use ssh-agent at all. I was hoping GPG could handle PIN entry and an unplugged smart card better than ssh-agent with PKCS#11.
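Debug logs like the ones in this issue are easier to read once the Assuan commands are paired with their replies and the numbers are decoded. The following is an added example (not code from the issue or from the gnupg-pkcs11-scd project): a small Python parser that groups `chan_N <- cmd` / `chan_N -> reply` lines per channel, decodes the `\xNN` escapes in token ids, splits gpg-error numbers into source and code (libgpg-error keeps the source in bits 24..30 and the code in the low 16 bits, which is why gpg-agent reports `67108972` for the same `Card error` that scd reports as `108`), and identifies the hash algorithm inside the DER DigestInfo that gpg-agent passes via SETDATA. The sample log is constructed from the lines quoted above; the source names in `ERR_SOURCES` are the standard libgpg-error ones, and the DER walker assumes short-form lengths.

```python
"""Pair up Assuan commands with their replies in gnupg-pkcs11-scd / gpg-agent
debug logs and decode gpg-error numbers, \\xNN-escaped token ids and the
DigestInfo carried by SETDATA. Added example for this page, not project code."""
import re
from dataclasses import dataclass, field

# "gnupg-pkcs11-scd[pid]: chan_N <- cmd" / "... chan_N -> reply", with or
# without the journald "Jan 04 ... gpg-agent[pid]: " prefix in front.
LINE_RE = re.compile(
    r"gnupg-pkcs11-scd\[[\d.]+\]: chan_(?P<chan>\w+) (?P<dir><-|->) (?P<text>.*)$")
# libgpg-error packs the source into bits 24..30 and the code into the low 16
# bits, so a bare "ERR 79" has source 0 ("Unspecified source").
ERR_SOURCES = {0: "Unspecified", 4: "gpg-agent", 6: "scdaemon", 15: "libassuan", 32: "User 1"}
# DER content octets of the hash OIDs found in a PKCS#1 DigestInfo.
HASH_OIDS = {"2b0e03021a": "SHA-1",            # 1.3.14.3.2.26
             "608648016503040201": "SHA-256",  # 2.16.840.1.101.3.4.2.1
             "608648016503040202": "SHA-384",  # 2.16.840.1.101.3.4.2.2
             "608648016503040203": "SHA-512"}  # 2.16.840.1.101.3.4.2.3

@dataclass
class Transaction:
    chan: str
    command: str                                # unescaped "<-" line
    status: list = field(default_factory=list)  # "S ..." and "D ..." replies
    result: str = ""                            # final "OK" or "ERR ..."

def decode_gpg_error(num: int):
    """Split a gpg-error number into (source, code)."""
    return (num >> 24) & 0x7F, num & 0xFFFF

def unescape_token_id(s: str) -> str:
    """gnupg-pkcs11-scd serializes token ids with \\xNN escapes ("PKCS\\x2315")."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_digestinfo(hexstr: str):
    """(hash name, digest hex) from the DER DigestInfo that SETDATA carries.
    Minimal DER walker: assumes short-form lengths, which holds for DigestInfo."""
    raw = bytes.fromhex(hexstr)
    def tlv(buf, off):  # -> (tag, value bytes, offset just past the element)
        tag, length = buf[off], buf[off + 1]
        return tag, buf[off + 2:off + 2 + length], off + 2 + length
    t1, body, _ = tlv(raw, 0)       # DigestInfo ::= SEQUENCE
    t2, algid, off = tlv(body, 0)   # AlgorithmIdentifier ::= SEQUENCE
    t3, oid, _ = tlv(algid, 0)      # algorithm OBJECT IDENTIFIER
    t4, digest, _ = tlv(body, off)  # digest OCTET STRING
    if (t1, t2, t3, t4) != (0x30, 0x30, 0x06, 0x04):
        raise ValueError("not a PKCS#1 DigestInfo")
    return HASH_OIDS.get(oid.hex(), "OID " + oid.hex()), digest.hex().upper()

def parse_log(lines):
    """Group the log into completed transactions, one per command per channel."""
    pending, done = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # pkcs11-helper trace lines and other noise
        chan, direction, text = m.group("chan", "dir", "text")
        if direction == "<-":
            pending[chan] = Transaction(chan, unescape_token_id(text))
        elif chan not in pending:
            continue  # e.g. the "OK ... server for GnuPG ready" greeting
        elif text.startswith(("S ", "D ")):
            pending[chan].status.append(text)
        elif text.startswith(("OK", "ERR")):
            pending[chan].result = text
            done.append(pending.pop(chan))
    return done

def explain(tx: Transaction) -> str:
    """One-line diagnosis of a completed transaction."""
    verb = tx.command.split()[0]
    if tx.result.startswith("ERR"):
        parts = tx.result.split(None, 2)
        src, code = decode_gpg_error(int(parts[1]))
        return (f"chan_{tx.chan} {verb}: FAILED source={ERR_SOURCES.get(src, src)} "
                f"code={code} ({parts[2] if len(parts) > 2 else ''})")
    if verb == "SETDATA":
        name, digest = parse_digestinfo(tx.command.split()[1])
        return f"chan_{tx.chan} SETDATA: {name} DigestInfo, digest {digest[:16]}..."
    return f"chan_{tx.chan} {verb}: OK, {len(tx.status)} status/data line(s)"

# Constructed sample, copied from the SSH-authentication debug log quoted above.
SAMPLE_LOG = r"""
gnupg-pkcs11-scd[956916]: chan_0 <- SERIALNO
gnupg-pkcs11-scd[956916.2890780032]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffe01aac1c0
gnupg-pkcs11-scd[956916]: chan_0 -> S SERIALNO D2760001240111503131B68474111111 0
gnupg-pkcs11-scd[956916]: chan_0 -> OK
gnupg-pkcs11-scd[956916]: chan_0 <- GETINFO card_list
gnupg-pkcs11-scd[956916]: chan_0 -> ERR 79 Invalid data <Unspecified source>
gnupg-pkcs11-scd[956916]: chan_0 <- SETDATA 3051300D0609608648016503040203050004405D4778142FFEB2E6E215544214A79E155D4BAFC9FECCB9CA5804B5777C9A00DE39205FCF88CEC767B740919F574DA6B35FF98A5EDC5EB4CA9989ACB377A47E2F
gnupg-pkcs11-scd[956916]: chan_0 -> OK
gnupg-pkcs11-scd[956916]: chan_0 <- PKAUTH piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/01
gnupg-pkcs11-scd[956916]: chan_0 -> ERR 536870992 Unspecific Assuan server fault <User defined source 1> - no handler registered
""".strip().splitlines()

if __name__ == "__main__":
    for tx in parse_log(SAMPLE_LOG): print(explain(tx))
```

Run against a full `journalctl` capture the same way; the regex tolerates the `gpg-agent[pid]:` prefix, so both the scd-side and the agent-side numbering of the same error can be compared.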

Utimaco problem: Bad session key

cat /etc/gnupg-pkcs11-scd.conf

verbose
providers utimaco
provider-utimaco-library /usr/local/lib64/libcs_pkcs11_R2.so
provider-utimaco-private-mask 0
openpgp-sign 8E3F2428B781C1D84862D0543545DA1AC411AA54

gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.3_master < 2.2.27)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Bad session key

There is a journal log: journal-card-status.log

File /.gnupg/private-keys-v1.d/8E3F2428B781C1D84862D0543545DA1AC411AA54.key has been created with Key: (shadowed-private-key (rsa (n....

gpg -K --with-colons

sec:u:4096:1:5B1B91B3668C9F09:1542237988:2172957988::u:::scSC:::+:::23::0:
fpr:::::::::68A1CCA9D09289608707E02A5B1B91B3668C9F09:
grp:::::::::C8C1D1BFA04FF264B6FCDE344A9101B6C9A0A4F3:
uid:u::::1542237988::3BE7367BA66F95CA0FC8EF6E58C70BA927289453::EtherMotic Repository <[email protected]>::::::::::0:
ssb:u:4096:1:F248520952DB247B:1620598921:1872886921:::::s:::D2760001240111503131E848EB1B1111:::23:
fpr:::::::::FC5013CAA0A3B871F3F708E8F248520952DB247B:
grp:::::::::8E3F2428B781C1D84862D0543545DA1AC411AA54:

gpg -K

/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096 2018-11-14 [SC] [expires: 2038-11-09]
      68A1CCA9D09289608707E02A5B1B91B3668C9F09
uid           [ultimate] EtherMatic Repository <[email protected]>
ssb>  rsa4096 2021-05-09 [S] [expires: 2029-05-07]

[windows] assuan_accept failed: Input/output error

Hello there,

I am unable to make gnupg-pkcs11-scd work on windows. The daemon reports the following error when I issue the command "scd learn":

[...]
gnupg-pkcs11-scd[8956]: chan_0x00000000 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[8956.0]: assuan_accept failed: Input/output error
gnupg-pkcs11-scd[8956.0]: cleanup connection
[...]

I have built the following software on an Arch Linux build system using mingw-w64:

  • openssl-1.0.2l
  • libgcrypt-1.8.1
  • libassuan-2.4.3
  • libgpg-error-1.27
  • libksba-1.3.5
  • pkcs11-helper-master
  • gnupg-pkcs11-scd-0.9.1
  • gnupg-2.1.23

You will find in attachment:

I must say I have no idea if the constellation of gnupg packages I have built plays well with gnupg-pkcs11-daemon.

Am I doing something wrong? I'll be happy to help you out, so if you need anything please do let me know.

Cheers

Signing broken with OpenSC 0.18.0 on macOS X 10.13.5 with Yubikey

Hi,

after upgrading my OpenSC to 0.18.0 (on macOS X 10.13.5 with Yubikey) gpg signing broke:

with 0.18.0 "provider-p1-library /Library/OpenSC/lib/opensc-pkcs11.so"
==> /Users/MYHOME/Library/Logs/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[77942]: chan_0 <- [ 44 20 34 32 35 35 36 32 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]

==> /Users/MYHOME/Library/Logs/gpg-agent.log <==
2018-06-20 00:32:27 gpg-agent[77941] DBG: chan_9 -> END

==> /Users/MYHOME/Library/Logs/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[77942]: chan_0 <- END
gnupg-pkcs11-scd[77942]: chan_0 -> ERR 108 Card error

==> /Users/MYHOME/Library/Logs/gpg-agent.log <==
2018-06-20 00:32:27 gpg-agent[77941] DBG: chan_9 <- ERR 108 Card error
2018-06-20 00:32:27 gpg-agent[77941] smartcard signing failed: Card error
2018-06-20 00:32:27 gpg-agent[77941] command 'PKSIGN' failed: Card error
2018-06-20 00:32:27 gpg-agent[77941] DBG: chan_8 -> ERR 67108972 Card error
2018-06-20 00:32:27 gpg-agent[77941] DBG: chan_8 <- [eof]
2018-06-20 00:32:27 gpg-agent[77941] DBG: chan_9 -> RESTART

**with 0.17.0 "provider-p1-library /Users/MYHOME/lib/opensc-pkcs11-old.so"**

Works well.

9.3 release segfaults on PKAUTH command

When trying 9.3 release, doing simple SSH, I get the following backtrace:

(gdb) bt
#0  0x00005591555a62ce in _cmd_pksign_type (ctx=0x559155e0f940, line=<optimized out>, typehint=3) at command.c:1135
#1  0x00007f94964a7552 in  () at /usr/lib/libassuan.so.0
#2  0x00007f94964a795b in assuan_process () at /usr/lib/libassuan.so.0
#3  0x00005591555a4f3a in command_handler (global=global@entry=0x7ffceb048290, fd=fd@entry=-1) at scdaemon.c:265
#4  0x00005591555a3e80 in main (argc=<optimized out>, argv=<optimized out>) at scdaemon.c:1407

Logs when running SSH:

Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> OK PKCS#11 smart-card server for GnuPG ready
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053.3118523968]: processing connection
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 <- GETINFO version
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> D 0.9.3
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> OK
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 <- SERIALNO
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S SERIALNO D2760001240111503131B68474111111 0
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> OK
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 <- LEARN --force
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_0 <- SERIALNO --demand=D2760001240111503131B68474111111
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S SERIALNO D2760001240111503131B68474111111
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S APPTYPE PKCS11
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEY-FRIEDNLY 4A831446A7F8D45F1A9A52DDFFD798F9B9F5FA90 /CN=Mateusz Gozdek's Authentication Key on Mateusz Gozdek's Authenticati...
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEY-FPR 3 4A831446A7F8D45F1A9A52DDFFD798F9B9F5FA90
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S CERTINFO 101 piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/01
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEYPAIRINFO 4A831446A7F8D45F1A9A52DDFFD798F9B9F5FA90 piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/01
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEY-FRIEDNLY 362ED45F52914D3D3CC4232125DB34D94110B29B /CN=Mateusz Gozdek's Signing Key on Mateusz Gozdek's Authenticati...
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEY-FPR 1 362ED45F52914D3D3CC4232125DB34D94110B29B
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S CERTINFO 101 piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/02
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_0 -> S SERIALNO D2760001240111503131B68474111111 0
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEYPAIRINFO 362ED45F52914D3D3CC4232125DB34D94110B29B piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/02
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_0 -> OK
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773051]: detected card with S/N D2760001240111503131B68474111111
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEY-FRIEDNLY 51B10D3D8E36460D8BC13959186D738CA26FE72E /CN=Mateusz Gozdek's Encryption Key on Mateusz Gozdek's Authenticati...
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_0 <- SETDATA 3051300D0609608648016503040203050004403C0CE589063F5F0D3B02FCF80A1BDB616E44AAD0700F2AC916AD2A5EA0270ED0CC37A729D120A67A2F02605C930510381ABD042E3D9441ABBAEE9FBA43BAE7BF
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEY-FPR 2 51B10D3D8E36460D8BC13959186D738CA26FE72E
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S CERTINFO 101 piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/03
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_0 -> OK
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> S KEYPAIRINFO 51B10D3D8E36460D8BC13959186D738CA26FE72E piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/03
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_11 -> OK
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773053]: gnupg-pkcs11-scd[3773053]: chan_0 <- PKAUTH piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/01
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773051]: card has S/N: D2760001240111503131B68474111111
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773051]: smartcard signing failed: End of file
Jan 04 15:15:24 dellxps15mateusz gpg-agent[3773051]: ssh sign request failed: End of file <GPG Agent>

And logs with debug and verbose enabled:

Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_11 -> OK PKCS#11 smart-card server for GnuPG ready
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2178057792]: processing connection
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_11 <- GETINFO version
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_11 -> D 0.9.3
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_11 -> OK
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_0 <- SERIALNO --demand=D2760001240111503131B68474111111
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffce7b8adc0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x561b3bad4a90, token_present=1, pSlotList=0x7ffce7b8ac90, pulCount=0x7ffce7b8ac88
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_11 <- SERIALNO
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2178057792]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7f3381d276f0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x561b3bb42cb8
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffce7b8ac30
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x561b3bb435d0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x561b3bb435d0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffce7b8adc0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x561b3bb435d0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='(null)'
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x561b3bb03b90, *max=0000000000000062, token_id=0x561b3bb435d0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000062, sz='piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E'
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x561b3bb42cb0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x561b3bb435d0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_freeTokenId return
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2213723520]: PKCS#11: pkcs11h_token_freeTokenIdList return
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_0 -> S SERIALNO D2760001240111503131B68474111111 0
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_0 -> OK
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3773051]: detected card with S/N D2760001240111503131B68474111111
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890.2178057792]:
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x561b3bad4a90, token_present=1, pSlotList=0x7f3381d275c0, pulCount=0x7f3381d275b8
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_0 <- SETDATA 3051300D060960864801650304020305000440D7DB68EB2925AA34161DEB3CF02EA245F866199B5DB94A28ACA355113B28AFB592E76A7378401B54850138E4F1C995609C6C84E427235480B429632E04144960
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_0 -> OK
Jan 04 15:17:38 dellxps15mateusz gpg-agent[3774890]: gnupg-pkcs11-scd[3774890]: chan_0 <- PKAUTH piv_II/PKCS\x2315\x20emulated/498c934e2cd3f42b/Mateusz\x20Gozdek\x27s\x20Authenticati\x2E\x2E\x2E/01

Support for PKCS#11 Modules without Certificates

I have a PKCS#11 module which has objects with CKA_CLASS of CKO_PUBLIC_KEY and CKO_PRIVATE_KEY but not CKO_CERTIFICATE.

I tried to use this with gnupg-pkcs11-scd 0.10.0 but it was not able to find any keys. It called C_FindObjects() looking for objects where CKA_CLASS is set to CKO_CERTIFICATE, but did not look for public keys.

Can this interface support Yubikey 5?

Hello.

I use Yubikey on Gitlab and OTP. I wanted to also use it to carry my private GPG key, but I am constantly failing. I am trying on Fedora 36. I would like to have the pkcs11 interface accessible, so exclusive use of the key is not an option for me.

I tried to configure this plugin, but the reported values look bad. Especially the Key attributes have weird values.

$ LC_ALL=C.UTF-8 gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.7)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131EF19C56F1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: EF19C56F
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

But with the original scdaemon it reports better values.

$ LC_ALL=C.UTF-8 gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 00 00
Application ID ...: D2760001240100000006106447820000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: 10644782
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Package version: gnupg-pkcs11-scd-0.10.0-1.fc36.x86_64

$ cat gpg-agent.conf
# redirect to pkcs11
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-gnome3

# increase verbosity
verbose
verbose
verbose

$ grep -v '^\s*#' gnupg-pkcs11-scd.conf 

providers yk

provider-opensc-library /usr/lib64/pkcs11/opensc-pkcs11.so
provider-yk-library /usr/lib64/libykcs11.so.2

Is there something to be tuned? It does not seem to allow gpg --edit-card operations to work.

But journalctl --user -xeu gpg-agent seems to report useful values.

gnupg-pkcs11-scd[633033]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[632989]: first connection to daemon /usr/libexec/scdaemon established
gpg-agent[633033]: gnupg-pkcs11-scd[633033.10749760]: processing connection
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- GETINFO socket_name
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> D /tmp/gnupg-pkcs11-scd.SZyHdX/agent.S
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- OPTION event-signal=12
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- GETINFO version
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> D 0.10.0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- SERIALNO
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S SERIALNO D2760001240111503131EF19C56F1111 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- LEARN --force
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S SERIALNO D2760001240111503131EF19C56F1111
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S APPTYPE PKCS11
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-FRIEDNLY 6E74D2394243D7806B6F803191574143F1B1F84B /CN=Yubico PIV Attestation on YubiKey PIV #10644782
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S CERTINFO 101 pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.com%29;serial=10644782;id=%19
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEYPAIRINFO 6E74D2394243D7806B6F803191574143F1B1F84B pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.>
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[632989]: card has S/N: D2760001240111503131EF19C56F1111
gpg-agent[632989]:           id: pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.com%29;serial=10644782;id=%19    (type=101)
gpg-agent[632989]:           id: pkcs11:model=YubiKey%20YK5;token=YubiKey%20PIV%20%2310644782;manufacturer=Yubico%20%28www.yubico.com%29;serial=10644782;id=%19    (grip=6E74D2394243D7806B6F803191574143F1B1F8>
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- GETATTR KEY-ATTR
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-ATTR 1 1 1 2048 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-ATTR 2 1 1 2048 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> S KEY-ATTR 3 1 1 2048 0
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 <- RESTART
gpg-agent[633033]: gnupg-pkcs11-scd[633033]: chan_0 -> OK

Is there anything I am doing wrong? Should it work this way?

0.9.0 build failure on macOS: incomplete type 'struct ucred' and undeclared identifier 'SO_PEERCRED'

==> ./configure --disable-dependency-tracking --with-libgpg-error-prefix=/usr/local/opt/libgpg-error --with-libassuan-prefix=/usr/local/opt/libassuan --with-libgcrypt-prefix=/usr/local/opt/libgcrypt --prefix=/usr/local/Cellar/gnupg-pkcs11-scd/0.9.0
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for style of include used by make... GNU
checking for gcc... /usr/bin/clang
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether /usr/bin/clang accepts -g... yes
checking for /usr/bin/clang option to accept ISO C89... none needed
checking whether /usr/bin/clang understands -c and -o together... yes
checking dependency style of /usr/bin/clang... none
checking how to run the C preprocessor... /usr/bin/clang -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking build system type... x86_64-apple-darwin15.6.0
checking host system type... x86_64-apple-darwin15.6.0
checking for gcc... (cached) /usr/bin/clang
checking whether we are using the GNU C compiler... (cached) yes
checking whether /usr/bin/clang accepts -g... (cached) yes
checking for /usr/bin/clang option to accept ISO C89... (cached) none needed
checking whether /usr/bin/clang understands -c and -o together... (cached) yes
checking dependency style of /usr/bin/clang... (cached) none
checking for pkg-config... /usr/local/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for m4... m4
checking whether time.h and sys/time.h may both be included... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking for alarm... yes
checking for working mktime... no
checking return type of signal handlers... void
checking for vprintf... yes
checking for _doprnt... no
checking for gettimeofday... yes
checking for memmove... yes
checking for memset... yes
checking for socket... yes
checking for strchr... yes
checking for strdup... yes
checking for strerror... yes
checking for strrchr... yes
checking for snprintf... yes
checking for timegm... yes
checking for unsetenv... yes
checking for a sed that does not truncate output... /usr/bin/sed
checking whether /usr/bin/clang is Clang... yes
checking whether Clang needs flag to prevent "argument unused" warning when linking with -pthread... no
checking for joinable pthread attribute... PTHREAD_CREATE_JOINABLE
checking whether more special flags are required for pthreads... no
checking for PTHREAD_PRIO_INHERIT... yes
checking for libgpg-error... found
checking for libassuan... found
checking for libgcrypt... found
checking for OPENSSL... yes
checking for GNUTLS... no
checking for PKCS11_HELPER... yes
checking pkcs11-helper features... ok
checking cryptographic library to use... Using OpenSSL
checking for ANSI C header files... (cached) yes
checking for an ANSI C-conforming const... yes
checking for working volatile... yes
checking for inline... inline
checking for off_t... yes
checking for pid_t... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... (cached) yes
checking whether struct tm is in sys/time.h or time.h... time.h
checking stdio.h usability... yes
checking stdio.h presence... yes
checking for stdio.h... yes
checking for stdlib.h... (cached) yes
checking stdargs.h usability... no
checking stdargs.h presence... no
checking for stdargs.h... no
checking malloc.h usability... no
checking malloc.h presence... no
checking for malloc.h... no
checking ctype.h usability... yes
checking ctype.h presence... yes
checking for ctype.h... yes
checking for string.h... (cached) yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking signal.h usability... yes
checking signal.h presence... yes
checking for signal.h... yes
checking dlfcn.h usability... yes
checking dlfcn.h presence... yes
checking for dlfcn.h... yes
checking for unistd.h... (cached) yes
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating Makefile
config.status: creating gnupg-pkcs11-scd-proxy/Makefile
config.status: creating gnupg-pkcs11-scd-proxy/gnupg-pkcs11-scd-proxy.service.in
config.status: creating gnupg-pkcs11-scd/Makefile
config.status: creating distro/Makefile
config.status: creating distro/debian/Makefile
config.status: creating distro/rpm/Makefile
config.status: creating distro/rpm/gnupg-pkcs11-scd.spec
config.status: creating config.h
config.status: executing depfiles commands
==> make install
Making install in gnupg-pkcs11-scd
/usr/bin/clang -DHAVE_CONFIG_H -I. -I..   -I/usr/local/opt/openssl/include -F/usr/local/Frameworks -I/usr/local/opt/libgpg-error/include -I/usr/local/opt/libassuan/include -I/usr/local/opt/libgpg-error/include -I/usr/local/opt/libgcrypt/include -I/usr/local/opt/libgpg-error/include -I/usr/local/Cellar/pkcs11-helper/1.22/include -I/usr/local/Cellar/openssl/1.0.2l/include -pthread  -Os -w -pipe -march=native -mmacosx-version-min=10.11 -c -o scdaemon.o scdaemon.c
scdaemon.c:180:16: error: variable has incomplete type 'struct ucred'
                struct ucred ucred;
                             ^
scdaemon.c:180:10: note: forward declaration of 'struct ucred'
                struct ucred ucred;
                       ^
scdaemon.c:183:34: error: use of undeclared identifier 'SO_PEERCRED'
                if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len) == -1) {
                                               ^
2 errors generated.
make[1]: *** [scdaemon.o] Error 1
make: *** [install-recursive] Error 1

https://jenkins.brew.sh/job/Homebrew%20Core%20Pull%20Requests/7376/version=el_capitan/console
https://jenkins.brew.sh/job/Homebrew%20Core%20Pull%20Requests/7376/version=sierra/console
Homebrew/homebrew-core#17259

Instructions on compiling for Windows

Hello,

I apologise in advance if the instructions are already somewhere and I didn't notice them, but I have already searched the Wiki section, the mailing lists on SourceForge etc., and haven't found anything.

How do I compile for Windows? My system is Windows 10 64-bit and I have Mingwin64, Cygwin4 and msys2 available.

Thanks!

gpg 2.3.x regression

Hi Alonbl,

I am integrating GPG with a Thales Luna HSM, but when I run the command "gpg --card-status" it fails with an error, and when I try to generate the key it returns "no key with this keygrip"; however, the keys are available on the HSM partition, and the "gpg-agent --server gpg-connect-agent" command shows all the available keys on the HSM partition. Below are the steps and also all my related configuration files for reference.

root@marif-virtual-machine:# pkcs11-tool --module /usr/safenet/lunaclient/lib/libcklog2.so -T
Available slots:
Slot 0 (0x1): Net Token Slot
token label : INTG_Par01
token manufacturer : Safenet, Inc.
token model : LunaSA 7.7.0
token flags : rng, login required, PIN initialized, token initialized, other flags=0x20
hardware version : 0.0
firmware version : 7.7
serial num : 1312109861420
root@marif-virtual-machine:~# gpg --version
gpg (GnuPG) 2.3.2
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
AEAD: EAX, OCB
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed
root@marif-virtual-machine:~# gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.3.2)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: No inquire callback in IPC
root@marif-virtual-machine:~# gpg-agent --server gpg-connect-agent
OK Pleased to meet you
SCD LEARN
S SERIALNO D2760001240111503131FF422ADE1111
S APPTYPE PKCS11
S KEY-FRIEDNLY F5A771B38377DF87D4B53B0372361E1062E00370 /C=In/ST=UPST/L=Noida/O=Thales/OU=HSM/CN=GPG-Auth on INTG_Par01
S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaSA\x207\x2E7\x2E0/1312109861420/INTG_Par01/DDD943EC192D40F4DA84B039A1ED9975
S KEYPAIRINFO F5A771B38377DF87D4B53B0372361E1062E00370 Safenet\x2C\x20Inc\x2E/LunaSA\x207\x2E7\x2E0/1312109861420/INTG_Par01/DDD943EC192D40F4DA84B039A1ED9975
S KEY-FRIEDNLY A331F253E198DB0C2ADB1B73749B4B5E4C0C4CC8 /C=IN/ST=UPST/L=Noida/O=Thales/OU=HSM/CN=GPG-Encr on INTG_Par01
S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaSA\x207\x2E7\x2E0/1312109861420/INTG_Par01/B1308321E2CBA6CE5C516A3FB6AE8AD7
S KEYPAIRINFO A331F253E198DB0C2ADB1B73749B4B5E4C0C4CC8 Safenet\x2C\x20Inc\x2E/LunaSA\x207\x2E7\x2E0/1312109861420/INTG_Par01/B1308321E2CBA6CE5C516A3FB6AE8AD7
S KEY-FRIEDNLY B1658AFE0DB150D34C15D671818C175E8E15CF25 /C=IN/ST=UPST/L=Noida/O=Thales/OU=HSM/CN=GPG-Sign on INTG_Par01
S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaSA\x207\x2E7\x2E0/1312109861420/INTG_Par01/C9B4CB811F29A17F7FD9C00DFFF2D37E
S KEYPAIRINFO B1658AFE0DB150D34C15D671818C175E8E15CF25 Safenet\x2C\x20Inc\x2E/LunaSA\x207\x2E7\x2E0/1312109861420/INTG_Par01/C9B4CB811F29A17F7FD9C00DFFF2D37E
OK
^C
root@marif-virtual-machine:~# vi ~/.gnupg/gnupg-pkcs11-scd.conf
root@marif-virtual-machine:~# gpg --expert --full-generate-key
gpg (GnuPG) 2.3.2; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC (sign and encrypt) default
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 13
Enter the keygrip: B1658AFE0DB150D34C15D671818C175E8E15CF25
No key with this keygrip
Enter the keygrip:
gpg-files.zip

Please help us find what we are missing or doing wrong, since GPG is not able to get the keys from the HSM partition where the keys are available.

Command GETATTR APPTYPE and $DISPSERIALNO is not implemented

When I try to add a subkey I get an error:

gpg> addcardkey
gpg: key operation not possible: Invalid data

In the log I see:

gnupg-pkcs11-scd[17167]: chan_0 <- GETATTR SERIALNO
gnupg-pkcs11-scd[17167.4179323968]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffc0e12dc20
...
gnupg-pkcs11-scd[17167.4179323968]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[17167]: chan_0 -> S SERIALNO D2760001240111503131B71F5E411111
gnupg-pkcs11-scd[17167]: chan_0 -> OK
gnupg-pkcs11-scd[17167]: chan_0 <- GETATTR APPTYPE
gnupg-pkcs11-scd[17167]: chan_0 -> ERR 79 Invalid data <Unspecified source>

Same for

gnupg-pkcs11-scd[17167]: chan_0 <- GETATTR $DISPSERIALNO
gnupg-pkcs11-scd[17167]: chan_0 -> ERR 79 Invalid data <Unspecified source>

GnuPG version is 2.2.40

Issue with data longer than 256 bytes

I'm not sure since when this happens, but in my current setup [gpg (GnuPG) 2.1.15], the SETDATA call can have more than 256 bytes (257 in my case), where there is basically a zero prefix.

For instance :


This is an issue because the call to pkcs11h_certificate_decryptAny will then fail because of an internal error (Private key operation failed rv=33-'CKR_DATA_LEN_RANGE'), because for a 2048-bit RSA key the max data length is 256 bytes. But the first byte being '00' can be dropped (after all, that string represents just a big number that must be lower than the modulus).

Here's the 'hacked up' patch I'm using to strip zero data :

fix-data.txt

It definitely used to work. I'm not sure if gpg changed, or if pkcs11-helper used to strip data, or if OpenSC used to do it... but atm using:

  • OpenSC 0.16.0
  • GnuPG 2.1.15
  • pkcs11-helper 1.11

this isn't working for me.

Unable to work with eToken

I'm trying to generate keys on an Aladdin eToken PRO 64k using gpg --card-edit and I get Key generation failed: Bad session key
gpg (GnuPG) 2.2.15
gnupg-pkcs11-scd 0.9.2

Issue with Serial number

Trying to generate a key based on an existing key results in a repeated message from pinentry (tested with GnuPG 2.1.19 (and 2.1.20) and gnupg-pkcs11-scd 0.7.5):

Please remove the current card and insert the one with serial number:
D2760001240111504B4353233131111100

In the gpg-agent.log I could only find gpg-agent demanding this card number and gnupg-pkcs11-scd responding with a similar-looking serial number:

2017-04-15 17:58:58 gpg-agent[10393] no running SCdaemon - starting it
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 <- OK PKCS#11 smart-card server for GnuPG ready
2017-04-15 17:58:58 gpg-agent[10393] DBG: first connection to SCdaemon established
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 -> GETINFO socket_name
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 <- D /tmp/gnupg-pkcs11-scd.6S6lKI/agent.S
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 <- OK
2017-04-15 17:58:58 gpg-agent[10393] DBG: additional connections at '/tmp/gnupg-pkcs11-scd.6S6lKI/agent.S'
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 -> OPTION event-signal=12
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 <- OK
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 -> SERIALNO --demand=D2760001240111504B4353233131111100
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 <- S SERIALNO D2760001240111504B43532331311111 0
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_10 <- OK
2017-04-15 17:58:58 gpg-agent[10393] DBG: detected card with S/N D2760001240111504B43532331311111
2017-04-15 17:58:58 gpg-agent[10393] starting a new PIN Entry
2017-04-15 17:58:58 gpg-agent[10393] DBG: connection to PIN entry established
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_9 -> INQUIRE PINENTRY_LAUNCHED 10400 qt 1.0.0 ? ? ?
2017-04-15 17:58:58 gpg-agent[10393] DBG: chan_9 <- END
2017-04-15 17:59:00 gpg-agent[10393] DBG: chan_10 -> SERIALNO --demand=D2760001240111504B4353233131111100
2017-04-15 17:59:00 gpg-agent[10393] DBG: chan_10 <- S SERIALNO D2760001240111504B43532331311111 0
2017-04-15 17:59:00 gpg-agent[10393] DBG: chan_10 <- OK
2017-04-15 17:59:00 gpg-agent[10393] DBG: detected card with S/N D2760001240111504B43532331311111
2017-04-15 17:59:00 gpg-agent[10393] starting a new PIN Entry
2017-04-15 17:59:00 gpg-agent[10393] DBG: connection to PIN entry established
2017-04-15 17:59:00 gpg-agent[10393] DBG: chan_9 -> INQUIRE PINENTRY_LAUNCHED 10403 qt 1.0.0 ? ? ?
2017-04-15 17:59:00 gpg-agent[10393] DBG: chan_9 <- END
2017-04-15 17:59:02 gpg-agent[10393] DBG: error calling pinentry: Bewerking geannuleerd <Pinentry>
2017-04-15 17:59:02 gpg-agent[10393] smartcard signing failed: Bewerking geannuleerd
2017-04-15 17:59:02 gpg-agent[10393] command 'PKSIGN' failed: Bewerking geannuleerd <Pinentry>
2017-04-15 17:59:02 gpg-agent[10393] DBG: chan_9 -> ERR 83886179 Bewerking geannuleerd <Pinentry>
2017-04-15 17:59:02 gpg-agent[10393] DBG: chan_9 <- [eof]
2017-04-15 17:59:02 gpg-agent[10393] DBG: chan_10 -> RESTART
2017-04-15 17:59:02 gpg-agent[10393] DBG: chan_10 <- OK

The changelog states there were some changes in the handling of the serial number for GnuPG 2.1.19, but it still doesn't seem to work on my setup.

gpg --expert --full-generate-key fails to recognize card

While trying to setup gpg to utilize the RSA signature certificate on the YubiKey the setup in
gpg --expert --full-generate-key
works as expected until the last step, where it indefinitely prompts the user to insert the card with the same id shown in gpg --card-status. This is independent of whether a handle is provided for the option "existing key" or the option "existing key on card" is chosen. In the latter case all three keys on the card are correctly recognized and offered to choose from, but no customization is permitted.

I'm unable to further debug this without assistance.

Justus.Wingert@dm-****** ~ % cat .gnupg/gpg.conf
use-agent
Justus.Wingert@dm-****** ~ % cat .gnupg/gpg-agent.conf
default-cache-ttl 600
max-cache-ttl 7200

enable-ssh-support

pinentry-program /usr/local/bin/pinentry
scdaemon-program /usr/local/bin/gnupg-pkcs11-scd
Justus.Wingert@dm-****** ~ % cat .gnupg/gpg-pkcs11-scd.conf
providers pkcs11
provider-pkcs11-library /usr/local/lib/opensc-pkcs11.so

log-file ~/.gnupg/gnupg-pkcs11-scd.log
verbose
debug-all
Justus.Wingert@dm-****** ~ %

Incompatibility with GnuPG 2 generates bad signatures

GnuPG 2 (at least recent versions) sends both the algorithm OID as prefix in SETDATA as well as the hash algorithm in PKSIGN. This results in gnupg-pkcs11-scd adding yet another instance of the algorithm OID to the buffer which will then be part of the signed data.

Forcing inject = INJECT_NONE in cmd_pksign fixes the issue for me, but for backward compatibility I guess one would have to add an actual check for the hash/data size.
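The 257-byte SETDATA report earlier on this page and the double-DigestInfo report above are both about normalising the buffer gpg-agent hands the daemon before it reaches the token. The following is an added example, not gnupg-pkcs11-scd code: it shows the two checks as they could be written, assuming the hash algorithm named in PKSIGN is available as a string and that a bare digest is the only case that needs the OID prefix injected; all inputs are constructed, no token is involved.

```python
"""Normalise a SETDATA buffer before an RSA PKCS#1 v1.5 token operation.

Added example; not gnupg-pkcs11-scd code. It models two checks from the issue
reports: (1) wrap a bare hash in DigestInfo but never re-wrap one that already is,
and (2) strip a superfluous leading 0x00 so the input fits the modulus length.
"""
import hashlib

# DER-encoded DigestInfo prefixes (SEQUENCE { AlgorithmIdentifier, OCTET STRING
# header }) from RFC 8017 section 9.2, note 1. The digest itself follows the prefix.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def wrap_digest_info(setdata: bytes, hash_name: str) -> bytes:
    """Return the DigestInfo to sign, injecting the OID prefix only for a bare hash.

    GnuPG 2 already sends SETDATA as DigestInfo and still names the hash in PKSIGN;
    prepending the prefix a second time signs the wrong bytes (the "bad signature"
    report). Deciding by length and prefix, rather than by the PKSIGN hash argument
    alone, stays compatible with clients that send a bare hash.
    """
    prefix = DIGEST_INFO_PREFIX[hash_name]
    digest_len = hashlib.new(hash_name).digest_size
    if len(setdata) == digest_len:
        return prefix + setdata                     # bare hash: inject
    if len(setdata) == len(prefix) + digest_len and setdata.startswith(prefix):
        return setdata                              # already wrapped: inject nothing
    raise ValueError(
        f"SETDATA is {len(setdata)} bytes; expected a bare or "
        f"DigestInfo-wrapped {hash_name} digest"
    )


def fit_to_modulus(setdata: bytes, modulus_bits: int) -> bytes:
    """Drop leading 0x00 bytes so a raw RSA input is at most k = ceil(bits/8) bytes.

    The input is a big-endian integer below the modulus, so leading zero bytes carry
    no value, but CKM_RSA_PKCS decryption rejects a 257-byte input for a 2048-bit
    key with CKR_DATA_LEN_RANGE (the "data longer than 256 bytes" report). Anything
    still longer than k after stripping is genuinely malformed and is rejected.
    """
    k = (modulus_bits + 7) // 8
    while len(setdata) > k and setdata[0] == 0:
        setdata = setdata[1:]
    if len(setdata) > k:
        raise ValueError(f"input is {len(setdata)} bytes but the modulus is only {k} bytes")
    return setdata


if __name__ == "__main__":
    # Constructed sample inputs.
    digest = hashlib.sha256(b"constructed sample message").digest()
    from_bare = wrap_digest_info(digest, "sha256")
    from_wrapped = wrap_digest_info(DIGEST_INFO_PREFIX["sha256"] + digest, "sha256")
    assert from_bare == from_wrapped                # both paths sign identical bytes

    ciphertext = b"\x00" + bytes([0x7f] * 256)     # 257-byte SETDATA with zero prefix
    assert len(fit_to_modulus(ciphertext, 2048)) == 256
    print("ok")
```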

Cannot sign, asks PIN-code, but no success

My problem is similar to #25. It allows me to enter the PIN 5 times but with no success; I cannot sign anything...

gpg-agent.conf:

scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-gnome3

(tried various pinentries)

gnupg-pkcs11-scd.conf:

providers pkcs11
provider-pkcs11-library /usr/lib/opensc-pkcs11.so

log-file ~/.gnupg/gnupg-pkcs11-scd.log
verbose
debug-all

It seems like I use correct versions from Arch Linux community repo.

$ pacman -Q pkcs11-helper gnupg-pkcs11-scd
pkcs11-helper 1.29.0-1
gnupg-pkcs11-scd 0.10.0-1

pkcs11-helper seems to be dynamically linked:

ldd /usr/bin/gnupg-pkcs11-scd
	...
	libpkcs11-helper.so.1 => /usr/lib/libpkcs11-helper.so.1
	...

gnupg-pkcs11-scd.log:
https://gist.github.com/L11R/448a10648259f1b78fde2a0f0544a4f1

Ambiguous license

I am trying to package gnupg-pkcs11-scd for Fedora [1]. The COPYING file provided with the gnupg-pkcs11-scd is a bit ambiguous. It lists six licenses:

BSD
Seems to be the primary license. The code in gnupg-pkcs11-scd/ bears this license in comments.
The code in gnupg-pkcs11-scd-proxy/ does not bear such comments. What license covers this code?

All rights reserved
Applies to "pkcs11-helper." What is that? Is any component of gnupg-pkcs11-scd not open source?

m4 Macros License
Is this necessary?

OpenSSL license
This code is not shipped with gnupg-pkcs11-scd. Why is this needed?

GNUTLS license
This code is not shipped with gnupg-pkcs11-scd. Why is this needed?

libgcrypt license
This code is not shipped with gnupg-pkcs11-scd. Why is this needed?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=706199

Support for cards with EC keys

I have an Estonian ID-card with an EC certificate. How hard would be to get gnupg-pkcs11-scd working with EC keys?

$ pkcs15-tool --read-certificate 01 | openssl x509 -text | grep -A1 OID
                ASN1 OID: secp384r1
                NIST CURVE: P-384
$ pkcs11-tool -O 
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Isikutuvastus
  subject:    DN: C=EE, O=ESTEID (DIGI-ID E-RESIDENT), OU=authentication, CN=...
  ID:         01
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   ...
  EC_PARAMS:  ....
  label:      Isikutuvastus
  ID:         01
  Usage:      encrypt, verify

There's a second slot also with OU=digital signature.

It seems like gnupg-pkcs11-scd is not aware of anything else but RSA, as per the manual.

$ gnupg-pkcs11-scd --server
gnupg-pkcs11-scd[29335.1873246016]: accepting connection
gnupg-pkcs11-scd[29335]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[29335.1873246016]: processing connection
LEARN
gnupg-pkcs11-scd[29335]: chan_0 <- LEARN
gnupg-pkcs11-scd[29335]: chan_0 -> S SERIALNO D2760000000111
S SERIALNO D2760000000111
gnupg-pkcs11-scd[29335]: chan_0 -> S APPTYPE PKCS11
S APPTYPE PKCS11
gnupg-pkcs11-scd[29335]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>
ERR 41 Wrong public key algorithm <Unspecified source>
$ gnupg-pkcs11-scd --version
gnupg-pkcs11-scd 0.9.2

Problem in loading keys to the gpg

Hi,
I have a PKCS#11-capable token with a private key, certificate, and public key in it. This is the output of SCD LEARN:

SCD LEARN
EOF
OK Pleased to meet you
gnupg-pkcs11-scd[17127.1195300672]: Listening to socket '/tmp/gnupg-pkcs11-scd.QGvO7h/agent.S'
gnupg-pkcs11-scd[17127.1195300672]: accepting connection
gnupg-pkcs11-scd[17127]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[17127.1195300672]: processing connection
gnupg-pkcs11-scd[17127]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[17127]: chan_0 -> D /tmp/gnupg-pkcs11-scd.QGvO7h/agent.S
gnupg-pkcs11-scd[17127]: chan_0 -> OK
gnupg-pkcs11-scd[17127]: chan_0 <- LEARN
gnupg-pkcs11-scd[17127]: chan_0 -> S SERIALNO D276000124011150313195AC51031111
gnupg-pkcs11-scd[17127]: chan_0 -> S APPTYPE PKCS11
S SERIALNO D276000124011150313195AC51031111
S APPTYPE PKCS11
gnupg-pkcs11-scd[17127]: chan_0 -> S KEY-FRIEDNLY EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51 /CN=CN on infratesttune
gnupg-pkcs11-scd[17127]: chan_0 -> S CERTINFO 101 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/85
gnupg-pkcs11-scd[17127]: chan_0 -> S KEYPAIRINFO EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/85
S KEY-FRIEDNLY EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51 /CN=CN on infratesttune
S CERTINFO 101 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/85
S KEYPAIRINFO EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/85
gnupg-pkcs11-scd[17127]: chan_0 -> S KEY-FRIEDNLY 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2 /CN=CN on infratesttune
gnupg-pkcs11-scd[17127]: chan_0 -> S CERTINFO 101 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/7777
S KEY-FRIEDNLY 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2 /CN=CN on infratesttunegnupg-pkcs11-scd[17127]: 
chan_0 -> S KEYPAIRINFO 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/7777
S CERTINFO 101 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/7777
gnupg-pkcs11-scd[17127]: chan_0 -> OK
S KEYPAIRINFO 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/7777
OK
gnupg-pkcs11-scd[17127]: chan_0 <- RESTART
gnupg-pkcs11-scd[17127]: chan_0 -> OK
gnupg-pkcs11-scd[17127]: chan_0 <- [eof]
gnupg-pkcs11-scd[17127.1195300672]: post-processing connection
gnupg-pkcs11-scd[17127.1195300672]: accepting connection
gnupg-pkcs11-scd[17127.1195300672]: cleanup connection
gnupg-pkcs11-scd[17127.1195300672]: Terminating
gnupg-pkcs11-scd[17127.1169278720]: Thread command terminate
gnupg-pkcs11-scd[17127.1169278720]: Cleaning up threads

But when I try to load the key with the "04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2" key-friendly, I get the result below:

gpg --expert --full-generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 13
Enter the keygrip: 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2
No Key with this keygrip

I want to point that the same process is successful with an older key that exists in the token with the "EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51" key-friendly.

Any advice to solve the problem is appreciated.

The log file is as below:

gnupg-pkcs11-scd[2208.2169505600]: Listening to socket '/tmp/gnupg-pkcs11-scd.BLemoa/agent.S'
gnupg-pkcs11-scd[2208.2169505600]: accepting connection
gnupg-pkcs11-scd[2208]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[2208.2169505600]: processing connection
gnupg-pkcs11-scd[2208]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[2208]: chan_0 -> D /tmp/gnupg-pkcs11-scd.BLemoa/agent.S
gnupg-pkcs11-scd[2208]: chan_0 -> OK
gnupg-pkcs11-scd[2208]: chan_0 <- LEARN
gnupg-pkcs11-scd[2208]: chan_0 -> S SERIALNO D276000124011150313195AC51031111
gnupg-pkcs11-scd[2208]: chan_0 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[2208]: chan_0 -> S KEY-FRIEDNLY EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51 /CN=CN on infratesttune
gnupg-pkcs11-scd[2208]: chan_0 -> S CERTINFO 101 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/85
gnupg-pkcs11-scd[2208]: chan_0 -> S KEYPAIRINFO EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/85
gnupg-pkcs11-scd[2208]: chan_0 -> S KEY-FRIEDNLY 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2 /CN=CN on infratesttune
gnupg-pkcs11-scd[2208]: chan_0 -> S KEY-FPR 1 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2
gnupg-pkcs11-scd[2208]: chan_0 -> S CERTINFO 101 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/7777
gnupg-pkcs11-scd[2208]: chan_0 -> S KEYPAIRINFO 04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2 Amnafzar\x20Corp\x2E/C/52FBF4423C4292A6/infratesttune/7777
gnupg-pkcs11-scd[2208]: chan_0 -> OK
gnupg-pkcs11-scd[2208]: chan_0 <- RESTART
gnupg-pkcs11-scd[2208]: chan_0 -> OK
gnupg-pkcs11-scd[2208]: chan_0 <- [eof]
gnupg-pkcs11-scd[2208.2169505600]: post-processing connection
gnupg-pkcs11-scd[2208.2169505600]: accepting connection
gnupg-pkcs11-scd[2208.2169505600]: cleanup connection
gnupg-pkcs11-scd[2208.2169505600]: Terminating
gnupg-pkcs11-scd[2208.2143487744]: Thread command terminate
gnupg-pkcs11-scd[2208.2143487744]: Cleaning up threads

cert-private: can't add key grip

Dear Sir:

I'm trying to use this package to connect to a PKCS#11 HSM, but it seems to have a problem: it can't add the token to the agent.

My config is as below:
log-file /tmp/gpglog
verbose
debug-all
providers p1
provider-p1-library /opt/Utimaco/libcs_pkcs11_R2.so
provider-p1-cert-private
#emulate-openpgp
openpgp-sign 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD
#openpgp-encr 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD
#openpgp-auth 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD

and we can run SCD LEARN and get KEY-FRIENDLY:

root@debian:~/.gnupg# gpg-agent --server gpg-connect-agent
OK Pleased to meet you
scd learn
S SERIALNO D2760001240111503131C55D0E5C1111
S APPTYPE PKCS11
S KEY-FRIEDNLY 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD /C=DE/ST=NRW/L=Aachen/O=Utimaco IS GmbH/OU=SystemEngineering HSM/CN=Max Mustermann on CryptoServer PKCS11 Token
S KEY-FPR 1 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD
S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01
S KEYPAIRINFO 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01
S KEY-FRIEDNLY FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 /CN=UtimacoGPG on CryptoServer PKCS11 Token
S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341
S KEYPAIRINFO FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341
OK

but when I execute gpg2 --card-status it shows as below:
root@debian:~/.gnupg# gpg2 --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131C55D0E5C1111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: C55D0E5C
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
root@debian:~/.gnupg#

It didn't show the Signature key... Am I missing some configuration?
And if I use gpg2 --card-edit to generate a key, it shows bad session key:
root@debian:~/.gnupg# gpg2 --card-edit

gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131C55D0E5C1111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: C55D0E5C
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: casey
Email address: [email protected]
Comment:
You selected this USER-ID:
"casey [email protected]"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: key generation failed: Bad session key
Key generation failed: Bad session key

My gpg2 environment is as below:
root@debian:~/.gnupg# gpg2 --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

thanks~

gpg --card-status shows different results when used with scdaemon and gnupg-pkcs11-scd

Hi everybody,

gpg --card-status shows different results when used with scdaemon and gnupg-pkcs11-scd

For example with scdaemon it shows:

Reader ...........: Cherry GmbH SmartTerminal ST-2xxx [Vendor Interface] (21121324107485) 00 00
(...)

whereas with gnupg-pkcs11-scd it only shows:

Reader ...........: [none]
(...)

I don't know whether this is related, but the debug log contains some:
gnupg-pkcs11-scd[2117546]: chan_0 <- GETATTR $SIGNKEYID
gnupg-pkcs11-scd[2117546]: chan_0 -> ERR 79 Invalid data

and some:
Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'

(there are no keys stored on this smartcard yet, so this might be ok)

Otherwise there are only: rv=0-'CKR_OK'

Do you have any idea what went wrong? I am using gnupg-pkcs11-scd v0.10.0

gpg2 --card-status fails to list any key

I'm trying to use pkcs11 with gpg on Fedora. The hardware I am using is a Yubikey, with PIV initialized. However, I never have any luck with gpg2 --card-status. The packages I have are

openssl-pkcs11-0.4.11-4.fc35.x86_64
pkcs11-helper-1.27.0-4.fc35.x86_64
opensc-0.22.0-1.fc35.x86_64
openssl-pkcs11-0.4.11-4.fc35.i686
pkcs11-helper-devel-1.27.0-4.fc35.x86_64
yubico-piv-tool-2.2.1-1.fc35.x86_64
gnupg-pkcs11-scd-0.10.0-1.fc37.x86_64

Note: gnupg-pkcs11-scd above is self-compiled. others are all from the official Fedora repo.

My config looks like the following

$ cat ~/.gnupg/gpg-agent.conf 
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program  /usr/bin/pinentry-gtk

$ cat ~/.gnupg/gnupg-pkcs11-scd.conf 
providers safenet
provider-safenet-library /usr/lib64/libykcs11.so.2
log-file /tmp/pkcs11log
verbose
debug-all
openpgp-sign E65944AA36C1A72A5EDFE7848E0D59F252920545

$ gpg-agent --server gpg-connect-agent << EOF
SCD LEARN
EOF
OK Pleased to meet you
S SERIALNO D276000124011150313115D60D5F1111
S APPTYPE PKCS11
S KEY-FRIEDNLY E65944AA36C1A72A5EDFE7848E0D59F252920545 /CN=SSH key on YubiKey PIV #4942750
S KEY-FPR 1 E65944AA36C1A72A5EDFE7848E0D59F252920545
S CERTINFO 101 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
S KEYPAIRINFO E65944AA36C1A72A5EDFE7848E0D59F252920545 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
S KEY-FRIEDNLY A569CDA604B5278BFB81FB9C9243F897E20BAD69 /CN=Yubico PIV Attestation on YubiKey PIV #4942750
S CERTINFO 101 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%19
S KEYPAIRINFO A569CDA604B5278BFB81FB9C9243F897E20BAD69 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%19
S KEY-FRIEDNLY E65944AA36C1A72A5EDFE7848E0D59F252920545 /CN=YubiKey PIV Attestation 9a on YubiKey PIV #4942750
S KEY-FPR 1 E65944AA36C1A72A5EDFE7848E0D59F252920545
S CERTINFO 101 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
S KEYPAIRINFO E65944AA36C1A72A5EDFE7848E0D59F252920545 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
OK

And the command output looks like

$ gpg2 --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.4)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Not found

Attached is the full debug log
pkcs11log-yubikey.txt

Within the log, I find something suspicious:

gnupg-pkcs11-scd[26987.1355388736]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[26987.1355388736]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'

So I feel this is likely a bug somewhere. However, I have limited knowledge for debugging further, so I'm posting this issue for investigation.

why importing same key from same token in different machine lead to different keyids

Hi,
I have a token with an RSA key pair in it and it works perfectly with gpg thanks to gnupg-pkcs11-scd, but I have a problem with it. When I have imported this token-resident key on different machines, I got different key IDs, as listed below:

gpg -k result in system1:
pub   rsa2048 2022-02-27 [SCE]
      758C5B2525F619372C77818F0F369ACF84FDABDD
uid           [ultimate] PatchSigner <[email protected]>

and

gpg -k result in system2:
pub   rsa2048 2022-02-27 [SCE]
      C538148C640D7C84BF696C2F0E6AD49E15C7F922
uid           [ultimate] PatchSigner <[email protected]>

With this behavior a critical problem arises in the below scenario:
Consider that I use system1 to sign patches of a product, and in the product I use the corresponding public key with ID "758C5B2525F619372C77818F0F369ACF84FDABDD" to verify the signature. If something goes wrong with system1 and I set up system2 with the same token to sign patches, the product couldn't verify that patch, as the key ID of the new patch is "C538148C640D7C84BF696C2F0E6AD49E15C7F922" while the product expects the previous ID.
Is there any workaround for this problem?
How are key IDs generated with gnupg-pkcs11-scd?
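The fingerprint gpg prints as the key ID is not a hash of the public key alone: per RFC 4880 a v4 fingerprint is SHA-1 over the public key packet, which carries the key creation timestamp next to the algorithm and the key material. The same RSA modulus registered with two different creation times therefore yields two different fingerprints (and key IDs), while an identifier derived from the modulus alone stays the same. The thread above does not establish that this is what happened on the two systems, but it is the first thing to check. The following is an added example, not from the issue and not gnupg-pkcs11-scd code, that computes both for a constructed, toy-sized modulus; SAMPLE_N, the two timestamps and all function names are my own assumptions.

```python
import hashlib
import struct

# Constructed sample key material (NOT a real RSA key): a 64-bit "modulus" is
# enough to show the fingerprint arithmetic. Two constructed timestamps stand in
# for the moments the key was registered on system1 and system2.
SAMPLE_N = 0xC0FFEE1234567891
SAMPLE_E = 65537
T_SYSTEM1 = 1645920000   # 2022-02-27 00:00:00 UTC (constructed)
T_SYSTEM2 = 1645923600   # one hour later (constructed)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_fingerprint(n: int, e: int, creation_time: int) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, a 2-byte body length and the public key
    packet body (version 4, 4-byte creation time, algorithm 1 = RSA, MPI n, MPI e)."""
    body = b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The long key ID is the low-order 64 bits (last 16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def modulus_id(n: int) -> str:
    """Timestamp-independent identifier: SHA-1 over the modulus bytes. As far as I know
    this is how GnuPG derives the keygrip of an RSA key (assumption, not from the issue)."""
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest().upper()


def compare_registrations(n: int = SAMPLE_N, e: int = SAMPLE_E,
                          t1: int = T_SYSTEM1, t2: int = T_SYSTEM2) -> dict:
    """Register the same key twice with different creation times and report what
    changes (fingerprint, key ID) and what does not (the modulus identifier)."""
    fp1, fp2 = v4_fingerprint(n, e, t1), v4_fingerprint(n, e, t2)
    return {
        "fingerprint_system1": fp1,
        "fingerprint_system2": fp2,
        "fingerprints_match": fp1 == fp2,
        "key_ids_match": long_key_id(fp1) == long_key_id(fp2),
        "modulus_id": modulus_id(n),
    }


if __name__ == "__main__":
    for name, value in compare_registrations().items():
        print(f"{name:22} {value}")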

Yubikey - Multiple PIV Certs encryption/signing issue

Hi,
I'm using gpgme with gnupg-pkcs11-scd & a pkcs11 lib for a yubikey5 (does not matter if i use the opensc lib, libykcs11 or p11-kit) to sign & encrypt email. My Yubikey contains a standard set of PIV certificates.
For PIV it is common to have 3 seperate certs/keys. One each for Authentication, Digital Signature and Encryption.
The key usage in these are set correct for each one and those keys can have different pin policies.

I am able to sign emails with the correct key when i configure:
provider-p1-private-mask 1
However i can then not encrypt/decrypt at all.

When i configure
provider-p1-private-mask 4
i can successfully encrypt/decrypt but no longer sign anything :/

If I set the private-mask not at all or to 0 then i can do neither.
I looked through the code but only found that the private-mask is passed on to the pkcs11 provider.
Any ideas?

Select slot/token and env for library in configuration

On shared HSM PKCS#11 driver lists a lot of slots (in example from 0 to 54).
Is it possible to add configuration parameter to select a permanent slot?
Additional identification using the token label would be the peak of expectations.

The ability to set environment variables would also be convenient as some PKCS libraries sometimes require additional settings.

provider-p1-library /usr/local/lib64/libcs_pkcs11_R2.so
provider-p1-slot 17
provider-p1-token-label my_label
provider-p1-env SOME_ENV=some_value

safenet HSM card not found with gpg 2.2.9

Hi,

Thanks for having option to open issues

we use safenet HSM with gpg 2.0.22 for RPM signing. As part of RHEL OS upgrade to RHEL8, gpg also got upgraded to 2.2.9 and the new gpg version is unable to find smartcard. we kindly request your valuable input to pin point the issue

Hereaby pasting the config files and attaching the debug log

cat /etc/gnupg-pkcs11-scd.conf
# Log file.
log-file /var/log/scd.log

# Default is not verbose.
verbose

# Default is no debugging.
debug-all

providers safenet
provider-safenet-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so

openpgp-sign *************************************************
openpgp-encr *************************************************
openpgp-auth *************************************************


cat gpg-agent.conf
scdaemon-program /usr/bin/gnupg-pkcs11-scd-proxy
pinentry-program /home/ITUD/.gnupg/pinentry-file.home


[ITUD@eaasrt ~]$ gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.9)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Not found


Log file
scd.txt

9.3 release always requires PIN for signing operation

It seems after upgrading to 9.3, I'm prompted for PIN on every sign operation. With 9.2, PIN has been cached until my YubiKey was unplugged. Both authentication and and encryption operations caches PIN properly.

As a workaround, one can create /etc/opensc.conf file with the following content:

app default {
        framework pkcs15 {
                pin_cache_ignore_user_consent = true;
        }
}

However, this is insecure, as PIN is being cached and re-used even when YubiKey gets re-plugged.

Do you have any idea why this behavior occurs? I was investigating and perhaps this is related to OpenSC/pkcs11-helper@cbb453f?

Or maybe there is some configuration option which could be used to restore previous behavior?

EDIT:

Also, when YubiKey is plugged, I get asked for PIN twice. In consecutive signing operations, I get asked only once. I've also tried adding:

default-cache-ttl 34560000
maximum-cache-ttl 34560000

to gpg-agent.conf, but it does not make a difference.

ERR 41 Wrong public key algorithm <Unspecified source>

Ehlo.

I'm getting the following error in my logs and my attempts to use my smart card fails:

gnupg-pkcs11-scd[3885]: chan_0 <- KEYINFO --list
gnupg-pkcs11-scd[3885]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>

I'm using libcryptoki.so provider as described here, so there are quite a lot of variables in this setup.

The error seems to happen with all the KEYINFO commands. My setup was working previously, but clearly some underlying component has updated down the road and now it's broken.

Any advice on where to look to get this sorted out? I'm happy to provide any additional information.

Versions

Software Version
gpg 2.4.3
libgcrypt 1.10.3
gnupg-pkcs11-scd 3b84225

Documentation Isuse for Yubikey with OpenSC

For Yubikey to propperly sign with OpenSC and gnupg-pkcs11-scd the opensc.conf may need the follwing entires:

# opensc.conf
app default {
        framework pkcs15 {
                pin_cache_ignore_user_consent = true;
        }
}

[Nitrokey HSM2] gpg --expert --full-generate-key returns: gpg: signing failed: Card error

Hi

I'm facing this issue when using Nitrokey hsm2
tested on Ubuntu 22.04 to 24.04 (latest opensc + gnutls) + different opetions in .conf file all the times fails with the same signature:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: signing failed: Card error
gpg: make_keysig_packet failed: Card error
Key generation failed: Card error

Config options:

cat  ~/.gnupg/gpg-agent.conf
daemon
verbose
log-file /tmp/gpg-agent.log
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry
cat  ~/.gnupg/gnupg-pkcs11-scd.conf
verbose
debug-all
#pin-cache 5
log-file /tmp/gnupg-pkcs11-scd.log
providers nitrokey
provider-nitrokey-library /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
#provider-nitrokey-allow-protected-auth
#provider-nitrokey-cert-private

Can you please advise on how to debug this issue ?

gnupg-pkcs11-scd.log

regards

Cannot use PIN-pad reader

Hello,

Summary: gnupg-pkcs11-scd fails o sign or decrypt when PIN-pad usage is required.

Environment:

  • OS: macOS 10.14
  • OpenSC 0.19
  • reader: REINER SCT cyberjack komfort
  • card: SmartCard-HSM v1.0
  • GPG: GPGSuite 2020.1 (gpg (GnuPG/MacGPG2) 2.2.20)
  • gnupg-pkcs11-scd 0.9.2_1 (homebrew version)

Steps to reproduce:

  • note that these steps are specific to this type of card, but I do not have a different one o test if it is a general problem
  1. Prerequisites: all software is installed, drivers for the reader too, the card is initialised, the card has a keypair and x509 certificate (FYI, this is a setup which I previously used with success with gnupg-pkcs11-scd's older versions and different combinations of older versions of the rest of the software including the operating system and other Reiner PIN-pad readers) For details, steps outlined here are useful:
  1. gpg-agent.conf:
default-cache-ttl 30
max-cache-ttl 60
scdaemon-program /usr/local/bin/gnupg-pkcs11-scd
pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac
  1. gnupg-pkcs11-scd
pin-cache 1
providers opensc
provider-opensc-library /Library/OpenSC/lib/opensc-pkcs11.so
provider-opensc-allow-protected-auth
  1. get the card status
gpg --card-status
  1. encrypt and sign a file
echo test > test.txt
gpg -se -r <mail associated with the key> test.txt
# here PIN is requested, entered in the reader, accepted, and...
gpg: signing failed: Card error
gpg: test.txt: sign+encrypt failed: Card error

If provider-opensc-allow-protected-auth is not used, then the PIN provided via pinentry-program is accepted and the signing/encryption operation is successful.

gnupg-pkcs11-scd log shows:

gnupg-pkcs11-scd[35148]: chan_0 <- PKSIGN --hash=sha512 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DECM0104457/UserPIN\x20\x28SmartCard\x2DHSM\x29/02

gnupg-pkcs11-scd[35148]: chan_0 -> ERR 108 Card error <Unspecified source>
gnupg-pkcs11-scd[35148]: chan_0 <- RESTART
gnupg-pkcs11-scd[35148]: chan_0 -> OK

Please let me know which other information I need to provide. Thank you.

gpg --sign not triggering pin entry using a key with 'always authenticate'

Hi,

big thanks for developing and maintaining gnupg-pkcs11-scd!

I am trying to set up my smartcard-hsm cards to be used with GPG using a reader with a pinpad and I have discovered a behavior that has surprised me quite a bit.

I have written a script and prepared a docker image to reproduce the issue, it's @ https://github.com/filip-zyzniewski/issues/blob/main/gnupg-pkcs11-scd/gpg_sign_without_auth/run.sh .

I have uploaded the output of the script @ https://gist.github.com/filip-zyzniewski/fed564bb5b7418506931fe8104b02d83, adding <PINENTRY> everywhere where I was offered pin entry.

The surprising fact is that not each gpg --sign has triggered a pin entry:

filip@dell1:~/git/github.com/filip-zyzniewski/issues/gnupg-pkcs11-scd/gpg_sign_without_auth$ egrep 'gpg_setup_sign|<PINENTRY' gpg_sign_without_auth-66677653961753f4551fef254dab18bdc4051321.log 
2023-09-07T20:06:50,174221277+00:00 gpg_setup_sign: waiting for the card to be available
2023-09-07T20:06:50,799849867+00:00 gpg_setup_sign: information about the card
2023-09-07T20:06:51,218269729+00:00 gpg_setup_sign: initializing the card
2023-09-07T20:06:51,584758698+00:00 gpg_setup_sign: generating a key pair
<PINENTRY>
2023-09-07T20:07:01,347624564+00:00 gpg_setup_sign: creating the certificate
<PINENTRY>
2023-09-07T20:07:07,629788009+00:00 gpg_setup_sign: converting /tmp/cert-1694117211.pem to /tmp/cert-1694117211.der
2023-09-07T20:07:07,699249192+00:00 gpg_setup_sign: writing the certificate to the card
<PINENTRY>
2023-09-07T20:07:14,044661298+00:00 gpg_setup_sign: looking up the key grip
2023-09-07T20:07:14,493354103+00:00 gpg_setup_sign: adding the key to GPG
<PINENTRY>
2023-09-07T20:07:20,471903691+00:00 gpg_setup_sign: objects on the card
<PINENTRY>
2023-09-07T20:07:27,134262824+00:00 gpg_setup_sign: first signing of a message
<PINENTRY>
2023-09-07T20:07:33,993742142+00:00 gpg_setup_sign: second signing of a message
2023-09-07T20:07:34,206958795+00:00 gpg_setup_sign: resetting the card
2023-09-07T20:07:35,278657808+00:00 gpg_setup_sign: third signing of a message
<PINENTRY>
<PINENTRY>
2023-09-07T20:07:49,924574029+00:00 gpg_setup_sign: fourth signing of a message
filip@dell1:~/git/github.com/filip-zyzniewski/issues/gnupg-pkcs11-scd/gpg_sign_without_auth$ 

As you can see, the second and fourth signing of a message have been done without authenticating to the card. I don't think it should be possible given that the private key is marked as 'always authenticate' (https://gist.github.com/filip-zyzniewski/fed564bb5b7418506931fe8104b02d83#file-gpg_sign_without_auth-66677653961753f4551fef254dab18bdc4051321-log-L5370)

The script ran in the container (https://github.com/filip-zyzniewski/issues/blob/main/gnupg-pkcs11-scd/gpg_sign_without_auth/gpg_setup_sign.sh) contains all steps taken, starting from initializing the card with sc-hsm-tool.

Is this a problem with one of the components of this setup, or am I misunderstanding something?

Error on gpg card-status

Hello,
I am on GnuPG version 2.1.15(shipped by ubuntu zesty)
I get gpg: OpenPGP card not available: Bad session key on card-edit or card-status. Currently using the master branch.Only the 7.4 release works(with emulate-openpgp); other versions give same error.

support rutoken

i'm howto from https://craftware.xyz/securitybricks/2017/07/17/using-tokens-in-Ubuntu-with-pgp.html

but I don’t understand at what point and what actions should lead to key inegration from the token to the host.

1)providers p1 provider-p1-library /usr/lib/librtpkcs11ecp.so #emulate-openpgp openpgp-sign 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 openpgp-encr 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 openpgp-auth 88E23DFBAA20FA2F8D42A2F62C24E409E8417662
2)
root@ubuntu1904:~/.gnupg# gpg-agent --server
OK Pleased to meet you
SCD LEARN
gnupg-pkcs11-scd[1807.1476360000]: Listening to socket '/tmp/gnupg-pkcs11-scd.avYjJa/agent.S'
gnupg-pkcs11-scd[1807.1476360000]: accepting connection
gnupg-pkcs11-scd[1807]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[1807.1476360000]: processing connection
gnupg-pkcs11-scd[1807]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[1807]: chan_0 -> D /tmp/gnupg-pkcs11-scd.avYjJa/agent.S
gnupg-pkcs11-scd[1807]: chan_0 -> OK
gnupg-pkcs11-scd[1807]: chan_0 <- LEARN
gnupg-pkcs11-scd[1807]: chan_0 -> S SERIALNO D27600012401115031313A46EA651111
gnupg-pkcs11-scd[1807]: chan_0 -> S APPTYPE PKCS11
S SERIALNO D27600012401115031313A46EA651111
S APPTYPE PKCS11
gnupg-pkcs11-scd[1807]: chan_0 -> S KEY-FRIEDNLY 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 /C=RU/ST=1/L=2/O=3/OU=4/CN=5/emailAddress=[email protected] on rutoken_29
gnupg-pkcs11-scd[1807]: chan_0 -> S KEY-FPR 1 88E23DFBAA20FA2F8D42A2F62C24E409E8417662
gnupg-pkcs11-scd[1807]: chan_0 -> S CERTINFO 101 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01
gnupg-pkcs11-scd[1807]: chan_0 -> S KEYPAIRINFO 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01
gnupg-pkcs11-scd[1807]: chan_0 -> OK
S KEY-FRIEDNLY 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 /C=RU/ST=1/L=2/O=3/OU=4/CN=5/emailAddress=[email protected] on rutoken_29
S KEY-FPR 1 88E23DFBAA20FA2F8D42A2F62C24E409E8417662
S CERTINFO 101 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01
S KEYPAIRINFO 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01
OK

3)gpg2 --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D27600012401115031313A46EA651111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: 3A46EA65
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 88E2 3DFB AA20 FA2F 8D42 A2F6 2C24 E409 E841 7662
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

  1. pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --login --list-objects -Ol
    Using slot 0 with a present token (0x0)
    Logging in to "rutoken_29".
    WARNING: user PIN to be changed
    Please enter User PIN:
    Public Key Object; RSA 2048 bits
    label: [email protected]
    ID: 01
    Usage: encrypt, verify, wrap
    Private Key Object; RSA
    label: [email protected]
    ID: 01
    Usage: decrypt, sign, unwrap
    Certificate Object; type = X.509 cert
    label: [email protected]
    subject: DN: C=RU, ST=1, L=2, O=3, OU=4, CN=5/emailAddress=[email protected]
    ID: 01

  2. gpgsm --import file (x.509 to pem)
    root@ubuntu1904:~/.gnupg# gpgsm --import ./my.pem
    gpgsm: total number processed: 1
    gpgsm: imported: 1

root@ubuntu1904:~/.gnupg# gpgsm --list-key
/root/.gnupg/pubring.kbx

       ID: 0x9A5D97CB
      S/N: 4A68A5C4438F5A572831D58040CB9C9D887274A4
   Issuer: /CN=5/OU=4/O=3/L=2/ST=1/C=RU/[email protected]
  Subject: /CN=5/OU=4/O=3/L=2/ST=1/C=RU/[email protected]
 validity: 2019-09-29 10:09:08 through 2019-10-29 10:09:08
 key type: 2048 bit RSA

chain length: unlimited
fingerprint: 80:CD:58:96:90:83:68:7B:48:51:65:46:06:7B:26:EB:9A:5D:97:CB

P.S.
in debian doc write
https://manpages.debian.org/stretch/gnupg-pkcs11-scd/gnupg-pkcs11-scd.1.en.html
GNUPG INTEGRATION
Typical steps to set up a card for gpgsm usage:
Import the CA certificate of your issuer:
gpgsm --import < ca-certificate
You should also manually import all self-signed certificates.
Instruct GnuPG to discover all useful certificates on the card:
gpgsm --learn-card
Signing, verification, etc. work as usual with gpgsm.

Typical steps to set up a card for gpg usage:

Acquire key ids:
gpg-agent --server gpg-connect-agent
Enter "SCD LEARN" and look for "KEY-FRIEDNLY" responses, the first field is the hash, the second is the subject name.
Configure gnupg-pkcs11-scd for opengpg emulation, specify the public key hashes to be used for signature, encryption and authentication.
Instruct GnuPG to discover all useful information of card:
gpg --card-status
You should see valid card status.
Now, you should virtual generate keys, the keys are not actually generated, but returned to gpg to be registered.
gpg --card-edit
admin
generate (DO NOT BACKUP KEYS)
Disable the opengpg emulation.
Now you can use the same card with your gpg and gpgsm keys. We don't know if this is a bug or feature in gnupg, but we glad that it works.
Signing, verification, etc. work as usual with gpg.

try in old version 0.7.4
debug gpg2 --card-edit
https://pastebin.com/jzv52kpz

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.