SCD-PKCS#11

The scd-pkcs#11 module is a prototype / proof-of-concept PKCS#11 provider that interfaces with GnuPG's smart card daemon (scdaemon).

It allows PKCS#11-aware applications such as Firefox or OpenSSH to use smart cards via GnuPG's built-in smart card support. scd-pkcs#11 is an alternative to the OpenSC PKCS#11 module.

Component Overview

Scenario A - with SCD-PKCS#11

This scenario is the focus of this project.

USB SmartCard
  |-- scdaemon -- gpg-agent -- GnuPG / SSH (via gpg-agent's builtin ssh-agent)
                    |-- SCD-PKCS#11 provider
                          |-- client app (Firefox, SSH, ...)

Scenario B - with and without SCD-PKCS#11

Problem: scdaemon needs exclusive access to the smart card

USB SmartCard
  |-- pcscd
  |     |-- CCID driver
  |           |-- PKCS#11 provider (e.g. opensc-pkcs11.so)
  |                 |-- client app (Firefox, SSH, ...)
  |
  |-- scdaemon ---- gpg-agent -- GnuPG (or SSH via gpg-agent builtin ssh-agent)
                          |-- SCD-PKCS#11 provider
                                |-- client app

Scenario C - without SCD-PKCS#11, but with gnupg-pkcs11-scd:

USB token
  |-- pcscd
        |-- CCID driver
              |-- PKCS#11 provider (e.g. opensc-pkcs11.so)
                    |-- client app (Firefox, SSH, ...)
                    |-- gnupg-pkcs11-scd (alternative scdaemon)
                          |-- gpg-agent -- GnuPG

Scenario D - OSX component overview

USB token -- PCSCD -- CCID driver bundle -- PKCS#11 provider -- client app
  |-- .. .. .. .. .. .. |-- tokend -- tokend.bundle -- Keychain -- OSX App (Safari, Chrome, ...)
  |
  |-- scdaemon -- gpg-agent -- GnuPG
                    |-- SCD-PKCS#11 provider -- client app

Problems:

  • scdaemon and CCID do not work simultaneously.
  • scdaemon does not quit after use.
  • CCID is not up to date. New hardware may need custom drivers.
  • tokend is not well documented. The relevant open source OpenSC.tokend seems to lack maintenance since OSX 10.6, but appears to work (even if somewhat by coincidence).

Compiling / Installation

Please read the wiki installation page.

Quick-Install from source:

./configure
make
make install

That's it. See the wiki for further documentation.

Quick Installation on OSX / macOS

brew install sektioneins/tap/scd-pkcs11

Related Projects

  • Scute - "Scute is a PKCS #11 module that adds support for the OpenPGP smartcard to the Mozilla Network Security Services (NSS)."
  • YKCS11 - "This is a PKCS#11 module that allows communication with the PIV application running on a YubiKey."

Feedback

Please use the issue tracker.

When reporting a bug, please provide:

  • Operating System and version
  • library version, e.g. commit id or package version
  • PKCS#11 client, e.g. Firefox
  • Short description of what to do to reproduce the bug
  • If needed, log files, screenshots, additional information.

License

Copyright (C) 2015-2018 SektionEins GmbH / Ben Fuhrmannek

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


scd-pkcs11's Issues

dereferencing pointer to incomplete type ‘X509’

Hi there! I'm trying to build your great project from sources, but make tells me

cc -c sec.c  -Werror -Wall -std=c99 -fPIC -DHAVE_SSL -I/usr/include/libassuan2 
sec.c: In function ‘sec_convert_cert3_to_attribute_list’:
sec.c:118:22: error: dereferencing pointer to incomplete type ‘X509’ {aka ‘struct x509_st’}
   n = i2d_X509_NAME(x->cert_info->subject, NULL);
                      ^~
make: *** [Makefile:23: sec.o] Error 1

scd is incompatible with 32 bit systems

The offending function is

gpg_error_t scd_unescape_data(uchar *out, size_t *poutlen, uchar *data, size_t datalen)

size_t on 32 bit systems is unsigned int
size_t on 64 bit systems is unsigned long

On line 233 of scd.c gpg_error_t scd_sign_data is called with unsigned long, which of course causes an error at build time.

gpg_error_t scd_sign_data(assuan_context_t ctx, uchar *pSignature, unsigned long *pulSignatureLen, uchar *pData, unsigned long ulDataLen)

There is a build log available here:
https://build.opensuse.org/package/live_build_log/home:hurricanehernandez/scd-pkcs11/openSUSE_Tumbleweed/i586
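An added example, not from this repository or the issue author, showing the type bridging that the mismatch above calls for: a hypothetical scdaemon-side helper keeps the size_t signature quoted in the issue, and a PKCS#11-side caller that holds CK_ULONG (unsigned long) lengths converts through a local size_t instead of passing its unsigned long pointer straight through. The "%XX" decoding, the function names and the return-code mapping are assumptions made for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char uchar;
/* PKCS#11 defines its length type as unsigned long (CK_ULONG in pkcs11.h). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
#define CKR_OK               0x00UL
#define CKR_ARGUMENTS_BAD    0x07UL
#define CKR_BUFFER_TOO_SMALL 0x150UL

static int hexval(uchar c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical scdaemon-side helper with the size_t signature quoted in the
 * issue. It decodes Assuan-style "%XX" escapes into out; *poutlen carries the
 * buffer size in and the decoded length out. Returns 0 on success, -1 on a
 * malformed escape, -2 when the output buffer is too small. Not project code. */
static int unescape_data(uchar *out, size_t *poutlen, const uchar *data, size_t datalen)
{
    size_t n = 0;
    for (size_t i = 0; i < datalen; i++) {
        uchar c = data[i];
        if (c == '%') {
            if (i + 2 >= datalen) return -1;          /* truncated "%X" */
            int hi = hexval(data[i + 1]), lo = hexval(data[i + 2]);
            if (hi < 0 || lo < 0) return -1;          /* non-hex digits */
            c = (uchar)((hi << 4) | lo);
            i += 2;
        }
        if (n >= *poutlen) return -2;                 /* would overflow out */
        out[n++] = c;
    }
    *poutlen = n;
    return 0;
}

/* PKCS#11-side caller holding CK_ULONG lengths. Passing pulOutLen straight to
 * unescape_data is what fails under -Werror on ILP32: size_t is unsigned int
 * there, CK_ULONG is unsigned long, and the pointer types are incompatible even
 * though both are 32 bits wide. Bridging through a local size_t compiles on
 * every data model; the explicit range check covers LLP64 (Windows), where
 * size_t is wider than unsigned long. */
static CK_RV bridge_unescape(uchar *out, CK_ULONG *pulOutLen, const uchar *data, CK_ULONG ulDataLen)
{
    if (out == NULL || pulOutLen == NULL || data == NULL) return CKR_ARGUMENTS_BAD;
    size_t outlen = (size_t)*pulOutLen;   /* CK_ULONG -> size_t never truncates */
    size_t datalen = (size_t)ulDataLen;
    int rc = unescape_data(out, &outlen, data, datalen);
    if (rc == -2) return CKR_BUFFER_TOO_SMALL;
    if (rc != 0)  return CKR_ARGUMENTS_BAD;
    /* size_t -> CK_ULONG can truncate on LLP64, so check before storing. */
    if (outlen > (size_t)ULONG_MAX) return CKR_ARGUMENTS_BAD;
    *pulOutLen = (CK_ULONG)outlen;
    return CKR_OK;
}

/* Convenience wrapper used by the demo: decodes s into a buffer of bufsize
 * bytes (capped at 64) and returns the decoded length, -1 for
 * CKR_BUFFER_TOO_SMALL, -2 for CKR_ARGUMENTS_BAD. */
long unescaped_len(const char *s, CK_ULONG bufsize)
{
    uchar buf[64];
    if (bufsize > sizeof buf) bufsize = sizeof buf;
    CK_ULONG len = bufsize;
    CK_RV rv = bridge_unescape(buf, &len, (const uchar *)s, (CK_ULONG)strlen(s));
    if (rv == CKR_BUFFER_TOO_SMALL) return -1;
    if (rv != CKR_OK) return -2;
    return (long)len;
}

int main(void)
{
    /* Constructed inputs: an escaped string, a too-small buffer, a bad escape. */
    printf("sizeof(size_t)=%zu sizeof(CK_ULONG)=%zu\n", sizeof(size_t), sizeof(CK_ULONG));
    printf("a%%25b%%0A -> %ld bytes\n", unescaped_len("a%25b%0A", 16));
    printf("abc into 2 bytes -> %ld\n", unescaped_len("abc", 2));
    printf("a%%2 -> %ld\n", unescaped_len("a%2", 16));
    return 0;
}
```

The wrapper keeps the size_t/unsigned long conversion in one place, so the scdaemon-facing helpers can stay size_t-typed while the PKCS#11 entry points keep the CK_ULONG types mandated by the standard header.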

Use of gpgsm certificates

Hi,

Just an idea. My current understanding is that scd-pkcs11 requires an authentication x509 certificate to be written to the OpenPGP card certificate slot. Some smartcards (I'm looking at you, Yubikey 4) have a very limited size for data in this slot meaning that a certificate chain and certificate using a RSA 4096 bit key won't fit.

Therefore I was thinking it would be nice to use certificates stored with the gpgsm command line, just like scute does. This could also open up the possibility of having multiple certificates exposed as you can store multiple certificates with gpgsm.

Interested to know your thoughts. Cheers
