
openpgp's People

Contributors

conorpp, craigcomstock, kasecato, medmen, merlokk


openpgp's Issues

Missing 'device.h' file

Hi, I'm trying to compile this on macOS and I see that there's a device.h file missing (included in ./src/opgpdevice.h). I wonder where that's been sourced from, because many of the packages you reference in the README are Linux only.

PS: I can try to fixup the build for this platform and submit a pull request as well.

in Readme.md git clone needs --recurse-submodules

Could not get this to work when following the actual readme.md
Turns out the git clone command needed to be
git clone --recurse-submodules https://github.com/solokeys/openpgp.git
to work for me (Ubuntu 18.04)

can't build on debian host

After I fixed the bearssl include problem with

I get

craig@other:~/src/solokeys-openpgp$ make
g++ -std=c++17 -Os -Wall -g3 -I. -Ipc/ -Isrc/ -Ilibs/mbedtls/ -Ilibs/mbedtls/mbedtls/crypto/include/ -Ilibs/stm32fs/ -Ilibs/bearssl/ -c -o obj/opgpdevice.o ./pc/opgpdevice.cpp
./pc/opgpdevice.cpp:31:10: fatal error: spiffs.h: No such file or directory
 #include <spiffs.h>
          ^~~~~~~~~~
compilation terminated.
make: *** [Makefile:28: obj/opgpdevice.o] Error 1

workaround is to remove the 'pc' directory so I just build for the solokeys hacker device

craig@other:~/src/solokeys-openpgp$ git diff
diff --git a/Makefile b/Makefile
index a37b4ea..0a8c2af 100644
--- a/Makefile
+++ b/Makefile
@@ -5,8 +5,7 @@ RM = rm -rf
 rwildcard=$(wildcard $1$2) $(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2))
 
 OBJ_DIR := ./obj
-SRC_DIRS := ./pc \
-            ./src \
+SRC_DIRS := ./src \
             ./src/applications \
             ./src/applications/openpgp \
             ./libs/stm32fs
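
Review bot: Dropping ./pc from SRC_DIRS in this hunk sidesteps the missing spiffs.h instead of resolving it, and ./src does not build on its own afterwards: the next compile, ./src/cryptolib.cpp, stops on #include "device.h". Consider keeping ./pc in SRC_DIRS and making spiffs.h and device.h resolvable through the include path instead, so the host build stays covered by the Makefile.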

but that leaves me with the next error:

c/cryptolib.cpp
./src/cryptolib.cpp:15:10: fatal error: device.h: No such file or directory
 #include "device.h"
          ^~~~~~~~~~
compilation terminated.
make: *** [Makefile:27: obj/cryptolib.o] Error 1

I will continue working through these errors and see if I can fix things up and submit a PR.

Can't use openpgp

I tried running the openpgp app on Linux but I got an issue with importing bearSSL, it couldn't be found.
I saw in the post that it should also work on Windows, is there an install guide for windows?

can't set or reset pin

admin and unblock pins both return 'bad pin' when trying to set.
resetting user pin from 123456 to something else returns 'card error'
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5

Ed25519 Support?

I am curious if the Solo OpenPGP firmware will support Ed25519 curves? This is my biggest issue with Yubikeys, I've contacted them and they do not have a roadmap for adding it.

I'd much prefer to use my Solo full time, and once it has GPG support I will be able to, and ideally it would support Ed25519.

Non-extractable keys

It would be beneficial if the solokeys were capable of generating non-extractable gpg and ssh keys.

  • Protection against malware stealing keys
  • Protection against leaking the key
  • Protection against extracting the key by malicious actor

gpg2 --card-edit generate does not work

commands

gpg2 --card-edit
admin
generate

result

gpg: key generation failed: General error
Key generation failed: General error

it looks like some of the constants in DO are wrong...

Some responses to GET DATA are not properly wrapped

For constructed DO GET DATA requests, it looks like the replies should be 1 single constructed DO/TLV.

Some examples:

Currently looks like:

>> GET DATA [CA] var. Application Related Data. [006e]
<< 
    5-16. Full AID. [004f]: d2760001240102010005000031880000 (216 bytes total)

>> GET DATA [CA] var. Cardholder related data. [0065]
<< 
    0-39. Name. [005b]:  (9 bytes total)

Should be like this:

>> GET DATA [CA] var. Application Related Data. [006e]
<< 
    var. Application Related Data. [006e]: 
        5-16. Full AID. [004f]: d2760001240102010006086910620000
        0-15.  Historical bytes. [5f52]: 0073000080059000
        3. Optional general feature management. [7f74]: 
            RSA modulus. [0081]: 20
        var. Discretionary data objects. [0073]: 
            10. Extended capabilities. [00c0]: 3c00000004c000ff00ff
            var. Algorithm attributes signature. [00c1]: 010800001100
            var. Algorithm attributes decryption. [00c2]: 011000001100
            var. Algorithm attributes authentication. [00c3]: 011000001100
            7. PW status Bytes (PW1, PW1 max length, RC max length, PW3 max length, ...) [00c4]: 017f7f7f030003
            60. fingerprints, 20 bytes each for sig,dec,auth. [00c5]: 682626763c5676d3f13b9d5adf6990fc44fc439243eee30ef73bfd53e25cb0d1dae105de65de9c0407c3573447987972785915e1bd5c5f1fc3c313bb
            60. CA fingerprints, 20 bytes each. [00c6]: 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
            12. List of 3, 4-byte dates for pubkey pairs. [00cd]: 5dfcf74e5dfc0bbc5dfc0c54 (224 bytes total)

>> GET DATA [CA] var. Cardholder related data. [0065]
<< 
    var. Cardholder related data. [0065]: 
        0-39. Name. [005b]: 
        2-8. Language preferences. [5f2d]: 
        1. Sex. [5f35]: 39 (11 bytes total)
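
An added example, not code from the issue or from the openpgp project: a small BER-TLV check that a GET DATA response for a constructed DO is exactly one TLV carrying the requested tag. The two byte strings are constructed to match the Cardholder related data traces above (9 and 11 bytes total), the function names are hypothetical, and the status word is assumed to be stripped already.

```python
# Constructed sample responses for GET DATA 0065 (Cardholder related data),
# built from the traces in the issue; SW1SW2 is assumed to be stripped.
UNWRAPPED = bytes.fromhex("5b005f2d005f350139")    # 9 bytes: bare child DOs
WRAPPED = bytes.fromhex("65095b005f2d005f350139")  # 11 bytes: one 65 TLV


def read_tlv(buf, pos=0):
    """Parse one BER-TLV at buf[pos:]; return (tag, value, next_pos)."""
    try:
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:          # multi-byte tag such as 5F2D or 7F74
            while True:
                tag = (tag << 8) | buf[pos]
                pos += 1
                if not tag & 0x80:      # last tag byte has its top bit clear
                    break
        length = buf[pos]
        pos += 1
        if length & 0x80:               # long form: 81 nn or 82 nnnn
            n = length & 0x7F
            if n not in (1, 2) or pos + n > len(buf):
                raise ValueError("bad length field")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
    except IndexError:
        raise ValueError("truncated TLV header") from None
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def wrapped_children(requested_tag, response):
    """Return the child tags if response is exactly one TLV with requested_tag."""
    tag, value, end = read_tlv(response)
    if tag != requested_tag:
        raise ValueError(f"outer tag {tag:02x}, expected {requested_tag:02x}")
    if end != len(response):
        raise ValueError("trailing bytes after the outer TLV")
    children, pos = [], 0
    while pos < len(value):
        child, _, pos = read_tlv(value, pos)
        children.append(child)
    return children
```

Run against the unwrapped form, `wrapped_children(0x65, UNWRAPPED)` raises because the first tag seen is 5b rather than 65.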

Can't build on arch

Hi there,

Trying to build on arch, getting:

▶ make
g++ -std=c++17 -Os -Wall -g3 -I. -Ipc/ -Isrc/ -Ilibs/mbedtls/ -Ilibs/mbedtls/mbedtls/crypto/include/ -Ilibs/stm32fs/ -Ilibs/bearssl/ -Ilibs/spiffs/ -Ilibs/spiffs/default -Ilibs/spiffs/test -c -o obj/opgpdevice.o ./pc/opgpdevice.cpp
g++ -std=c++17 -Os -Wall -g3 -I. -Ipc/ -Isrc/ -Ilibs/mbedtls/ -Ilibs/mbedtls/mbedtls/crypto/include/ -Ilibs/stm32fs/ -Ilibs/bearssl/ -Ilibs/spiffs/ -Ilibs/spiffs/default -Ilibs/spiffs/test -c -o obj/cryptolib.o ./src/cryptolib.cpp
g++ -std=c++17 -Os -Wall -g3 -I. -Ipc/ -Isrc/ -Ilibs/mbedtls/ -Ilibs/mbedtls/mbedtls/crypto/include/ -Ilibs/stm32fs/ -Ilibs/bearssl/ -Ilibs/spiffs/ -Ilibs/spiffs/default -Ilibs/spiffs/test -c -o obj/opgputil.o ./src/opgputil.cpp
./src/opgputil.cpp:9:10: fatal error: led.h: No such file or directory
    9 | #include "led.h"
      |          ^~~~~~~
./pc/opgpdevice.cpp:31:10: fatal error: spiffs.h: No such file or directory
   31 | #include <spiffs.h>
      |          ^~~~~~~~~~
compilation terminated.
compilation terminated.
make: *** [Makefile:31: obj/opgpdevice.o] Error 1
make: *** Waiting for unfinished jobs....
make: *** [Makefile:31: obj/opgputil.o] Error 1
./src/cryptolib.cpp:15:10: fatal error: device.h: No such file or directory
   15 | #include "device.h"
      |          ^~~~~~~~~~
compilation terminated.
make: *** [Makefile:31: obj/cryptolib.o] Error 1

Then with #24, I fixed spiffs. I used submodule strategy, let me know if you prefer another method.

▶ make
g++ -std=c++17 -Os -Wall -g3 -I. -Ipc/ -Isrc/ -Ilibs/mbedtls/ -Ilibs/mbedtls/mbedtls/crypto/include/ -Ilibs/stm32fs/ -Ilibs/bearssl/ -Ilibs/spiffs/src -Ilibs/spiffs/src/default -Ilibs/spiffs/src/test -c -o obj/opgpdevice.o ./pc/opgpdevice.cpp
g++ -std=c++17 -Os -Wall -g3 -I. -Ipc/ -Isrc/ -Ilibs/mbedtls/ -Ilibs/mbedtls/mbedtls/crypto/include/ -Ilibs/stm32fs/ -Ilibs/bearssl/ -Ilibs/spiffs/src -Ilibs/spiffs/src/default -Ilibs/spiffs/src/test -c -o obj/cryptolib.o ./src/cryptolib.cpp
g++ -std=c++17 -Os -Wall -g3 -I. -Ipc/ -Isrc/ -Ilibs/mbedtls/ -Ilibs/mbedtls/mbedtls/crypto/include/ -Ilibs/stm32fs/ -Ilibs/bearssl/ -Ilibs/spiffs/src -Ilibs/spiffs/src/default -Ilibs/spiffs/src/test -c -o obj/opgputil.o ./src/opgputil.cpp
./src/opgputil.cpp:9:10: fatal error: led.h: No such file or directory
    9 | #include "led.h"
      |          ^~~~~~~
compilation terminated.
make: *** [Makefile:31: obj/opgputil.o] Error 1
make: *** Waiting for unfinished jobs....
./src/cryptolib.cpp:15:10: fatal error: device.h: No such file or directory
   15 | #include "device.h"
      |          ^~~~~~~~~~
compilation terminated.
make: *** [Makefile:31: obj/cryptolib.o] Error 1
./pc/opgpdevice.cpp: In function ‘void hw_spiffs_mount()’:
./pc/opgpdevice.cpp:71:26: error: invalid conversion from ‘s32_t (*)(u32_t, u32_t, u8_t*)’ {aka ‘int (*)(unsigned int, unsigned int, unsigned char*)’} to ‘spiffs_read’ {aka ‘int (*)(spiffs_t*, unsigned int, unsigned int, unsigned char*)’} [-fpermissive]
   71 |         cfg.hal_read_f = hw_spiffs_read;
      |                          ^~~~~~~~~~~~~~
      |                          |
      |                          s32_t (*)(u32_t, u32_t, u8_t*) {aka int (*)(unsigned int, unsigned int, unsigned char*)}
./pc/opgpdevice.cpp:72:27: error: invalid conversion from ‘s32_t (*)(u32_t, u32_t, u8_t*)’ {aka ‘int (*)(unsigned int, unsigned int, unsigned char*)’} to ‘spiffs_write’ {aka ‘int (*)(spiffs_t*, unsigned int, unsigned int, unsigned char*)’} [-fpermissive]
   72 |         cfg.hal_write_f = hw_spiffs_write;
      |                           ^~~~~~~~~~~~~~~
      |                           |
      |                           s32_t (*)(u32_t, u32_t, u8_t*) {aka int (*)(unsigned int, unsigned int, unsigned char*)}
./pc/opgpdevice.cpp:73:27: error: invalid conversion from ‘s32_t (*)(u32_t, u32_t)’ {aka ‘int (*)(unsigned int, unsigned int)’} to ‘spiffs_erase’ {aka ‘int (*)(spiffs_t*, unsigned int, unsigned int)’} [-fpermissive]
   73 |         cfg.hal_erase_f = hw_spiffs_erase;
      |                           ^~~~~~~~~~~~~~~
      |                           |
      |                           s32_t (*)(u32_t, u32_t) {aka int (*)(unsigned int, unsigned int)}
./pc/opgpdevice.cpp: In function ‘int ireadfile(char*, uint8_t*, size_t, size_t*)’:
./pc/opgpdevice.cpp:271:15: error: ordered comparison of pointer with integer zero (‘FILE*’ and ‘int’)
  271 |         if (f <= 0)
      |             ~~^~~~
./pc/opgpdevice.cpp: In function ‘int iwritefile(char*, uint8_t*, size_t)’:
./pc/opgpdevice.cpp:314:15: error: ordered comparison of pointer with integer zero (‘FILE*’ and ‘int’)
  314 |         if (f <= 0)
      |             ~~^~~~
make: *** [Makefile:31: obj/opgpdevice.o] Error 1

Makefile is incomplete

Whilst trying to follow the steps from the readme the make command failed. At least there is a typo in the applet/applets name in the Makefile, but there also seem to be a few files missing.

In the end I was unable to make the main app because of the mbedtls lib. I guess I'm a bit too soon to the party for my level of experience.

Missing depend in README

Following the README compile instructions it gave me the following

$ make
g++ -std=c++17 -O2 -Wall -g3 -I. -Ipc/ -Isrc/ -c -o obj/apduexecutor.o ./src/apduexecutor.cpp
In file included from src/applets/openpgp/openpgpstruct.h:17,
                 from src/applets/openpgp/security.h:18,
                 from src/applets/openpgp/openpgpfactory.h:13,
                 from src/applets/openpgpapplet.h:14,
                 from src/applets/appletstorage.h:19,
                 from src/apduexecutor.h:15,
                 from ./src/apduexecutor.cpp:10:
src/cryptolib.h:19:10: fatal error: mbedtls/config.h: No such file or directory
 #include <mbedtls/config.h>
          ^~~~~~~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:23: obj/apduexecutor.o] Error 1

It's missing libmbedtls-dev when running Ubuntu 19.04.

sudo apt install libmbedtls-dev fixes it.

Status on building?

Apologies for re-raising a type of question that has already been brought up multiple times.

I have spent some time trying to build this project, however, even reading the other related issues, and looking at @merlokk 's MR solokeys/solo1#447 my attempts to build have so far been unsuccessful.

I'd appreciate any help towards understanding how to build this project - or information that it's not currently feasible. Thanks in advance!

OpenPGP resources

If you guys are looking to implement CCID interface I thought I would share something I came across that might help. As you probably know GNUK is GPLv3 which is probably not going to work for a device that only allows signed updates (tivoization). However, here is an LGPL implementation I found - https://patchwork.ozlabs.org/patch/61775/

I have been meaning to try and get something like this working with OnlyKey but have not had the time to do it yet.

Secure messaging

There is Secure Messaging in the specification.
Is it needed?

Writing key to card with gpg doesn't work

Gnupg is having some issue with the current openpgp implementation. I suspect it's something small in the "Application Related Data" (006e).

Steps to reproduce.

  1. Generate a key with gpg2
gpg2 --expert --full-generate-key

Select (1) RSA and RSA. 2048 bit RSA key.

  2. Write key to card.
gpg2 --expert --edit-key <key-id>

Then:

key 1
keytocard

It should prompt for the admin PIN, and then fail with "gpg: KEYTOCARD failed: General error".

I was able to get traces of the APDUs with Wireshark using this script, and also just running pcscd in the foreground: sudo pcscd -f -T -a.

Solokey v2?

Are you considering merging the work done here with the Solokey v2?
Seems this is python and that is all Rust 😔
