alonbl
commented
4 years ago Please read the gnupg-pkcs11-scd man page and follow the Typical steps to set up a card for >=gpg-2.1.19 usage: instructions.
Closed ya-zero closed 4 years ago
alonbl
commented
4 years ago Please read the gnupg-pkcs11-scd man page and follow the Typical steps to set up a card for >=gpg-2.1.19 usage: instructions.
ya-zero
commented
4 years ago good.
gpg --card-status gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. gpg: OpenPGP card not available: Bad session key
gnupg-pkcs11-scd.conf
providers p1 >provider-p1-library /usr/lib/librtpkcs11ecp.so question : need openpgp-sign KEY-FRIEDNLY ?
gpg-agent.conf
scdaemon-program /usr/bin/gnupg-pkcs11-scd >pinentry-program /usr/bin/pinentry
gpg-agent server SCD LEARN https://pastebin.com/nXZAb9Qt
gpg --expert --full-generate-key gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) (13) Existing key Your selection? 13 Enter the keygrip: BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A No key with this keygrip
may be requared GPG_AGENT_INFO ?
alonbl
commented
4 years ago Please send debug log of gnupg-pkcs11.
alonbl
commented
4 years ago Is this includes the key gen or just the learn? Please also attach exact configuration. First we need gpg to work.
בתאריך יום ב׳, 30 בספט׳ 2019 ב-14:50 מאת ya-zero notifications@github.com:
— You are receiving this because you commented.
Reply to this email directly, view it on GitHub https://github.com/alonbl/gnupg-pkcs11-scd/issues/21?email_source=notifications&email_token=AAJURLLY3XH3MJOSHYSC5T3QMHRZNA5CNFSM4I3R57L2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD75L72Q#issuecomment-536526826, or mute the thread https://github.com/notifications/unsubscribe-auth/AAJURLN4OBZ4ORGWODJTPNDQMHRZNANCNFSM4I3R57LQ .
ya-zero
commented
4 years ago ya-zero
commented
4 years ago 1)
gnupg-pkcs11-scd.conf
debug-all
verbose
log-file /root/gnupg-pkcs11-scd.log
providers p1
provider-p1-library /usr/lib/librtpkcs11ecp.so
openpgp-sign BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A
2) need learn key on token
alonbl
commented
4 years ago For som reason I cannot get raw content from you post, everything is mistakenly wrapped. Please remove L openpgp statements and make sure to paste it so I can see lines properly. And produce debug again.
בתאריך יום ב׳, 30 בספט׳ 2019 ב-15:04 מאת ya-zero notifications@github.com:
1.
gnupg-pkcs11-scd.conf debug-all verbose log-file /root/gnupg-pkcs11-scd.log providers p1 provider-p1-library /usr/lib/librtpkcs11ecp.so #provider-p1-cert-private
emulate-openpgp openpgp-sign BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A
openpgp-encr BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A #openpgp-auth
BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A
1.
need leard key on token
— You are receiving this because you commented.
Reply to this email directly, view it on GitHub https://github.com/alonbl/gnupg-pkcs11-scd/issues/21?email_source=notifications&email_token=AAJURLKOTUBDOFVIWT2DYXTQMHTOJA5CNFSM4I3R57L2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD75NBOQ#issuecomment-536531130, or mute the thread https://github.com/notifications/unsubscribe-auth/AAJURLJSHDKTGCDI4TTOVADQMHTOJANCNFSM4I3R57LQ .
ya-zero
commented
4 years ago alonbl
commented
4 years ago Please also upload raw config used by this log and exact command sequence, as it seems like you kept openpgp statement. I may be wrong. Just to make sure.
בתאריך יום ב׳, 30 בספט׳ 2019 ב-15:22 מאת ya-zero notifications@github.com:
https://github.com/ya-zero/ya-zero.github.io/blob/master/uploads/gnupg-pkcs11-scd.log
— You are receiving this because you commented.
Reply to this email directly, view it on GitHub https://github.com/alonbl/gnupg-pkcs11-scd/issues/21?email_source=notifications&email_token=AAJURLNIKLUDTNXE3SXDNP3QMHVRTA5CNFSM4I3R57L2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD75ONRA#issuecomment-536536772, or mute the thread https://github.com/notifications/unsubscribe-auth/AAJURLNTBEAXKNELEGPHEK3QMHVRTANCNFSM4I3R57LQ .
ya-zero
commented
4 years ago 1) https://github.com/ya-zero/ya-zero.github.io/blob/master/uploads/gnupg-pkcs11-scd.conf 2) https://github.com/ya-zero/ya-zero.github.io/blob/master/uploads/gpg-agent.conf 3) command no enter , i'm try run in shell start gnupg-pkcs11-scd --daemon gpg-agent --daemon gpg-agent --server 4) gpg --card-status
ya-zero
commented
4 years ago i'm configure openpgp-sign BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A openpgp-encr BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A openpgp-auth BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A
gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. Reader ...........: [none] Application ID ...: D2760001240111503131CBAA96721111 Version ..........: 11.50 Manufacturer .....: unknown Serial number ....: CBAA9672 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa48 rsa48 rsa48 Max. PIN lengths .: 0 0 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: BEDF 773D 43C5 B817 E5B7 DA16 4DA6 DF21 B9F4 4C2A Encryption key....: [none] Authentication key: [none] General key info..: [none]
gpg --expert --full-generate-key 13 Existing key enter BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A
Your selection? 13 Enter the keygrip: BEDF773D43C5B817E5B7DA164DA6DF21B9F44C2A
next question Possible actions for a RSA key: Sign Certify Encrypt Authenticate Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished
what to choose ?
ya-zero
commented
4 years ago if i'm toggle Current allowed actions: Sign Certify next question Please specify how long the key should be valid. 0 = key does not expire
alonbl
commented
4 years ago Please remove any openpgp statements from configuration. I requested this several times already. You should strictly follow the man page instructions.
The information gpg requires is the same information in gpg docs to produce a key.
ya-zero
commented
4 years ago very cool. always present in examples openpgp-sign/encr/auth . after remove whis string everything is working.
pub rsa2048 2019-09-30 [SC] E15216754A57D7448C83DD4B257BB235AD7BAFF3 uid [ultimate] sept_29@pch.ru (0) sept_29@pch.ru
sec> rsa2048 2019-09-30 [SC] E15216754A57D7448C83DD4B257BB235AD7BAFF3 Card serial no. = 3131 CBAA9672 uid [ultimate] sept_29@pch.ru (0) sept_29@pch.ru
alonbl
commented
4 years ago gpgsm should learn the certificate from the card
i'm howto from https://craftware.xyz/securitybricks/2017/07/17/using-tokens-in-Ubuntu-with-pgp.html
but I don’t understand at what point and what actions should lead to key inegration from the token to the host.
1)providers p1 provider-p1-library /usr/lib/librtpkcs11ecp.so #emulate-openpgp openpgp-sign 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 openpgp-encr 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 openpgp-auth 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 2) root@ubuntu1904:~/.gnupg# gpg-agent --server OK Pleased to meet you SCD LEARN gnupg-pkcs11-scd[1807.1476360000]: Listening to socket '/tmp/gnupg-pkcs11-scd.avYjJa/agent.S' gnupg-pkcs11-scd[1807.1476360000]: accepting connection gnupg-pkcs11-scd[1807]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready gnupg-pkcs11-scd[1807.1476360000]: processing connection gnupg-pkcs11-scd[1807]: chan_0 <- GETINFO socket_name gnupg-pkcs11-scd[1807]: chan_0 -> D /tmp/gnupg-pkcs11-scd.avYjJa/agent.S gnupg-pkcs11-scd[1807]: chan_0 -> OK gnupg-pkcs11-scd[1807]: chan_0 <- LEARN gnupg-pkcs11-scd[1807]: chan_0 -> S SERIALNO D27600012401115031313A46EA651111 gnupg-pkcs11-scd[1807]: chan_0 -> S APPTYPE PKCS11 S SERIALNO D27600012401115031313A46EA651111 S APPTYPE PKCS11 gnupg-pkcs11-scd[1807]: chan_0 -> S KEY-FRIEDNLY 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 /C=RU/ST=1/L=2/O=3/OU=4/CN=5/emailAddress=1@1.com on rutoken_29 gnupg-pkcs11-scd[1807]: chan_0 -> S KEY-FPR 1 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 gnupg-pkcs11-scd[1807]: chan_0 -> S CERTINFO 101 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01 gnupg-pkcs11-scd[1807]: chan_0 -> S KEYPAIRINFO 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01 gnupg-pkcs11-scd[1807]: chan_0 -> OK S KEY-FRIEDNLY 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 /C=RU/ST=1/L=2/O=3/OU=4/CN=5/emailAddress=1@1.com on rutoken_29 S KEY-FPR 1 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 S CERTINFO 101 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01 S KEYPAIRINFO 88E23DFBAA20FA2F8D42A2F62C24E409E8417662 Aktiv\x20Co\x2E/Rutoken\x20ECP/333d7d35/rutoken_29/01 OK
3)gpg2 --card-status gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. Reader ...........: [none] Application ID ...: D27600012401115031313A46EA651111 Version ..........: 11.50 Manufacturer .....: unknown Serial number ....: 3A46EA65 Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa48 rsa48 rsa48 Max. PIN lengths .: 0 0 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: 88E2 3DFB AA20 FA2F 8D42 A2F6 2C24 E409 E841 7662 Encryption key....: [none] Authentication key: [none] General key info..: [none]
4) pkcs11-tool --module /usr/lib/librtpkcs11ecp.so --login --list-objects -Ol Using slot 0 with a present token (0x0) Logging in to "rutoken_29". WARNING: user PIN to be changed Please enter User PIN: Public Key Object; RSA 2048 bits label: sept_29@pch.ru ID: 01 Usage: encrypt, verify, wrap Private Key Object; RSA label: sept_29@pch.ru ID: 01 Usage: decrypt, sign, unwrap Certificate Object; type = X.509 cert label: sept_29@pch.ru subject: DN: C=RU, ST=1, L=2, O=3, OU=4, CN=5/emailAddress=1@1.com ID: 01
5) gpgsm --import file (x.509 to pem) root@ubuntu1904:~/.gnupg# gpgsm --import ./my.pem gpgsm: total number processed: 1 gpgsm: imported: 1
root@ubuntu1904:~/.gnupg# gpgsm --list-key /root/.gnupg/pubring.kbx
chain length: unlimited fingerprint: 80:CD:58:96:90:83:68:7B:48:51:65:46:06:7B:26:EB:9A:5D:97:CB
P.S. in debian doc write https://manpages.debian.org/stretch/gnupg-pkcs11-scd/gnupg-pkcs11-scd.1.en.html GNUPG INTEGRATION Typical steps to set up a card for gpgsm usage: Import the CA certificate of your issuer: gpgsm --import < ca-certificate You should also manually import all self-signed certificates. Instruct GnuPG to discover all useful certificates on the card: gpgsm --learn-card Signing, verification, etc. work as usual with gpgsm.
Typical steps to set up a card for gpg usage:
Acquire key ids: gpg-agent --server gpg-connect-agent Enter "SCD LEARN" and look for "KEY-FRIEDNLY" responses, the first field is the hash, the second is the subject name. Configure gnupg-pkcs11-scd for opengpg emulation, specify the public key hashes to be used for signature, encryption and authentication. Instruct GnuPG to discover all useful information of card: gpg --card-status You should see valid card status. Now, you should virtual generate keys, the keys are not actually generated, but returned to gpg to be registered. gpg --card-edit admin generate (DO NOT BACKUP KEYS) Disable the opengpg emulation. Now you can use the same card with your gpg and gpgsm keys. We don't know if this is a bug or feature in gnupg, but we glad that it works. Signing, verification, etc. work as usual with gpg.
try in old version 0.7.4
debug gpg2 --card-edit https://pastebin.com/jzv52kpz