alonbl
commented
4 years ago Please use English locale when providing information. Please provide debug log.
Closed caseychao closed 2 years ago
alonbl
commented
4 years ago Please use English locale when providing information. Please provide debug log.
alonbl
commented
4 years ago Please comment very private and sign key hash. Why have you added these?
On Sat, 30 May 2020 at 17:30 Alon Bar-Lev notifications@github.com wrote:
Please use English locale when providing information. Please provide debug log.
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/alonbl/gnupg-pkcs11-scd/issues/24#issuecomment-636338690, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAJURLKIMNB3GTG2POH6CFDRUEJ7BANCNFSM4NOWQASA .
caseychao
commented
4 years ago sorry for local os language, i'm change to english way. the key is demo, that's fine the debug log as this link. thanks https://drive.google.com/file/d/1-56IVIboEdopWQRB85nVWO2LlT9fZGua/view?usp=sharing
alonbl
commented
4 years ago Have you performed the changed I requested? I do not see this from the log.
caseychao
commented
4 years ago Dear Sir:
i has common the signing key, the configuration as bellow:
if i common the cert private will not perform slot login to type the password. will not got any KEY FRIENDLY hash.
root@debian:~/.gnupg# cat gnupg-pkcs11-scd.conf log-file /tmp/gpglog verbose debug-all providers p1 provider-p1-library /opt/Utimaco/libcs_pkcs11_R2.so provider-p1-cert-private
root@debian:~/.gnupg# gpg-agent --server gpg-connect-agent OK Pleased to meet you scd learn S SERIALNO D2760001240111503131C55D0E5C1111 S APPTYPE PKCS11 S KEY-FRIEDNLY 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD /C=DE/ST=NRW/L=Aachen/O=Utimaco IS GmbH/OU=SystemEngineering HSM/CN=Max Mustermann on CryptoServer PKCS11 Token S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01 S KEYPAIRINFO 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01 S KEY-FRIEDNLY FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 /CN=UtimacoGPG on CryptoServer PKCS11 Token S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341 S KEYPAIRINFO FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341 OK bye OK closing connection
root@debian:~/.gnupg# gpg2 --card-edit
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. Reader ...........: [none] Application ID ...: D2760001240111503131C55D0E5C1111 Version ..........: 11.50 Manufacturer .....: unknown Serial number ....: C55D0E5C Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa48 rsa48 rsa48 Max. PIN lengths .: 0 0 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none]
gpg/card> admin Admin commands are allowed
gpg/card> generate Please specify how long the key should be valid. 0 = key does not expire
alonbl
commented
4 years ago You are not following the right procedure, please follow:
Typical steps to set up a card for >=gpg-2.1.19 usage:Dear Sir: that's follow the procedure process as bellow: config:
root@debian:~/.gnupg# cat gnupg-pkcs11-scd.conf log-file /tmp/gpglog verbose debug-all providers p1 provider-p1-library /opt/Utimaco/libcs_pkcs11_R2.so provider-p1-cert-private
root@debian:~/.gnupg# cat gpg-agent.conf scdaemon-program /usr/bin/gnupg-pkcs11-scd pinentry-program /usr/bin/pinentry-curses
Process: root@debian:~/.gnupg# gpg --card-status gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. Reader ...........: [none] Application ID ...: D2760001240111503131C55D0E5C1111 Version ..........: 11.50 Manufacturer .....: unknown Serial number ....: C55D0E5C Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa48 rsa48 rsa48 Max. PIN lengths .: 0 0 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] root@debian:~/.gnupg# gpg-agent --server gpg-connect-agent OK Pleased to meet you SCD LEARN S SERIALNO D2760001240111503131C55D0E5C1111 S APPTYPE PKCS11 S KEY-FRIEDNLY 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD /C=DE/ST=NRW/L=Aachen/O=Utimaco IS GmbH/OU=SystemEngineering HSM/CN=Max Mustermann on CryptoServer PKCS11 Token S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01 S KEYPAIRINFO 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01 S KEY-FRIEDNLY FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 /CN=UtimacoGPG on CryptoServer PKCS11 Token S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341 S KEYPAIRINFO FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341 OK bye OK closing connection root@debian:~/.gnupg# gpg --expert --full-generate-key gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) (13) Existing key Your selection? 13 Enter the keygrip: 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD No key with this keygrip Enter the keygrip: FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 No key with this keygrip Enter the keygrip: gpg: signal Interrupt caught ... exiting
root@debian:~/.gnupg#
the log in https://drive.google.com/file/d/1z-qxPlEloFy4kt8ciaHwq2HfK2TMVjSK/view?usp=sharing
alonbl
commented
4 years ago Hi, Very strange... The LEARN command should not have worked if cert is private... as the gpg-agent does not support asking for PIN during LEARN. I still cannot understand why do you use cert-private directive. Please try to remove it and send me LEARN log. Please make sure you kill gpg-agent before each step so we can find out what happens.
Apart from that I tested with cert-private and it works for me using softhsm as far as I can tell. The LEARN must run with:
$ ./gnupg-pkcs11-scd/gnupg-pkcs11-scd --server
OK PKCS#11 smart-card server for GnuPG ready
LEARN
S SERIALNO D27600012401115031319909A5ED1111
S APPTYPE PKCS11
INQUIRE NEEDPIN PIN required for token 'test1' (try 0)
PIN user
OK
LEARN
S SERIALNO D27600012401115031319909A5ED1111
S APPTYPE PKCS11
S KEY-FRIEDNLY 1C3CB645DFB02A293E90EA32BA4CB248C14628F3 /CN=Dummy 02 on test1
S CERTINFO 101 SoftHSM\x20project/SoftHSM\x20v2/f2f2365644bd82bd/test1/02
S KEYPAIRINFO 1C3CB645DFB02A293E90EA32BA4CB248C14628F3 SoftHSM\x20project/SoftHSM\x20v2/f2f2365644bd82bd/test1/02
S KEY-FRIEDNLY B909930630609FFE2A8FD5FE0B01BDF02D342BB4 /CN=Dummy 01 on test1
S CERTINFO 101 SoftHSM\x20project/SoftHSM\x20v2/f2f2365644bd82bd/test1/01
S KEYPAIRINFO B909930630609FFE2A8FD5FE0B01BDF02D342BB4 SoftHSM\x20project/SoftHSM\x20v2/f2f2365644bd82bd/test1/01
S KEY-FRIEDNLY 9B8B4D6947B1D0518F086E53BE73A9AE47B3AAB1 /CN=Dummy 03 on test1
S CERTINFO 101 SoftHSM\x20project/SoftHSM\x20v2/f2f2365644bd82bd/test1/03
S KEYPAIRINFO 9B8B4D6947B1D0518F086E53BE73A9AE47B3AAB1 SoftHSM\x20project/SoftHSM\x20v2/f2f2365644bd82bd/test1/03
OKThen run:
$ gpg --card-statusHowever, the gpg--card fails as it does not prompt for PIN during its run... GPG does not expect to have private certificates.
Please set our certificates to be public objects if they are not (I guess they are not as LEARN works) for gpg to work properly.
caseychao
commented
4 years ago Dear Sir; Thanks your kindly response. if i common out the cert private. and using LEARN will not ask my PIN entry. the process as bellow: root@debian:~/.gnupg# ps -ef|grep gpg root 3926 3844 0 13:02 pts/0 00:00:00 grep gpg root@debian:~/.gnupg# cat gnupg-pkcs11-scd.conf log-file /tmp/gpglog verbose debug-all providers p1 provider-p1-library /opt/Utimaco/libcs_pkcs11_R2.so
root@debian:~/.gnupg# gnupg-pkcs11-scd --server OK PKCS#11 smart-card server for GnuPG ready LEARN S SERIALNO D2760001240111503131C55D0E5C1111 S APPTYPE PKCS11 OK
the log as link of following: https://drive.google.com/file/d/18X_OJumLYHcrmpue7HcbeRB6e1AXVAU1/view?usp=sharing
alonbl
commented
4 years ago Interesting the version of hog I use does not ask for pin during this stage.
If it works for you kill gpg-agent and run gpg —card-status before executing the full generate to force gpg to learn the keys. If you will be prompted for pin it will probably work.
However, I recommend to modify the certificate attributes to be public, it is standard layout and expected by gpg... at least the recent version does not expect this configuration.
alonbl
commented
4 years ago Can you please try the following patch?
Use GNUPG_PKCS11_SCD_PIN environment when executing the gpg-agent/gpg agent to specify PIN to workaround gpg not acquiring the PIN from the askpin program.
psztoch
commented
2 years ago I have similar problem. I have got master branch with your patch and it is not solution:
gpg --edit-card
gpg: WARNING: server 'scdaemon' is older than us (0.9.3_master < 2.2.27)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131E848EB1B1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: E848EB1B
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: F2A4 4544 DA1B A0EB 267D 6696 CC0C 46A4 970C C530
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
gpg/card> admin
gpg/card> generate
(...)
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Key generation failed: Bad session key Please make sure logs are similar before joining an issue. Please post a new one if unsure. Always attach logs.
psztoch
commented
2 years ago Can you please try the following patch?
Use GNUPG_PKCS11_SCD_PIN environment when executing the gpg-agent/gpg agent to specify PIN to workaround gpg not acquiring the PIN from the askpin program.
This patch solved the problem of working with HSM Utimaco.
Can we add a parameter with a pin to the configuration (gnupg-pkcs11-scd.conf) ?
alonbl
commented
2 years ago I already provided a solution for you in #34. And logs still missing with the new configuration.
This hack is a workaround for generate phase while certificates are private, in which gpg does not run pinentry but use scd directly, so one may provide environment in cmdline when enrolling the key.
I am waiting for the logs of the learn command. Please continue discussion at #34.
alonbl
commented
2 years ago Closing as no info
Dear Sir:
I'm trying to using this package and connect to pkcs11 HSM. but seem's has problem. can't add token to the agent.
my config as bellow: log-file /tmp/gpglog verbose debug-all providers p1 provider-p1-library /opt/Utimaco/libcs_pkcs11_R2.so provider-p1-cert-private
emulate-openpgp
openpgp-sign 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD
openpgp-encr 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD
openpgp-auth 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD
and we can got SCD LEARN and get KEY FRIENDLY
root@debian:~/.gnupg# gpg-agent --server gpg-connect-agent OK Pleased to meet you scd learn S SERIALNO D2760001240111503131C55D0E5C1111 S APPTYPE PKCS11 S KEY-FRIEDNLY 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD /C=DE/ST=NRW/L=Aachen/O=Utimaco IS GmbH/OU=SystemEngineering HSM/CN=Max Mustermann on CryptoServer PKCS11 Token S KEY-FPR 1 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01 S KEYPAIRINFO 24E5AB1851E4CECC6C1C90F4390A71BC08CF97DD Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/01 S KEY-FRIEDNLY FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 /CN=UtimacoGPG on CryptoServer PKCS11 Token S CERTINFO 101 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341 S KEYPAIRINFO FB9BA8B4CC4FA11AA94C69043E7D538A0ABB7138 Utimaco\x20IS\x20GmbH/CryptoServer/CS670040_0000/CryptoServer\x20PKCS11\x20Token/525341 OK
but when I execute gpg2 --card-status show as below: root@debian:~/.gnupg# gpg2 --card-status gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. Reader ...........: [none] Application ID ...: D2760001240111503131C55D0E5C1111 Version ..........: 11.50 Manufacturer .....: unknown Serial number ....: C55D0E5C Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa48 rsa48 rsa48 Max. PIN lengths .: 0 0 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] root@debian:~/.gnupg#
it's didn't show up Signature key... is i missing some configuration? and if i using gpg2 --card-edit to generate key will show bad session key: root@debian:~/.gnupg# gpg2 --card-edit
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.12) gpg: Note: Outdated servers may lack important security fixes. gpg: Note: Use the command "gpgconf --kill all" to restart them. Reader ...........: [none] Application ID ...: D2760001240111503131C55D0E5C1111 Version ..........: 11.50 Manufacturer .....: unknown Serial number ....: C55D0E5C Name of cardholder: [not set] Language prefs ...: [not set] Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: rsa48 rsa48 rsa48 Max. PIN lengths .: 0 0 0 PIN retry counter : 0 0 0 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none]
gpg/card>
gpg/card> admin Admin commands are allowed
gpg/card> generate Please specify how long the key should be valid. 0 = key does not expire