alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

safenet HSM card not found with gpg 2.2.9 #26

Closed shunselva12 closed 2 years ago

shunselva12 commented 3 years ago

Hi,

Thanks for having the option to open issues.

We use a SafeNet HSM with gpg 2.0.22 for RPM signing. As part of the RHEL OS upgrade to RHEL 8, gpg also got upgraded to 2.2.9, and the new gpg version is unable to find the smartcard. We kindly request your valuable input to pinpoint the issue.

Hereby pasting the config files and attaching the debug log.

    cat /etc/gnupg-pkcs11-scd.conf
    # Log file.
    log-file /var/log/scd.log

    # Default is not verbose.
    verbose

    # Default is no debugging.
    debug-all

    providers safenet
    provider-safenet-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so

    openpgp-sign openpgp-encr openpgp-auth *****

    cat gpg-agent.conf
    scdaemon-program /usr/bin/gnupg-pkcs11-scd-proxy
    pinentry-program /home/ITUD/.gnupg/pinentry-file.home

    [ITUD@eaasrt ~]$ gpg --card-status
    gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.9)
    gpg: Note: Outdated servers may lack important security fixes.
    gpg: Note: Use the command "gpgconf --kill all" to restart them.
    gpg: OpenPGP card not available: Not found

Log file: scd.txt

alonbl commented 3 years ago

Please use the latest version and follow the instructions in the man page regarding the gnupg-2.2.x integration.

shunselva12 commented 3 years ago

Thanks Alon for your time. I couldn't locate any particular man page for the GPG 2.2 integration.

Could you please pinpoint the changes or refer me to the documents if they are handy?

alonbl commented 3 years ago

Please read "Typical steps to set up a card for >=gpg-2.1.19 usage:".


shunselva12 commented 3 years ago

Thanks Alon, I referred to this document: https://manpages.debian.org/testing/gnupg-pkcs11-scd/gnupg-pkcs11-scd.1.en.html. The first step fails with card not found:

    [ITUD@eaasrt ~]$ gpg --card-status
    gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.9)
    gpg: Note: Outdated servers may lack important security fixes.
    gpg: Note: Use the command "gpgconf --kill all" to restart them.
    gpg: OpenPGP card not available: Not found
    [ITUD@eaasrt ~]$

Please advise.

shunselva12 commented 3 years ago

Attaching log and conf files.

    [root@eaasrt ~]# cat /etc/gnupg-pkcs11-scd.conf
    # Log file.
    log-file /var/log/scd.log

    # Default is not verbose.
    verbose

    # Default is no debugging.
    debug-all

    providers safenet
    provider-safenet-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so

    [ITUD@eaasrt ~]$ cat .gnupg/gpg-agent.conf
    scdaemon-program /usr/bin/gnupg-pkcs11-scd-proxy
    pinentry-program /home/ITUD/.gnupg/pinentry-file.home
    [ITUD@eaasrt ~]$

Log: scd.txt

alonbl commented 3 years ago

There are no slots with a token:

    gnupg-pkcs11-scd[100709.2232595904]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=0

Please use the OpenSC pkcs11-tool to list slots; you will probably see the same.

shunselva12 commented 3 years ago

Yes Alon, no available slots:

    [ITUD@eaasrt ~]$ pkcs11-tool -L
    Available slots:
    No slots.
    [ITUD@eaasrt ~]$ gpg --version
    gpg (GnuPG) 2.2.9
    libgcrypt 1.8.3

However, even with the working gpg, pkcs11-tool is also not listing any slots:

    [ITUD@eaasrt ~]$ pkcs11-tool -L
    Available slots:
    No slots.
    [ITUD@eaasrt ~]$ gpg --version
    gpg (GnuPG) 2.0.22
    libgcrypt 1.5.3
    Copyright (C) 2013 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, ?, ?, ELG, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
            CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2
    [ITUD@eaasrt ~]$ gpg --card-status
    Application ID ...: D2760001240111503131C2D4773A1111
    Version ..........: 11.50
    Manufacturer .....: unknown
    Serial number ....: C2D4773A
    Name of cardholder: [not set]
    Language prefs ...: [not set]
    Sex ..............: unspecified
    URL of public key : [not set]
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: 1R 1R 1R
    Max. PIN lengths .: 0 0 0
    PIN retry counter : 0 0 0
    Signature counter : 0
    Signature key ....: 4C23 3EE7 3837 A49F 0540 C67D 5CD1 F0B9 65D2 1C94
    Encryption key....: [none]
    Authentication key: [none]
    General key info..: [none]
    [ITUD@eaasrt ~]$ pkcs11-tool -L

alonbl commented 3 years ago

As long as there is no key and certificate within the HSM nothing will work, same as with any previous version. Please read the documentation.


shunselva12 commented 3 years ago

Hi Alon,

We use the HSM card just for RPM signing; the HSM card contains the key and certificates. gpg 2.0 is able to fetch the key, whereas gpg 2.2 is unable to fetch the key from the same HSM.

gpg 2.0:

    [ITUD@eaasrt ~]$ gpg-agent --server gpg-connect-agent
    OK Pleased to meet you
    SCD LEARN
    S SERIALNO D2760001240111503131C2D4773A1111
    S APPTYPE PKCS11
    S KEY-FRIEDNLY 4C233EE73837A49F0540C67D5CD1F0B965D21C94 /CN=Dummy 1 on par1
    S KEY-FPR 1 4C233EE73837A49F0540C67D5CD1F0B965D21C94
    S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E2/543519014/par1/01
    S KEYPAIRINFO 4C233EE73837A49F0540C67D5CD1F0B965D21C94 Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E2/543519014/par1/01
    OK

gpg 2.2:

    [ITUD@eaasrt ~]$ gpg-agent --server gpg-connect-agent
    OK Pleased to meet you
    SCD LEARN
    S SERIALNO
    S APPTYPE PKCS11
    OK

Not sure what we are missing here.

alonbl commented 3 years ago

Is it the same machine? Same credentials? You already stated that pkcs11-tool does not see any tokens either; it is very difficult to gather relevant information from your description. Please send the pkcs11-tool output to show the slot state, and make sure this is done on the same machine where you experience the issue, with the same settings. Only after we see correct output can we proceed.

shunselva12 commented 3 years ago

A server-client architecture is implemented for the HSM. Whichever machine needs to sign the RPM gets the HSM client installed, and a trust link is made with the HSM server.

Machines with GPG 2.0 are able to sign RPMs properly, whereas machines with GPG 2.2 are unable to fetch the keys.

As per your guidance, I installed OpenSC on both machines (gpg 2.0 and gpg 2.2) and checked the slots; both machines reported no slot available. Since the properly working gpg 2.0 machine also gave the same result, I got confused with the approach.

GPG 2.0 machine output:

    [ITUD@eaasrt ~]$ pkcs11-tool -L
    Available slots:
    No slots.
    [ITUD@eaasrt ~]$ gpg --version
    gpg (GnuPG) 2.0.22
    libgcrypt 1.5.3

GPG 2.2 machine output:

    [ITUD@eaasrt ~]$ pkcs11-tool -L
    Available slots:
    No slots.
    [ITUD@eaasrt ~]$ gpg --version
    gpg (GnuPG) 2.2.9
    libgcrypt 1.8.3

Is our situation clear? Do you need any more info?

alonbl commented 3 years ago

You should specify the module name when using pkcs11-tool to get valid results.

shunselva12 commented 3 years ago

Thanks for your time and input.

This is the output of pkcs11-tool from the problematic machine:

    [root@eaasrt ~]# pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -L
    Available slots:
    Slot 0 (0x0): LunaNet Slot
      token label        : par1
      token manufacturer : Safenet, Inc.
      token model        : LunaSA 6.2.2
      token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
      hardware version   : 0.0
      firmware version   : 6.10
      serial num         : 543519014
      pin min/max        : 7/255
    Slot 1 (0x1): Luna UHD Slot
      (empty)
    Slot 2 (0x2): Luna UHD Slot
      (empty)
    Slot 3 (0x3): Luna UHD Slot
      (empty)
    Slot 4 (0x4): Luna G7 Slot
      (empty)
    Slot 5 (0x5): Luna G7 Slot
      (empty)
    Slot 6 (0x6): Luna G7 Slot
      (empty)

shunselva12 commented 3 years ago

I notice another behavior on the machine: the slot shows up for the root user but not for the other (ITUD) user.

Does it explain something?

Other user (ITUD):

    [ITUD@eaasrt ~]$ pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -L
    Available slots:
    Slot 0 (0x0): Luna UHD Slot
      (empty)
    Slot 1 (0x1): Luna UHD Slot
      (empty)
    Slot 2 (0x2): Luna UHD Slot
      (empty)
    Slot 3 (0x3): Luna G7 Slot
      (empty)
    Slot 4 (0x4): Luna G7 Slot
      (empty)
    Slot 5 (0x5): Luna G7 Slot
      (empty)
    [ITUD@eaasrt ~]$ exit
    logout

Root user:

    [root@eaasrt ~]# pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -L
    Available slots:
    Slot 0 (0x0): LunaNet Slot
      token label        : par1
      token manufacturer : Safenet, Inc.
      token model        : LunaSA 6.2.2
      token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
      hardware version   : 0.0
      firmware version   : 6.10
      serial num         : 543519014
      pin min/max        : 7/255
    Slot 1 (0x1): Luna UHD Slot
      (empty)
    Slot 2 (0x2): Luna UHD Slot
      (empty)
    Slot 3 (0x3): Luna UHD Slot
      (empty)
    Slot 4 (0x4): Luna G7 Slot
      (empty)
    Slot 5 (0x5): Luna G7 Slot
      (empty)
    Slot 6 (0x6): Luna G7 Slot
      (empty)
    [root@eaasrt ~]#
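The diagnostic that finally resolved this thread is a comparison of two listings: what `pkcs11-tool --module <lib> -L` shows for each user, and what the `SCD LEARN` status lines from `gpg-connect-agent` report. The following Python is an added example, not code from the gnupg-pkcs11-scd project or from either participant. It parses both formats as they appear above and reduces them to one verdict: `no-token-visible` corresponds to the `_pkcs11h_session_getSlotList ... *pulCount=0` line in the scd log, `token-without-keypair` to a token that is visible but for which the daemon learned no key pair. The sample inputs are constructed from the root-vs-ITUD output in this thread (shortened to a few slots), and the verdict names and the `key_id`/`object_id` field names are this example's own choices.

```python
"""Added example: parse `pkcs11-tool -L` and `SCD LEARN` output into a verdict.
Not part of gnupg-pkcs11-scd; the sample listings below are constructed from the
root-vs-user comparison in the thread and trimmed to a few slots."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A slot header as printed by pkcs11-tool: "Slot 0 (0x0): LunaNet Slot"
SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.+)$")


@dataclass
class Slot:
    index: int
    description: str
    token: Optional[Dict[str, str]] = None  # None when pkcs11-tool printed "(empty)"


def parse_slot_listing(text: str) -> List[Slot]:
    """Parse `pkcs11-tool -L` output: a slot header line, followed either by
    "(empty)" or by indented "field : value" lines describing the token."""
    slots: List[Slot] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SLOT_RE.match(line)
        if m:
            slots.append(Slot(int(m.group(1)), m.group(3).strip()))
            continue
        if not slots or not line:          # prompt, "Available slots:", "No slots."
            continue
        if line == "(empty)":              # empty slot: token stays None
            continue
        key, sep, value = line.partition(":")
        if sep:
            if slots[-1].token is None:
                slots[-1].token = {}
            slots[-1].token[key.strip()] = value.strip()
    return slots


def token_slots(slots: List[Slot]) -> List[Slot]:
    """Slots that carry a token, i.e. what C_GetSlotList(tokenPresent=TRUE) would return."""
    return [s for s in slots if s.token is not None]


def parse_scd_learn(text: str) -> Dict[str, object]:
    """Parse the 'S <KEYWORD> args...' status lines gpg-connect-agent prints for SCD LEARN."""
    info: Dict[str, object] = {"serialno": "", "apptype": "", "keypairs": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "S":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "SERIALNO":
            info["serialno"] = args[0] if args else ""   # "S SERIALNO" with no value -> ""
        elif keyword == "APPTYPE":
            info["apptype"] = args[0] if args else ""
        elif keyword == "KEYPAIRINFO" and len(args) >= 2:
            # First field is the key identifier, second the PKCS#11 object path
            info["keypairs"].append({"key_id": args[0], "object_id": args[1]})
    return info


def diagnose(listing: str, learn: str) -> str:
    """Combine both views into a single verdict string (names chosen for this example)."""
    present = token_slots(parse_slot_listing(listing))
    learned = parse_scd_learn(learn)
    if not present:
        return "no-token-visible"        # matches *pulCount=0 in the scd log
    if not learned["serialno"] or not learned["keypairs"]:
        return "token-without-keypair"   # token seen, but nothing usable was learned
    return "ok"


# Constructed sample inputs (trimmed from the thread's output).
ROOT_LISTING = """\
Available slots:
Slot 0 (0x0): LunaNet Slot
  token label        : par1
  token manufacturer : Safenet, Inc.
  token model        : LunaSA 6.2.2
  token flags        : login required, rng, token initialized, PIN initialized, other flags=0x20
  serial num         : 543519014
  pin min/max        : 7/255
Slot 1 (0x1): Luna UHD Slot
  (empty)
Slot 2 (0x2): Luna G7 Slot
  (empty)
"""
USER_LISTING = """\
Available slots:
Slot 0 (0x0): Luna UHD Slot
  (empty)
Slot 1 (0x1): Luna G7 Slot
  (empty)
"""
LEARN_OK = r"""OK Pleased to meet you
SCD LEARN
S SERIALNO D2760001240111503131C2D4773A1111
S APPTYPE PKCS11
S KEY-FPR 1 4C233EE73837A49F0540C67D5CD1F0B965D21C94
S KEYPAIRINFO 4C233EE73837A49F0540C67D5CD1F0B965D21C94 Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E2/543519014/par1/01
OK
"""
LEARN_NOKEY = """\
OK Pleased to meet you
SCD LEARN
S SERIALNO
S APPTYPE PKCS11
OK
"""

if __name__ == "__main__":
    print("ITUD user:", diagnose(USER_LISTING, LEARN_NOKEY))
    print("root user:", diagnose(ROOT_LISTING, LEARN_OK))
```

Running it on the thread's data gives `no-token-visible` for the ITUD user and `ok` for root, which is exactly the asymmetry reported above: the PKCS#11 library exposes the LunaNet token only to root, so scdaemon running as ITUD gets an empty slot list and `gpg --card-status` reports no card. The check is worth keeping in a signing host's health script, run as the account that actually invokes gpg rather than as root.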

alonbl commented 3 years ago

Sure... please fix so that you have the right configuration, this is not a Luna support forum.