Closed alireza11048 closed 2 years ago
Please send gnupg-pkcs11-scd debug log.
Could you please tell me how I can get the debug log?
Configuration
# Log file.
#log-file log1
# Default is not verbose.
#verbose
# Default is no debugging.
#debug-all
Please also attach the entire configuration.
Dear all, I guess I face the same problem. I created an RSA key pair on my HSM device (Nitrokey HSM 2) and imported the certificate:
$ pkcs11-tool --keypairgen --key-type rsa:3072 --label gpg.test --login
# create self signed certificate
openssl req -x509 -engine pkcs11 -keyform engine -new -key 08e88816bac7acbdab75869d91829d87e3a521f5 -sha256 -out cert.pem -subj "/CN=gpg.test"
# convert certificate
openssl x509 -outform der -in cert.pem -out cert.der
# write certificate to hsm
pkcs11-tool -l --write-object cert.der --type cert --id 08e88816bac7acbdab75869d91829d87e3a521f5 --label "gpg.test"
$ pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
label: gpg.test
subject: DN: CN=gpg.test
ID: 08e88816bac7acbdab75869d91829d87e3a521f5
Public Key Object; RSA 3072 bits
label: gpg.test
ID: 08e88816bac7acbdab75869d91829d87e3a521f5
Usage: encrypt, verify
Access: local
gpg --card-status provides the following output:
$ gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.27)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
Reader ...........: [none]
Application ID ...: D2760001240111503131A4240B5E1111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: ?
Serial number ....: A4240B5E
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa48 rsa48 rsa48
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Output of SCD LEARN:
$ gpg-agent --server gpg-connect-agent << EOF
SCD LEARN
EOF
gpg-agent[11147]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
OK Pleased to meet you
S SERIALNO D2760001240111503131A4240B5E1111
S APPTYPE PKCS11
S KEY-FRIEDNLY 6C3EF6D3AAFDA54DBD2FB5B01952950B034ACF43 /CN=gpg.test on CELOS OS BIOS Keys (UserPIN)
S CERTINFO 101 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DENK0106097/CELOS\x20OS\x20BIOS\x20Keys\x20\x28UserPIN\x29/08E88816BAC7ACBDAB75869D91829D87E3A521F5
S KEYPAIRINFO 6C3EF6D3AAFDA54DBD2FB5B01952950B034ACF43 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DENK0106097/CELOS\x20OS\x20BIOS\x20Keys\x20\x28UserPIN\x29/08E88816BAC7ACBDAB75869D91829D87E3A521F5
OK
Output when I try to import the key into GPG (key with the given keygrip not found):
$ gpg --expert --full-generate-key --homedir .
gpg: WARNING: unsafe permissions on homedir `/home/chris/workspace/tmp'
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 13
Enter the keygrip: 6C3EF6D3AAFDA54DBD2FB5B01952950B034ACF43
No key with this keygrip
My config files:
cat ~/.gnupg/gpg-agent.conf
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry
log-file /home/chris/workspace/tmp/gpg-agent.log
verbose
debug-all
cat ~/.gnupg/gnupg-pkcs11-scd.conf
log-file /home/chris/workspace/tmp/pkcs11-scd.log
verbose
debug-all
providers smartcardhsm
provider-smartcardhsm-library /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#provider-smartcardhsm-cert-private
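A small helper for reconciling the identifiers in the post above, added here as an example; it is not part of gnupg-pkcs11-scd or GnuPG. The SCD LEARN transcript names the key three ways: the keygrip that gpg asks for in "Enter the keygrip", the `\xHH`-escaped key id `manufacturer/model/serial/label/CKA_ID` that gnupg-pkcs11-scd builds from the PKCS#11 token, and the CKA_ID that was passed to `pkcs11-tool --id`. The parser below decodes the escapes (it also accepts Assuan-style `%HH`, an assumption for builds that emit that form), splits the key id into its five components, and maps CKA_ID to keygrip so that what `pkcs11-tool --list-objects` shows can be checked against what gpg-agent will accept. The sample input is constructed from the transcript in the post.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the SCD LEARN status lines from the post above.
# A raw string keeps the \xHH escapes literal, exactly as the daemon prints them.
SAMPLE_LEARN = r"""
OK Pleased to meet you
S SERIALNO D2760001240111503131A4240B5E1111
S APPTYPE PKCS11
S KEY-FRIEDNLY 6C3EF6D3AAFDA54DBD2FB5B01952950B034ACF43 /CN=gpg.test on CELOS OS BIOS Keys (UserPIN)
S CERTINFO 101 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DENK0106097/CELOS\x20OS\x20BIOS\x20Keys\x20\x28UserPIN\x29/08E88816BAC7ACBDAB75869D91829D87E3A521F5
S KEYPAIRINFO 6C3EF6D3AAFDA54DBD2FB5B01952950B034ACF43 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DENK0106097/CELOS\x20OS\x20BIOS\x20Keys\x20\x28UserPIN\x29/08E88816BAC7ACBDAB75869D91829D87E3A521F5
OK
"""

# gnupg-pkcs11-scd escapes punctuation inside key-id components as \xHH;
# %HH is accepted too (assumption: Assuan-style percent escaping).
_ESCAPE = re.compile(r"(?:\\x|%)([0-9A-Fa-f]{2})")


def unescape(text: str) -> str:
    """Decode \\xHH (and %HH) escapes in one key-id component."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


@dataclass
class KeyInfo:
    keygrip: str             # what gpg prompts for under "Existing key"
    manufacturer: str        # token manufacturer, from the key id
    model: str
    token_serial: str
    label: str               # token label (not the object label)
    cka_id: str              # hex CKA_ID, i.e. the --id given to pkcs11-tool
    friendly: Optional[str] = None          # text of the KEY-FRIEDNLY line (sic)
    cert_types: List[int] = field(default_factory=list)  # CERTINFO types seen


@dataclass
class LearnInfo:
    serialno: Optional[str] = None
    apptype: Optional[str] = None
    keys: Dict[str, KeyInfo] = field(default_factory=dict)  # keyed by keygrip


def _split_key_id(escaped_id: str) -> List[str]:
    # '/' inside a component is escaped, so splitting the escaped string on '/'
    # is unambiguous; decode each of the five parts afterwards.
    parts = escaped_id.split("/")
    if len(parts) != 5:
        raise ValueError(f"unexpected key id layout: {escaped_id!r}")
    return [unescape(p) for p in parts]


def parse_learn(text: str) -> LearnInfo:
    """Parse the S-lines of an SCD LEARN transcript into a LearnInfo."""
    info = LearnInfo()
    friendly: Dict[str, str] = {}
    certs: List[Tuple[int, str]] = []
    for raw in text.splitlines():
        if not raw.startswith("S "):
            continue                       # skip OK / ERR / D lines
        kw, _, rest = raw[2:].partition(" ")
        rest = rest.strip()
        if kw == "SERIALNO":
            info.serialno = rest
        elif kw == "APPTYPE":
            info.apptype = rest
        elif kw == "KEYPAIRINFO":
            keygrip, _, key_id = rest.partition(" ")
            mfr, model, serial, label, cka_id = _split_key_id(key_id)
            info.keys[keygrip.upper()] = KeyInfo(
                keygrip.upper(), mfr, model, serial, label, cka_id.upper())
        elif kw == "KEY-FRIEDNLY":         # the daemon really spells it this way
            keygrip, _, name = rest.partition(" ")
            friendly[keygrip.upper()] = name
        elif kw == "CERTINFO":
            ctype, _, key_id = rest.partition(" ")
            certs.append((int(ctype), _split_key_id(key_id)[4].upper()))
    # KEY-FRIEDNLY and CERTINFO may precede KEYPAIRINFO, so attach them last.
    for grip, name in friendly.items():
        if grip in info.keys:
            info.keys[grip].friendly = name
    for ctype, cka_id in certs:
        for k in info.keys.values():
            if k.cka_id == cka_id:
                k.cert_types.append(ctype)
    return info


def find_keygrip(info: LearnInfo, keygrip: str) -> Optional[KeyInfo]:
    """The lookup gpg performs on 'Enter the keygrip'; case-insensitive."""
    return info.keys.get(keygrip.strip().upper())


def keygrip_for_cka_id(info: LearnInfo, cka_id: str) -> Optional[str]:
    """Map a pkcs11-tool --id (CKA_ID) to the keygrip gpg needs."""
    wanted = cka_id.strip().upper()
    for k in info.keys.values():
        if k.cka_id == wanted:
            return k.keygrip
    return None


if __name__ == "__main__":
    learned = parse_learn(SAMPLE_LEARN)
    for k in learned.keys.values():
        print(f"{k.keygrip}  CKA_ID={k.cka_id}  token={k.label!r}  certs={k.cert_types}")
```

If `find_keygrip` returns a match for the keygrip you typed but gpg still answers "No key with this keygrip", the LEARN output and the gpg command were served by different agents: gpg is using a different home directory (and therefore a different gpg-agent.conf and scdaemon-program) than the one you ran SCD LEARN against.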
Hello @chris-dmg,
You are using a non-default, complex configuration for testing... Please revert to a minimal configuration and test; it is much easier to reach a working setup and then break it than to debug a complex non-working one.
In your case I can see that:
$ gpg --card-status
is run within a different home directory than the second command.
Also, when pasting, please set LC_ALL=C so that the output is in English and people can understand it :)
Thanks,
Hello @alonbl ,
thanks for your hint, and sorry for pasting German output. I have now added "export LC_ALL=C" to my .bashrc and, to my surprise, it now works without problems. Is it possible that something depends on the locale?
Thanks, Chris
The card status and the generate key should use the same home.
Thanks - it works now as expected!
Hi, I have a PKCS#11-capable token with a private key, certificate, and public key on it. This is the output of SCD LEARN:
But when I try to load the key with the "04B70DFA6C7A559FC5E1B932ADAF9F0804B25CE2" key-friendly, I get the result below:
I want to point out that the same process succeeds with an older key that exists on the token with the "EA518B3E6D66EDCA8B9DA5ADF59798B34C5D1A51" key-friendly.
Any advice on solving the problem is appreciated.
The log file is as below: