alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

gpg2 --card-status fails to list any key #42

Closed sztsian closed 2 years ago

sztsian commented 2 years ago

I'm trying to use pkcs11 with gpg on Fedora. The hardware I am using is a Yubikey, with PIV initialized. However, I never have any luck with gpg2 --card-status. The packages I have are

openssl-pkcs11-0.4.11-4.fc35.x86_64
pkcs11-helper-1.27.0-4.fc35.x86_64
opensc-0.22.0-1.fc35.x86_64
openssl-pkcs11-0.4.11-4.fc35.i686
pkcs11-helper-devel-1.27.0-4.fc35.x86_64
yubico-piv-tool-2.2.1-1.fc35.x86_64
gnupg-pkcs11-scd-0.10.0-1.fc37.x86_64

Note: gnupg-pkcs11-scd above is self-compiled. Others are all from the official Fedora repo.

My config looks like the following

$ cat ~/.gnupg/gpg-agent.conf 
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program  /usr/bin/pinentry-gtk

$ cat ~/.gnupg/gnupg-pkcs11-scd.conf 
providers safenet
provider-safenet-library /usr/lib64/libykcs11.so.2
log-file /tmp/pkcs11log
verbose
debug-all
openpgp-sign E65944AA36C1A72A5EDFE7848E0D59F252920545

$ gpg-agent --server gpg-connect-agent << EOF
SCD LEARN
EOF
OK Pleased to meet you
S SERIALNO D276000124011150313115D60D5F1111
S APPTYPE PKCS11
S KEY-FRIEDNLY E65944AA36C1A72A5EDFE7848E0D59F252920545 /CN=SSH key on YubiKey PIV #4942750
S KEY-FPR 1 E65944AA36C1A72A5EDFE7848E0D59F252920545
S CERTINFO 101 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
S KEYPAIRINFO E65944AA36C1A72A5EDFE7848E0D59F252920545 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
S KEY-FRIEDNLY A569CDA604B5278BFB81FB9C9243F897E20BAD69 /CN=Yubico PIV Attestation on YubiKey PIV #4942750
S CERTINFO 101 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%19
S KEYPAIRINFO A569CDA604B5278BFB81FB9C9243F897E20BAD69 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%19
S KEY-FRIEDNLY E65944AA36C1A72A5EDFE7848E0D59F252920545 /CN=YubiKey PIV Attestation 9a on YubiKey PIV #4942750
S KEY-FPR 1 E65944AA36C1A72A5EDFE7848E0D59F252920545
S CERTINFO 101 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
S KEYPAIRINFO E65944AA36C1A72A5EDFE7848E0D59F252920545 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
OK

And the command output looks like

$ gpg2 --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.4)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Not found

Attached is the full debug log pkcs11log-yubikey.txt

Within the log, I find something suspicious:

gnupg-pkcs11-scd[26987.1355388736]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[26987.1355388736]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'

So I feel this is likely a bug somewhere. However, I have limited knowledge for debugging further, so I'm posting this issue for investigation.
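The SCD LEARN output above is a series of Assuan status lines. As an added example (not code from this issue or from gnupg-pkcs11-scd), here is a small Python parser that reads those lines, percent-decodes the pkcs11: URIs and checks whether the fingerprint given to openpgp-sign is among the advertised KEYPAIRINFO entries, which is the first thing to verify when --card-status reports no card. The sample text is constructed from the YubiKey output quoted in the issue.

```python
# Added example, not part of the issue or of gnupg-pkcs11-scd: parse the
# Assuan status lines returned by "SCD LEARN" and check that the key named
# by "openpgp-sign" in gnupg-pkcs11-scd.conf is actually advertised.
from urllib.parse import unquote

# Constructed sample, taken in shape from the YubiKey output in the issue.
LEARN_OUTPUT = """\
OK Pleased to meet you
S SERIALNO D276000124011150313115D60D5F1111
S APPTYPE PKCS11
S KEY-FRIEDNLY E65944AA36C1A72A5EDFE7848E0D59F252920545 /CN=SSH key on YubiKey PIV #4942750
S KEY-FPR 1 E65944AA36C1A72A5EDFE7848E0D59F252920545
S KEYPAIRINFO E65944AA36C1A72A5EDFE7848E0D59F252920545 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%01
S KEY-FRIEDNLY A569CDA604B5278BFB81FB9C9243F897E20BAD69 /CN=Yubico PIV Attestation on YubiKey PIV #4942750
S KEYPAIRINFO A569CDA604B5278BFB81FB9C9243F897E20BAD69 pkcs11:model=YubiKey%20YK4;token=YubiKey%20PIV%20%234942750;manufacturer=Yubico%20%28www.yubico.com%29;serial=4942750;id=%19
OK
"""


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI (RFC 7512 style) into percent-decoded attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: " + uri)
    attrs = {}
    for part in uri[len("pkcs11:"):].split(";"):
        name, _, value = part.partition("=")
        attrs[name] = unquote(value)   # %20 -> space, %28 -> "(", %01 -> "\x01"
    return attrs


def parse_learn(text):
    """Return (serialno, {fingerprint: uri attributes}) from SCD LEARN output."""
    serial, keys = None, {}
    for line in text.splitlines():
        if not line.startswith("S "):
            continue                    # OK/ERR lines carry no inventory data
        fields = line.split(" ", 3)     # "S KEYWORD arg1 rest-of-line"
        keyword = fields[1]
        if keyword == "SERIALNO":
            serial = fields[2]
        elif keyword == "KEYPAIRINFO":
            keys[fields[2]] = parse_pkcs11_uri(fields[3])
    return serial, keys


def check_openpgp_sign(text, configured_fpr):
    """True when the fingerprint from 'openpgp-sign' is advertised by the token."""
    _, keys = parse_learn(text)
    return configured_fpr.upper() in keys
```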

sztsian commented 2 years ago

I also have a SafeNet eToken 5110; it does not work either.

$ pkcs11-tool --module /usr/lib64/libeToken.so --login -O
Using slot 0 with a present token (0x0)
Logging in to "my5110".
Please enter User PIN: 
Private Key Object; RSA 
  label:      test@example.com
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      test@example.com
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     local
Certificate Object; type = X.509 cert
  label:      test@example.com
  subject:    DN: C=CN, L=Default City, O=Default Company Ltd, CN=test@example.com/emailAddress=test@example.com
  ID:         01
$ cat ~/.gnupg/gnupg-pkcs11-scd.conf 
providers safenet
provider-safenet-library /lib64/libeToken.so
log-file /tmp/pkcs11log
verbose
debug-all
$ gpg-agent --server gpg-connect-agent << EOF
SCD LEARN
EOF
OK Pleased to meet you
S SERIALNO D27600012401115031312FDDC3EC1111
S APPTYPE PKCS11
S KEY-FRIEDNLY 8DC2B2074EFAF0D03FA0EAB3DA0B5A9F8673B3D6 /C=CN/L=Default City/O=Default Company Ltd/CN=test@example.com/emailAddress=test@example.com on my5110
S CERTINFO 101 pkcs11:model=eToken;token=my5110;manufacturer=SafeNet%2c%20Inc.;serial=0248f688;id=%01
S KEYPAIRINFO 8DC2B2074EFAF0D03FA0EAB3DA0B5A9F8673B3D6 pkcs11:model=eToken;token=my5110;manufacturer=SafeNet%2c%20Inc.;serial=0248f688;id=%01
OK

gpg also fails to show the card

$ gpg2 --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.10.0 < 2.3.4)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Not found

Full log pkcs11log-safenet5110.txt

Within the log, similar CKR_SESSION_HANDLE_INVALID also shows up.

gnupg-pkcs11-scd[35533.3827447616]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[35533.3827447616]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'

However, if I change the config to

$ cat ~/.gnupg/gnupg-pkcs11-scd.conf
providers safenet
provider-safenet-library /lib64/libeToken.so
provider-safenet-allow-protected-auth
provider-safenet-cert-private
log-file /tmp/pkcs11log.txt
verbose
debug-all

Then gpg-agent already reports an error

$ gpg-agent --server gpg-connect-agent << EOF
SCD LEARN
EOF
OK Pleased to meet you
S SERIALNO D27600012401115031312FDDC3EC1111
S APPTYPE PKCS11
ERR 83902463 End of file <Pinentry>

But the pinentry is really a valid one that I can use with normal GPG.

$ file /usr/bin/pinentry-gtk
/usr/bin/pinentry-gtk: symbolic link to pinentry-gtk-2

pkcs11log-5110-modified-config.txt

alonbl commented 2 years ago

Hi, You are using patched pkcs11-helper. Please build it yourself and send me logs. For yubikey to work you must use latest version of pkcs11-helper and latest gnupg-pkcs11. Alon

sztsian commented 2 years ago

Hi Alon,

Thanks for the hints. It seems it's caused by my environment somewhere.

Still with the Fedora version of pkcs11-helper and gnupg-pkcs11-scd, I find that the yubikey works with /usr/lib64/opensc-pkcs11.so but not libykpiv.so.2, although I haven't confirmed whether the library is actually using the piv/pkcs11 applet or the gpg applet. And the eToken 5110 starts to work as well. The only thing I did before this worked is that, after I posted this issue, I powered off my computer.

I'll double confirm later and if they all work as expected I'll close the issue.

sztsian commented 2 years ago

I managed to make this work and wrote my notes here. https://sztsian.github.io/2022/02/20/Using-PKCS11-Token-With-GPG.html

Closing.