alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

card serials change and keys without certificates are not shown during learn? #68

Open inorton-entrust opened 2 hours ago

inorton-entrust commented 2 hours ago

Hi, I'm using an nCipher HSM as my pkcs11 device. I have my key available and can do normal pkcs11 signing with it, but this key isn't appearing during the LEARN command.

When I originally got the key into gpg on another system the application ID value (and card serial) shown by doing "gpg --card-status" showed different values.

    Application ID ...: D27600012401115031312CF4EEE61111
    Application type .: OpenPGP
    Version ..........: 11.50
    Manufacturer .....: unknown
    Serial number ....: 2CF4EEE6

Now, on a different computer, the same command reports:

    Application ID ...: D2760001240111503131476E4A811111
    Application type .: OpenPGP
    Version ..........: 11.50
    Manufacturer .....: unknown
    Serial number ....: 476E4A81

This now means that the agent prompts me to insert a card with the "2CF4EEE6" serial.

If however I hex edit the gpg shadow file to set the new value, my token is loaded and signs correctly.

Where are we getting this application ID string from? Is it possible to override it, or to generate it in a way that is consistent with only data on a token?
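As an added illustration (not code from the issue or from the gnupg-pkcs11-scd project), the two Application IDs quoted above can be split into the OpenPGP card AID fields (RID, application, version, manufacturer, serial, RFU) to show that only the serial field changed between the two hosts, which is exactly the value the agent checks before prompting for a card:

```python
# Added example: decode the OpenPGP Application IDs quoted in this issue and
# report which AID fields differ between the two hosts.
from typing import Dict, List

# Field layout of a 16-byte OpenPGP card AID, as defined by the OpenPGP card spec:
# RID (5) | application (1) | version (2, BCD) | manufacturer (2) | serial (4) | RFU (2)
AID_FIELDS = (
    ("rid", 5),
    ("application", 1),
    ("version", 2),
    ("manufacturer", 2),
    ("serial", 4),
    ("rfu", 2),
)

# The two AIDs reported by "gpg --card-status" in this issue (first host, second host).
AID_HOST_A = "D27600012401115031312CF4EEE61111"
AID_HOST_B = "D2760001240111503131476E4A811111"


def parse_aid(aid_hex: str) -> Dict[str, str]:
    """Split a 32-hex-digit OpenPGP AID into named fields (uppercase hex strings)."""
    raw = bytes.fromhex(aid_hex)
    if len(raw) != 16:
        raise ValueError(f"OpenPGP AID must be 16 bytes, got {len(raw)}")
    fields: Dict[str, str] = {}
    pos = 0
    for name, size in AID_FIELDS:
        fields[name] = raw[pos:pos + size].hex().upper()
        pos += size
    # The version bytes are BCD, so 0x1150 is what gpg prints as "11.50".
    fields["version_str"] = f"{fields['version'][:2]}.{fields['version'][2:]}"
    return fields


def diff_aids(aid_a: str, aid_b: str) -> List[str]:
    """Return the names of the AID fields whose bytes differ between two AIDs."""
    a, b = parse_aid(aid_a), parse_aid(aid_b)
    return [name for name, _ in AID_FIELDS if a[name] != b[name]]


if __name__ == "__main__":
    for label, aid in (("host A", AID_HOST_A), ("host B", AID_HOST_B)):
        f = parse_aid(aid)
        print(f"{label}: version={f['version_str']} manufacturer={f['manufacturer']} serial={f['serial']}")
    print("fields that differ:", diff_aids(AID_HOST_A, AID_HOST_B))
```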

inorton-entrust commented 2 hours ago

I see now! The hex string "application id" is a serialised string made up by pkcs11-helper out of:

    { /* Must be after assert */
        sources[0] = token_id->manufacturerID;
        sources[1] = token_id->model;
        sources[2] = token_id->serialNumber;
        sources[3] = token_id->label;
        sources[4] = NULL;
    }

In my case I have several HSMs and each HSM has a different serial; my pkcs11 token can be loaded on any one of these devices.

inorton-entrust commented 2 hours ago

I've also noticed that gnupg-pkcs11-scd only searches the first token it finds; that is useful to know.