alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Added configuration option for serial number to deal with multiple tokens #7

Closed manonfgoo closed 7 years ago

manonfgoo commented 7 years ago

Hi,

when setting up a keychain with the master key on a different token it is necessary to tell gpg which keys are on which token, therefore I added the config option "serial-number"

alonbl commented 7 years ago

Hi,

There was a problem in the past with having a serial number: gnupg either ignored it or got it wrong. I do not remember the exact issue... So we must check it again with the stable RHEL version.

Since the serial number is constant, it should work with whatever token you have available; it should work without a change by only switching tokens, as in the worst case an error will be returned. What issue are you experiencing?

If we go this route, we should derive the serial out of some hash of the token id that is returned by pkcs11-helper, not have it configured. But first let's answer the above two.

Thanks!

manonfgoo commented 7 years ago

Hi,

if I want to work with different smartcards, e.g. one with the master key and one with keys for everyday work, gpg needs to import them with different serial numbers.

when I try to access the smartcard with the serial number of the card with the master key but currently my smartcard for daily work is inserted, gnupg-pkcs11-scd answers the "SERIALNO openpgp" request. gpg sees that the card with the wrong serial number is inserted and prompts me

(screenshot from the original comment: screen shot 2017-05-11 at 13 00 56)

afterwards I change the card, change the config and tell gpg that the new card is inserted

cp ~/.gnupg/gnupg-pkcs11-scd.conf.master ~/.gnupg/gnupg-pkcs11-scd.conf ; pkill -9 gnupg-pkcs11-scd-with-appid

alonbl commented 7 years ago

I do not understand how it asks you for a different serial number in current implementation as the same serial number is returned for all objects. Is it before this change or after?

manonfgoo commented 7 years ago

What I outlined is the functionality after the patch.


alonbl commented 7 years ago

On 11 May 2017 at 15:29, manonfgoo notifications@github.com wrote:

What I outlined is the functionality after the patch.

ok, it makes sense now. But before the patch, why couldn't you just switch to the other card when needed? I begin to understand that you want to sign your sub key and in the middle you want it to ask for the token of the primary.

manonfgoo commented 7 years ago

Motivations for my patch:

1.) because the openpgp-card protocol only has three slots per card: sign, encrypt, and authenticate. For a master key / subkey setup one usually uses a signing key as master key from the Card-Master and the signing keys from Card-Daily for email signing. If I want to work with more subkeys I need a card with a separate serial number

2.) When I want to import the Card-Daily:signing_key and gpg believes that this key is on the same card as the Card-Master:signing_key, it does not prompt for the card change but tries to sign the Card-Daily:signing_key with Card-Master:signing_key and runs into an error because it accesses the Card-Daily:signing_key instead of the Card-Master:signing_key and because it is not possible to specify two different :signing_keys

3.) If you do not specify the "serial-number" field in the config the code behaves like before

4.) untested scenario, may require some more tweaking: if you switch from the openpgp-applet on card to pkcs11, and have a copy of your RSA keys left, you may want to import the RSA keys into the pkcs11 token and give the pkcs11 token the same serial / application_id as the old card had, to have a smooth migration

alonbl commented 7 years ago

In recent gnupg-2.1 there is no such limitation, example:

$ gpg --expert --list-keys C341A4AFCF3874AE3DDBBF30774626AFF3F3474D
pub   rsa2048 2017-05-11 [SCE]
      C341A4AFCF3874AE3DDBBF30774626AFF3F3474D
uid           [ultimate] test1 <test1@test.com>
sub   rsa2048 2017-05-11 [SE]
sub   rsa2048 2017-05-11 [SE]
sub   rsa2048 2017-05-11 [SE]
sub   rsa2048 2017-05-11 [SE]
sub   rsa2048 2017-05-11 [SE]
sub   rsa2048 2017-05-11 [SE]

manonfgoo commented 7 years ago

This limitation is lifted in gnupg-2.1 but not in the openpgp-card protocol that gnupg-pkcs11-scd is implementing.

AFAIK gpg2 --card-status only displays three slots in gnupg-2.1 as well

alonbl commented 7 years ago

On 11 May 2017 at 16:47, manonfgoo notifications@github.com wrote:

This limitation is lifted in gnupg-2.1 but not in the openpgp-card protocol that gnupg-pkcs11-scd is implementing.

AFAIK gpg2 --card-status only displays three slots in gnupg-2.1 as well

I do not think that card status is relevant... gpg now accesses the key based on name, not id (0-2), so I believe it should be possible to use multiple subkeys. The question is what parameter to use :)

manonfgoo commented 7 years ago

PKCS11 URL may be a good parameter for the new stuff. But

my patch makes it easier for gnupg-2.0 users to work with multiple cards; if you like I could add a second option or change the patch to make OPENPGP_PKCS11_SERIAL configurable. This adds flexibility to those who need it; for the rest everything stays the way it is

alonbl commented 7 years ago

OK, so let's agree on these:

  1. This patch is for gnupg-2.0; not sure why one cannot just build gnupg-2.1, as these people made progress in smartcard support.

  2. If we support a serial number it should be based on the actual card serial number, not switching files. I can probably work out something for this.

manonfgoo commented 7 years ago

1.) ok

2.) Ok, but which card will you use when multiple cards are attached to the computer? Maybe the card that has the key corresponding to the key referenced by "openpgp-sign"? But if I am with gnupg-2.0 and I want to use my backup card and present gpg exactly the same application ID,

maybe it would be a good solution to have an application_id configuration variable; if this contains "%s", %s is expanded to the first 2 bytes as hex of the hash of the vendor and 5 bytes as hex of the hash of the card's serial number

the config value would default to D276000124011150%s1111
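The template expansion proposed just above (a "%s" replaced by 2 hash bytes of the vendor plus 5 hash bytes of the card serial), which is also the hash-derived serial alonbl floated earlier in the thread, as an added example that is not code from this pull request or from gnupg-pkcs11-scd. The thread does not name the hash, so SHA-256 is an assumption, as are the sample vendor and serial strings, which stand in for values a real implementation would read from the PKCS#11 token info. The OpenPGP card application identifier is 16 bytes (32 hex digits) beginning with D2 76 00 01 24 01, so the helper also checks whether the expanded value fits that field:

```python
import hashlib
import re

# Constructed sample token identity (not taken from the PR). A real
# implementation would read these from the PKCS#11 CK_TOKEN_INFO fields.
SAMPLE_VENDOR = "Example Token Vendor"
SAMPLE_SERIAL = "0123456789ABCDEF"

# Default template quoted in the thread.
DEFAULT_TEMPLATE = "D276000124011150%s1111"

# An OpenPGP card AID is 16 bytes = 32 hex digits and starts with the
# OpenPGP RID plus application byte: D2 76 00 01 24 01.
AID_RE = re.compile(r"D27600012401[0-9A-F]{20}")


def derive_serial_fragment(vendor: str, serial: str, hash_name: str = "sha256") -> str:
    """Return 14 hex digits: the first 2 bytes of H(vendor) followed by the
    first 5 bytes of H(serial). The thread only says "hash"; SHA-256 is an
    assumption of this example."""
    vendor_part = hashlib.new(hash_name, vendor.encode("utf-8")).digest()[:2]
    serial_part = hashlib.new(hash_name, serial.encode("utf-8")).digest()[:5]
    return (vendor_part + serial_part).hex().upper()


def expand_application_id(template: str, vendor: str, serial: str,
                          hash_name: str = "sha256") -> str:
    """Replace the single %s placeholder with the token-derived fragment.
    A template without %s is returned as-is (upper-cased), which mirrors the
    proposal that users who do not opt in see no change in behaviour."""
    if template.count("%s") > 1:
        raise ValueError("template may contain at most one %s placeholder")
    expanded = template.replace("%s", derive_serial_fragment(vendor, serial, hash_name))
    return expanded.upper()


def is_valid_openpgp_aid(aid: str) -> bool:
    """True if the expanded value is a well-formed 16-byte OpenPGP card AID."""
    return AID_RE.fullmatch(aid) is not None


if __name__ == "__main__":
    aid = expand_application_id(DEFAULT_TEMPLATE, SAMPLE_VENDOR, SAMPLE_SERIAL)
    print(aid, len(aid) // 2, "bytes, well-formed:", is_valid_openpgp_aid(aid))
```

Because the fragment is a pure function of the vendor and serial, the same physical token always yields the same application ID regardless of which config file is active, and two tokens from the same vendor are told apart by the serial-derived bytes; the length check is what a practitioner would want to run on any candidate template before handing the result to gpg.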

alonbl commented 7 years ago

Hi, Can you please checkout the token branch? I expect it will meet your needs while generating the serial number out of the token content. Thanks!

alonbl commented 7 years ago

@manonfgoo: have you tried this?

manonfgoo commented 7 years ago

Back online on Tuesday next week, will come back to you asap afterwards

alonbl commented 7 years ago

ping?

alonbl commented 7 years ago

last ping?

alonbl commented 7 years ago

token branch merged.