How to use a PKCS#15 with GnuPG?


How to use a PKCS#15 with GnuPG?

NdK
Hello all.

I'm trying to use an ePass2003 token (and possibly some Aventra MyID
cards) to have my keys around when I need 'em (especially for
authentication and signing). Both ePass2003 and MyID implement PKCS#15,
so IIUC they should be usable.
Too bad I can't find the needed info...

I generated some test keys on the token (ssh one is imported, for
another test):
$ pkcs15-tool -D
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [NdK-test]:
        Version        : 0
        Serial number  : 0843420916091101
        Manufacturer ID: EnterSafe
        Last update    : 20170615092227Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : ascii-numeric
        Path           : 3f005015

Private RSA Key [SSH key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x4], sign
        Access Flags   : [0xD], sensitive, alwaysSensitive, neverExtract
        ModLength      : 1024
        Key ref        : 0 (0x0)
        Native         : yes
        Path           : 3f0050152900
        Auth ID        : 01
        ID             : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d
        MD:guid        : {323ba8f2-2b93-1900-fa3b-e1b4d2024011}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Private RSA Key [Signature key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0xC], sign, signRecover
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : 3f0050152901
        Auth ID        : 01
        ID             : 9e67a012e0e45f3ae9b1398b912bbf2ba1aef2d4
        MD:guid        : {6c1033ed-c1df-5baa-4e87-5be41c0a8b03}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Private RSA Key [Decryption key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x22], decrypt, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 2 (0x2)
        Native         : yes
        Path           : 3f0050152902
        Auth ID        : 01
        ID             : 7db41d5b2c07355dd361e0bffd543c0cfc51953b
        MD:guid        : {08884d6f-15a7-1ade-7183-04d4a4e6bc6f}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public RSA Key [SSH key]
        Object Flags   : [0x2], modifiable
        Usage          : [0x40], verify
        Access Flags   : [0x0]
        ModLength      : 1024
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050153000
        ID             : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d

Public RSA Key [Signature key]
        Object Flags   : [0x2], modifiable
        Usage          : [0xC0], verify, verifyRecover
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050153001
        ID             : 9e67a012e0e45f3ae9b1398b912bbf2ba1aef2d4

Public RSA Key [Decryption key]
        Object Flags   : [0x2], modifiable
        Usage          : [0x11], encrypt, wrap
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050153002
        ID             : 7db41d5b2c07355dd361e0bffd543c0cfc51953b

$ gpg2 --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

But:
$ gpg2 --card-edit

gpg: OpenPGP card not available: Not supported

gpg/card>

Well, actually it's not completely unexpected, but then I don't
understand why scdaemon is now locking my token, if it doesn't know how
to handle it:
$ pkcs15-tool -D
Using reader with a card: Feitian ePass2003 00 00
Failed to connect to card: Reader in use by another application

What am I missing?

Tks,
 Diego

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: How to use a PKCS#15 with GnuPG?

Werner Koch
On Thu, 15 Jun 2017 14:13, [hidden email] said:

> authentication and signing). Both ePass2003 and MyID implement PKCS#15,
> so IIUC they should be usable.

gpg expects an OpenPGP card.  For pkcs#15 you need to use gpgsm.  As a
starter do

 gpgsm --learn-card

which imports the certificates from such cards.  There is no --card-edit
etc, because in general PKCS#15 cards are distributed personalized.
Having done --learn-card once you can use the keys from the card for
X.509 or CMS (aka S/MIME) stuff.

But note, that PKCS#15 does not specify everything and card vendors
often implement proprietary extensions/modifications.  See
gnupg/scd/app-p15.c for some hints.



Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
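Two practical points follow from Werner's reply and from the pkcs15-tool dump in the original post. First, gpg --card-edit only speaks to OpenPGP cards, but the attempt leaves scdaemon running and holding the reader, which is exactly what OpenSC then reports as "Reader in use by another application"; stopping scdaemon (gpgconf --kill scdaemon) before running pkcs15-tool clears that. Second, the objects gpgsm can use are the private keys pkcs15-tool lists, linked to their public halves and certificates by the ID field and to the PIN by Auth ID. The script below is an added example written for this page, not code from the thread, GnuPG or OpenSC: it parses a constructed, abbreviated pkcs15-tool -D dump (labels and key IDs copied from the post above) to report which keys can sign or decrypt, and wraps the hand-off to gpgsm in a function that only runs when a token is present. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example for this thread (not GnuPG or OpenSC code).  Assumptions:
# POSIX sh + awk; P15_DUMP is a constructed, abbreviated pkcs15-tool -D
# output in the format shown in the original post (labels/IDs taken from it).
set -eu

P15_DUMP='PKCS#15 Card [NdK-test]:
        Version        : 0
        Flags          : EID compliant

PIN [User PIN]
        ID             : 01
        Reference      : 1 (0x01)

Private RSA Key [SSH key]
        Usage          : [0x4], sign
        ModLength      : 1024
        Auth ID        : 01
        ID             : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d
        MD:guid        : {323ba8f2-2b93-1900-fa3b-e1b4d2024011}

Private RSA Key [Signature key]
        Usage          : [0xC], sign, signRecover
        ModLength      : 2048
        Auth ID        : 01
        ID             : 9e67a012e0e45f3ae9b1398b912bbf2ba1aef2d4

Private RSA Key [Decryption key]
        Usage          : [0x22], decrypt, unwrap
        ModLength      : 2048
        Auth ID        : 01
        ID             : 7db41d5b2c07355dd361e0bffd543c0cfc51953b

Public RSA Key [SSH key]
        Usage          : [0x40], verify
        ID             : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d
'

# One line per private key: label|ID|bits|usage|AuthID.
# ID ties the private key to its public key and certificate; Auth ID names
# the PIN object that must be verified before the key can be used.
p15_private_keys() {
    printf '%s\n' "$P15_DUMP" | awk '
        function emit() { print label "|" id "|" bits "|" usage "|" auth }
        /^Private RSA Key \[/ {
            if (inkey) emit()
            inkey = 1; label = $0
            sub(/^Private RSA Key \[/, "", label); sub(/\]$/, "", label)
            id = ""; bits = ""; usage = ""; auth = ""
            next
        }
        /^[^ \t]/ { if (inkey) emit(); inkey = 0 }   # any other top-level object ends the key
        inkey && /^[ \t]*Usage/     { usage = substr($0, index($0, "],") + 2); sub(/^ +/, "", usage) }
        inkey && /^[ \t]*ModLength/ { bits = $NF }
        inkey && /^[ \t]*Auth ID/   { auth = $NF }
        inkey && /^[ \t]*ID /       { id = $NF }    # "Auth ID" and "MD:guid" do not match this
        END { if (inkey) emit() }
    '
}

# Key IDs usable for signing / decryption, judged from the PKCS#15 usage flags.
p15_sign_keys()    { p15_private_keys | awk -F'|' '$4 ~ /sign/    { print $2 }'; }
p15_decrypt_keys() { p15_private_keys | awk -F'|' '$4 ~ /decrypt/ { print $2 }'; }

# Hand the token to gpgsm.  gpg --card-edit only speaks OpenPGP-card, but it
# leaves scdaemon running and holding the reader, which OpenSC reports as
# "Reader in use by another application".  Stop scdaemon, check the card with
# OpenSC, then let gpgsm read the card's certificates.  Needs a token plugged
# in; the parsing above does not.
learn_pkcs15_card() {
    gpgconf --kill scdaemon      # release the reader held by scdaemon
    pkcs15-tool -D               # should no longer fail with "Reader in use"
    gpgsm --learn-card           # imports the card's X.509 certificates
    gpgsm --list-secret-keys     # card keys now listed for S/MIME (CMS) use
}

echo "Sign-capable key IDs:";    p15_sign_keys
echo "Decrypt-capable key IDs:"; p15_decrypt_keys
if [ "${1:-}" = "--learn" ]; then learn_pkcs15_card; fi
```

Note the caveat that follows from the dump itself: pkcs15-tool -D prints certificates as "X.509 Certificate [label]" objects, and the dump in the original post contains none, only key pairs. gpgsm addresses card keys through their certificates, so on such a token gpgsm --learn-card has nothing to import until a certificate for each key (a self-signed one is enough) has been written to the card, for example with pkcs15-init --store-certificate. Once scdaemon has been started again by gpgsm it will hold the reader once more, so OpenSC tools and gpgsm cannot be used on the token at the same time.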


Re: How to use a PKCS#15 with GnuPG?

NdK
On 17/06/2017 10:35, Werner Koch wrote:

> gpg expects an OpenPGP card.  For pkcs#15 you need to use gpgsm.  As a
> starter do
>  gpgsm --learn-card
> which imports the certificates from such cards.  There is no --card-edit
> etc, because in general PKCS#15 cards are distributed personalized.
> Having done --learn-card once you can use the keys from the card for
> X.509 or CMS (aka S/MIME) stuff.
Then I don't understand the reason for gpgsm (the "niche" it fills)...
opensc already supports many cards, and can even edit some. And (via
PKCS#11) Firefox and Thunderbird (and many other programs, but only one
at a time) can use the cards for auth (and signing).

> But note, that PKCS#15 does not specify everything and card vendors
> often implement proprietary extensions/modifications.
As usual. But even openpgp RFCs are often implemented with proprietary
extensions...

> See gnupg/scd/app-p15.c for some hints.
I'll have a look.

Tks,
 Diego


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users