command 'LEARN' failed: No inquire callback in IPC


Rogers, Dustin

Hi GnuPG community:

I have recently installed gnupg 2.1.20 from source on a centos6.8 box. For some reason I cannot get the pinentry prompt to appear on the terminal with this newest version.

gpg-connect-agent works as expected and asks for the PIN, but gpg-agent will not.

I have configured the gpg-agent.conf to use pinentry-curses.

Here is output from gpg --card-edit:

[root@system1 ~]# gpg --card-edit

gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159
gpg-agent[5158]: DBG: chan_8 <- RESET
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION ttyname=/dev/pts/0
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION ttytype=xterm
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- GETINFO version
gpg-agent[5158]: DBG: chan_8 -> D 2.1.20
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION allow-pinentry-notify
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- OPTION agent-awareness=2.1.0
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[5158]: no running SCdaemon - starting it
gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[5158]: DBG: first connection to SCdaemon established
gpg-agent[5158]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[5158]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.uTRBtO/agent.S
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.uTRBtO/agent.S'
gpg-agent[5158]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: chan_9 -> GETINFO version
gpg-agent[5158]: DBG: chan_9 <- D 0.7.5
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: chan_8 -> D 0.7.5
gpg-agent[5158]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[5158]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[5158]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[5158]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[5158]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: chan_8 -> OK
gpg-agent[5158]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[5158]: DBG: chan_9 -> LEARN --force
gpg-agent[5158]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[5158]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[5158]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[5158]: DBG: chan_9 -> END
gpg-agent[5158]: DBG: chan_9 <- OK
gpg-agent[5158]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[5158]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[5158]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC <GPG Agent>
gpg: OpenPGP card not available: No inquire callback in IPC

I have tried to set the GPG_TTY variable, but I still don't get the PIN prompt. GPG_TTY=`tty`

I have this working with manual pinentry in a gnupg 2.0 environment, but eventually I would like to use the unattended pinentry-mode loopback, which seems to be available in the gnupg 2.1.20 version only. I am trying to automate batch operations of gpg.

Thus, SCD LEARN will dutifully prompt for PIN when I launch the gpg-agent alongside the gpg-connect-agent like this:

gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --pinentry-program=/usr/bin/pinentry-curses --daemon gpg-connect-agent

But SCD LEARN does not dutifully prompt for PIN if I launch without the gpg-connect-agent:

gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --pinentry-program=/usr/bin/pinentry-curses --daemon

I have a feeling I have a small configuration error, or am not understanding something. But I have reviewed bug reports which seem similar to this issue I am having also. Can anyone tell me why the gpg-connect-agent can invoke the pinentry, but gpg-agent cannot? I am trying su'd as root, but I have the same issue when I'm not su'd as root.

Thank you,

-Dustin Rogers




The information contained in this e-mail is confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: command 'LEARN' failed: No inquire callback in IPC

NIIBE Yutaka
"Rogers, Dustin" <[hidden email]> wrote:
> I have recently installed gnupg 2.1.20 from source on a centos6.8 box.

What's the configure option?  Did you enable smart card support with
libusb?

> [root@system1 ~]# gpg --card-edit
>
> gpg-agent[5158]: DBG: chan_8 -> OK Pleased to meet you, process 5159
[...]
> gpg-agent[5158]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready

This is not the scdaemon from GnuPG.

Please install scdaemon of GnuPG and try again with that.
--


Re: command 'LEARN' failed: No inquire callback in IPC

Dustin Rogers

Hi Mr. Yutaka:

Thank you for your input and all the dev work you have done.

This is a cloud environment so I don't have the luxury of physical access to a USB port. I do not leverage libusb because this is using a network attached SafeNet Luna SA HSM (Gemalto brand) PKCS#11 smart card provider.

I just gave the native scdaemon a try. It doesn't seem to recognize this card provider at all.

LEARN
ERR 100663404 Card error <SCD>

In fact the native support for smart cards does not seem to support network attached HSM "virtual tokens" devices at all. It could be possible that I need to specify the local port the installed HSM agent is running on, but I don't think I will be that lucky.

Perhaps I could help build the support into the native scdaemon, but you are an expert at this, so I don't want to come off rude. I know the work isn't simple.

I have this other scdaemon (gnupg-pkcs11-scd) working fine with gnupg 2.0, but with manual pinentry for each operation. I can't get it working with gnupg 2.1 (again, I am looking for the unattended pinentry support the later version seems to have). Thus, I really don't think this is an issue with the scdaemon I am using. Moreover, I can see the INQUIRE PIN callback is there, the pinentry is just not appearing. Really I would like to understand why the gpg-connect-agent is allowing the PIN callback through, and the gpg-agent itself is not?

Thank you,
-Dustin Rogers

Here is my config file thus far for native scdaemon:

#Debug Level
debug-level guru
#Smartcard Provider SO object
# NOTE: scdaemon's pcsc-driver option names the PC/SC library (libpcsclite.so.1 by default),
# not a PKCS#11 module; scdaemon has no option that loads a Cryptoki library, so this
# setting cannot make it talk to the HSM.
pcsc-driver /usr/lib/libCryptoki2_64.so
#pcsc-driver /usr/lib/libCryptoki2.so
log-file scdaemon.log
#card-timeout 1


Re: command 'LEARN' failed: No inquire callback in IPC

NIIBE Yutaka
Dustin Rogers <[hidden email]> wrote:
> In fact the native support for smart cards does not seem to support
> network attached HSM "virtual tokens" devices at all. It could be
> possible that I need to specify the local port the installed HSM agent
> is running on, but I dont think I will be that lucky.

No, scdaemon doesn't support it.

> I have this  other scdaemon (gnupg-pkcs11-scd) working fine with gnupg 2.0,

Well, I think that gnupg-pkcs11-scd is not supported by GnuPG, 2.0 or
2.1.  It is a kind of... independently developed program, unfortunately.
It was just coincidence (from my view point) it worked with GnuPG 2.0.

It would be good if someone around gnupg-pkcs11-scd shares development
information with GnuPG.

> but with manual pinentry for each operation. I cant get it working
> with gnupg 2.1. (again, I am looking for the unattended pinentry
> support the later version seems to have) Thus, I really dont think
> this is an issue with the scdaemon I am using. Moreover, I can see the
> INQUIRE PIN callback is there, the pinentry is just not
> appearing. Really I would like to understand why the gpg-connect-agent
> is allowing the pin call back through, and the gpg-agent itself is
> not?

Well, it's the detail of protocol between gpg-agent and scdaemon.
INQUIRE NEEDPIN from scdaemon is not expected by gpg-agent when LEARN
--force is issued.  This situation is same in GnuPG 2.0.

We don't know how gnupg-pkcs11-scd works, according to your log, it
breaks the protocol for LEARN.

gpg-agent only delegates back the INQUIRE NEEDPIN request to gpg when it
is prepared: PKSIGN, PKDECRYPT, WRITEKEY, and generic SCD.

For gpg-connect-agent with SCD command, it is prepared, thus it works.

I think that it would be good to check why gnupg-pkcs11-scd called back
with INQUIRE NEEDPIN for LEARN command.
--

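To make the protocol point in the reply above concrete, here is an added example (not code from GnuPG or gnupg-pkcs11-scd) that models the Assuan exchange in the posted log: a scdaemon-like server whose LEARN raises INQUIRE NEEDPIN, and a gpg-agent-like client that has an inquire callback registered only for PKSIGN, PKDECRYPT, WRITEKEY and pass-through SCD commands. It also decodes the two ERR numbers quoted in the thread (67109130 and 100663404) into their gpg-error source and code. The class and function names, the PIN value and the "Bad PIN" branch are assumptions made for the illustration; the error-code layout and the numeric constants are libgpg-error's.

```python
"""Model of the Assuan exchange behind "command 'LEARN' failed: No inquire
callback in IPC".  Added example, not GnuPG or gnupg-pkcs11-scd code.
Names, token label and PIN are constructed; the gpg_error_t layout (7-bit
source in bits 24-30, 16-bit code in bits 0-15) and the constants below
are from libgpg-error.
"""
from typing import Callable, Iterator, List, Optional

GPG_ERR_BAD_PIN = 87                # "Bad PIN" (assumed branch, not in the log)
GPG_ERR_CARD = 108                  # "Card error" (quoted in the thread, source SCD)
GPG_ERR_ASS_NO_INQUIRE_CB = 266     # "No inquire callback in IPC" (in the log, source GPG Agent)
ERR_TEXT = {GPG_ERR_BAD_PIN: "Bad PIN", GPG_ERR_CARD: "Card error",
            GPG_ERR_ASS_NO_INQUIRE_CB: "No inquire callback in IPC"}
SOURCE_GPGAGENT, SOURCE_SCD = 4, 6
SOURCE_TEXT = {SOURCE_GPGAGENT: "GPG Agent", SOURCE_SCD: "SCD"}


def make_error(source: int, code: int) -> int:
    """Pack source and code the way gpg_err_make() does."""
    return ((source & 0x7F) << 24) | (code & 0xFFFF)


def decode_err_line(line: str) -> dict:
    """Split an Assuan 'ERR <num> <text> <source>' line into source and code."""
    num = int(line.split()[1])
    return {"source": SOURCE_TEXT.get(num >> 24, str(num >> 24)),
            "code": num & 0xFFFF, "text": ERR_TEXT.get(num & 0xFFFF, "?")}


def err_line(source: int, code: int) -> str:
    return f"ERR {make_error(source, code)} {ERR_TEXT[code]} <{SOURCE_TEXT[source]}>"


Inquire = Callable[[str], Optional[str]]   # client side: prompt -> PIN, or None if it cannot answer


class ScdServer:
    """scdaemon-like server.  With learn_needs_pin=True its LEARN raises
    INQUIRE NEEDPIN, as gnupg-pkcs11-scd does in the log; GnuPG's own
    scdaemon does not ask for a PIN during LEARN."""

    def __init__(self, serial: str, token: str, pin: str, learn_needs_pin: bool):
        self.serial, self.token, self.pin = serial, token, pin
        self.learn_needs_pin = learn_needs_pin

    def handle(self, cmd: str, inquire: Inquire) -> Iterator[str]:
        verb = cmd.split()[0]
        prompt = f"NEEDPIN PIN required for token '{self.token}' (try 0)"
        if verb == "LEARN":
            yield f"S SERIALNO {self.serial} 0"
            yield "S APPTYPE PKCS11"
            if self.learn_needs_pin:
                answer = inquire(prompt)
                if answer is None:       # client sent a bare END; the log shows the server still says OK
                    yield "OK"
                    return
                if answer != self.pin:
                    yield err_line(SOURCE_SCD, GPG_ERR_BAD_PIN)
                    return
            yield "OK"
        elif verb == "PKSIGN":
            if inquire(prompt) == self.pin:
                yield "D <signature bytes>"
                yield "OK"
            else:
                yield err_line(SOURCE_SCD, GPG_ERR_BAD_PIN)
        else:
            yield err_line(SOURCE_SCD, GPG_ERR_CARD)


class AgentClient:
    """gpg-agent-like client.  An inquire callback is registered only for the
    commands gpg-agent is prepared to relay to gpg/pinentry (PKSIGN, PKDECRYPT,
    WRITEKEY and pass-through 'SCD ...'); a plain LEARN runs without one."""
    RELAYED = {"PKSIGN", "PKDECRYPT", "WRITEKEY", "SCD"}

    def __init__(self, server: ScdServer, pinentry: Callable[[str], str]):
        self.server, self.pinentry = server, pinentry
        self.transcript: List[str] = []

    def run(self, command: str) -> str:
        """Send one agent-level command; return the final status line."""
        verb = command.split()[0]
        has_callback = verb in self.RELAYED
        scd_cmd = command[4:] if verb == "SCD" else command   # strip the pass-through prefix
        no_callback = False

        def inquire(prompt: str) -> Optional[str]:
            nonlocal no_callback
            self.transcript.append(f"<- INQUIRE {prompt}")
            if not has_callback:
                no_callback = True          # nobody to hand the prompt to: answer with a bare END
                self.transcript.append("-> END")
                return None
            pin = self.pinentry(prompt)     # pinentry (or loopback) supplies the PIN
            self.transcript += ["-> D <pin>", "-> END"]
            return pin

        self.transcript.append(f"-> {scd_cmd}")
        last = ""
        for line in self.server.handle(scd_cmd, inquire):
            self.transcript.append(f"<- {line}")
            last = line
        if no_callback:   # libassuan turns the unanswered INQUIRE into this error on the client side
            last = err_line(SOURCE_GPGAGENT, GPG_ERR_ASS_NO_INQUIRE_CB)
        return last


if __name__ == "__main__":
    srv = ScdServer("D2760001240111504B43532331311111", "gnupg-par1HA", "123456", learn_needs_pin=True)
    agent = AgentClient(srv, pinentry=lambda prompt: "123456")
    print(agent.run("LEARN --force"))       # the ERR line from the log
    print(agent.run("SCD LEARN --force"))   # OK: the gpg-connect-agent pass-through path
```

Running LEARN --force through the client reproduces the ERR line from the log, while the same command sent as SCD LEARN --force (what gpg-connect-agent does) succeeds, because only the pass-through path carries a callback. A server built with learn_needs_pin=False, which is how GnuPG's own scdaemon behaves, completes LEARN either way, which is why the protocol breakage sits in the third-party scdaemon rather than in gpg-agent.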