gpgsm --gen-key with key on smartcard


gpgsm --gen-key with key on smartcard

Thomas Jarosch
Hello all,

gpgsm can be used to create X.509 certificates
for existing secret keys on an OpenPGP smartcard.


"gpg2 --card-status" looks like this:
*********************************************
..
Signature key ....: E642 8DAC 275A 3247 5B59  A16F A3E9 1268 663A 9918
      created ....: 2018-02-27 23:04:28
Encryption key....: 7BD4 D616 869A DABA 40EE  92CE 0B7C A078 D0C4 D69E
      created ....: 2018-02-27 23:04:28
Authentication key: 7DA6 B4FD 7E63 CA74 4BDC  CE17 A006 6D00 9AD9 3260
      created ....: 2018-02-27 23:04:28
sec>  rsa2048/A3E91268663A9918  created: 2018-02-27  expires: never
                                card-no: 0005 00003E6D
ssb>  rsa2048/A0066D009AD93260  created: 2018-02-27  expires: never
                                card-no: 0005 00003E6D
ssb>  rsa2048/0B7CA078D0C4D69E  created: 2018-02-27  expires: never
                                card-no: 0005 00003E6
*********************************************


When invoking

    gpgsm --armor --output public.pem --gen-key

one can choose (3) to use an existing key on a smartcard.

The next menu presented is this:

*********************************************
Available keys:
   (1) C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
   (2) 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
   (3) 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
*********************************************

To me it seems it shows the 'keygrip' instead of the smartcard key IDs?


Debug output from gpgsm before the "available keys" prompt:
*********************************************
gpgsm: DBG: chan_5 <- S KEY-FPR 1 E6428DAC275A32475B59A16FA3E91268663A9918
gpgsm: DBG: chan_5 <- S KEY-FPR 2 7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E
gpgsm: DBG: chan_5 <- S KEY-FPR 3 7DA6B4FD7E63CA744BDCCE17A0066D009AD93260
gpgsm: DBG: chan_5 <- S KEY-TIME 1 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 2 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 3 1519772668
gpgsm: DBG: chan_5 <- S CHV-STATUS +0+32+32+32+3+0+3
gpgsm: DBG: chan_5 <- S SIG-COUNTER 4
gpgsm: DBG: chan_5 <- S KEYPAIRINFO C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
gpgsm: DBG: chan_5 <- OK
*********************************************

I guessed which key is the correct one from the gnupg 2.2.4 debug output.


When using a smartcard, what about showing the openpgp key IDs
in the "Available keys" menu?

Cheers,
Thomas




_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm --gen-key with key on smartcard

GnuPG - User mailing list
Hi.

On Wednesday, 28.02.2018, 10:56 +0100, Thomas Jarosch wrote:
> To me it seems it shows the 'keygrip' instead of the smartcard key
> IDs?

Yes, that's correct.


> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

I think this is not necessary, since you can see the keygrip using
"gpg2 -K --with-keygrip".

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

Re: gpgsm --gen-key with key on smartcard

Peter Lebbing
In reply to this post by Thomas Jarosch
On 28/02/18 10:56, Thomas Jarosch wrote:
> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

I don't think that's possible: keygrips are "protocol" agnostic, but key
IDs are not. So while the keygrip is the same for S/MIME and OpenPGP,
key IDs are inherently an OpenPGP thing. It doesn't make sense to
select a "key ID" for an S/MIME key. That's what I mean by protocol here.

My suggestion would be that

$ gpg --with-keygrip --card-status

would include keygrips in the output (it doesn't do that currently).

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


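
Peter's distinction above, as an added example (this is not code from the thread or from GnuPG): a keygrip hashes only the public key parameters, so it is the same whatever protocol the key is used under, while an OpenPGP v4 fingerprint, and the key ID taken from its low 64 bits, also covers the creation time and the algorithm byte, which only exist in OpenPGP. The RSA keygrip rule used here (SHA-1 over the modulus alone, as an unsigned big-endian integer) is my reading of libgcrypt and is an assumption; the fingerprint follows RFC 4880 section 12.2. TOY_N and TOY_E are a constructed 512-bit toy key, not a real one, and the second creation time is hypothetical.

```python
import hashlib
import struct


def unsigned_be(n: int) -> bytes:
    """Shortest big-endian encoding of a non-negative integer (no leading zero bytes)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")


def openpgp_mpi(n: int) -> bytes:
    """OpenPGP MPI encoding (RFC 4880 3.2): 2-byte bit count, then the unsigned value."""
    return struct.pack(">H", n.bit_length()) + unsigned_be(n)


def rsa_keygrip(n: int) -> str:
    """Keygrip as gpg-agent, gpgsm and `gpg --with-keygrip` show it for an RSA key.

    Assumption (libgcrypt's RSA rule as I understand it): SHA-1 over the modulus n
    alone, as an unsigned big-endian integer.  Nothing OpenPGP-specific goes in.
    """
    return hashlib.sha1(unsigned_be(n)).hexdigest().upper()


def rsa_v4_fingerprint(n: int, e: int, created: int) -> str:
    """OpenPGP v4 fingerprint (RFC 4880 12.2) of an RSA public key.

    SHA-1 over 0x99, the 2-byte body length and the public-key packet body:
    version 4, 4-byte creation time, algorithm 1 (RSA), then the MPIs n and e.
    """
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + openpgp_mpi(n) + openpgp_mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def openpgp_keyid(fingerprint: str) -> str:
    """Long key ID of a v4 key: its low 64 bits, i.e. the last 16 hex digits."""
    return fingerprint[-16:]


# Constructed toy modulus: 512 bits, not a real key, only here to drive the hashes.
TOY_N = int(
    "C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E"
    "2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F", 16)
TOY_E = 65537


def compare(created_a: int, created_b: int) -> dict:
    """Same key material, two creation times: the keygrip stays put, the
    fingerprint and the key ID derived from it change."""
    fpr_a = rsa_v4_fingerprint(TOY_N, TOY_E, created_a)
    fpr_b = rsa_v4_fingerprint(TOY_N, TOY_E, created_b)
    return {
        "keygrip": rsa_keygrip(TOY_N),
        "fpr_a": fpr_a, "keyid_a": openpgp_keyid(fpr_a),
        "fpr_b": fpr_b, "keyid_b": openpgp_keyid(fpr_b),
    }


if __name__ == "__main__":
    # 1519772668 is the creation time of the card keys in the thread;
    # one second later is a hypothetical second import of the same key.
    for name, value in compare(1519772668, 1519772669).items():
        print(f"{name:8} {value}")
```

This is also why gpgsm cannot print an OpenPGP key ID on its own: from the keygrip alone there is no way back to a fingerprint, and a card key that was never wrapped in an OpenPGP packet has no fingerprint at all.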

Re: gpgsm --gen-key with key on smartcard

Werner Koch
In reply to this post by Thomas Jarosch
On Wed, 28 Feb 2018 10:56, [hidden email] said:

> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

gpgsm does and shall not know anything about OpenPGP.  Thus it can't
display OpenPGP information.  In theory we could display the fingerprint
of the OpenPGP card because they are stored along with the key on the
OpenPGP card - however, that would only work for the OpenPGP card and
not for any other card which is supported by gpgsm.

If you need this information a small tool to present an enhanced menu
could be written.  That tool would then utilize gpgsm and gpg.  GPA
might be a candidate to implement this.


Salam-Shalom,

   Werner

--
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by federal law.


Re: gpgsm --gen-key with key on smartcard

Thomas Jarosch
On Wednesday, 28 February 2018 14:50:39 CET Werner Koch wrote:
> If you need this information a small tool to present an enhanced menu
> could be written.  That tool would then utilize gpgsm and gpg.  GPA
> might be a candidate to implement this.

what do you think about Peter's idea:

$ gpg --with-keygrip --card-status


to show key ID -> keygrip mapping?

Or is that not easily possible protocol wise?
(I have zero knowledge about the keygrip stuff)

Cheers,
Thomas





Re: gpgsm --gen-key with key on smartcard

Werner Koch
On Wed, 28 Feb 2018 16:30, [hidden email] said:

> what do you think about Peter's idea:
>
> $ gpg --with-keygrip --card-status

If you use that with --with-colons you can also script this.

But that is about gpg and not about gpgsm.  gpgsm has no external card
interface because the expected use case is that pre-personalized cards
are used for X.509.


Shalom-Salam,

   Werner

--
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by federal law.


[FEATURE REQ] Keygrips in --card-status (was: gpgsm --gen-key with key on smartcard)

Peter Lebbing
On 28/02/18 20:59, Werner Koch wrote:
> But that is about gpg and not about gpgsm.

Currently, it's not that easy to get the keygrip for an OpenPGP
smartcard key.

For keys for which the public part is available, it's:
$ gpg --card-status
Note desired KEYID
$ gpg --with-keygrip -k $KEYID
Find the KEYID in the certificate listed and see the keygrip below it.

I have smartcards with Auth keys that are not part of an OpenPGP
certificate. For these and other cases where the public part is not in
the keyring, it's more difficult to get the keygrip. Probably something
like:
$ gpg-connect-agent 'keyinfo --list' /bye|grep 87061340
for my GnuK with serial FFFE 87061340.

So if --card-status would actually use the --with-keygrip option, it
would be much easier to look up the keygrip for an OpenPGP smartcard,
*especially* when the smartcard is not currently in use by gpg. Even
though the query is done by "gpg --card-status", it is more a feature
for OpenPGP smartcards regardless of whether they are used for OpenPGP keys.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>



Re: [FEATURE REQ] Keygrips in --card-status

Werner Koch
On Thu,  1 Mar 2018 13:06, [hidden email] said:

> So if --card-status would actually use the --with-keygrip option, it
> would be much easier to look up the keygrip for an OpenPGP smartcard,

Good suggestion.  Here is the output you will see in 2.2.6 when
--with-keygrip is used with --card-status:

Signature counter : 4604
Signature key ....: C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
      created ....: 2015-02-18 18:12:18
      keygrip ....: 1D538E0FA8DFC2ED7F0382ED25ADE1EF23D12C5C
Encryption key....: DC9D AC60 8A8F 118F D8D0  F332 F4EC 45F1 1B45 7A45
      created ....: 2016-02-14 13:12:34
      keygrip ....: EE5A80CF605C7B8A2402E9CB41B553F2E5069B33
Authentication key: 59CE FA65 05DF 817B 3FE9  8F57 A588 F0D2 ABD0 CAF6
      created ....: 2016-02-14 13:14:07
      keygrip ....: EE5A80CF605C7B8A2402E9CB41B553F2E5069B33

and the --with-colons output has an additional "grp:" record (even without
--with-keygrip).


Shalom-Salam,

   Werner


--
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are governed by federal law.

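
The grp: record Werner describes makes Thomas's original problem scriptable. As an added example (not code from the thread or from GnuPG), here is a Python script that parses `gpg --with-colons --card-status`, maps each keygrip to the OpenPGP fingerprint in the same card slot, and annotates the keygrip-only "Available keys" menu of `gpgsm --gen-key` with the key ID and slot usage. For GnuPG older than 2.2.6 it falls back to Peter's `gpg --with-keygrip -k` route, which only covers keys whose public part is in the keyring. The field layout assumed for the card-status fpr:/grp: records (one field per slot, in OPENPGP.1..3 order, empty for an empty slot) is an assumption; the sample outputs are constructed from the fingerprints, keygrips and menu quoted in the thread, with the auth key left out of the keyring sample on purpose.

```python
import subprocess

# Card slots as gpgsm names them, and what the OpenPGP card uses each for
SLOT_USAGE = {"OPENPGP.1": "sign", "OPENPGP.2": "encrypt", "OPENPGP.3": "auth"}


def keyid_of(fingerprint: str) -> str:
    """Long OpenPGP key ID: the low 64 bits (last 16 hex digits) of a v4 fingerprint."""
    return fingerprint[-16:]


def parse_card_status(colons: str) -> dict[str, str]:
    """keygrip -> fingerprint from `gpg --with-colons --card-status` (GnuPG >= 2.2.6).

    Assumed layout: the fpr: and grp: records each carry one field per slot, in
    the order OPENPGP.1, OPENPGP.2, OPENPGP.3; an empty field means an empty slot.
    """
    fprs = grps = None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            fprs = fields[1:4]
        elif fields[0] == "grp":
            grps = fields[1:4]
    if fprs is None:
        raise ValueError("no fpr: record; is a card inserted?")
    if grps is None:
        raise ValueError("no grp: record; this needs GnuPG >= 2.2.6")
    return {g.upper(): f.upper() for f, g in zip(fprs, grps) if f and g}


def parse_keyring_listing(colons: str) -> dict[str, str]:
    """Fallback for older GnuPG, covering only keys whose public part is in the
    keyring: keygrip -> fingerprint from `gpg --with-colons --with-keygrip -k`.
    There the grp: record follows the fpr: record of the same (sub)key and both
    carry their value in field 10."""
    pairs, fpr = {}, None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            fpr = fields[9].upper()
        elif fields[0] == "grp" and fpr:
            pairs[fields[9].upper()] = fpr
            fpr = None
    return pairs


def annotate_menu(menu: str, grip_to_fpr: dict[str, str]) -> list[str]:
    """Append key ID and slot usage to every '(n) KEYGRIP OPENPGP.n' line of the
    gpgsm --gen-key menu; other lines pass through unchanged."""
    out = []
    for line in menu.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].startswith("(") and len(parts[1]) == 40:
            fpr = grip_to_fpr.get(parts[1].upper())
            usage = SLOT_USAGE.get(parts[2], "unknown slot")
            tag = f"0x{keyid_of(fpr)} ({usage})" if fpr else "fingerprint unknown"
            out.append(f"{line}  <- {tag}")
        else:
            out.append(line)
    return out


def live_card_status() -> str:
    """Query the inserted card; the demo below uses the constructed sample instead."""
    return subprocess.run(["gpg", "--with-colons", "--card-status"],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample: the fpr/grp values are the ones quoted in the thread, the
# remaining records are illustrative and ignored by the parser.
SAMPLE_CARD_STATUS = """\
serial:00003E6D:
fpr:E6428DAC275A32475B59A16FA3E91268663A9918:7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E:7DA6B4FD7E63CA744BDCCE17A0066D009AD93260:
fprtime:1519772668:1519772668:1519772668:
grp:C9CD95DDF9B6430274F55168DE39877474DA66EE:9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428:24983DADCC9C49692D6BB30675967DD4B003957D:
"""

# Constructed keyring listing for the fallback; the auth key is deliberately
# absent, the case Peter describes (a card key that is in no OpenPGP certificate).
SAMPLE_KEYRING = """\
pub:u:2048:1:A3E91268663A9918:1519772668::::::scESC::::::::
fpr:::::::::E6428DAC275A32475B59A16FA3E91268663A9918:
grp:::::::::C9CD95DDF9B6430274F55168DE39877474DA66EE:
sub:u:2048:1:0B7CA078D0C4D69E:1519772668::::::e::::::::
fpr:::::::::7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E:
grp:::::::::9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428:
"""

# The menu exactly as quoted in the thread
SAMPLE_MENU = """\
Available keys:
   (1) C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
   (2) 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
   (3) 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
"""

if __name__ == "__main__":
    print("\n".join(annotate_menu(SAMPLE_MENU, parse_card_status(SAMPLE_CARD_STATUS))))
    print("\n".join(annotate_menu(SAMPLE_MENU, parse_keyring_listing(SAMPLE_KEYRING))))
```

To use it against a real card, replace SAMPLE_CARD_STATUS with live_card_status(); with a keygrip that is not in the mapping (older GnuPG and a key outside the keyring, or a non-OpenPGP card) the menu line is marked "fingerprint unknown" rather than guessed, which is the situation Thomas hit.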

Re: [FEATURE REQ] Keygrips in --card-status

Peter Lebbing
On 01/03/18 19:14, Werner Koch wrote:
> Good suggestion.  Here is the output you will see in 2.2.6 when
> --with-keygrip is used with --card-status:

Ah, great, thanks!

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

