Re: Fwd: gnupg SmartCard V3.3

2018-02-28 Thread NIIBE Yutaka
Hello,

Werner Koch  wrote:
> @gniibe: Do you have any more up to date information on macOS and
> smartcard readers?

If possible, I recommend using GnuPG's in-stock driver to access the
smartcard.  It is direct access by libusb, not using the PC/SC service.

For GNU/Linux, if you don't have any other use of PC/SC service, please
uninstall it, or disable the service, and try again with GnuPG's
in-stock driver.

For the driver, I maintain this list:

https://wiki.debian.org/GnuPG/CCID_Driver

For macOS, I think that it still uses old PC/SC and libccid library.
I'm afraid that new readers (with new features like pinpad support)
don't work well, or don't work at all.

I need macOS developers who build GnuPG with libusb.  Currently, GnuPG
scdaemon uses PC/SC service on macOS and Windows.  On GNU/Linux, people
can use both ways (in-stock driver or PC/SC).


> - Cherry GmbH SmartBoard XX44

  02 Short APDU level exchange

Because of this limitation, this reader cannot handle larger APDUs (~=
packets), which are needed for recent RSA key sizes.  You can still use it
with RSA-1024.

> -  KOBIL EMV CAP - SecOVID Reader III

  bPINSupport: 0x03
 PIN Verification supported
 PIN Modification supported

I'm afraid it doesn't work on macOS.

> - Alcor Micro AU9540 00 00

I had a bug report with this reader: 

https://dev.gnupg.org/T1947

I think it now works fine by GnuPG's in-stock driver on GNU/Linux.
Please test.

It seems that this reader has a problem in PC/SC service, and it's not
supported by PC/SC-lite + libccid.

   https://pcsclite.alioth.debian.org/ccid/unsupported.html#0x058F0x9540

*   *   *

Supporting users' freedom in computing (for their privacy in the digital
world), I need to have/collect/maintain knowledge of that hardware.

But... when there is a problem, it tends to be because of a bad firmware
implementation, which is proprietary.  In the proprietary world, the
practice is... to be "fixed" in the proprietary driver (rather than the
firmware).  But that "fix" has a tendency not to be published to users or
developers of free software.

For me, it's a pity that I somehow need to have knowledge of that
proprietary firmware.

Perhaps, someday, in free software, I will write a CCID reader
implementation which accesses the smartcard, by free software (I mean,
development environment), for free software (= GnuPG maintenance); then,
we can proceed to free firmware for the smartcard itself.

# About ten years ago, I didn't take that approach but a short cut, that
# was Gnuk.  The reason was that it was difficult to find hardware
# vendors which allowed developing a free firmware implementation of a
# smartcard.

Having a free CCID reader implementation still makes sense, to encourage
free firmware implementations of smartcards.  I'd like to work on some
part of it this year.
-- 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
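As an added example (not GnuPG's or libccid's code), the following Python decodes the two CCID class-descriptor fields behind the lines quoted in the reader list above, the exchange level in dwFeatures ("02 Short APDU level exchange") and the bPINSupport bits, so a reader can be checked for long-APDU support before it is trusted with larger RSA keys. The descriptor bytes are constructed; the field layout and bit values follow the USB CCID rev 1.1 specification.

```python
"""Decode the CCID class-descriptor fields that decide whether a reader can
carry the APDUs GnuPG needs (added example; layout per USB CCID rev 1.1)."""
import struct
from typing import Any, Dict

# dwFeatures bits 16..18 select the exchange level; exactly one must be set.
EXCHANGE_LEVELS = {
    0x00010000: "TPDU level exchange",
    0x00020000: "Short APDU level exchange",
    0x00040000: "Short and Extended APDU level exchange",
}
PIN_VERIFICATION = 0x01   # bPINSupport bit 0
PIN_MODIFICATION = 0x02   # bPINSupport bit 1
CCID_DESCRIPTOR_TYPE = 0x21
CCID_DESCRIPTOR_LEN = 54

# Fixed 54-byte little-endian layout of the Smart Card Device Class descriptor.
_LAYOUT = struct.Struct("<BBHBBIIIBIIBIIIIIBBHBB")
_FIELDS = (
    "bLength", "bDescriptorType", "bcdCCID", "bMaxSlotIndex",
    "bVoltageSupport", "dwProtocols", "dwDefaultClock", "dwMaximumClock",
    "bNumClockSupported", "dwDataRate", "dwMaxDataRate",
    "bNumDataRatesSupported", "dwMaxIFSD", "dwSynchProtocols",
    "dwMechanical", "dwFeatures", "dwMaxCCIDMessageLength",
    "bClassGetResponse", "bClassEnvelope", "wLcdLayout", "bPINSupport",
    "bMaxCCIDBusySlots",
)


def parse_ccid_descriptor(raw: bytes) -> Dict[str, Any]:
    """Unpack the descriptor and derive the properties the reader list talks about."""
    if (len(raw) < CCID_DESCRIPTOR_LEN or raw[0] != CCID_DESCRIPTOR_LEN
            or raw[1] != CCID_DESCRIPTOR_TYPE):
        raise ValueError("not a CCID class descriptor")
    fields = dict(zip(_FIELDS, _LAYOUT.unpack_from(raw)))
    level_bits = fields["dwFeatures"] & 0x00070000
    fields["exchange_level"] = EXCHANGE_LEVELS.get(level_bits, "unknown")
    # More or fewer than one level bit set is a firmware bug, not a feature.
    fields["exchange_level_valid"] = level_bits in EXCHANGE_LEVELS
    # A short-APDU-only reader frames APDUs itself and cannot carry long ones.
    fields["short_apdu_only"] = level_bits == 0x00020000
    fields["pin_verification"] = bool(fields["bPINSupport"] & PIN_VERIFICATION)
    fields["pin_modification"] = bool(fields["bPINSupport"] & PIN_MODIFICATION)
    return fields


def build_sample_descriptor(dw_features: int, pin_support: int) -> bytes:
    """Constructed descriptor; only the two fields under test carry meaning."""
    values = {
        "bLength": CCID_DESCRIPTOR_LEN, "bDescriptorType": CCID_DESCRIPTOR_TYPE,
        "bcdCCID": 0x0110, "bMaxSlotIndex": 0, "bVoltageSupport": 0x07,
        "dwProtocols": 0x03, "dwDefaultClock": 4000, "dwMaximumClock": 4000,
        "bNumClockSupported": 0, "dwDataRate": 9600, "dwMaxDataRate": 9600,
        "bNumDataRatesSupported": 0, "dwMaxIFSD": 254, "dwSynchProtocols": 0,
        "dwMechanical": 0, "dwFeatures": dw_features,
        "dwMaxCCIDMessageLength": 271, "bClassGetResponse": 0xFF,
        "bClassEnvelope": 0xFF, "wLcdLayout": 0, "bPINSupport": pin_support,
        "bMaxCCIDBusySlots": 1,
    }
    return _LAYOUT.pack(*(values[f] for f in _FIELDS))


def reader_verdict(fields: Dict[str, Any]) -> str:
    """One-line summary in the spirit of the reader list quoted above."""
    if not fields["exchange_level_valid"]:
        return "invalid exchange level in dwFeatures; treat the reader as broken"
    if fields["short_apdu_only"]:
        return fields["exchange_level"] + ": no long APDUs, larger RSA keys will fail"
    return fields["exchange_level"] + ": long APDUs possible, pinpad " + (
        "supported" if fields["pin_verification"] else "not supported")


if __name__ == "__main__":
    sample = build_sample_descriptor(0x00020000, PIN_VERIFICATION | PIN_MODIFICATION)
    print(reader_verdict(parse_ccid_descriptor(sample)))
```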


Re: gpgsm as a CA

2018-02-28 Thread Werner Koch
On Wed, 28 Feb 2018 18:57, andr...@andrewg.com said:

> Is there any support for using gpgsm as a certificate authority?

There is some basic support to create certificates:

   The format of the parameter file is described in the manual under
   "Unattended Usage".

   [...]

   This parameter file was used to create the STEED CA:
 Key-Type: RSA
 Key-Length: 1024
 Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
 Key-Usage: cert
 Serial: 1
 Name-DN: CN=The STEED Self-Signing Nonthority
 Not-Before: 2011-11-11
 Not-After: 2106-02-06
 Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
 Extension: 2.5.29.19 c 30060101ff020101
 Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
 Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
 %commit

Here a Root CA certificate is created.  However, the Signing-Key
parameter is a generic feature and thus it can also be used to let this
CA sign another key.  What's missing in gpgsm is a parser for the CSR
and code to filter the values of a CSR into a new certificate.  The
parser can be quite easily added; the other stuff needs some thinking.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
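An added example, not gpgsm's own code: it DER-decodes the Extension: values from the parameter file above (BasicConstraints, OID 2.5.29.19) and checks that a file meant for a CA really asserts cA=TRUE, marks the extension critical and includes cert in Key-Usage. The parameter file is embedded verbatim as sample input; the check function and its rules are this example's own.

```python
"""Decode the Extension: lines of a gpgsm --gen-key parameter file and check
that the file really describes a CA (added example, not gpgsm's own code)."""
from typing import Dict, List, Optional, Tuple

# The parameter file from the post, embedded verbatim as sample input.
PARAMS = """\
Key-Type: RSA
Key-Length: 1024
Key-Grip: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
Key-Usage: cert
Serial: 1
Name-DN: CN=The STEED Self-Signing Nonthority
Not-Before: 2011-11-11
Not-After: 2106-02-06
Subject-Key-Id: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
Extension: 2.5.29.19 c 30060101ff020101
Extension: 1.3.6.1.4.1.11591.2.2.2 n 0101ff
Signing-Key: 68A638998DFABAC510EA645CE34F9686B2EDF7EA
%commit
"""


def der_read(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:end], end


def decode_basic_constraints(der: bytes) -> Dict[str, Optional[int]]:
    """SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    result, pos = {"ca": 0, "pathlen": None}, 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        if tag == 0x01:      # BOOLEAN; DER encodes TRUE as exactly 0xFF
            result["ca"] = 1 if val == b"\xff" else 0
        elif tag == 0x02:    # INTEGER pathLenConstraint
            result["pathlen"] = int.from_bytes(val, "big", signed=True)
    return result


def param_values(params: str, key: str) -> List[str]:
    # All values of 'key: value' lines, in file order (keys are case-sensitive).
    return [line.split(":", 1)[1].strip() for line in params.splitlines()
            if line.split(":", 1)[0] == key]


def parse_extensions(params: str) -> List[Tuple[str, bool, bytes]]:
    # Each 'Extension: OID c|n HEX' line becomes (oid, critical, der_value).
    exts = []
    for value in param_values(params, "Extension"):
        oid, crit, hexval = value.split()
        exts.append((oid, crit == "c", bytes.fromhex(hexval)))
    return exts


def check_ca_params(params: str) -> List[str]:
    # Returns the problems that would leave the certificate unusable as a CA.
    problems = []
    bc = [e for e in parse_extensions(params) if e[0] == "2.5.29.19"]  # BasicConstraints
    if not bc:
        return ["no BasicConstraints extension, so the certificate is not a CA"]
    _, critical, der = bc[0]
    if not decode_basic_constraints(der)["ca"]:
        problems.append("BasicConstraints cA is FALSE")
    if not critical:
        problems.append("BasicConstraints is not marked critical ('c')")
    usages = {u.strip() for v in param_values(params, "Key-Usage") for u in v.split(",")}
    if "cert" not in usages:
        problems.append("Key-Usage does not include 'cert'")
    return problems
```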




Re: Issuing non self-signed certificate without having the private key in gpgsm keyring

2018-02-28 Thread Jean-Yves Migeon

On 2018-02-28 15:35, Werner Koch wrote:

> On Fri, 23 Feb 2018 19:21, j...@netbsd.org said:
>
>> ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign
>> certificate for which a public key has been imported but without an
>> associated private key to it (disregarding the self-signing
>
> What you do here is to create a CSR (Certificate Signing Request) for a new
> certificate.  This involves a signature done with the private key for
> the public key in that CSR.
>
>> gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35':
>> No such file or directory
>> gpgsm: error creating certificate request: No such file or directory
>
> You simply don't have that key.  What you enter there is the key grip.
> For example:
>
> [snip]
>
> If you enter the value in the last line at the prompt, the very same key
> would be used for a new certificate.

Hi Werner,

Thanks for taking the time to answer.

>> Would it make sense to relax the test in [1] and allow certificate
>> creation when we are not issuing a self-sign cert?
>
> That would violate the standard for creating a CSR.


Indeed. But that is not what I am asking.

I am actually attempting to have the CSR <> certificate issuance done in 
two different steps.


In some PKI setups, the CSR gets signed by the requesting entity and 
sent over to the CA. The CA then performs all kind of checks, including 
signature (through the pub provided in the CSR), then CA issues a 
certificate signed with its own private key which is then sent back to 
the requesting entity.


ATM --gen-key can issue CSR and issue self-signing certificates, but in 
addition it can generate non self-signed cert in batch mode when 
"Key-Grip" and "Signing-Key" are different (Key-Grip corresponding to 
the entity, whereas Signing-Key is the key-grip of the CA).


However the check performed in [1] does not offer this possibility 
trivially because it will check the presence of the "Key-Grip" entity 
private key, which is technically not needed there and may be absent. 
The CSR can have been generated elsewhere, and only the entity public 
key has been imported inside keyring (via a PEM file for example).


Thanks,

--
Jean-Yves Migeon



Re: gpgsm as a CA

2018-02-28 Thread Jean-Yves Migeon
> Hi, all.
> 
> Is there any support for using gpgsm as a certificate authority?

Hi,

FWIW I have put up a guide recently on how I achieved this with gpgsm +
an OpenPGP card for private key handling. You can drop the card thing if
you don't intend to use it and keep the private key instead.

https://github.com/jymigeon/gpgsm-as-ca

It is still a bit rough, I expect to expand it a bit in a few days.

All certificates I issue through this method work with the openssl
stacks we have around, so it is working from my PoV.

Did not investigate how to handle the CRL part though, and the X.509
extensions need a bit more work to be user-friendly, but you can safely
figure this out via openssl asn1parse.

-- 
Jean-Yves Migeon




Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Werner Koch
On Wed, 28 Feb 2018 16:30, thomas.jaro...@intra2net.com said:

> what do you think about Peter's idea:
>
> $ gpg --with-keygrip --card-status

If you use that with --with-colons you can also script this.

But that is about gpg and not about gpgsm.  gpgsm has no external card
interface because the expected use case is that pre-personalized cards
are used for X.509.


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




gpgsm as a CA

2018-02-28 Thread Andrew Gallagher
Hi, all.

Is there any support for using gpgsm as a certificate authority?

-- 
Andrew Gallagher





Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Thomas Jarosch
On Wednesday, 28 February 2018 14:50:39 CET Werner Koch wrote:
> If you need this information a small tool to present an enhanced menu
> could be written.  That tool would then utilize gpgsm and gpg.  GPA
> might be a candidate to implement this.

what do you think about Peter's idea:

$ gpg --with-keygrip --card-status


to show key ID -> keygrip mapping?

Or is that not easily possible protocol wise?
(I have zero knowledge about the keygrip stuff)

Cheers,
Thomas






Re: entropy gathering daemon

2018-02-28 Thread Werner Koch
On Wed, 28 Feb 2018 15:53, ed...@pettijohn-web.com said:

> for chroot'd programs that need it on a filesystem mounted nodev. I
> sent some patches awhile back to add arc4random_buf as the entropy
> gathering 'device'. Which I've been using with no problems since. And

In case you have a problem with scarce entropy you may want to add

only-urandom

to /etc/gcrypt/random.conf - in almost all cases this is okay for all
libgcrypt users.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Fwd: gnupg SmartCard V3.3

2018-02-28 Thread Werner Koch
On Tue, 27 Feb 2018 01:04, k...@glsys.de said:

> gpg2 --version is 2.1.11

That is a pretty old and somewhat buggy version which will likely have
problems with newer smartcards.

> Tried gpg (GnuPG/MacGPG2) 2.2.3
> on a completely different machine (mac)

That version is recent enough and as long as macOS is properly
configured for the card it will work.  You may want to ask over at
gpgtools.org, though.

> Tried three different card-reader:
> - Cherry GmbH SmartBoard XX44

IIRC that is the old Omnikey reader based keyboard.  I have one myself.
It does not work with 2048 bit keys unless you use their Windows driver.

> -  KOBIL EMV CAP - SecOVID Reader III

I am not sure which reader this is, I had to dump my Kobil reader a long
time ago when I moved to 2048 bit keys.  The problem is slightly
different than with Omnicard keys but I can't remember the details.

> - Alcor Micro AU9540 00 00

I am not sure about them.  Quite some time ago they simply did not work.

@gniibe: Do you have any more up to date information on macOS and
smartcard readers?


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Configuration for offline usage - best practice tips?

2018-02-28 Thread Werner Koch
On Fri, 23 Feb 2018 23:08, jc.gnupg...@unser.net said:

> Yes, that's what I plan to do, generate a subkey for each month in advance
> and use this to encrypt my backups.

That raises the question for us whether it will make sense to change

  --quick-add-key fpr [algo [usage [expire]]]

to add a new parameter "creationdate" to make it easier to create keys for
future periods.  The parameter controlled batch key generation already
allows for this.

Background: gpg will not consider a future encryption subkey so that
keys for the next period can instantly be distributed.

> these keys. That is, if I have to restore certain files from a backup, and
> the machine where the decryption happens might be compromised, I don't want
> all backups to be compromised in a single step. 

You may also want to look into gpg-agent remote feature which is
designed to protect your private key during restore operations.  Here is
an older description:



You don't need to use smartcards and the extra socket is meanwhile
configured by default.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: entropy gathering daemon

2018-02-28 Thread edgar

On Feb 28, 2018 8:22 AM, Werner Koch  wrote:
>
> On Sun,  4 Feb 2018 08:44, ed...@pettijohn-web.com said:
>
> > Is it no longer possible to use egd? Most of the info I can find seems
>
> If Libgcrypt has been configured with EGD support this should still
> work.  I have not tested it for more than a decade, though.
>
> Why do you want to use it?  Which OS does not support /dev/random and
> why don't you want to use the fallback rndunix driver in Libgcrypt.
>
>
> Shalom-Salam,
>
>    Werner
>

I overlooked the configure switches. Got it working. The use case is for
chroot'd programs that need it on a filesystem mounted nodev. I sent some
patches a while back to add arc4random_buf as the entropy gathering 'device',
which I've been using with no problems since. And it's a little faster than
going through the egd.

Thanks,

Edgar
>
> -- 
> #  Please read:  Daniel Ellsberg - The Doomsday Machine  #
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


Re: gnupg SmartCard V3.3

2018-02-28 Thread Thomas Jarosch
Hello Klaus,

On Tuesday, 27 February 2018 01:04:27 CET Klaus Römer wrote:
> I bought two V3.3 cards, but can't get them to work …
> the keytocard command does not move the key but copies it and further on the
> gpg2 --card-status -> fetch followed by gpg2 --card-status does not create
> the stub keys, so gpg2 --list-secret-keys does not show any keys ... I have
> the same (rsa4096) sub-key loaded to each slot 1,2,3 eg SEA and card-status
> does show them … gpg2 --version is 2.1.11
> 
> 
> I did further tests by calling gpg2 --card-edit -> generate with keylength
> 2048 and 4096 which fail with "card-error"
> 
> Tried gpg (GnuPG/MacGPG2) 2.2.3
> on a completely different machine (mac)
> 
> Tried the other card (I bought two with consecutive serial numbers)
> 
> Tried three different card-readers:
> - Cherry GmbH SmartBoard XX44
> -  KOBIL EMV CAP - SecOVID Reader III
> - Alcor Micro AU9540 00 00
> 
> Can anybody help?

I just tested an openpgp card V3.3 with a Cherry ST-2000 card reader
and a Reiner cyberJack Go. It successfully created keys on the card
and after a "factory-reset" command it also moved an existing key
to the card just fine. Signing and decryption worked, too.

Same thing with a V2.1 openpgp card.

All tests have been done on a Fedora 27 live USB stick
using gnupg 2.2.4.

Maybe try on a non-Mac computer to see if this is the issue?


If you want to give the Fedora 27 live CD a try, it might be good
to update the included gnupg 2.2.0 to 2.2.4 before starting:

  dnf update -y gnupg2 libassuan libgcrypt libgpg-error


Optionally: If you want "paperbackup" on the live system:

  dnf install -y git python3 python3-pillow PyX python3-qrencode enscript ghostscript zbar
  git clone https://github.com/intra2net/paperbackup.git

  See https://github.com/intra2net/paperbackup


With the Fedora live CD, all operations are done on a ramdisk.
Just remember to unplug the network cable once
you start the key generation process :)

HTH,
Thomas

--
Don't send emails here: jeffer...@intra2net.com






Re: Issuing non self-signed certificate without having the private key in gpgsm keyring

2018-02-28 Thread Werner Koch
On Fri, 23 Feb 2018 19:21, j...@netbsd.org said:

> ATM (with gpgsm (GnuPG) 2.2.4) , due to [1], gpgsm cannot sign
> certificate for which a public key has been imported but without an
> associated private key to it (disregarding the self-signing

What you do here is to create a CSR (Certificate Signing Request) for a new
certificate.  This involves a signature done with the private key for
the public key in that CSR.

> gpgsm: line 1: error getting key by keygrip 'D3513A1E...48E0BDB6D35':
> No such file or directory
> gpgsm: error creating certificate request: No such file or directory

You simply don't have that key.  What you enter there is the key grip.
For example:

$ gpgsm --with-keygrip -K 0x05B0DC50
   ID: 0x05B0DC50
  S/N: 2A821ECCEBFE1AFF
   Issuer: /CN=The STEED Self-Signing Nonthority
  Subject: /CN=John Steed
  aka: st...@itv.example.org.uk
 validity: 2011-12-06 20:30:46 through 2063-04-05 17:00:00
 key type: 1024 bit RSA
  fingerprint: EC:6E:9C:33:24:6A:6F:04:FC:98:89:9A:5A:25:73:9E:05:B0:DC:50
  keygrip: 254C073ED986EE4EA5F8059A753DAC1FFD245999

If you enter the value in the last line at the prompt, the very same key
would be used for a new certificate.

> Would it make sense to relax the test in [1] and allow certificate
> creation when we are not issuing a self-sign cert?

That would violate the standard for creating a CSR.


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Not enough information to check signature validity

2018-02-28 Thread Werner Koch
On Wed,  7 Feb 2018 23:59, marshallabr...@alumni.cmu.edu said:
> A friends had to re-install gpg4win as a result of a hard disk
> failure. Since then, all encrypted files received from her come with a
> warning "Not enough information to check signature validity." What can

You don't have her public key to verify the signature of the data.
It is common for OpenPGP to first sign the data and then encrypt this
signed data.  If gpg can't verify the signature after decryption your
frontend (Kleopatra, I guess) shows this message.

> I or she, do to eliminate this message?

You need to import her public key - that is commonly the same key you
use to encrypt data to her.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: entropy gathering daemon

2018-02-28 Thread Werner Koch
On Sun,  4 Feb 2018 08:44, ed...@pettijohn-web.com said:

> Is it no longer possible to use egd? Most of the info I can find seems

If Libgcrypt has been configured with EGD support this should still
work.  I have not tested it for more than a decade, though.

Why do you want to use it?  Which OS does not support /dev/random and
why don't you want to use the fallback rndunix driver in Libgcrypt?


Shalom-Salam,

   Werner


-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: initramfs - gpg decryption failed invalid IPC response

2018-02-28 Thread Werner Koch
On Wed, 31 Jan 2018 22:25, m...@davidlasek.eu said:

>     gpg (GnuPG) 2.2.4
>     libgcrypt 1.8.2
> And prints:
>
>gpg: encrypted with  RSA key, ID . created
> 
>
>gpg: public key decryption failed: Invalid IPC response
>
>gpg: decryption failed: No secret key

Can you please add 

  --verbose --debug=ipc

to the gpg invocation?  This will show the IPC and thus the invalid IPC
response.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-02-28 Thread Werner Koch
On Wed, 21 Feb 2018 07:27, b...@adversary.org said:

>> No, there is no way to configure an extra hack to also test a passphrase
>> for an ssh key.
>
> Wanna bet?

Oh no, I don't want to promote creative solutions of our complex API ;-)


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Werner Koch
On Wed, 28 Feb 2018 10:56, thomas.jaro...@intra2net.com said:

> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

gpgsm does and shall not know anything about OpenPGP.  Thus it can't
display OpenPGP information.  In theory we could display the fingerprint
of the OpenPGP card because they are stored along with the key on the
OpenPGP card - however, that would only work for the OpenPGP card and
not for any other card which is supported by gpgsm.

If you need this information a small tool to present an enhanced menu
could be written.  That tool would then utilize gpgsm and gpg.  GPA
might be a candidate to implement this.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Peter Lebbing
On 28/02/18 10:56, Thomas Jarosch wrote:
> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

I don't think that's possible: keygrips are "protocol" agnostic, but key
IDs are not. So while the keygrip is the same for S/MIME and OpenPGP,
key IDs are inherently an OpenPGP thing. It doesn't make sense to
select a "key ID" for an S/MIME key. That's what I mean by protocol here.

My suggestion would be that

$ gpg --with-keygrip --card-status

would include keygrips in the output (it doesn't do that currently).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 





Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Dirk Gottschalk via Gnupg-users
Hi.

On Wednesday, 28.02.2018, 10:56 +0100, Thomas Jarosch wrote:
> To me it seems it shows the 'keygrip' instead of the smartcard key
> IDs?

Yes, that's correct.


> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

I think this is not necessary, since you can see the keygrip using
"gpg2 -K --with-keygrip".

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350



gpgsm --gen-key with key on smartcard

2018-02-28 Thread Thomas Jarosch
Hello together,

gpgsm can be used to create X.509 certificates
for existing secret keys on an openpgp smartcard.


"gpg2 --card-status" looks like this:
*
..
Signature key : E642 8DAC 275A 3247 5B59  A16F A3E9 1268 663A 9918
  created : 2018-02-27 23:04:28
Encryption key: 7BD4 D616 869A DABA 40EE  92CE 0B7C A078 D0C4 D69E
  created : 2018-02-27 23:04:28
Authentication key: 7DA6 B4FD 7E63 CA74 4BDC  CE17 A006 6D00 9AD9 3260
  created : 2018-02-27 23:04:28
sec>  rsa2048/A3E91268663A9918  created: 2018-02-27  expires: never
card-no: 0005 3E6D
ssb>  rsa2048/A0066D009AD93260  created: 2018-02-27  expires: never
card-no: 0005 3E6D
ssb>  rsa2048/0B7CA078D0C4D69E  created: 2018-02-27  expires: never
card-no: 0005 3E6
*


When invoking

gpgsm --armor --output public.pem --gen-key

one can choose (3) to use an existing key on a smartcard.

The next menu presented is this:

*
Available keys:
   (1) C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
   (2) 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
   (3) 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
*

To me it seems it shows the 'keygrip' instead of the smartcard key IDs?


Debug output from gpgsm before the "available keys" prompt:
*
gpgsm: DBG: chan_5 <- S KEY-FPR 1 E6428DAC275A32475B59A16FA3E91268663A9918
gpgsm: DBG: chan_5 <- S KEY-FPR 2 7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E
gpgsm: DBG: chan_5 <- S KEY-FPR 3 7DA6B4FD7E63CA744BDCCE17A0066D009AD93260
gpgsm: DBG: chan_5 <- S KEY-TIME 1 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 2 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 3 1519772668
gpgsm: DBG: chan_5 <- S CHV-STATUS +0+32+32+32+3+0+3
gpgsm: DBG: chan_5 <- S SIG-COUNTER 4
gpgsm: DBG: chan_5 <- S KEYPAIRINFO C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
gpgsm: DBG: chan_5 <- OK
*

I guessed which key is the correct one from the gnupg 2.2.4 debug output.


When using a smartcard, what about showing the openpgp key IDs
in the "Available keys" menu?

Cheers,
Thomas
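An added example, not part of the post or of GnuPG: it parses the KEY-FPR and KEYPAIRINFO status lines from the debug output above and joins them per card slot, so a small wrapper tool could show the OpenPGP key ID (the low 64 bits of the v4 fingerprint) next to each keygrip in the "Available keys" menu. The debug lines are embedded as sample input, with the two KEYPAIRINFO lines that the mail client wrapped rejoined.

```python
"""Join scdaemon KEY-FPR and KEYPAIRINFO status lines per card slot so a menu
can show the OpenPGP key ID beside the keygrip (added example, not GnuPG)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# The --debug=ipc lines from the post, embedded as sample input; the two
# KEYPAIRINFO lines that the mail client wrapped are rejoined here.
SAMPLE_DEBUG = """\
gpgsm: DBG: chan_5 <- S KEY-FPR 1 E6428DAC275A32475B59A16FA3E91268663A9918
gpgsm: DBG: chan_5 <- S KEY-FPR 2 7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E
gpgsm: DBG: chan_5 <- S KEY-FPR 3 7DA6B4FD7E63CA744BDCCE17A0066D009AD93260
gpgsm: DBG: chan_5 <- S KEY-TIME 1 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 2 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 3 1519772668
gpgsm: DBG: chan_5 <- S CHV-STATUS +0+32+32+32+3+0+3
gpgsm: DBG: chan_5 <- S SIG-COUNTER 4
gpgsm: DBG: chan_5 <- S KEYPAIRINFO C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
gpgsm: DBG: chan_5 <- OK
"""

# Only the status payload after "<- S " matters; the chan_N prefix varies.
STATUS_RE = re.compile(r"<- S (?P<keyword>[A-Z-]+) (?P<args>.*)$")
HEX40 = re.compile(r"^[0-9A-F]{40}$")


@dataclass
class SlotInfo:
    slot: int
    fingerprint: str = ""   # OpenPGP v4 fingerprint of the key in this slot
    keygrip: str = ""       # protocol-agnostic keygrip gpgsm shows in its menu
    created: int = 0        # KEY-TIME, seconds since the epoch

    @property
    def keyid(self) -> str:
        # The long key ID is the low-order 64 bits of the v4 fingerprint.
        return self.fingerprint[-16:]


def parse_status_lines(text: str) -> Dict[int, SlotInfo]:
    slots: Dict[int, SlotInfo] = {}
    for line in text.splitlines():
        m = STATUS_RE.search(line)
        if not m:
            continue
        kw, args = m.group("keyword"), m.group("args").split()
        if kw == "KEY-FPR" and len(args) == 2 and HEX40.match(args[1]):
            slots.setdefault(int(args[0]), SlotInfo(int(args[0]))).fingerprint = args[1]
        elif kw == "KEY-TIME" and len(args) == 2:
            slots.setdefault(int(args[0]), SlotInfo(int(args[0]))).created = int(args[1])
        elif kw == "KEYPAIRINFO" and len(args) >= 2 and HEX40.match(args[0]):
            # The second token is the card key reference, e.g. OPENPGP.2.
            ref = args[1]
            if ref.startswith("OPENPGP.") and ref[8:].isdigit():
                n = int(ref[8:])
                slots.setdefault(n, SlotInfo(n)).keygrip = args[0]
    return slots


def available_keys_menu(slots: Dict[int, SlotInfo]) -> List[str]:
    """The gpgsm 'Available keys' entries, each extended with the key ID."""
    return [f"({n}) {s.keygrip} OPENPGP.{n}  keyid {s.keyid or '?'}"
            for n, s in sorted(slots.items())]


if __name__ == "__main__":
    for entry in available_keys_menu(parse_status_lines(SAMPLE_DEBUG)):
        print(entry)
```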



