Re: Again: Writing DER certificates to ZeitControl Cards

2018-04-05 Thread Werner Koch
On Tue,  3 Apr 2018 00:47, gnupg-users@gnupg.org said:

> By the way, I am using a ReinerSCT CyberJack RFID Standard via PCSCd.
> Perhaps this is the source of my problems. Unfortunately I didn't get

Reiner readers are a problem.  That company does not provide any
documentation for their readers, uses lots of proprietary extensions and
relies on their own proprietary drivers.  Further, some of their readers
have way too much functionality to act as a simple interface from a card
to a computer and thus offer much more attack surface than other "dumber"
readers.  Save your time and get another reader.


Salam-Shalom,

   Werner


-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Again: Writing DER certificates to ZeitControl Cards

2018-04-02 Thread Dirk Gottschalk via Gnupg-users
Hi.

On Monday, 02.04.2018, 13:43 +0100, Damien Goutte-Gattat via
Gnupg-users wrote:

> $ gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP'
> S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0

> The value you are interested in is "mcl3". In this example, it says
> that the Yubikey NEO allows for a 1216-byte certificate.

Thanks for your advice. The output of the command for my card tells
that a cert can have up to 2048 bytes which is 2kB. The file I want to
store is about 1.8kB so this seems not to be the problem.

By the way, I am using a ReinerSCT CyberJack RFID Standard via PCSCd.
Perhaps this is the source of my problems. Unfortunately I didn't get
the internal CCID driver to work with this reader. I have to check if
it is compiled in in my distribution's package and if it even would work
with my reader.

Regards,
Dirk


-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350



Re: Again: Writing DER certificates to ZeitControl Cards

2018-04-02 Thread Damien Goutte-Gattat via Gnupg-users

On 04/02/2018 01:10 AM, NIIBE Yutaka wrote:

> Most likely, the length of certificate matters.  If you can minimize
> your certificate, please try.  I don't know the limitation for the card.


I don't know for the v3.3 card, but v2.1 cards allow for a 2048-byte
certificate (at least mine does, but maybe this has changed between
different production runs?).


One way of finding the max allowed size is the following command (here 
tested with a Yubikey NEO):


$ gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP'
S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0

The value you are interested in is "mcl3". In this example, it says that
the Yubikey NEO allows for a 1216-byte certificate.



Damien
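
The mcl3 check described in the message above, as an added example that is
not part of the original post: it parses an "S EXTCAP" status line and
compares a certificate size against the reported limit. The function names
extcap_field and cert_fits are hypothetical, and the sample line is the
Yubikey NEO output quoted in the message.

```sh
#!/bin/sh
# Added example: compare a DER certificate's size with the card's "mcl3" limit.

# Constructed sample input: the EXTCAP status line quoted in the message.
SAMPLE_EXTCAP='S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0'

# extcap_field LINE KEY: print the value of KEY from an "S EXTCAP" line.
# Returns 1 if LINE is not an EXTCAP line or KEY is not present.
extcap_field() {
    _line=$1 _key=$2
    case $_line in
        'S EXTCAP '*) ;;
        *) return 1 ;;
    esac
    # Fields are "key=value" pairs joined by '+'; walk them one at a time.
    _rest="${_line#S EXTCAP }+"
    while [ -n "$_rest" ]; do
        _kv=${_rest%%+*}
        _rest=${_rest#*+}
        if [ "${_kv%%=*}" = "$_key" ]; then
            printf '%s\n' "${_kv#*=}"
            return 0
        fi
    done
    return 1
}

# cert_fits SIZE_BYTES EXTCAP_LINE
# Exit status: 0 = fits, 1 = too large, 2 = no usable mcl3 value reported.
cert_fits() {
    _max=$(extcap_field "$2" mcl3) || return 2
    case $_max in ''|*[!0-9]*) return 2 ;; esac
    [ "$1" -le "$_max" ]
}

# Against a real card: sh thisfile.sh cert.der
if [ $# -eq 1 ] && [ -f "$1" ]; then
    extcap=$(gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP')
    size=$(($(wc -c < "$1")))   # arithmetic strips any padding from wc
    if cert_fits "$size" "$extcap"; then
        echo "$1: $size bytes, within the card's mcl3 limit"
    else
        echo "$1: $size bytes, too large or mcl3 not reported" >&2
        exit 1
    fi
fi
```

A passing size check only rules out the length limit; a reader or driver
problem can still make the write fail.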





Re: Again: Writing DER certificates to ZeitControl Cards

2018-04-01 Thread NIIBE Yutaka
Dirk Gottschalk via Gnupg-users  wrote:
> I asked this Question a while ago, but unfortunately didn't get any
> response. So, I ask again and I'm in hope that somebody here knows any
> Answer to this. I just want to know if the cards do not support it, or
> is something wrong with my setup?

Most likely, the length of certificate matters.  If you can minimize
your certificate, please try.  I don't know the limitation for the card.
In the case of my own implementation, I can only support data of less than
2048 bytes.

> Are these cards not capable of getting certs written on, or am I
> missing something?

FWIW, let me explain my opinion.  This might be irrelevant to the
implementation on ZeitControl Card, though.

The feature is one of the most difficult parts for an implementer of
an OpenPGP card.  For my own implementation, I cannot implement it fully,
because of the possibility of larger size.  So, users of Gnuk Token have
to use a special tool to write a certificate, while reading is OK.

Since the feature is questionable for me (no real good use case), I even
put a compile time option for Gnuk to disable it, and that's the
default now.


Again: Writing DER certificates to ZeitControl Cards

2018-03-31 Thread Dirk Gottschalk via Gnupg-users
Hello.

I asked this Question a while ago, but unfortunately didn't get any
response. So, I ask again and I'm in hope that somebody here knows any
Answer to this. I just want to know if the cards do not support it, or
is something wrong with my setup?

I'm trying to import certificates in DER format to Zeitcontrol OpenPGP-
Cards (v2.1 and v3.3) and get this error message:

gpg/card> writecert 3 < cert.der
gpg: error writing certificate to card: Kartenfehler

The last word says "card error".

Are these cards not capable of getting certs written on, or am I
missing something?

The Admin-Pin is correct, so this could not be the problem.

By the way, I'm using a ReinerSCT CyberJack RFID standard via PCSCd.
Anything works well, except for writing x509 certificates in DER format
to the card.

Regards,
Dirk



Writing DER certificates to Zeitcontrol Cards

2018-03-23 Thread Dirk Gottschalk via Gnupg-users
Hello.

Yes, it's me again with another question.

I'm trying to import certificates in DER format to Zeitcontrol OpenPGP-
Cards (v2.1 and v3.3) and get this error message:

gpg/card> writecert 3 < cert.der
gpg: error writing certificate to card: Kartenfehler

The last word says "card error".

Are these cards not capable of getting certs written on, or am I missing 
something?

The Admin-Pin is correct, so this could not be the problem.

Regards,
Dirk
