Re: gnupg SmartCard V3.3

2018-03-01 Thread Werner Koch
On Thu,  1 Mar 2018 10:08, k...@glsys.de said:

> I found this ct 2017-10 (German computer magazine) article,
> where they claim the reader to be working with the OpenPGP smartcard Version 2.1
> by transferring precreated 4096-bit keys. This is exactly what I am

Well most drivers work on Windows because they fix them using their
Windows drivers.  This does not work on Linux because there is no
generic (and proprietary) driver for them.

> So either I am doing something stupid or the V3.3 card incorporated changes
> which broke this.
> I ordered another reader and asked if it would be possible to buy some
> 2.1 cards for cross-testing, but it seems they would have to be

The interface part of the 3.3 cards is not different from the 2.1 cards;
the changes are just in the OpenPGP card application, whose counterpart
is in GnuPG.

> Can anybody suggest how I could further debug the --card-edit and
> --card-status to find out why the stubs are not being generated?

Now, are you on 2.1.11 or 2.2.3?


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: gnupg SmartCard V3.3

2018-03-01 Thread Klaus Römer
Thank you all for the support!
The mail about needing support for the V3.3 cards in opensc pointed me in the
right direction.
I relied on the information that the V3.3 is backwards compatible to the V2.1
but this does not seem to be the case.
Compiling a fresh gpg 2.2.5 with --enable-ccid-driver from source did the
trick for the Linux machines.

Kind Regards,
 Klaus Römer




Re: gnupg SmartCard V3.3

2018-03-01 Thread Thomas Jarosch
Hello Klaus,

On Thursday, 01 March 2018 10:08:14 CET Klaus Römer wrote:
> This is my target device because it is built-in in our laptops,
> I found this ct 2017-10 (German computer magazine) article,
> where they claim the reader to be working with the OpenPGP smartcard Version
> 2.1 by transferring precreated 4096-bit keys. This is exactly what I am
> trying to do - and it seems to work, only the stub keys are not being
> generated…
> 
> So either I am doing something stupid or the V3.3 card incorporated changes
> which broke this. I ordered another reader and asked if it would be
> possible to buy some 2.1 cards for cross-testing, but it seems they would
> have to be manufactured as they are out of stock.

Today I'm also setting up a bunch of V3.3 cards.

There is indeed a problem: OpenSC added support for the new cards just
in the current git HEAD version. See:
https://github.com/OpenSC/OpenSC/issues/1215

-> we compiled opensc from git on Fedora and are now able to talk to the card.

You might be affected by this if gnupg talks to the card
via opensc instead of the builtin libusb based CCID driver.
(that's what NIIBE Yutaka suspected in his reply)

HTH,
Thomas






Re: gnupg SmartCard V3.3

2018-03-01 Thread Klaus Römer

> On 28.02.2018 at 15:56, Werner Koch wrote:
> 
> On Tue, 27 Feb 2018 01:04, k...@glsys.de said:
> 
>> gpg2 --version is 2.1.11
> 
> That is a pretty old and somewhat buggy version which will likely have
> problems with newer smartcards.
> 
>> Tried gpg (GnuPG/MacGPG2) 2.2.3
>> on a completely different machine (mac)
> 
> That version is recent enough and as long as macOS is properly
> configured for the card it will work.  You may want to ask over at
> gpgtools.org, though.
> 
>> Tried three different card-reader:
>> - Cherry GmbH SmartBoard XX44
> 
> IIRC that is the old Omnikey reader based keyboard.  I have one myself.
> It does not work with 2048 bit keys unless you use their Windows driver.
> 
>> -  KOBIL EMV CAP - SecOVID Reader III
> 
> I am not sure which reader this is, I had to dump my Kobil reader a long
> time ago when I moved to 2048 bit keys.  The problem is slightly
> different than with Omnicard keys but I can't remember the details.
> 
>> - Alcor Micro AU9540 00 00
> 
> I am not sure about them.  Quite some time ago they simply did not work.

This is my target device because it is built-in in our laptops,
I found this ct 2017-10 (German computer magazine) article,
where they claim the reader to be working with the OpenPGP smartcard Version 2.1
by transferring precreated 4096-bit keys. This is exactly what I am trying to do
- and it seems to work, only the stub keys are not being generated…

So either I am doing something stupid or the V3.3 card incorporated changes
which broke this.
I ordered another reader and asked if it would be possible to buy some 2.1
cards for cross-testing, but it seems they would have to be manufactured as
they are out of stock.

Can anybody suggest how I could further debug the --card-edit and --card-status
to find out why the stubs are not being generated?

Kind Regards,
 Klaus


> 
> @gniibe: Do you have any more up to date information on macOS and
> smartcard readers?
> 
> 
> Shalom-Salam,
> 
>   Werner
> 
> -- 
> #  Please read:  Daniel Ellsberg - The Doomsday Machine  #
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: Fwd: gnupg SmartCard V3.3

2018-03-01 Thread Matthias Apitz
On Thursday, March 01, 2018 at 09:14:15AM +0900, NIIBE Yutaka wrote:

> Hello,
> 
> Werner Koch  wrote:
> > @gniibe: Do you have any more up to date information on macOS and
> > smartcard readers?
> 
> If possible, I recommend to use GnuPG's in-stock driver to access
> smartcard.  It is direct access by libusb, not using PC/SC service.
> 
> For GNU/Linux, if you don't have any other use of PC/SC service, please
> uninstall it, or disable the service, and try again with GnuPG's
> in-stock driver.
> 
> For the driver, I maintain this list:
> 
> https://wiki.debian.org/GnuPG/CCID_Driver
> 
> For macOS, I think that it still uses old PC/SC and libccid library.
> I'm afraid that new readers (with new features like pinpad support)
> don't work well, or don't work at all.
> 

Hello,

I do use the following USB token on FreeBSD-12 CURRENT and the 'pcscd'
is configured to be started by devd on device attach:

Mar  1 08:00:56 r314251-amd64 kernel: ugen0.2:  at usbus0
Mar  1 08:00:56 r314251-amd64 root: CCID uTrust, type: ATTACH, system: USB, subsystem: INTERFACE
Mar  1 08:00:56 r314251-amd64 root: /usr/local/sbin/pcscd
Mar  1 08:00:56 r314251-amd64 root: Unknown USB device: vendor 0x04e6 product 0x5816 bus uhub0

The OpenPGP card works fine as:

$ gpg2 --card-status

Reader ...: Identiv uTrust 3512 SAM slot Token (55511514602745) 00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
...

Do I have any chance to use the USB token and the card directly without
'pcscd'?

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/   
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub



Re: Fwd: gnupg SmartCard V3.3

2018-02-28 Thread NIIBE Yutaka
Hello,

Werner Koch  wrote:
> @gniibe: Do you have any more up to date information on macOS and
> smartcard readers?

If possible, I recommend to use GnuPG's in-stock driver to access
smartcard.  It is direct access by libusb, not using PC/SC service.

For GNU/Linux, if you don't have any other use of PC/SC service, please
uninstall it, or disable the service, and try again with GnuPG's
in-stock driver.

For the driver, I maintain this list:

https://wiki.debian.org/GnuPG/CCID_Driver

For macOS, I think that it still uses old PC/SC and libccid library.
I'm afraid that new readers (with new features like pinpad support)
don't work well, or don't work at all.

I need macOS developers who build GnuPG with libusb.  Currently, GnuPG
scdaemon uses PC/SC service on macOS and Windows.  On GNU/Linux, people
can use both ways (in-stock driver or PC/SC).


> - Cherry GmbH SmartBoard XX44

  02 Short APDU level exchange

Because of this limitation, this reader cannot handle larger APDU (~=
packet), which is needed for recent RSA key size.  You can still use it
with RSA-1024.

> -  KOBIL EMV CAP - SecOVID Reader III

  bPINSupport: 0x03
 PIN Verification supported
 PIN Modification supported

I'm afraid it doesn't work on macOS.

> - Alcor Micro AU9540 00 00

I had a bug report with this reader: 

https://dev.gnupg.org/T1947

I think it now works fine by GnuPG's in-stock driver on GNU/Linux.
Please test.

It seems that this reader has a problem in PC/SC service, and it's not
supported by PC/SC-lite + libccid.

   https://pcsclite.alioth.debian.org/ccid/unsupported.html#0x058F0x9540

*   *   *

Supporting users' freedom on computing (for their privacy in digital
world), I need to have/collect/maintain knowledge of that hardware.

But... when there is a problem, it tends to be because of bad firmware
implementation, which is proprietary.  In the proprietary world, the
practice is... to be "fixed" in the proprietary driver (rather than the
firmware).  But that "fix" has tendency not to be published to users or
developers of free software.

For me, it's a pity that I somehow need to have knowledge around those
proprietary firmware.

Perhaps, someday, in free software, I will write CCID reader
implementation which accesses smartcard, by free software (I mean,
development environment), for free software (= GnuPG maintenance); Then,
we can proceed to free firmware of smartcard itself.

# About ten years ago, I didn't take that approach but a short cut, that
# was Gnuk.  The reason was that it was difficult to find hardware
# vendors which allowed developing free firmware implementation of
# smartcard.

Having free CCID reader implementation still makes sense, to encourage
free firmware implementation of smartcard.  I'd like to work for some
part this year.
-- 
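
The two reader capabilities quoted in the message above ("Short APDU level exchange" and bPINSupport) come from the reader's USB CCID class descriptor. The following is an added example, not part of the original thread and not GnuPG code: it decodes those fields from a raw 54-byte descriptor, using the field offsets of the USB CCID specification. The helper names and the two sample descriptors are constructed for illustration.

```python
import struct

CCID_DESC_LEN = 0x36    # bLength of a CCID class descriptor (54 bytes)
CCID_DESC_TYPE = 0x21   # bDescriptorType of a CCID class descriptor

# dwFeatures (offset 40) carries the exchange level in bits 16..18.
EXCHANGE_LEVELS = {
    0x00000000: "character",
    0x00010000: "TPDU",
    0x00020000: "short APDU",
    0x00040000: "short and extended APDU",
}
# bPINSupport (offset 52): bit 0 = verification, bit 1 = modification.
PIN_BITS = {0x01: "PIN Verification supported",
            0x02: "PIN Modification supported"}


def parse_ccid_descriptor(raw: bytes) -> dict:
    """Decode the reader capabilities that decide which APDU sizes pass."""
    if len(raw) < CCID_DESC_LEN or raw[0] != CCID_DESC_LEN or raw[1] != CCID_DESC_TYPE:
        raise ValueError("not a 54-byte CCID class descriptor")
    features, max_msg = struct.unpack_from("<II", raw, 40)
    level = EXCHANGE_LEVELS.get(features & 0x00070000, "unknown")
    return {
        "exchange_level": level,
        "max_message_length": max_msg,   # dwMaxCCIDMessageLength
        "pin_support": [n for bit, n in PIN_BITS.items() if raw[52] & bit],
        # A short-APDU-level reader cannot pass extended-length APDUs.
        "short_apdu_only": level == "short APDU",
    }


def make_descriptor(features: int, max_msg: int, pin: int) -> bytes:
    """Build a constructed descriptor; fields not decoded above stay zero."""
    raw = bytearray(CCID_DESC_LEN)
    raw[0], raw[1] = CCID_DESC_LEN, CCID_DESC_TYPE
    struct.pack_into("<II", raw, 40, features, max_msg)
    raw[52] = pin
    return bytes(raw)


# Constructed samples, not dumps taken from the readers named in the thread.
SHORT_APDU_READER = make_descriptor(0x00020840, 271, 0x00)
EXTENDED_READER = make_descriptor(0x00040840, 65544, 0x03)

if __name__ == "__main__":
    for name, raw in (("short", SHORT_APDU_READER), ("extended", EXTENDED_READER)):
        print(name, parse_ccid_descriptor(raw))
```
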



Re: Fwd: gnupg SmartCard V3.3

2018-02-28 Thread Werner Koch
On Tue, 27 Feb 2018 01:04, k...@glsys.de said:

> gpg2 --version is 2.1.11

That is a pretty old and somewhat buggy version which will likely have
problems with newer smartcards.

> Tried gpg (GnuPG/MacGPG2) 2.2.3
> on a completely different machine (mac)

That version is recent enough and as long as macOS is properly
configured for the card it will work.  You may want to ask over at
gpgtools.org, though.

> Tried three different card-reader:
> - Cherry GmbH SmartBoard XX44

IIRC that is the old Omnikey reader based keyboard.  I have one myself.
It does not work with 2048 bit keys unless you use their Windows driver.

> -  KOBIL EMV CAP - SecOVID Reader III

I am not sure which reader this is, I had to dump my Kobil reader a long
time ago when I moved to 2048 bit keys.  The problem is slightly
different than with Omnicard keys but I can't remember the details.

> - Alcor Micro AU9540 00 00

I am not sure about them.  Quite some time ago they simply did not work.

@gniibe: Do you have any more up to date information on macOS and
smartcard readers?


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.




Re: gnupg SmartCard V3.3

2018-02-28 Thread Thomas Jarosch
Hello Klaus,

On Tuesday, 27 February 2018 01:04:27 CET Klaus Römer wrote:
> I bought two V3.3 cards, but can't get them to work …
> the keytocard command does not move the key but copies it, and further on the
> gpg2 --card-status -> fetch followed by gpg2 --card-status does not create
> the stub keys, so gpg2 --list-secret-keys does not show any keys ... I have
> the same (rsa4096) sub-key loaded to each slot 1,2,3 e.g. SEA and card-status
> does show them … gpg2 --version is 2.1.11
> 
> 
> I did further tests by calling gpg2 --card-edit -> generate with keylength
> 2048 and 4096 which fail with „card-error“
> 
> Tried gpg (GnuPG/MacGPG2) 2.2.3
> on a completely different machine (mac)
> 
> Tried the other card (i bought two with consecutive serial numbers)
> 
> Tried three different card-reader:
> - Cherry GmbH SmartBoard XX44
> -  KOBIL EMV CAP - SecOVID Reader III
> - Alcor Micro AU9540 00 00
> 
> Can anybody help?

I just tested an openpgp card V3.3 with a Cherry ST-2000 card reader
and a Reiner cyberJack Go. It successfully created keys on the card
and after a "factory-reset" command it also moved an existing key
to the card just fine. Signing and decryption worked, too.

Same thing with a V2.1 openpgp card.

All tests have been done on a Fedora 27 live USB stick
using gnupg 2.2.4.

Maybe try on a non-Mac computer to see if this is the issue?


If you want to give the Fedora 27 live CD a try, it might be good
to update the included gnupg 2.2.0 to 2.2.4 before starting:

  dnf update -y gnupg2 libassuan libgcrypt libgpg-error


Optionally: If you want "paperbackup" on the live system:

  dnf install -y git python3 python3-pillow PyX python3-qrencode enscript ghostscript zbar
  git clone https://github.com/intra2net/paperbackup.git

  See https://github.com/intra2net/paperbackup


With the Fedora live CD, all operations are done on a ramdisk.
Just remember to unplug the network cable once
you start the key generation process :)

HTH,
Thomas

--
Don't send emails here: jeffer...@intra2net.com






Fwd: gnupg SmartCard V3.3

2018-02-26 Thread Klaus Römer

Hello,
I bought two V3.3 cards, but can't get them to work …
the keytocard command does not move the key but copies it, and further on the
gpg2 --card-status -> fetch
followed by gpg2 --card-status does not create the stub keys, so
gpg2 --list-secret-keys does not show any keys ...
I have the same (rsa4096) sub-key loaded to each slot 1,2,3 e.g. SEA and
card-status does show them …
gpg2 --version is 2.1.11


I did further tests by calling gpg2 --card-edit -> generate with keylength 2048
and 4096 which fail with „card-error“

Tried gpg (GnuPG/MacGPG2) 2.2.3
on a completely different machine (mac)

Tried the other card (i bought two with consecutive serial numbers)

Tried three different card-reader:
- Cherry GmbH SmartBoard XX44
-  KOBIL EMV CAP - SecOVID Reader III
- Alcor Micro AU9540 00 00

Can anybody help?

Kind Regards,
Klaus
