[FEATURE REQ] Keygrips in --card-status (was: gpgsm --gen-key with key on smartcard)

2018-03-01 Thread Peter Lebbing 
On 28/02/18 20:59, Werner Koch wrote:
> But that is about gpg and not about gpgsm.

Currently, it's not that easy to get the keygrip for an OpenPGP
smartcard key.

For keys for which the public part is available, it's:
$ gpg --card-status
Note desired KEYID
$ gpg --with-keygrip -k $KEYID
Find the KEYID in the certificate listed and see the keygrip below it.

I have smartcards with Auth keys that are not part of an OpenPGP
certificate. For these and other cases where the public part is not in
the keyring, it's more difficult to get the keygrip. Probably something
like:
$ gpg-connect-agent 'keyinfo --list' /bye|grep 87061340
for my GnuK with serial FFFE 87061340.

So if --card-status would actually use the --with-keygrip option, it
would be much easier to look up the keygrip for an OpenPGP smartcard,
*especially* when the smartcard is not currently in use by gpg. Even
though the query is done by "gpg --card-status", it is more a feature
for OpenPGP smartcards regardless of whether they are used for OpenPGP keys.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Werner Koch 
On Wed, 28 Feb 2018 16:30, thomas.jaro...@intra2net.com said:

> what do you think about Peter's idea:
>
> $ gpg --with-keygrip --card-status

If you use that with --with-colons you can also script this.

But that is about gpg and not about gpgsm.  gpgsm has no external card
interface because the expected use case is that pre-presonalized cards
are used for X.509.


Shalom-Salam,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpPti8yjxDWD.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Thomas Jarosch 
On Wednesday, 28 February 2018 14:50:39 CET Werner Koch wrote:
> If you need this information a small tool to present an enhanced menu
> could be written.  That tool would then utilize gpgsm and gpg.  GPA
> might be a candidate to implement this.

what do you think about Peter's idea:

$ gpg --with-keygrip --card-status


to show key ID -> keygrip mapping?

Or is that not easily possible protocol wise?
(I have zero knowledge about the keygrip stuff)

Cheers,
Thomas




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Werner Koch 
On Wed, 28 Feb 2018 10:56, thomas.jaro...@intra2net.com said:

> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

gpgsm does and shall not know anything about OpenPGP.  Thus it can't
display OpenPGP information.  In theory we could display the fingerprint
of the OpenPGP card because they are stored along with the key on the
OpenPGP card - however, that would only work for the OpenPGP card and
not for any other card which is supported by gpgsm.

If you need this information a small tool to present an enhanced menu
could be written.  That tool would then utilize gpgsm and gpg.  GPA
might be a candidate to implement this.


Salam-Shalom,

   Werner

-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.


pgpgp6gCtilrW.pgp
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Peter Lebbing 
On 28/02/18 10:56, Thomas Jarosch wrote:
> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

I don't think that's possible: keygrips are "protocol" agnostic, but key
IDs are not. So while the keygrip is the same for S/MIME and OpenPGP,
key ID's are inherently an OpenPGP thing. It doesn't make sense to
select a "key ID" for an S/MIME key. That's what I mean by protocol here.

My suggestion would be that

$ gpg --with-keygrip --card-status

would include keygrips in the output (it doesn't do that currently).

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: gpgsm --gen-key with key on smartcard

2018-02-28 Thread Dirk Gottschalk via Gnupg-users 
Hi.

Am Mittwoch, den 28.02.2018, 10:56 +0100 schrieb Thomas Jarosch:
> To me it seems it shows the 'keygrip' instead of the smartcard key
> IDs?

Yes, that's correct.


> When using a smartcard, what about showing the openpgp key IDs
> in the "Available keys" menu?

I think this is not neccessary, since you can see the keygrip using
"gpg2 -K --with-Keygrip".

Regards,
Dirk

-- 
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350

signature.asc
Description: This is a digitally signed message part
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

gpgsm --gen-key with key on smartcard

2018-02-28 Thread Thomas Jarosch 
Hello together,

gpgsm can be used to create X.509 certificates
for existing secret keys on a openpgp smartcard.


"gpg2 --card-status" looks like this:
*
..
Signature key : E642 8DAC 275A 3247 5B59  A16F A3E9 1268 663A 9918
  created : 2018-02-27 23:04:28
Encryption key: 7BD4 D616 869A DABA 40EE  92CE 0B7C A078 D0C4 D69E
  created : 2018-02-27 23:04:28
Authentication key: 7DA6 B4FD 7E63 CA74 4BDC  CE17 A006 6D00 9AD9 3260
  created : 2018-02-27 23:04:28
sec>  rsa2048/A3E91268663A9918  created: 2018-02-27  expires: never
card-no: 0005 3E6D
ssb>  rsa2048/A0066D009AD93260  created: 2018-02-27  expires: never
card-no: 0005 3E6D
ssb>  rsa2048/0B7CA078D0C4D69E  created: 2018-02-27  expires: never
card-no: 0005 3E6
*


When invoking

gpgsm --armor --output public.pem --gen-key

one can choose (3) to use an existing key on a smartcard.

The next menu present is this:

*
Available keys:
   (1) C9CD95DDF9B6430274F55168DE39877474DA66EE OPENPGP.1
   (2) 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 OPENPGP.2
   (3) 24983DADCC9C49692D6BB30675967DD4B003957D OPENPGP.3
*

To me it seems it shows the 'keygrip' instead of the smartcard key IDs?


Debug output from gpgsm before the "available keys" prompt:
*
gpgsm: DBG: chan_5 <- S KEY-FPR 1 E6428DAC275A32475B59A16FA3E91268663A9918
gpgsm: DBG: chan_5 <- S KEY-FPR 2 7BD4D616869ADABA40EE92CE0B7CA078D0C4D69E
gpgsm: DBG: chan_5 <- S KEY-FPR 3 7DA6B4FD7E63CA744BDCCE17A0066D009AD93260
gpgsm: DBG: chan_5 <- S KEY-TIME 1 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 2 1519772668
gpgsm: DBG: chan_5 <- S KEY-TIME 3 1519772668
gpgsm: DBG: chan_5 <- S CHV-STATUS +0+32+32+32+3+0+3
gpgsm: DBG: chan_5 <- S SIG-COUNTER 4
gpgsm: DBG: chan_5 <- S KEYPAIRINFO C9CD95DDF9B6430274F55168DE39877474DA66EE 
OPENPGP.1
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 9D81DD6BD19C9C13F9B03915344BCC6BBDFB8428 
OPENPGP.2
gpgsm: DBG: chan_5 <- S KEYPAIRINFO 24983DADCC9C49692D6BB30675967DD4B003957D 
OPENPGP.3
gpgsm: DBG: chan_5 <- OK
*

I guessed which key is the correct one from the gnupg 2.2.4 debug output.


When using a smartcard, what about showing the openpgp key IDs
in the "Available keys" menu?

Cheers,
Thomas




___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users