On 03/04/14 14:42, Florian Wolters wrote:
> Has anyone got this combination up and running and could point me in the
> right direction to get this working?

It works for me. I have an SPR 532 with firmware v5.10, and I'm running
Debian testing x86_64. I'm using GnuPG's internal CCID driver. I couldn't
generate a 4096-bit key on the card, but I could transfer one with
"keytocard". At that point, the key length mentioned in --card-status was
already set to 4096 bit by the failed generation attempt; that might have
made a difference.

It went along these lines:

------------------8<-------------->8------------------
peter@tweek:~$ gpg2 --expert --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
[...]
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 42048
[...]
peter@tweek:~$ gpg2 --expert --edit-key 40AF7983
[...]
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8
[...]
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
[...]

[...irrelevant part skipped...]

peter@tweek:~$ gpg2 --expert --edit-key 40AF7983
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12  usage: SC
                     trust: never         validity: unknown
sub  4096R/80369970  created: 2014-04-05  expires: 2014-04-12  usage: A
[ unknown] (1). Test 4k

gpg> toggle

sec  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb  4096R/80369970  created: 2014-04-05  expires: never
(1)  Test 4k

gpg> key 1

sec  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb* 4096R/80369970  created: 2014-04-05  expires: never
(1)  Test 4k

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb* 4096R/80369970  created: 2014-04-05  expires: never
                     card-no: 0005 0000106E
(1)  Test 4k

gpg> Save changes? (y/N) y
peter@tweek:~$ gpg2 --card-status
[...]
Key attributes ...: 4096R 4096R 4096R
[...]
Signature key ....: [none]
Encryption key....: [none]
Authentication key: D39E 61C2 8678 7B4B A1CD 84A2 4529 4317 8036 9970
      created ....: 2014-04-05 09:35:02
General key info..: pub  4096R/80369970 2014-04-05 Test 4k
sec  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb> 4096R/80369970  created: 2014-04-05  expires: 2014-04-12
                     card-no: 0005 0000106E
peter@tweek:~$ ssh-add -l
4096 88:a5:ad:f8:a9:33:75:2f:08:7d:c0:ad:7e:97:cd:c3 cardno:00050000106E (RSA)
2048 bc:8d:69:cf:45:aa:ea:c3:df:8d:e4:f4:a4:9e:c6:08 /home/peter/.ssh/id_rsa (RSA)
peter@tweek:~$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2[...]ao3lYk5DHJk0EkW6Q== cardno:00050000106E
ssh-rsa AAAAB3NzaC1yc[...]PRw/seKuoX2PANuDWQ== /home/peter/.ssh/id_rsa
------------------8<-------------->8------------------

I added the card public key to an authorized_keys file and could log in
with that key without any problems.

I updated the firmware to v5.10 a long time ago. I think I used Windows XP
for that.

So it can work. I hope that bit of information helps in your quest for 4k
authentication :).

Or you could create a shorter key. Auth keys can be changed relatively
easily, though not as easily as signature keys. More importantly, they don't
protect any secret data (just a random challenge), so I don't think there's
any reason to go beyond, say, 2048 bits.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
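As an added example (not part of Peter's mail or of GnuPG itself): after a keytocard transfer it is worth confirming, from the same two commands Peter used, that the card's authentication slot really holds a key of the intended size and that gpg-agent is the one offering it over the SSH agent protocol. The POSIX sh functions below parse `gpg2 --card-status` and `ssh-add -l` text; the sample outputs are constructed to match the lines shown in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check an OpenPGP card's authentication key against
# what the SSH agent offers. Sample outputs are constructed to mirror the
# session quoted in the mail; on a real box feed in the live command output:
#   check_card_auth_key "$(gpg2 --card-status)" "$(ssh-add -l)" 4096

SAMPLE_CARD_STATUS='Key attributes ...: 4096R 4096R 4096R
Signature key ....: [none]
Encryption key....: [none]
Authentication key: D39E 61C2 8678 7B4B A1CD 84A2 4529 4317 8036 9970
      created ....: 2014-04-05 09:35:02'

SAMPLE_SSH_ADD='4096 88:a5:ad:f8:a9:33:75:2f:08:7d:c0:ad:7e:97:cd:c3 cardno:00050000106E (RSA)
2048 bc:8d:69:cf:45:aa:ea:c3:df:8d:e4:f4:a4:9e:c6:08 /home/peter/.ssh/id_rsa (RSA)'

# auth_key_bits: key size declared for the third (authentication) slot in the
# "Key attributes" line, e.g. "4096R" -> "4096". Reads card-status text on stdin.
auth_key_bits() {
    awk -F': *' '/^Key attributes/ {
        split($2, a, " "); sub(/[A-Za-z]+$/, "", a[3]); print a[3]; exit
    }'
}

# auth_slot_filled: succeed only if the authentication slot shows a fingerprint
# rather than "[none]". Reads card-status text on stdin.
auth_slot_filled() {
    grep -q '^Authentication key: [0-9A-F]'
}

# card_key_bits_in_agent: size of the first card-backed key in "ssh-add -l"
# output (the comment field is "cardno:..." for keys served by gpg-agent).
card_key_bits_in_agent() {
    awk '$3 ~ /^cardno:/ { print $1; exit }'
}

# check_card_auth_key CARD_STATUS_TEXT SSH_ADD_TEXT EXPECTED_BITS
# Returns 0 when the card slot is populated with an EXPECTED_BITS key and the
# agent lists a card key of that size; prints the reason otherwise.
check_card_auth_key() {
    card=$1; agent=$2; want=$3
    bits=$(printf '%s\n' "$card" | auth_key_bits)
    [ "$bits" = "$want" ] || {
        echo "card auth slot is ${bits:-unset} bits, expected $want"; return 1; }
    printf '%s\n' "$card" | auth_slot_filled || {
        echo "no key stored in the authentication slot"; return 1; }
    agent_bits=$(printf '%s\n' "$agent" | card_key_bits_in_agent)
    [ "$agent_bits" = "$want" ] || {
        echo "agent offers no ${want}-bit card-backed key"; return 1; }
    echo "OK: ${want}-bit card authentication key present and offered by agent"
}

check_card_auth_key "$SAMPLE_CARD_STATUS" "$SAMPLE_SSH_ADD" "4096"
```

The "Key attributes" check catches the situation Peter describes, where the slot size is already 4096 from a failed on-card generation, and the agent check distinguishes a card-backed key (comment `cardno:...`) from an ordinary file-backed identity that happens to be loaded as well.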