Re: Again: Writing DER certificates to ZeitControl Cards
On Tue, 3 Apr 2018 00:47, gnupg-users@gnupg.org said:

> By the way, I am using a ReinerSCT CyberJack RFID Standard via PCSCd.
> Perhaps this is the source of my problems. Unfortunately I didn't get

Reiner readers are a problem. That company does not provide any documentation for their readers, uses lots of proprietary extensions and relies on their own proprietary drivers. Further, some of their readers have way too much functionality to act as a simple interface from a card to a computer and thus offer many more attack surfaces than other "dumber" readers.

Save your time and get another reader.

Salam-Shalom,

   Werner

--
# Please read: Daniel Ellsberg - The Doomsday Machine
# Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Again: Writing DER certificates to ZeitControl Cards
Hi.

On Monday, 02.04.2018, at 13:43 +0100, Damien Goutte-Gattat via Gnupg-users wrote:

> $ gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP'
> S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0

> The value you are interested in is "mcl3". In this example, it says that
> the Yubikey NEO allows for a 1216-bytes certificate.

Thanks for your advice. The output of the command for my card tells that a cert can have up to 2048 bytes, which is 2kB. The file I want to store is about 1.8kB, so this seems not to be the problem.

By the way, I am using a ReinerSCT CyberJack RFID Standard via PCSCd. Perhaps this is the source of my problems. Unfortunately I didn't get the internal CCID driver to work with this reader. I have to check if it is compiled in in my distribution's package and if it would even work with my reader.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350
Re: Again: Writing DER certificates to ZeitControl Cards
On 04/02/2018 01:10 AM, NIIBE Yutaka wrote:

> Most likely, the length of certificate matters. If you can minimize
> your certificate, please try. I don't know the limitation for the
> card.

I don't know for the v3.3 card, but v2.1 cards allow for a 2048 bytes certificate (at least mine does, but maybe this has changed between different production runs?).

One way of finding the max allowed size is the following command (here tested with a Yubikey NEO):

    $ gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP'
    S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0

The value you are interested in is "mcl3". In this example, it says that the Yubikey NEO allows for a 1216-bytes certificate.

Damien
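Added example, not part of the thread or of GnuPG: a pre-flight check that reads "mcl3" from an EXTCAP status line like the one quoted above and compares it with the encoded length of a DER file, rejecting PEM or truncated input. The function names are hypothetical, and the sample bytes are a constructed DER header with filler, not a real certificate.

```python
# Added example: check a DER file against the card's "mcl3" limit.
# EXTCAP_NEO is the status line quoted in the message above.
EXTCAP_NEO = "S EXTCAP gc=1+ki=1+fc=1+pd=0+mcl3=1216+aac=0+sm=2+si=0+dec=0+bt=0"
# Constructed line: same fields, with the 2048-byte limit reported in the thread.
EXTCAP_2048 = EXTCAP_NEO.replace("mcl3=1216", "mcl3=2048")
# Constructed input: SEQUENCE tag, long-form length 1800, zero filler.
SAMPLE_DER = b"\x30\x82" + (1800).to_bytes(2, "big") + bytes(1800)


def parse_extcap(status_line: str) -> dict:
    """Parse 'S EXTCAP k=v+k=v...' into {key: int}."""
    prefix = "S EXTCAP "
    if not status_line.startswith(prefix):
        raise ValueError("not an EXTCAP status line")
    caps = {}
    for item in status_line[len(prefix):].strip().split("+"):
        key, sep, value = item.partition("=")
        if not sep or not value.isdigit():
            raise ValueError(f"malformed EXTCAP item: {item!r}")
        caps[key] = int(value)
    return caps


def der_total_length(data: bytes) -> int:
    """Header plus content length of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM file?)")
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("indefinite, oversized or truncated DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def fits_on_card(status_line: str, data: bytes) -> bool:
    """True if the whole DER object fits within the card's mcl3 limit."""
    caps = parse_extcap(status_line)
    if "mcl3" not in caps:
        raise ValueError("card did not report mcl3")
    total = der_total_length(data)
    if total != len(data):
        raise ValueError("file size does not match DER header")
    return total <= caps["mcl3"]


if __name__ == "__main__":
    for line in (EXTCAP_NEO, EXTCAP_2048):
        print(parse_extcap(line)["mcl3"], fits_on_card(line, SAMPLE_DER))
```

A passing size check only rules out the length limit; it says nothing about whether the reader or driver passes the write through.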
Re: Again: Writing DER certificates to ZeitControl Cards
Dirk Gottschalk via Gnupg-users wrote:

> I asked this Question a while ago, but unfortunately didn't get any
> response. So, I ask again and I'm in hope that somebody here knows any
> Answer to this. I just want to know if the cards do not support it, or
> is something wrong with my setup?

Most likely, the length of certificate matters. If you can minimize your certificate, please try. I don't know the limitation for the card.

In case of my own implementation, I can only support data less than 2048-byte.

> Are these cards not capable of getting certs written on, or am I
> missing something?

FWIW, let me explain my opinion. This might be irrelevant to the implementation on ZeitControl Card, though.

The feature is one of the most difficult parts for an implementer of OpenPGP card. For my own implementation, I cannot implement it fully, because of the possibility of larger size. So, users of Gnuk Token have to use a special tool to write a certificate, while reading is OK.

Since the feature is questionable for me (no real good use case), I even put a compile time option for Gnuk to disable it, and that's the default now.

--
Again: Writing DER certificates to ZeitControl Cards
Hello.

I asked this Question a while ago, but unfortunately didn't get any response. So, I ask again and I'm in hope that somebody here knows any Answer to this. I just want to know if the cards do not support it, or is something wrong with my setup?

I'm trying to import certificates in DER format to Zeitcontrol OpenPGP-Cards (v2.1 and v3.3) and get this error message:

    gpg/card> writecert 3 < cert.der
    gpg: error writing certificate to card: Kartenfehler

The last word says "card error".

Are these cards not capable of getting certs written on, or am I missing something? The Admin-Pin is correct, so this could not be the problem.

By the way, I'm using a ReinerSCT CyberJack RFID standard via PCSCd. Everything works well, except for writing x509 certificates in DER format to the card.

Regards,
Dirk

--
Dirk Gottschalk
Paulusstrasse 6-8
52064 Aachen
Tel.: +49 1573 1152350