Re: private data objects on smartcard
> (...)
> If no PIN has been verified, the --card-status command will only ever
> print out the contents of private DOs #1 and #2.
>
> While we are at it, *writing* to the private DOs #1 and #3 requires the
> user PIN, and writing to the private DOs #2 and #4 requires the admin PIN.
>
> You can find the details about those DOs and all the other features of
> the OpenPGP smart card in the specifications for the different versions,
> which are all available on GnuPG's site [1].

Thanks a lot for the support!

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: private data objects on smartcard
On Fri, Jan 31, 2020 at 12:55:05AM +0100, mailing list wrote:
> I hoped these objects may have been (read) protected by the PIN, but
> they're world readable if you have the card, a bit sad...

Only Private DOs #1 and #2 are readable without any PIN. Reading the private DO #3 requires the user PIN, and reading the private DO #4 requires the admin PIN.

If no PIN has been verified, the --card-status command will only ever print out the contents of private DOs #1 and #2.

While we are at it, *writing* to the private DOs #1 and #3 requires the user PIN, and writing to the private DOs #2 and #4 requires the admin PIN.

You can find the details about those DOs and all the other features of the OpenPGP smart card in the specifications for the different versions, which are all available on GnuPG's site [1].

Cheers,

- Damien

[1] https://gnupg.org/ftp/specs/
Re: private data objects on smartcard
On Fri, Jan 31, 2020 at 12:39:11AM +0100, mailing list wrote:
> By the way, is mcl3 the length of the key currently living on the
> smartcard or the maximum key length supported by this card?

Neither of those. It's the maximum length of the "Cardholder certificate DO". This is another data object available on an OpenPGP smart card, intended to store an X.509 certificate.

You can write to that DO using the (undocumented) writecert command. For example, assuming the cert.der file contains a DER-encoded X.509 certificate:

    $ gpg --card-edit
    gpg/card> writecert 3 < cert.der

GnuPG allows writing into that DO but does not actually use it. As far as I know the only component that makes use of the Cardholder certificate DO is Scute [1], for TLS client authentication (and even for that the DO is actually dispensable: if Scute does not find the desired certificate in that DO, it will obtain it from GpgSM.)

> I'm just playing with a version 1.1 card and mcl3 is 0 there.

The Cardholder certificate DO was added in version 2.0 of the specification, so nothing surprising here.

Cheers,

- Damien

[1] http://scute.org/
Re: private data objects on smartcard
> (...)
> You can use the (undocumented) command "privatedo" from GnuPG's
> --card-edit menu. For example, to write into the private DO #1:
> (...)
>> And can GnuPG read these objects?
>
> Yes. If a private DO contains a value, it will be listed in the output
> from the --card-status command.

I hoped these objects may have been (read) protected by the PIN, but they're world readable if you have the card, a bit sad...
Re: private data objects on smartcard
On 31.01.20 at 00:14 it was said by Damien Goutte-Gattat:
> On Thu, Jan 30, 2020 at 11:24:54PM +0100, mailing list via Gnupg-users
> wrote:
>> How do you write to these objects? Can GnuPG do this? I didn't find
>> any way with --card-edit or --card-status.
>
> You can use the (undocumented) command "privatedo" from GnuPG's
> --card-edit menu. For example, to write into the private DO #1:

Great, thanks!

> S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1

By the way, is mcl3 the length of the key currently living on the smartcard or the maximum key length supported by this card?

I'm just playing with a version 1.1 card and mcl3 is 0 there. Version 1.1 supports 1024-bit RSA AFAIK.

Thanks!
Re: private data objects on smartcard
Hi,

On Thu, Jan 30, 2020 at 11:24:54PM +0100, mailing list via Gnupg-users wrote:
> How do you write to these objects? Can GnuPG do this? I didn't find
> any way with --card-edit or --card-status.

You can use the (undocumented) command "privatedo" from GnuPG's --card-edit menu. For example, to write into the private DO #1:

    $ gpg --card-edit
    gpg/card> privatedo 1
    Private DO data: [enter whatever value you want to store into the DO]

Or, to write the contents of a file into the private DO #2:

    $ gpg --card-edit
    gpg/card> privatedo 2 < [filename]

> And can GnuPG read these objects?

Yes. If a private DO contains a value, it will be listed in the output from the --card-status command.

> I read somewhere that the size of these objects is 2048 bytes each. How
> many of these objects exist on a smartcard?

First, note that private DOs are an optional feature of the OpenPGP smart card; not all implementations support them. You can use the following command to check if an OpenPGP smart card supports private DOs:

    $ gpg-connect-agent 'SCD LEARN --force' /bye | grep EXTCAP
    S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1

Here, "pd=1" means the card does have private DOs. "pd=0" would indicate that private DOs are not supported.

When private DOs are supported, there are four of them. For cards compatible with versions 1.x or 2.x of the specification, they have a size of 254 bytes. For 3.x cards, the size of the private DOs is defined by the implementation (the OpenPGP smart card from FLOSS Shop [1] does indeed have 2048-byte private DOs).

Cheers,

- Damien

[1] https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3?c=40
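The EXTCAP status line shown in the message above is a list of key=value pairs joined by '+'. The following script is an added example, not code from the thread or from GnuPG: it parses such a line and reports whether the card advertises private DOs (pd) and the maximum Cardholder certificate DO length (mcl3). The sample line is constructed (copied from the message) so the script runs offline; the optional --card mode assumes scdaemon and a card are present and simply runs the same gpg-connect-agent command the message uses.

```shell
#!/bin/sh
# Added example (not part of the thread): parse the "S EXTCAP" line printed by
#   gpg-connect-agent 'SCD LEARN --force' /bye
# and report the private-DO (pd) flag and the mcl3 value.
#
# Constructed sample input, identical to the line quoted in the thread.
SAMPLE_EXTCAP='S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1'

# extcap_get LINE KEY: print the value of KEY, or nothing if KEY is absent.
extcap_get() {
    line=$1
    key=$2
    # Drop the "S EXTCAP " prefix, split the pairs on '+', match "KEY=".
    printf '%s\n' "${line#"S EXTCAP "}" | tr '+' '\n' | while IFS= read -r pair; do
        case $pair in
            "$key="*) printf '%s\n' "${pair#"$key="}"; break ;;
        esac
    done
}

# extcap_has_private_dos LINE: exit 0 if pd=1, non-zero otherwise.
extcap_has_private_dos() {
    [ "$(extcap_get "$1" pd)" = "1" ]
}

# extcap_mcl3 LINE: print the mcl3 value, or 0 if the card does not report it
# (a 1.x card, which predates the Cardholder certificate DO, behaves this way).
extcap_mcl3() {
    v=$(extcap_get "$1" mcl3)
    printf '%s\n' "${v:-0}"
}

# read_card_extcap: fetch the EXTCAP line from a real card (needs scdaemon).
read_card_extcap() {
    gpg-connect-agent 'SCD LEARN --force' /bye | grep '^S EXTCAP '
}

# report LINE: human-readable summary of the two fields this example cares about.
report() {
    if extcap_has_private_dos "$1"; then
        echo "private DOs: supported (pd=1)"
    else
        echo "private DOs: not supported (pd=0 or absent)"
    fi
    echo "cardholder certificate DO max length (mcl3): $(extcap_mcl3 "$1")"
}

# Usage: ./extcap.sh --sample   (offline, constructed line)
#        ./extcap.sh --card     (query the inserted card via gpg-connect-agent)
case "${1:-}" in
    --sample) report "$SAMPLE_EXTCAP" ;;
    --card)   report "$(read_card_extcap)" ;;
esac
```

The parser is deliberately independent of field order, since the key order in EXTCAP is not something a script should rely on. Note that pd=1 only tells you the DOs exist; which PIN protects reading or writing each of them is a property of the card specification, not something this line reports.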
private data objects on smartcard
Hi there,

The OpenPGP smartcards seem to have private data objects to store arbitrary data, right? It seems even the old 1.1 version cards feature these objects.

How do you write to these objects? Can GnuPG do this? I didn't find any way with --card-edit or --card-status.

And can GnuPG read these objects?

I read somewhere that the size of these objects is 2048 bytes each. How many of these objects exist on a smartcard?

Thanks!