Re: scute / firefox: cannot connect to GPG agent
> You may also try the patch below.
> [...]
> * src/agent.c (scute_agent_get_cert): Reject card certificate if
> it does not start with an ASN.1 sequence tag.

The patch works for me using Yubikey 4.

Thanks,
Fabian

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: scute / firefox: cannot connect to GPG agent
> I'll try to find a way to erase the certificate from the Yubikey.

You may also try the patch below. It should allow Scute to ignore the
data read from the token if it does not look like a proper DER-encoded
certificate. It's not a fool-proof check, but it should already catch
a lot of cases (including yours).

-- >8 --
Subject: Add safety check against bad card certificate.

* src/agent.c (scute_agent_get_cert): Reject card certificate if
  it does not start with an ASN.1 sequence tag.

Signed-off-by: Damien Goutte-Gattat
---
 src/agent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/agent.c b/src/agent.c
index 75d4933..d6615af 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -1284,7 +1284,7 @@ scute_agent_get_cert (int no, struct cert *cert)
   err = assuan_transact (agent_ctx, cmd, get_cert_data_cb, &cert_s,
                          NULL, NULL, NULL, NULL);
   /* Just to be safe... */
-  if (!err && cert_s.cert_der_len <= 16)
+  if (!err && (cert_s.cert_der_len <= 16 || cert_s.cert_der[0] != 0x30))
     {
       DEBUG (DBG_INFO, "bad card certificate rejected");
       err = gpg_error (GPG_ERR_BAD_CERT);
--
2.9.0
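Review bot: the new condition on the `+  if` line only inspects `cert_s.cert_der[0]`, so a blob that happens to start with 0x30 but is truncated, or carries trailing bytes, is still handed to the ASN.1 parser; decoding the DER length that follows the tag and comparing it with `cert_s.cert_der_len` would reject those cases too with a few more lines. The operand order is right as written: `cert_s.cert_der_len <= 16` is evaluated first, so `cert_der[0]` is never read on an empty buffer. One more small point: the `DEBUG (DBG_INFO, "bad card certificate rejected")` line would be more useful if it also printed the first byte and the length, since the thread shows how hard a bad blob is to recognise from "got certificate from card with length 259" alone.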
Re: scute / firefox: cannot connect to GPG agent
> Can you check that after starting Firefox, you still have
> only one GPG-Agent and one Scdaemon running?

Before launching Firefox:

$ ps aux | grep -P '(scdaemon|gpg-agent)'
> fabianp+  3242 [...] gpg-agent --homedir /home/fabianpeter/.gnupg
> --use-standard-socket --daemon
> fabianp+  3518 [...] grep -P (scdaemon|gpg-agent)
> fabianp+ 26815 [...] scdaemon --multi-server

$ gpg-connect-agent "SCD GETINFO pid" /bye
> D 26815
> OK

Strangely enough Firefox does no longer write anything to stdout or
stderr. Unfortunately, I don't know what changed since I received the
error message last time.

$ export GPG_AGENT_INFO=$(gpgconf --list-dir agent-socket):0:1
$ echo $GPG_AGENT_INFO
> /run/user/1000/gnupg/S.gpg-agent:0:1
$ firefox &
> [1] 3616

While Firefox was running no other instances of gpg-agent or scdaemon
were launched:

$ ps aux | grep -P '(scdaemon|gpg-agent)'
> fabianp+  3242 [...] gpg-agent --homedir /home/fabianpeter/.gnupg
> --use-standard-socket --daemon
> fabianp+  3746 [...] grep -P (scdaemon|gpg-agent)
> fabianp+ 26815 [...] scdaemon --multi-server

With the Yubikey unplugged Firefox's Device Manager now shows a menu
item 'GnuPG Smart Card Daemon':

Status: Not Present
Description: GnuPG Smart Card Daemon
Manufacturer: g10 Code GmbH
HW Version: 2.1
FW Version: 1.5

When I plug in my Yubikey and re-open the Device Manager most values are
empty:

Status: Not Present
Description: [empty]
Manufacturer: [empty]
HW Version: [empty]
FW Version: [empty]

(Screenshots attached)

While Firefox is running I am not able to access my smartcard with gpg:

$ date | gpg -e | gpg # gpg test
> gpg: encrypted with 4096-bit RSA key, ID CD90DBE8B7C5FE43, created 2016-10-16
>       "Fabian Peter Hammerle "
> gpg: public key decryption failed: No SmartCard daemon
> gpg: decryption failed: No secret key
$ gpg-connect-agent "SCD GETINFO pid" /bye
> ERR 67108983 No SmartCard daemon

Before I loaded Scute in Firefox the very first time, I used gpgsm to
create a x509 cert for the auth subkey (pos. 3) on the Yubikey. I signed
the certificate with another key in gpgsm (also on smartcard).

$ gpgsm --list-secret-keys --with-validation 0x33C90BD1
> [...]
>          Issuer: /CN=Fabian Peter Hammerle/C=AT
>         Subject: /CN=Fabian Peter Hammerle/C=AT
>        validity: 2017-06-02 21:59:08 through 2017-07-02 21:59:08
>        key type: 4096 bit RSA
>       key usage: digitalSignature nonRepudiation
>   ext key usage: clientAuth (suggested)
>     fingerprint: 94:F5:1F:46:07:5D:28:68:8A:F3:A6:39:DB:BD:E4:4E:33:C9:0B:D1
>        card s/n: D276000[...]
>   [certificate is good]

Thank you very much for your support!

Fabian
Re: scute / firefox: cannot connect to GPG agent
> The maximal size for the certificate to be stored on the token is indicated
> by the "mcl3" value (so, 2048 bytes in this example). Your DER-encoded
> certificate should not be bigger than that.

$ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye | grep -Po 'mcl3=\d+'
mcl3=1216

My certificate is slightly larger:

$ gpgsm --export '&22BD35[...]6F89B' | wc --bytes
1432

> As far as I know there is no command in the gpg card editor to erase the
> certificate, but I *think* using the writecert command with /dev/null as
> input should do the trick (I have not tested).

Unfortunately I was not successful using /dev/null:

gpg/card> writecert 3 < /dev/null
gpg: error writing certificate to card: Invalid argument

> Scute can fetch the certificate both from the
> token itself, or from the gpgsm store. But it will try first to fetch it
> from the token.

To test my configuration I temporarily disabled the call to
scute_agent_get_cert():

diff --git a/src/gpgsm.c b/src/gpgsm.c
index 2a2906f..5c2674a 100644
--- a/src/gpgsm.c
+++ b/src/gpgsm.c
@@ -124,7 +124,7 @@ scute_gpgsm_get_cert (char *grip, int no, cert_get_cb_t cert_get_cb, void *hook)
   /* If the key is from the card, we might get the certificate from the
      card as well.  */
-  if (no >= 0)
+  if (false && no >= 0)
     {
       struct cert cert;

The Certificate Manager now shows an entry under 'Your Certificates'. I
was able to log in via Client Auth using my Yubikey. Amazing :-)

Thank you very much for your continuous help! I'll try to find a way to
erase the certificate from the Yubikey.

Fabian
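Review bot: `+  if (false && no >= 0)` turns the whole card lookup into dead code, which is fine for a one-off experiment but not something to keep: `false` is only defined in C when `<stdbool.h>` is included (or under a C23 compiler), so the build depends on what gpgsm.c already includes, and every user silently loses the token path that makes the card usable on a machine without a gpgsm store. If the fallback to the gpgsm store is worth preserving, make it a runtime choice checked in `scute_gpgsm_get_cert` (a configuration option or environment variable) and keep `if (no >= 0)` as the default.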
Re: scute / firefox: cannot connect to GPG agent
On 06/05/2017 07:54 PM, Fabian Peter Hammerle wrote:
> Ah, I didn't know I had to write the certificate onto the Yubikey.

You do not *have* to; Scute can fetch the certificate both from the
token itself, or from the gpgsm store. But it will try first to fetch it
from the token.

Storing the certificate on the token itself instead of relying on the
gpgsm store allows you to use your token on a machine that is not your
usual machine.

> > Could you extract the certificate from the smartcard and have a look at it?
> > $ gpg --card-edit
> > gpg/card> readcert 3 > file.der
> > gpg/card> quit
>
> $ od -x file.der
> > 000 217f 0082
> > 020
> > *
> > 400 00ff
> > 403

I don't pretend to be a X.509 or ASN1 expert (far from it!), but this
does not look like a X.509 certificate at all.

> gpg: error writing certificate to card: Provided object is too large
>
> Do I have to choose a smaller key size?

Check the maximal size supported by the Yubikey:

$ gpg-connect-agent 'SCD GETATTR EXTCAP' /bye

The output should be a line like the following:

S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=0

The maximal size for the certificate to be stored on the token is
indicated by the "mcl3" value (so, 2048 bytes in this example). Your
DER-encoded certificate should not be bigger than that.

But if it happens that your Yubikey does not support 4096-bit
certificates, and you still want such a certificate, then you could
simply erase the (corrupted) certificate on the Yubikey. As I said
above, Scute will fetch the certificate from the gpgsm store if it
cannot find it on the token.

As far as I know there is no command in the gpg card editor to erase the
certificate, but I *think* using the writecert command with /dev/null as
input should do the trick (I have not tested).
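The following POSIX sh helpers are an added example, written for this thread and not code from Scute, GnuPG or either correspondent. They put three checks from the discussion into functions that can be run before and after a writecert: extracting the mcl3 limit from the EXTCAP status line Damien quotes, comparing the exported DER size against it as Fabian did with wc, and sanity-checking a readcert dump the way Damien's patch does (first byte must be the SEQUENCE tag 0x30), extended to decode the DER length field and compare it with the file size so that a truncated blob is caught as well. The file names and the EXTCAP lines used in the comments are constructed; the keygrip in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread or from Scute/GnuPG.  Three checks
# around storing a certificate on an OpenPGP card:
#   extcap_mcl3     - pull the mcl3 limit out of an "S EXTCAP ..." status line
#   cert_fits_token - compare a DER file's size with that limit before writecert
#   der_cert_check  - does a readcert dump start with a SEQUENCE whose declared
#                     length matches the file size?

# Extract the mcl3 value (maximum certificate length in bytes) from the line
# printed by: gpg-connect-agent 'SCD GETATTR EXTCAP' /bye
extcap_mcl3() {
    line=$1
    rest=${line#*mcl3=}
    [ "$rest" != "$line" ] || return 1      # no mcl3 field at all
    printf '%s\n' "${rest%%+*}"
}

# Return 0 when the DER file is small enough to be stored on the token.
cert_fits_token() {
    file=$1; limit=$2
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -le "$limit" ]
}

# Return 0 when the file looks like a DER certificate: first byte 0x30
# (SEQUENCE) followed by a definite length whose value plus the header
# length equals the file size.  Anything else is reported on stderr.
der_cert_check() {
    file=$1
    size=$(wc -c < "$file" | tr -d ' ')
    # first four bytes as decimal numbers, e.g. "48 130 5 148"
    set -- $(od -An -tu1 -N 4 "$file")
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    [ "$b1" -eq 48 ] || { echo "$file: first byte is not a SEQUENCE tag" >&2; return 1; }
    case $b2 in
        128) echo "$file: indefinite length is not valid DER" >&2; return 1 ;;
        129) hdr=3; len=$b3 ;;                       # one length byte follows
        130) hdr=4; len=$(( b3 * 256 + b4 )) ;;      # two length bytes follow
        *)   if [ "$b2" -lt 128 ]; then hdr=2; len=$b2   # short form
             else echo "$file: unsupported length encoding" >&2; return 1; fi ;;
    esac
    if [ $((hdr + len)) -ne "$size" ]; then
        echo "$file: SEQUENCE declares $((hdr + len)) bytes, file has $size" >&2
        return 1
    fi
    return 0
}

# Usage against a real token (needs GnuPG 2.1 and gpgsm; not run here):
#   line=$(gpg-connect-agent 'SCD GETATTR EXTCAP' /bye | grep '^S EXTCAP')
#   limit=$(extcap_mcl3 "$line")
#   gpgsm --export '&KEYGRIP_PLACEHOLDER' > cert.der
#   cert_fits_token cert.der "$limit" && echo "fits the token (limit $limit)"
#   der_cert_check cert.der                # before writecert
#   der_cert_check file.der                # after "readcert 3 > file.der"
```

Run on a readcert dump like the one in this thread, der_cert_check fails on the first byte (0x7f rather than 0x30), which is exactly the case the agent.c patch rejects; on a file that starts with 0x30 but was cut short it fails on the length comparison instead, which that patch does not check.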
Re: scute / firefox: cannot connect to GPG agent
> Did you import your new certificate onto the Yubikey? Because independently
> of what your gpgsm store may contain, Scute will always try to fetch the
> certificate from the token itself.

Ah, I didn't know I had to write the certificate onto the Yubikey. I only
imported it into gpgsm following this guide:
http://scute.org/scute.html/Certificate-Preparation.html

> Could you extract the certificate from the smartcard and have a look at it?
> $ gpg --card-edit
> gpg/card> readcert 3 > file.der
> gpg/card> quit

$ od -x file.der
> 000 217f 0082
> 020
> *
> 400 00ff
> 403

I just tried to write the certificate onto the Yubikey:

$ gpg --edit-card
Reader ...: Yubico Yubikey 4 OTP U2F CCID 00 00
[...]
ssb> rsa4096/3AA08B6113EC625C created: 2016-12-25 expires: never
[...]
gpg/card> admin
Admin commands are allowed
gpg/card> writecert 3
Re: scute / firefox: cannot connect to GPG agent
On 06/05/2017 07:04 PM, Fabian Peter Hammerle wrote:
> scute: scute_agent_get_cert: got certificate from card with length 259

OK, this is weird. 259 bytes seems too short for a X.509 certificate,
especially one based on a 4096-bit public key (for comparison, my own
2048-bit certificate is 1587 bytes). Maybe an error occurred when the
certificate was stored on the Yubikey, and the certificate there is
actually truncated?

Could you extract the certificate from the smartcard and have a look at
it? Run gpg in card-edit mode, and at the prompt, use the (undocumented)
readcert command to save the certificate to a file:

$ gpg --card-edit
gpg/card> readcert 3 > file.der
gpg/card> quit

Then inspect the contents of file.der, using e.g. openssl:

$ openssl x509 -inform DER -in file.der -text

> Due to scute 'rejecting certificate' I just removed my current certificate
> for the auth subkey from gpgsm and created / imported a new self-signed
> certificate:
> [...]
> Anyway, Scute still logs the same error message:

Did you import your new certificate onto the Yubikey? Because independently
of what your gpgsm store may contain, Scute will always try to fetch the
certificate from the token itself.
Re: scute / firefox: cannot connect to GPG agent
> Could you perform your tests again with Scute debugging turned on?

Scute log when launching Firefox with Yubikey unplugged:

> scute debug init: flags=0xff
> scute: scute_agent_initialize: Establishing connection to gpg-agent

After plugging in the Yubikey:

> scute: scute_agent_get_cert: got certificate from card with length 259
> scute: asn1_get_element: wrong element in lookup path
> scute: scute_attr_prv: rejecting certificate: could not get subject: General
> error
> scute: scute_agent_get_cert: got certificate from card with length 259
> scute: asn1_get_element: wrong element in lookup path
> scute: scute_attr_prv: rejecting certificate: could not get subject: General
> error
[repeating rapidly]

Due to scute 'rejecting certificate' I just removed my current certificate
for the auth subkey from gpgsm and created / imported a new self-signed
certificate:

$ gpgsm --gen-key
> [...]
> Please select what kind of key you want:
>    (1) RSA
>    (2) Existing key
>    (3) Existing key from card
> Your selection? 3
> Serial number of the card: D27600[...]
> Available keys:
>    (1) C2E04B00B3F087DB143B4BB6411813BA220ED4BA OPENPGP.1
>    (2) FDB0E6A955AA1194D369A942B8EF10E6C66E0BB4 OPENPGP.2
>    (3) 22BD35D43F4D748110C935CC6B8D13575306F89B OPENPGP.3
> Your selection? 3
> [...]
> Create self-signed certificate? (y/N) y
> These parameters are used:
>     Key-Type: card:OPENPGP.3
>     Key-Length: 1024
>     Key-Usage: sign
>     Serial: random
>     Name-DN: CN=scute test,C=AT
>
> Proceed with creation? (y/N) y
> Now creating self-signed certificate. This may take a while ...
> gpgsm: about to sign the certificate for key:
> &22BD35D43F4D748110C935CC6B8D13575306F89B
> gpgsm: certificate created
> Ready.
> -----BEGIN CERTIFICATE-----
> [...]

I am not sure why gpgsm wrote
> Key-Length: 1024
although the actual key length is 4096:

$ gpg --list-secret-keys --with-keygrip | grep -B 1 22BD35D43F4D748110C935CC6B8D13575306F89B
> ssb>  rsa4096 2016-12-25 [A]
>       Keygrip = 22BD35D43F4D748110C935CC6B8D13575306F89B

However, the newly created certificate seems to be valid:

$ gpgsm --list-secret-keys --with-keygrip --with-validation 'scute test'
> [...]
>          Issuer: /CN=scute test/C=AT
>         Subject: /CN=scute test/C=AT
>        validity: 2017-06-05 16:40:48 through 2063-04-05 17:00:00
>        key type: 4096 bit RSA
>       key usage: digitalSignature nonRepudiation
>    chain length: unlimited
>     fingerprint: 0E:1F:DC:B0:43:FD:1B:93:70:76:C0:2A:B1:22:8E:3A:B0:8B:D4:52
>         keygrip: 22BD35D43F4D748110C935CC6B8D13575306F89B
>        card s/n: D276000[...]
>   [certificate is good]

Anyway, Scute still logs the same error message:

> scute: scute_agent_get_cert: got certificate from card with length 259
> scute: asn1_get_element: wrong element in lookup path
> scute: scute_attr_prv: rejecting certificate: could not get subject: General
> error
Re: scute / firefox: cannot connect to GPG agent
On 06/05/2017 10:20 AM, Fabian Peter Hammerle wrote:
> Does anyone know what might cause the 'sharing violation' error?

I am not sure. Can you check that after starting Firefox, you still have
only one GPG-Agent and one Scdaemon running?

If you run the following command:

$ gpg-connect-agent "SCD GETINFO pid" /bye

(which returns the PID of the running Scdaemon), do you get the same PID
as the one displayed in your error messages?

Damien
Re: scute / firefox: cannot connect to GPG agent
I just cloned Scute from git://git.gnupg.org/scute.git
(commit 10a19467bc2a95b4aa91176924a91be427d3157a)

The error messages changed (compared to my initial mail):

$ GPG_AGENT_INFO=$(gpgconf --list-dir agent-socket):0:1 firefox
> scdaemon[2999]: detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'
> gpg-agent[2998]: card has S/N: D276000[...]
> scdaemon[2999]: detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'
> scdaemon[2999]: pcsc_connect failed: sharing violation (0x801b)
> gpg-agent[2998]: card has S/N: D276000[...]
> scdaemon[2999]: detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'
> scdaemon[2999]: detected reader ''
> scdaemon[2999]: pcsc_connect failed: sharing violation (0x801b)
> gpg-agent[2998]: card has S/N: D276000[...]
> scdaemon[2999]: detected reader 'Yubico Yubikey 4 OTP+U2F+CCID 00 00'
> scdaemon[2999]: detected reader ''
> scdaemon[2999]: pcsc_connect failed: sharing violation (0x801b)
[repeating rapidly]

pcscd reports:
> pcscd[3001]: 01000753 winscard.c:284:SCardConnect() Error Reader Exclusive

As far as I know, only gnupg accesses my smartcard. Decryption, signing,
and ssh authentication work as usual. Restarting gpg-agent, scdaemon,
pcscd and rebooting did not change anything.

Does anyone know what might cause the 'sharing violation' error?

Fabian
Re: scute / firefox: cannot connect to GPG agent
Hi,

Thanks for your reply!

> The GPG_AGENT_INFO variable must have the following form:
> "PATH_TO_SOCKET:PID:VERSION", where PID is the running agent's process ID
> and VERSION is the version of the agent protocol (which must be 1).
> Otherwise Scute will ignore the variable.
>
> So try instead:
>
> GPG_AGENT_INFO=$(gpgconf --list-dir agent-socket):0:1 firefox

Unfortunately I still get the 'IPC connect call failed' warning:

$ gpg-connect-agent /bye
$ ps -p $(pidof gpg-agent)
>   PID TTY          TIME CMD
> 25379 ?        00:00:09 gpg-agent
$ ls -la $(gpgconf --list-dir agent-socket)
> srwx------ 1 fabianpeter fabianpeter 0 Jun  4 14:09
> /run/user/1000/gnupg/S.gpg-agent
$ GPG_AGENT_INFO=$(gpgconf --list-dir agent-socket):0:1 firefox
> scute: agent_connect: cannot connect to GPG agent: IPC connect call failed
> scute: scute_gpg_err_to_ck: Error occurred: No agent running (Unspecified
> source)
>
> scute: agent_connect: cannot connect to GPG agent: IPC connect call failed
> scute: scute_gpg_err_to_ck: Error occurred: No agent running (Unspecified
> source)
>
$ firefox --version
> Mozilla Firefox 53.0.3

Fabian
Re: scute / firefox: cannot connect to GPG agent
Hi,

On 06/03/2017 12:48 AM, Fabian Peter Hammerle wrote:
> As far as I understand gpg-agent is running.

Can you please check whether it is really the case? E.g., check that the
socket indicated by "gpgconf --list-dir agent-socket" does exist?

> After reading http://scute.org/scute.html/Troubleshooting.html I noticed
> that $GPG_AGENT_INFO was not set.

Yes, GnuPG 2.1 does not use (nor set) that variable anymore. But Scute
still needs it in order to locate the socket, especially now that the
socket is no longer always located in $GNUPGHOME.

If I remember correctly, the problem goes like this:

1) Scute looks for GPG_AGENT_INFO
2) The variable does not exist, so Scute looks for the socket in $GNUPGHOME
3) The socket is not there (because it is now somewhere under [/var]/run),
   so Scute assumes there's no running agent
4) Scute spawns a new agent with the --use-standard-socket option (which
   used to instruct the agent to create its listening socket in $GNUPGHOME,
   but which has no effect with GnuPG 2.1)
5) Scute still does not find the socket in $GNUPGHOME, and thus fails with
   "Cannot connect to GPG Agent"

To avoid this, you need both to set the GPG_AGENT_INFO variable and make
sure that the agent is running before you start Firefox (simply calling
"gpg-connect-agent /bye" is enough).

> However, setting the path manually did not solve the problem:
>
> $ gpgconf --list-dir agent-socket
> /run/user/1000/gnupg/S.gpg-agent
> $ GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent firefox

The GPG_AGENT_INFO variable must have the following form:
"PATH_TO_SOCKET:PID:VERSION", where PID is the running agent's process ID
and VERSION is the version of the agent protocol (which must be 1).
Otherwise Scute will ignore the variable.

So try instead:

GPG_AGENT_INFO=$(gpgconf --list-dir agent-socket):0:1 firefox

(The PID can be set to zero because as far as I know Scute does not
actually use that information.)

Hope that helps,

Damien
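The wrapper below is an added example, not code from the thread, from Scute or from GnuPG. It turns the two conditions Damien spells out (an agent already listening, and GPG_AGENT_INFO in the PATH_TO_SOCKET:PID:VERSION form with VERSION 1) into a pre-flight check that runs before Firefox starts, and it prints the scdaemon PID so it can be compared with the PID in scdaemon's log lines, as asked for elsewhere in the thread. The script name scute-preflight.sh is an assumption used only by the guard at the end; the two helper functions need no GnuPG installation and can be tested on their own.

```shell
#!/bin/sh
# Added example (not from the thread, Scute or GnuPG): a pre-flight wrapper
# that applies the two conditions described above before starting Firefox:
#   1. gpg-agent must already be listening ("gpg-connect-agent /bye" starts it),
#   2. GPG_AGENT_INFO must read PATH_TO_SOCKET:PID:VERSION with VERSION = 1.
# The script name scute-preflight.sh is an assumption used only by the guard
# at the bottom.

# Build the GPG_AGENT_INFO value for a socket path.  The PID component is
# optional and defaults to 0, which the thread reports is accepted.
agent_info_from_socket() {
    printf '%s:%s:1\n' "$1" "${2:-0}"
}

# Return 0 when a GPG_AGENT_INFO value is well-formed: an absolute socket
# path, a numeric PID and protocol version 1.  The value is split from the
# right, so a socket path that itself contains ':' still parses.
valid_agent_info() {
    info=$1
    version=${info##*:}
    rest=${info%:*}
    pid=${rest##*:}
    path=${rest%:*}
    [ "$rest" != "$info" ] && [ "$path" != "$rest" ] || return 1   # needs two ':'
    [ "$version" = 1 ] || return 1
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    case $path in /*) ;; *) return 1 ;; esac
}

# Make sure an agent is up, verify its socket exists, export GPG_AGENT_INFO.
# Needs a real GnuPG 2.1 installation, so it only runs from the guard below.
scute_preflight() {
    gpg-connect-agent /bye >/dev/null || { echo "cannot start gpg-agent" >&2; return 1; }
    sock=$(gpgconf --list-dir agent-socket)
    [ -S "$sock" ] || { echo "agent socket $sock does not exist" >&2; return 1; }
    GPG_AGENT_INFO=$(agent_info_from_socket "$sock")
    valid_agent_info "$GPG_AGENT_INFO" || { echo "bad GPG_AGENT_INFO: $GPG_AGENT_INFO" >&2; return 1; }
    export GPG_AGENT_INFO
    # Print the scdaemon PID so it can be compared with the PID in scdaemon log lines.
    echo "scdaemon pid: $(gpg-connect-agent 'SCD GETINFO pid' /bye | sed -n 's/^D //p')"
    echo "GPG_AGENT_INFO=$GPG_AGENT_INFO"
}

# Only when executed as scute-preflight.sh: run the checks, then start Firefox
# in the prepared environment.
case $0 in
    *scute-preflight.sh) scute_preflight && exec firefox "$@" ;;
esac
```

Saved as scute-preflight.sh and run instead of firefox, it refuses to start the browser when the socket is missing or the agent cannot be reached, which is the failure mode the step list above describes rather than letting Scute spawn a second agent.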
scute / firefox: cannot connect to GPG agent
Hi,

I am trying to set up Scute (http://scute.org/) so I can use my
authentication subkey for client authentication in Firefox.

I followed the steps in Scute's manual to set up Firefox:
http://scute.org/scute.html/Application-Configuration.html

My problem is that I keep getting these warnings whenever I launch Firefox:
> scute: agent_connect: cannot connect to GPG agent: IPC connect call failed
> scute: scute_gpg_err_to_ck: Error occurred: No agent running (Unspecified
> source)

As far as I understand gpg-agent is running.

After reading http://scute.org/scute.html/Troubleshooting.html I noticed
that $GPG_AGENT_INFO was not set. However, setting the path manually did
not solve the problem:

$ gpgconf --list-dir agent-socket
> /run/user/1000/gnupg/S.gpg-agent
$ GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent firefox
> scute: agent_connect: cannot connect to GPG agent: IPC connect call failed
> scute: scute_gpg_err_to_ck: Error occurred: No agent running (Unspecified
> source
> [...]

Any ideas?

$ apt-cache policy scute | grep -i installed
>   Installed: 1.5.0+git20151221.dc22111-2
$ gpg-agent --version | head -n 2
> gpg-agent (GnuPG) 2.1.18
> libgcrypt 1.7.6

Fabian