Links and Overview

Software

Scdaemon

Note: See also GnuPG-PKCS11-scd for a scdaemon replacement that uses PKCS#11 modules.

$ gpgsm --learn-card
gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
gpgsm: It is only intended for test purposes and should NOT be
gpgsm: used in a production environment or with production keys!
gpgsm: can't connect to `/tmp/gpg-C0x9MY/S.gpg-agent': No such file or directory
gpgsm: can't connect to the agent - trying fall back
gpgsm: can't connect to `/home/benchoff/.gnupg/S.gpg-agent': No such file or directory
scdaemon[18273]: NOTE: this is a development version!
*** glibc detected *** free(): invalid pointer: 0xbfebda64 ***
scdaemon[18273]: reader slot 0: active protocol:
scdaemon[18273]: slot 0: ATR=3B E2 00 FF C1 10 31 FE 55 C8 02 9C
scdaemon[18273.0x8081a78] DBG: -> OK GNU Privacy Guard's Smartcard server ready
scdaemon[18273.0x8081a78] DBG: <- SERIALNO
scdaemon[18273]: DBG: send apdu: c=00 i=A4 p0=00 p1=0C lc=2 le=-1
scdaemon[18273]: DBG:   PCSC_data: 00 A4 00 0C 02 3F 00
scdaemon[18273]: error receiving PC/SC TRANSMIT response: premature EOF
scdaemon[18273]: apdu_send_simple(0) failed: card I/O error
scdaemon[18273]: no supported card application found: General error
scdaemon[18273.0x8081a78] DBG: -> ERR 100663356 Not supported <SCD>
gpg-agent[18272]: command learn failed: Not supported
gpgsm: error learning card: Not supported
scdaemon[18273.0x8081a78] DBG: <- RESET
scdaemon[18273.0x8081a78] DBG: -> OK
scdaemon[18273.0x8081a78] DBG: <- [EOF]

GpgAgent

  • gpg-agent --verbose --daemon --enable-ssh-support

DirMngr

DirMngr is a server for managing and downloading certificate revocation lists (CRLs) for X.509 certificates and for downloading the certificates themselves. DirMngr also handles OCSP requests as an alternative to CRLs. DirMngr is either invoked internally by gpgsm or when running as a system daemon through the dirmngr-client tool.

  • dirmngr.1
  • dirmngr-client.1
  • Config: $HOME/gnupg/dirmngr.conf, $HOME/gnupg/dirmngr_ldapservers.conf
  • $HOME/gnupg/trusted-certs $HOME/gnupg/extra-certs
  • Note: while testing, mutt would hang verifying an S/MIME signature if there was no dirmngr.conf. Create an empty one.
# mkdir /etc/dirmngr
# mkdir /var/run/dirmngr
# mkdir -p /var/lib/cache/dirmngr/crls.d
# # be sure certs are in /etc/dirmngr/trusted-certs as DER files named with .crt.
# dirmngr --daemon --verbose --allow-ocsp
dirmngr[8988]: listening on socket `/var/run/dirmngr/socket'
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtc1sca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = E4:6F:B9:58:B7:85:CB:DB:93:B6:86:5B:F8:A9:83:7A:B0:B7:D0:27
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtrootca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = AF:6F:EB:42:FA:2F:E4:A2:6E:9F:7F:B5:B5:FF:3A:BC:13:C6:0D:81
dirmngr[8989]: certificate `/etc/dirmngr/trusted-certs/vtuserca.crt' loaded
dirmngr[8989]: SHA1 fingerprint = AC:01:D0:4E:23:08:93:BC:BA:F4:50:CA:15:58:2C:3A:88:40:B7:B7
dirmngr[8989]: can't access directory `/var/lib/lib/dirmngr/extra-certs': No such file or directory
dirmngr[8989]: permanently loaded certificates: 3
dirmngr[8989]:     runtime cached certificates: 0
DIRMNGR_INFO=/var/run/dirmngr/socket:8989:1; export DIRMNGR_INFO;
# chmod og+w /var/run/dirmngr/socket

$ dirmngr-client --ping
dirmngr-client: a dirmngr daemon is up and running

$ dirmngr-client --verbose --pem --ocsp ~/vtc1sca.pem
dirmngr-client: certificate check failed: Configuration error

dirmngr[8989]: handler for fd 0 started
dirmngr[8989]: no default OCSP responder defined
dirmngr[8989]: command CHECKOCSP failed: Configuration error
dirmngr[8989]: handler for fd 0 terminated

$ dirmngr-client --verbose --pem ~/vtc1sca.pem
dirmngr-client: certificate is valid

dirmngr[8989]: handler for fd 0 started
dirmngr[8989]: no CRL available for issuer id 4BDB4546CDBC3DC883FD037FBE3E14C2E174147C
dirmngr[8989]: update times of this CRL: this=20060920T163032 next=20160917T163032
dirmngr[8989]: note: non-critical certificate policy not allowed
dirmngr[8989]: creating cache file `/var/lib/cache/dirmngr/crls.d/crl-4BDB4546CDBC3DC883FD037FBE3E14C2E174147C.db'
dirmngr[8989]: opening cache file `/var/lib/cache/dirmngr/crls.d/crl-4BDB4546CDBC3DC883FD037FBE3E14C2E174147C.db'
dirmngr[8989]: S/N 03 is valid, it is not listed in the CRL
dirmngr[8989]: handler for fd 0 terminated

# # With CRL in cache
dirmngr[8989]: handler for fd 0 started
dirmngr[8989]: S/N 03 is valid, it is not listed in the CRL
dirmngr[8989]: handler for fd 0 terminated
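The dirmngr startup log above prints one SHA1 fingerprint per trust anchor it loads from /etc/dirmngr/trusted-certs, and the setup comment requires those files to be DER-encoded and named *.crt. The script below is an added example, not part of the original notes or of GnuPG, that reproduces those fingerprints offline (the SHA1 fingerprint is simply SHA-1 over the DER bytes) so the loaded anchors can be compared against the ones you intended to trust, and flags files that are PEM-encoded and would therefore not load. The PEM/DER detection heuristic and the function names are this example's own assumptions.

```python
import base64
import hashlib
import os

# Added example (not part of the original notes): compute the SHA1 fingerprints
# that dirmngr logs when it loads /etc/dirmngr/trusted-certs, so the loaded
# trust anchors can be checked against the expected ones, and flag files that
# are PEM-encoded (dirmngr expects DER files named *.crt in that directory).

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
PEM_FOOTER = b"-----END CERTIFICATE-----"


def classify(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' for the raw bytes of a certificate file
    (heuristic assumed for this example)."""
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    # A DER Certificate is a SEQUENCE, so the first byte is always tag 0x30.
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file into DER bytes."""
    start = data.index(PEM_HEADER) + len(PEM_HEADER)
    end = data.index(PEM_FOOTER, start)
    body = b"".join(data[start:end].split())
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA1 fingerprint of a DER certificate in dirmngr's AA:BB:CC notation."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_trusted_certs(directory: str) -> dict:
    """Map each *.crt file in the directory to (encoding, fingerprint).

    PEM files get a fingerprint too (computed over their decoded DER), but the
    'PEM' marker shows they need converting before dirmngr will load them.
    """
    report = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".crt"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            data = fh.read()
        kind = classify(data)
        if kind == "PEM":
            der = pem_to_der(data)
        elif kind == "DER":
            der = data
        else:
            report[name] = (kind, None)
            continue
        report[name] = (kind, fingerprint(der))
    return report


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/dirmngr/trusted-certs"
    for name, (kind, fp) in audit_trusted_certs(path).items():
        print(f"{name}: {kind} {fp or '(not a certificate)'}")
```

Run it against the trusted-certs directory and diff the printed fingerprints against the `SHA1 fingerprint =` lines in the dirmngr log; any anchor the log lists that you did not put there, or any file reported as PEM, is worth investigating before leaving the daemon running.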

GpgSM

  • gpgsm.1
  • gpgsm --dump-options
  • gpgsm --dump-keys will provide the keygrip.
  • ssh-add -s0
    gpg-agent[10954]: handler 0x8082e80 for fd 0 terminated

    m-6:~/.gnupg (2)
    $ gpg-agent[10954]: ssh handler 0x8082e80 for fd 0 started
    gpg-agent[10954]: ssh request 20 is not supported
    gpg-agent[10954]: ssh handler 0x8082e80 for fd 0 terminated
    gpg-agent[10954]: ssh handler 0x8082e80 for fd 0 started
    gpg-agent[10954]: ssh request 20 is not supported
    gpg-agent[10954]: ssh handler 0x8082e80 for fd 0 terminated

  • gpgsm --base64 --disable-crl-checks --dirmngr-program /usr/bin/dirmngr --disable-ocsp --detach-sign --recipient benchoff@bev.net sshcontrol > signature
  • $ gpgsm --disable-crl-checks --dirmngr-program /usr/bin/dirmngr --sign --local-user benchoff@vt.edu sshcontrol > signed.asc
    gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
    gpgsm: It is only intended for test purposes and should NOT be
    gpgsm: used in a production environment or with production keys!
    gpgsm: note: non-critical certificate policy not allowed
    gpgsm: note: non-critical certificate policy not allowed
    gpgsm: note: non-critical certificate policy not allowed
    gpgsm: CRLs not checked due to --disable-crl-checks option
    gpgsm: DBG: adding certificates at level 1
    gpgsm: signature created
    
    
    # gpg-agent log
    gpg-agent[15632]: handler 0x8084e70 for fd 7 started
    gpg-agent[15632.7] DBG: -> OK Pleased to meet you
    gpg-agent[15632.7] DBG: <- RESET
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- OPTION display=:0.0
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- OPTION ttyname=/dev/pts/10
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- OPTION ttytype=xterm
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- OPTION lc-ctype=en_US
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- OPTION lc-messages=en_US
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- HAVEKEY 519EEA5B2BC8F0F63757DD3DF82A35D60CF1372C
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- ISTRUSTED AF6FEB42FA2FE4A26E9F7FB5B5FF3ABC13C60D81
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- RESET
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- SIGKEY 519EEA5B2BC8F0F63757DD3DF82A35D60CF1372C
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+secret+key+for:%0A"/CN=Phillip+E+Benchoff/O=Virginia+Polytechnic+Institute+and+State+University/C=US/SerialNumber=379/UID=817397/DC=vt/DC=edu"%0AS/N+017B,+ID+8639515F,+created+2006-11-16
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- SETHASH 2 29672DC132FB742B0A20A3BF5F93A09D38EC365A
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- PKSIGN
    gpg-agent[15632]: new connection to SCdaemon established (reusing)
    gpg-agent[15632]: DBG: detected card with S/N 504B435323313120544F4B454E
    gpg-agent[15632]: DBG: encoded hash: 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 29 67 2D C1 32 FB 74 2B 0A 20 A3 BF 5F 93 A0 9D 38 EC 36 5A
    gpg-agent[15632]: starting a new PIN Entry
    gpg-agent[15632]: DBG: connection to PIN entry established
    gpg-agent[15632.7] DBG: -> [ 44 20 28 37 3a 73 69 67 2d 76 61 6c ...(147 bytes skipped) ]
    gpg-agent[15632.7] DBG: -> OK
    gpg-agent[15632.7] DBG: <- [EOF]
    gpg-agent[15632]: handler 0x8084e70 for fd 7 terminated
    
    $ gpgsm --disable-crl-checks --verify signed.asc
    gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
    gpgsm: It is only intended for test purposes and should NOT be
    gpgsm: used in a production environment or with production keys!
    gpgsm: Signature made 2007-04-02 13:47:06 using certificate ID 8639515F
    gpgsm: note: non-critical certificate policy not allowed
    gpgsm: note: non-critical certificate policy not allowed
    gpgsm: note: non-critical certificate policy not allowed
    gpgsm: CRLs not checked due to --disable-crl-checks option
    gpgsm: Good signature from "/CN=Phillip E Benchoff/O=Virginia Polytechnic Institute and State University/C=US/SerialNumber=379/UID=817397/DC=vt/DC=edu"
    gpgsm:                 aka "benchoff@vt.edu"
    
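In the gpg-agent log above, gpgsm sends `SETHASH 2 29672DC1…` and the agent then logs an "encoded hash" of 35 bytes before handing it to the card. Those bytes are the PKCS#1 v1.5 DigestInfo wrapper (SEQUENCE of an AlgorithmIdentifier and an OCTET STRING holding the raw hash) that a card signs in a raw RSA operation. The code below is an added example, not part of the original notes or of GnuPG, that rebuilds that structure from the SETHASH line so you can confirm that what the agent passes to the token is exactly the hash gpgsm computed; it assumes that SETHASH algorithm number 2 is libgcrypt's SHA-1 identifier and 8 its SHA-256 identifier, which the page does not state, and it generalises the page's SHA-1 case to SHA-256 as well.

```python
import hashlib

# Added example (not part of the original notes): rebuild the "encoded hash"
# that gpg-agent logs before PKSIGN. It is the PKCS#1 v1.5 DigestInfo:
#   SEQUENCE { SEQUENCE { OID hashAlg, NULL }, OCTET STRING hash }

# Dotted OIDs of the hash algorithms handled here.
HASH_OIDS = {
    "sha1": "1.3.14.3.2.26",
    "sha256": "2.16.840.1.101.3.4.2.1",
}

# Algorithm ids used by the SETHASH command (assumed to follow libgcrypt's
# numbering: 2 = SHA-1, 8 = SHA-256; the page only shows "2").
SETHASH_ALGOS = {2: "sha1", 8: "sha256"}


def der_tlv(tag: int, value: bytes) -> bytes:
    """Tag-length-value with a short-form length (< 128 bytes), enough here."""
    if len(value) >= 128:
        raise ValueError("short-form DER length only")
    return bytes([tag, len(value)]) + value


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OBJECT IDENTIFIER, tag and length included."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # base-128, high bit marks "more"
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def digest_info(algo: str, hash_value: bytes) -> bytes:
    """DigestInfo DER for a raw hash, as embedded in a PKCS#1 v1.5 signature."""
    expected = hashlib.new(algo).digest_size
    if len(hash_value) != expected:
        raise ValueError(f"{algo} hash must be {expected} bytes")
    alg_id = der_tlv(0x30, encode_oid(HASH_OIDS[algo]) + b"\x05\x00")  # NULL params
    return der_tlv(0x30, alg_id + der_tlv(0x04, hash_value))


def encoded_hash_from_log(sethash_algo: int, hex_hash: str) -> str:
    """Reproduce gpg-agent's 'encoded hash:' line from a SETHASH request."""
    data = digest_info(SETHASH_ALGOS[sethash_algo], bytes.fromhex(hex_hash))
    return " ".join(f"{b:02X}" for b in data)


if __name__ == "__main__":
    # SETHASH values taken from the gpg-agent log in these notes.
    print(encoded_hash_from_log(2, "29672DC132FB742B0A20A3BF5F93A09D38EC365A"))
```

Comparing this output with the agent's "encoded hash" line is a cheap check that the hash the card is asked to sign is the one the signing software computed, and the same builder can be used to parse the DigestInfo back out of a raw RSA signature during verification.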

GpgConf

Gnupg

  • Out of the box, gpg on a Mandriva 2006 system can see the reader:
    $ gpg --card-status
    gpg: detected reader `AKS ifdh 00 00'
    Please insert the card and hit return or enter 'c' to cancel:
  • It appears gpgsm can use PKCS#15; gnupg cannot.