Gnupg-pkcs11 is a (hopefully) drop-in replacement for the smart-card daemon (scdaemon) shipped with GnuPG. You will need this if you want to use an Aladdin token with the Aladdin application.
- Requirements: PCSC, OpenSC (including pkcs11-helper), libgpg-error, libassuan, libgcrypt. See the INSTALL file.
- See patch info for use as ssh-agent below.
- Configure:
    ./configure --prefix=/usr/local/depot/gnupg-pkcs11-scd-0.06 --with-libassuan-prefix=/usr/local --with-libgpg-error-prefix=/usr/local --with-libgcrypt-prefix=/usr/local
    PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/gnupg-pkcs11-scd-0.04 --with-libassuan-prefix=/usr/local --with-libgpg-error-prefix=/usr/local --with-libgcrypt-prefix=/usr/local
- Old:
    PKG_CONFIG_PATH=/usr/local/lib/pkgconfig ./configure --prefix=/usr/local/depot/gnupg-pkcs11-scd-0.04 --with-libassuan-prefix=/usr/local
- Build and install:
    make
    make install
- In ~/.gnupg/gpg-agent.conf:
    scdaemon-program /usr/local/bin/gnupg-pkcs11-scd
    pinentry-program /usr/bin/pinentry-qt
- Create ~/.gnupg/gnupg-pkcs11-scd.conf
    $ gpgsm --verbose --learn-card
    gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
    gpgsm: It is only intended for test purposes and should NOT be
    gpgsm: used in a production environment or with production keys!
    gpgsm[17878]: can't connect to `/tmp/gpg-jtqI3z/S.gpg-agent': No such file or directory
    gpgsm: can't connect to the agent - trying fall back
    gpgsm[17878]: can't connect to `/home/benchoff/.gnupg/S.gpg-agent': No such file or directory
    gpgsm: no running gpg-agent - starting one
    gpg-agent[17879]: card has S/N: 504B435323313120544F4B454E
    gpgsm: issuer certificate {DEBB6EA2C93475D8F157957910F903C0D4690A8C} (#05/O=Virginia Tech Root CA,L=Blacksburg,ST=Virginia,C=US) not found using authorityKeyIdentifier
    gpgsm: issuer certificate (#/CN=Virginia Tech User CA,O=Virginia Polytechnic Institute and State University,C=US,DC=vt,DC=edu) not found
    gpgsm: issuer certificate missing - storing as ephemeral
    gpg-agent[17879]: Assuan processing failed: ec=16777215

    # Note: with-ephemeral-keys required for now
    $ gpgsm --list-keys --with-ephemeral-keys
    gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
    gpgsm: It is only intended for test purposes and should NOT be
    gpgsm: used in a production environment or with production keys!
    /home/benchoff/.gnupg/pubring.kbx
    ---------------------------------
    Serial number: 017B
    Issuer: /CN=Virginia Tech User CA/O=Virginia Polytechnic Institute and State University/C=US/DC=vt/DC=edu
    Subject: /CN=Phillip E Benchoff/O=Virginia Polytechnic Institute and State University/C=US/SerialNumber=379/UID=817397/DC=vt/DC=edu
    aka: benchoff@vt.edu
    validity: 2006-11-16 19:46:12 through 2008-11-15 19:46:12
    key type: 1024 bit RSA
    key usage: digitalSignature nonRepudiation keyEncipherment
    ext key usage: clientAuth (suggested), emailProtection (suggested), 1.3.6.1.4.1.311.20.2.2 (suggested)
    policies: 1.3.6.1.4.1.6760.5.2.2.1.1:N:,1.3.6.1.4.1.6760.5.2.2.2.1:N:,1.3.6.1.4.1.6760.5.2.2.3.1:N:,1.3.6.1.4.1.6760.5.2.2.4.1:N:
    fingerprint: B5:30:8F:90:BA:B3:B6:87:91:A2:A3:E1:85:51:CC:9B:86:39:51:5F

    # gpgsm --import vtroot.pem
    # gpgsm --import vtuca.pem
    # Fixes above ephemeral problem
- The above also works with module opensc-pkcs11.so on a token formatted with opensc.
Use with SSH (as ssh-agent)
- Patch scdaemon.c
The GnuPG scdaemon eventually calls cmd_sign for cmd_pkauth in the PKCS#15 application. The difference is that some of the arguments (hash type) are not specified by the user for auth.
*** scdaemon.c.OEM 2006-12-23 15:11:03.000000000 -0500 --- scdaemon.c 2007-05-16 18:50:46.000000000 -0400 *************** *** 104,106 **** { "PKSIGN", cmd_pksign }, ! { "PKAUTH", NULL }, { "PKDECRYPT", cmd_pkdecrypt }, --- 104,106 ---- { "PKSIGN", cmd_pksign }, ! { "PKAUTH", cmd_pksign }, { "PKDECRYPT", cmd_pkdecrypt },
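Review bot: the hunk routes PKAUTH straight to cmd_pksign, yet the text itself notes that an auth request does not carry the arguments (hash type) cmd_pksign expects, so the handler runs with whatever defaults its option parsing yields and nothing tells it the request is authentication rather than signing; suggest a thin cmd_pkauth that sets those defaults explicitly and then delegates to cmd_pksign, plus a comment next to `{ "PKAUTH", cmd_pksign },` saying why the signing handler is reused. The verbose log further down the page still shows gpg-agent reporting "error getting default authentication keyID of card", which this one-line table change does not address.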
- Get your public key's keygrip with gpgsm --dump-keys.
- Add the keygrip to .gnupg/sshcontrol.
- Be sure gpg-agent is configured to use gnupg-pkcs11-scd, i.e. .gnupg/gpg-agent.conf contains:
    scdaemon-program /usr/local/bin/gnupg-pkcs11-scd
- Start the agent:
    eval `gpg-agent --verbose --daemon --enable-ssh-support`
- Verify that the key is registered: ssh-add -l
- Get your public key in ssh format: ssh-add -L
- You can also convert your key with x509toOpenSSH.
- Add your ssh key to ~/.ssh/authorized_keys on the hosts you wish to log in to.
- Verbose gpg-agent output for a login with pin entry:
    $ ssh analon
    gpg-agent[23821]: ssh handler 0x8084ed8 for fd 7 started
    gpg-agent[23821]: ssh request handler for request_identities (11) started
    gpg-agent[23821]: new connection to SCdaemon established (reusing)
    gpg-agent[23821]: error getting default authentication keyID of card: Unspecific Assuan server fault
    gpg-agent[23821]: ssh request handler for request_identities (11) ready
    gpg-agent[23821]: ssh request handler for sign_request (13) started
    gpg-agent[23821]: DBG: detected card with S/N 504B435323313120544F4B454E
    gpg-agent[23821]: DBG: encoded hash: .....
    gpg-agent[23821]: starting a new PIN Entry
    gpg-agent[23821]: DBG: connection to PIN entry established
    gpg-agent[23821]: ssh request handler for sign_request (13) ready
    gpg-agent[23821]: ssh handler 0x8084ed8 for fd 7 terminated
- Notes: ssh-add cannot be used to add keys to the agent.
- SSH agent commands (from openssh authfd.h):
    /* Messages for the authentication agent connection. */
    #define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
    #define SSH_AGENT_RSA_IDENTITIES_ANSWER 2
    #define SSH_AGENTC_RSA_CHALLENGE 3
    #define SSH_AGENT_RSA_RESPONSE 4
    #define SSH_AGENT_FAILURE 5
    #define SSH_AGENT_SUCCESS 6
    #define SSH_AGENTC_ADD_RSA_IDENTITY 7
    #define SSH_AGENTC_REMOVE_RSA_IDENTITY 8
    #define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES 9

    /* private OpenSSH extensions for SSH2 */
    #define SSH2_AGENTC_REQUEST_IDENTITIES 11
    #define SSH2_AGENT_IDENTITIES_ANSWER 12
    #define SSH2_AGENTC_SIGN_REQUEST 13
    #define SSH2_AGENT_SIGN_RESPONSE 14
    #define SSH2_AGENTC_ADD_IDENTITY 17
    #define SSH2_AGENTC_REMOVE_IDENTITY 18
    #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19

    /* smartcard */
    #define SSH_AGENTC_ADD_SMARTCARD_KEY 20
    #define SSH_AGENTC_REMOVE_SMARTCARD_KEY 21

    /* lock/unlock the agent */
    #define SSH_AGENTC_LOCK 22
    #define SSH_AGENTC_UNLOCK 23

    /* add key with constraints */
    #define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED 24
    #define SSH2_AGENTC_ADD_ID_CONSTRAINED 25
    #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
    #define SSH_AGENT_CONSTRAIN_LIFETIME 1
    #define SSH_AGENT_CONSTRAIN_CONFIRM 2

    /* extended failure messages */
    #define SSH2_AGENT_FAILURE 30

    /* additional error code for ssh.com's ssh-agent2 */
    #define SSH_COM_AGENT2_FAILURE 102
    #define SSH_AGENT_OLD_SIGNATURE 0x01
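As an added example (not from this page or the gnupg-pkcs11 project), here is a small Python client for the message numbers listed above: it frames the request_identities (11) message that the verbose gpg-agent log shows being handled, and decodes the identities_answer (12) the agent returns, which is what ssh-add -l does when verifying the card key is registered. The socket path from SSH_AUTH_SOCK, the constructed sample answer and the SHA256 fingerprint form (current ssh-add -l style, not the MD5 form of 2009-era OpenSSH) are assumptions.

```python
import base64, hashlib, os, socket, struct

# Message numbers from OpenSSH authfd.h, as quoted above.
SSH_AGENT_FAILURE = 5
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12

def ssh_string(data):
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def frame(msg_type, body=b""):
    """Agent messages are a uint32 length, then the type byte, then the body."""
    return ssh_string(bytes([msg_type]) + body)

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string in agent message")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_identities_answer(msg):
    """Decode an unframed IDENTITIES_ANSWER (12) into (key type, fingerprint, comment) tuples."""
    if msg[0] == SSH_AGENT_FAILURE:
        raise RuntimeError("agent answered SSH_AGENT_FAILURE")
    if msg[0] != SSH2_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %d" % msg[0])
    (count,) = struct.unpack_from(">I", msg, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(msg, off)     # public key in OpenSSH blob format
        comment, off = read_string(msg, off)  # comment as printed by ssh-add -l
        keytype, _ = read_string(blob, 0)     # the blob starts with its own type string
        fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
        keys.append((keytype.decode(), "SHA256:" + fp, comment.decode("utf-8", "replace")))
    return keys

def list_identities(sock_path=None):
    """Do by hand what `ssh-add -l` does: one request_identities (11) round trip."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(frame(SSH2_AGENTC_REQUEST_IDENTITIES))
        f = s.makefile("rb")
        (length,) = struct.unpack(">I", f.read(4))
        return parse_identities_answer(f.read(length))

# Constructed sample answer (one fake ssh-rsa key, not a real modulus) for offline use.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3\x5a\x7f")
SAMPLE_ANSWER = (bytes([SSH2_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1)
                 + ssh_string(SAMPLE_BLOB) + ssh_string(b"card key"))
```

With the agent started as shown above (eval `gpg-agent ... --enable-ssh-support`), list_identities() returns the card key exactly as ssh-add -l would list it; parse_identities_answer(SAMPLE_ANSWER) exercises the decoder without any agent.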
Scdaemon
    $ gpgsm --learn-card
    gpgsm: NOTE: THIS IS A DEVELOPMENT VERSION!
    gpgsm: It is only intended for test purposes and should NOT be
    gpgsm: used in a production environment or with production keys!
    gpgsm: can't connect to `/tmp/gpg-C0x9MY/S.gpg-agent': No such file or directory
    gpgsm: can't connect to the agent - trying fall back
    gpgsm: can't connect to `/home/benchoff/.gnupg/S.gpg-agent': No such file or directory
    scdaemon[18273]: NOTE: this is a development version!
    *** glibc detected *** free(): invalid pointer: 0xbfebda64 ***
    scdaemon[18273]: reader slot 0: active protocol:
    scdaemon[18273]: slot 0: ATR=3B E2 00 FF C1 10 31 FE 55 C8 02 9C
    scdaemon[18273.0x8081a78] DBG: -> OK GNU Privacy Guard's Smartcard server ready
    scdaemon[18273.0x8081a78] DBG: <- SERIALNO
    scdaemon[18273]: DBG: send apdu: c=00 i=A4 p0=00 p1=0C lc=2 le=-1
    scdaemon[18273]: DBG: PCSC_data: 00 A4 00 0C 02 3F 00
    scdaemon[18273]: error receiving PC/SC TRANSMIT response: premature EOF
    scdaemon[18273]: apdu_send_simple(0) failed: card I/O error
    scdaemon[18273]: no supported card application found: General error
    scdaemon[18273.0x8081a78] DBG: -> ERR 100663356 Not supported <SCD>
    gpg-agent[18272]: command learn failed: Not supported
    gpgsm: error learning card: Not supported
    scdaemon[18273.0x8081a78] DBG: <- RESET
    scdaemon[18273.0x8081a78] DBG: -> OK
    scdaemon[18273.0x8081a78] DBG: <- [EOF]
1 Comment

Phil Benchoff, Dec 23, 2009:
--learn-card will create a file in private-keys-v1.d which contains a reference to the card. This has to be removed to learn the card again.