support for non-openpgp cards

Zeljko Vrba zvrba at zax.CARNET
Mon Nov 15 19:30:15 CET 2004 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi to everybody..

I have made a patch to GNUPG 1.3.92 which makes possible to use general PKCS#11
tokens with GPG. You can retrieve the patch and signature at:

http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch
http://www.core-dump.com.hr/software/gnupg-1.3.92-pkcs11.patch.asc

(the patch also includes p11howto.txt - the deisgn document).

Now there are several issues to address with this patch in combination with the
MUSCLE project (http://www.linuxnet.com):
- - I use libmusclepkcs11.so with Cryptoflex 8k card. The library is, IMHO,
  incorrect in several respects with regards to PKCS#11:
    - it requires to specify CKA_TOKEN when generating keys
    - it expects the data to be PKCS#11 padded before encryption (although it
      explicitly knows that the card supports only raw rsa); and this is the
      main problem
  - supports only 2 keypairs on Cryptoflex cards (32k and 8k; the code is
    common).

The alternative is to use the MUSCLE API (also described on the above site)
which limits the library usage to JAVA cards with MUSCLE applet installed only
(MUSCLE works on many UNICES and Win32).

Given this input, here are some questions (both for users and developers; thus
this mail goes to both lists):

1. Is there enough interest from GPG users to pursue further development of
   non-OpenPGP smart-cards? (either with PKCS#11 which I'd prefer, or with
   MUSCLE API; if there is enough interest I'll contact the developers of
   MUSCLE to resolve PKCS#11 issues).

2. Does GPG do PKCS#1 padding before signing or encryption?

3. Is it possible to make GPG generate only 1, or 2 keys on the card?
   (AFAIK, the generate command always tries to generate 3 keys and this
    command is the only way to make gpg learn about the card..)
   Even better, is it possible to make GPG use pre-generated keys on the card?

I have already talked to Werner about this, and he didn't like the idea
because of GPL license (the result of linking proprietary PKCS#11 lib with
GPG is undefined). So please, no arguments about that. I'll leave to
each user's conscience whether to run legally-undefined program, or not.
MUSCLE itself is released under BSD license.

- --
The corresponding public key is located at:
http://ds.carnet.hr:11371/pks/lookup?op=get&search=0x5081D08A1DC7E994
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBmPWRUIHQih3H6ZQRA7J+AJ9gJp5bUEfAB9GQuaXP+kACFHtC0QCeOBZ9
tKk/pliIkJlE045G/bTEaGQ=
=+/x9
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list