Scdaemon READCERT

Werner Koch wk at gnupg.org
Fri Apr 20 15:17:08 CEST 2007


On Fri, 20 Apr 2007 14:14, simon at josefsson.org said:

> Does this command work?  I see that Scute does not use gpg-agent or
> scdaemon to get the certificates, but it invokes 'gpgsm --server' and
> uses DUMPKEYS.  That works, but I'd rather talk to only gpg-agent and
> not also gpgsm in GnuTLS.

gpg-agent does not know about any protocol so there is no way to tell it
to read an X.509 certificate.  However, most X.509 smartcards store a
certificate and thus there is a need to allow reading it from a card.
This is the reason why Scdaemon features the

> SCD READCERT 26D864C468935011B59E4F297E4B82FA34355BCC
> ERR 100663420 Unsupported operation <SCD>

command.  The OpenPGP card does not store certificates and thus this
operation is not supported for this card.  Although it is named OpenPGP
it is not exactly an OpenPGP card but designed to allow easy working
with OpenPGP by storing an OpenPGP fingerprint and the creation time of
the key.

If you use an X.509 card you might get this

  $ gpg-connect-agent --hex
  scd learn --force
  S SERIALNO D2760000000000000000000000 0
  S APPTYPE DINSIG
  S CERTINFO 101 DINSIG.C000
  S KEYPAIRINFO 6F673AD2374E2F427634EF2BB4798092B751981E DINSIG.C000
  scd readcert DINSIG.C000
  D[0000]  30 82 05 01 30 82 03 E9  A0 03 02 01 02 02 03 00   0...0...........
  D[0010]  99 AD 30 25 30 44 06 09  2A 86 48 86 F7 25 30 44   ..0%0D..*.H..%0D
  D[0020]  01 01 05 05 00 30 6C 31  0B 30 09 06 03 55 04 06   .....0l1.0...U..
  D[0030]  13 02 44 45 31 15 30 13  06 03 55 04 25 30 41 0C   ..DE1.0...U.%0A.
  D[0040]  0C 44 2D 54 72 75 73 74  20 47 6D 62 48 31 22 30   .D-Trust GmbH1"0
  D[0050]  20 06 03 55 04 03 0C 19  44 2D 54 52 55 53 54 20    ..U....D-TRUST 
  [...]
  D[0150]  77 71 7A D0 97                                     wqz..           
  OK

I know that this is a bit annoying but required to keep the design clean.


Shalom-Salam,

   Werner
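As an added example (not code from this mail or from GnuPG), here is a small Python reader for the `gpg-connect-agent --hex` output shown above: it reassembles the `D[...]` lines into the DER certificate bytes, checks the outermost SEQUENCE header, and decodes an `ERR` reply's libgpg-error number into its source and code. It assumes the fixed column layout of the dump above, and its sample input is constructed from the lines quoted in the mail.

```python
# Constructed sample: first two dump lines plus the OK of the READCERT session
# quoted above; the mail's "[...]" means the real dump continues.
SAMPLE_READCERT = """\
D[0000]  30 82 05 01 30 82 03 E9  A0 03 02 01 02 02 03 00   0...0...........
D[0010]  99 AD 30 25 30 44 06 09  2A 86 48 86 F7 25 30 44   ..0%0D..*.H..%0D
OK
"""
# Constructed sample: the reply an OpenPGP card gives, as quoted in the mail.
SAMPLE_OPENPGP = "ERR 100663420 Unsupported operation <SCD>\n"

def decode_gpg_error(num: int) -> tuple:
    """Split a libgpg-error number into (source, code): bits 24..30 name the
    component that raised it (6 is scdaemon, shown as <SCD>), low 16 bits the code."""
    return (num >> 24) & 0x7F, num & 0xFFFF

class AssuanError(Exception):
    def __init__(self, num: int, text: str):
        self.source, self.code = decode_gpg_error(num)
        super().__init__(f"{text} (source {self.source}, code {self.code})")

def parse_hex_response(text: str) -> bytes:
    """Reassemble the D[...] lines of a `gpg-connect-agent --hex` reply."""
    buf = bytearray()
    for line in text.splitlines():
        if line.startswith("D["):
            # Layout assumed from the dump above: offset at [2:6], hex bytes at [9:57].
            if int(line[2:6], 16) != len(buf):
                raise ValueError(f"dump not contiguous at {line[:7]}")
            for tok in line[9:57].split():
                if len(tok) != 2:
                    raise ValueError(f"bad hex token {tok!r}")
                buf.append(int(tok, 16))
        elif line.startswith("ERR "):
            _, num, msg = line.split(" ", 2)
            raise AssuanError(int(num), msg)
        elif line == "OK" or line.startswith("OK "):
            return bytes(buf)
        # "S ..." status lines and "#" comments carry no data; skip them.
    raise ValueError("reply ended without OK")

def der_outer_length(der: bytes) -> int:
    """Declared content length of the outermost DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:           # short form: one length byte
        return der[1]
    n = der[1] & 0x7F           # long form: n following bytes hold the length
    if not 1 <= n <= 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    return int.from_bytes(der[2:2 + n], "big")
```

On the excerpt above the outer SEQUENCE declares 1281 content bytes, so a complete dump must deliver 1285 bytes before `OK`; anything shorter means the transfer was cut off.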



