support for non-openpgp cards
zvrba at zax.CARNET
Mon Nov 15 19:30:15 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hi to everybody..
I have made a patch to GNUPG 1.3.92 which makes possible to use general PKCS#11
tokens with GPG. You can retrieve the patch and signature at:
(the patch also includes p11howto.txt - the deisgn document).
Now there are several issues to address with this patch in combination with the
MUSCLE project (http://www.linuxnet.com):
- - I use libmusclepkcs11.so with Cryptoflex 8k card. The library is, IMHO,
incorrect in several respects with regards to PKCS#11:
- it requires to specify CKA_TOKEN when generating keys
- it expects the data to be PKCS#11 padded before encryption (although it
explicitly knows that the card supports only raw rsa); and this is the
- supports only 2 keypairs on Cryptoflex cards (32k and 8k; the code is
The alternative is to use the MUSCLE API (also described on the above site)
which limits the library usage to JAVA cards with MUSCLE applet installed only
(MUSCLE works on many UNICES and Win32).
Given this input, here are some questions (both for users and developers; thus
this mail goes to both lists):
1. Is there enough interest from GPG users to pursue further development of
non-OpenPGP smart-cards? (either with PKCS#11 which I'd prefer, or with
MUSCLE API; if there is enough interest I'll contact the developers of
MUSCLE to resolve PKCS#11 issues).
2. Does GPG do PKCS#1 padding before signing or encryption?
3. Is it possible to make GPG generate only 1, or 2 keys on the card?
(AFAIK, the generate command always tries to generate 3 keys and this
command is the only way to make gpg learn about the card..)
Even better, is it possible to make GPG use pre-generated keys on the card?
I have already talked to Werner about this, and he didn't like the idea
because of GPL license (the result of linking proprietary PKCS#11 lib with
GPG is undefined). So please, no arguments about that. I'll leave to
each user's conscience whether to run legally-undefined program, or not.
MUSCLE itself is released under BSD license.
The corresponding public key is located at:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the Gnupg-devel