GnuPG and smartcards
Werner Koch
wk at gnupg.org
Thu Oct 21 18:11:51 CEST 2004
On Thu, 21 Oct 2004 17:51:47 +0200, Peter Palfrader said:
> It didn't say it for me:
I have seen it just yesterday but will check again.
> I created an RSA key (1024 bits primary, 1024 encryptiong subkey), and
> moved the private keys to the card.
> Signing works perfectly, however when I try to decrypt something, I get
> the following:
Might be related to ...
> I also get errors, when I try to generate keys on card:
> | gpg: please wait while key is being generated ...
> | gpg: pcsc_transmit failed: not transacted (0x80100016)
this or there is a real problem.
The "not transacted" comes from pcsc and seems to be a catch-all
error. I am looking into this with Ludovico (pcsclite) and Carlos
(libtowitoko). I don't have these problems with the internal CCID
driver. You should try it: make sure that libusb is available at
build time and stop pcscd - the internal ccid driver will then be
used. You need proper permissions for USB though; see below.
I thought it is a problem with libtowitoko but maybe the PC/SC CCID
driver has the same problem - I didn't test it due to USB stack
problems on the other machine running linux 2.6.8.
> [If you feel this should be moved to the gnupg-devel list, please do.
> Please CC me in that case]
Yep, it might be of interest to others too.
Salam-Shalom,
Werner
===== Preparing for the internal CCID driver ====
The USB stack is here accessed by means of libUSB through the
special usbfs. Thus make sure that this file system has been
mounted; the suggested way of doing so is by using the following
line in /etc/fstab:
none /proc/bus/usb usbfs defaults 0 0
To get the permissions right you may use the lazy way of mounting
the USB filesystem under your uid. For example if your userID is
1000, you may use this line in /etc/fstab
none /proc/bus/usb usbfs defaults,devuid=1000 0 0
After mounting this file system (using "mount /proc/bus/usb") all
files below /proc/bus/usb are owned by you. You may instead use
devgid to allow access by a group. There is however a major
security problem with this approach: The owner of the files has full
permissions to all connected USB devices no matter what type of
device. Thus it is strongly suggested to use the following method
instead.
If your system comes with hotplug support you may assign permissions
on a per-device basis. Here we want to give permissions for all CCID
devices to the users in the group "scard". You need to create the
following 2 files.
A mapping file to select what script to run for which device:
=== /etc/hotplug/usb/gnupg-ccid.usermap ===
# The entries below are used to detect CCID devices and run a script
#
# USB_MATCH_VENDOR 0x0001
# USB_MATCH_PRODUCT 0x0002
# USB_MATCH_DEV_LO 0x0004
# USB_MATCH_DEV_HI 0x0008
# USB_MATCH_DEV_CLASS 0x0010
# USB_MATCH_DEV_SUBCLASS 0x0020
# USB_MATCH_DEV_PROTOCOL 0x0040
# USB_MATCH_INT_CLASS 0x0080
# USB_MATCH_INT_SUBCLASS 0x0100
# USB_MATCH_INT_PROTOCOL 0x0200
#
# script match_flags idVendor idProduct bcdDevice_lo bcdDevice_hi
# bDeviceClass bDeviceSubClass bDeviceProtocol
# bInterfaceClass bInterfaceSubClass bInterfaceProtocol driver_info
#
# flags V P Bcd C S Prot Clas Sub Prot Info
#
# Generic CCID device
gnupg-ccid 0x0080 0x0 0x0 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
# SPR532 is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
=======
This file states that the script "gnupg-ccid" should be run if a
device matching the parameters becomes available by plugging it into
the USB bus. The script to actually assign the permissions is:
=== /etc/hotplug/usb/gnupg-ccid ===
#!/bin/sh
# This script changes the permissions and ownership of a USB device
# under /proc/bus/usb to grant access to this device to users in the
# "scard" group.
#
# Arguments (passed by hotplug in the environment):
# -----------
# ACTION=[add|remove]
# DEVICE=/proc/bus/usb/BBB/DDD
# TYPE=usb
#
# latest hotplug doesn't set DEVICE on 2.6.x kernels, so derive the
# bus and device numbers from DEVPATH instead.
if [ -z "$DEVICE" ] ; then
    IF=`echo "$DEVPATH" | sed 's/\(bus\/usb\/devices\/\)\(.*\)-\(.*\)/\2/'`
    DEV=`echo "$DEVPATH" | sed 's/\(bus\/usb\/devices\/\)\(.*\)-\(.*\)/\3/'`
    DEV=`expr $DEV + 1`
    DEVICE=`printf '/proc/bus/usb/%.03d/%.03d' $IF $DEV`
fi
# Only newly plugged-in USB devices get the group permissions.
if [ "$ACTION" = "add" -a "$TYPE" = "usb" ]; then
    chgrp scard "$DEVICE"
    chmod g=rw "$DEVICE"
fi
======
Don't forget to "chmod +x" this script.
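Added example, not part of the mail or of the hotplug package: a small Python model of how the usermap above selects which USB devices are handed to the gnupg-ccid script, and thereby which device files end up group-accessible. The USB_MATCH_* bits are the ones listed in the usermap's own comments; the comparison rule (a field is compared only when its bit is set, bcdDevice is a low/high range, interface fields are matched against any interface of the device) is assumed to follow usb_match_id() in the Linux USB core. The vendor/product ids of the generic reader and the memory stick are constructed; only the SPR532 ids come from the usermap.

```python
# Added example (not from the mail or the hotplug package): a model of how
# hotplug's usermap selects a script for a newly plugged-in USB device.
# The flag bits are the USB_MATCH_* values listed in the usermap comments;
# the matching rule is assumed to follow usb_match_id() in the Linux USB core.

USB_MATCH_VENDOR       = 0x0001
USB_MATCH_PRODUCT      = 0x0002
USB_MATCH_DEV_LO       = 0x0004
USB_MATCH_DEV_HI       = 0x0008
USB_MATCH_DEV_CLASS    = 0x0010
USB_MATCH_DEV_SUBCLASS = 0x0020
USB_MATCH_DEV_PROTOCOL = 0x0040
USB_MATCH_INT_CLASS    = 0x0080
USB_MATCH_INT_SUBCLASS = 0x0100
USB_MATCH_INT_PROTOCOL = 0x0200

# Column order of a usermap line, as given in the file's own header comment.
FIELDS = ("script", "flags", "idVendor", "idProduct", "bcdDevice_lo",
          "bcdDevice_hi", "bDeviceClass", "bDeviceSubClass",
          "bDeviceProtocol", "bInterfaceClass", "bInterfaceSubClass",
          "bInterfaceProtocol", "driver_info")

# The two active lines of /etc/hotplug/usb/gnupg-ccid.usermap from the mail.
USERMAP_TEXT = """
# Generic CCID device
gnupg-ccid 0x0080 0x0 0x0 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
# SPR532 is CCID but without the proper CCID class
gnupg-ccid 0x0003 0x04e6 0xe003 0 0 0 0 0x00 0x0B 0x00 0x00 0x00000000
"""


def parse_usermap(text):
    """Parse usermap lines into dicts; numbers use C-style 0x prefixes."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError("malformed usermap line: %r" % raw)
        entry = {"script": parts[0]}
        for name, value in zip(FIELDS[1:], parts[1:]):
            entry[name] = int(value, 0)
        entries.append(entry)
    return entries


def entry_matches(entry, dev):
    """True if the usermap entry selects the device.

    dev: dict with idVendor, idProduct, bcdDevice, bDeviceClass,
    bDeviceSubClass, bDeviceProtocol and 'interfaces', a list of
    (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) tuples.
    """
    flags = entry["flags"]
    if flags & USB_MATCH_VENDOR and entry["idVendor"] != dev["idVendor"]:
        return False
    if flags & USB_MATCH_PRODUCT and entry["idProduct"] != dev["idProduct"]:
        return False
    if flags & USB_MATCH_DEV_LO and dev["bcdDevice"] < entry["bcdDevice_lo"]:
        return False
    if flags & USB_MATCH_DEV_HI and dev["bcdDevice"] > entry["bcdDevice_hi"]:
        return False
    for bit, name in ((USB_MATCH_DEV_CLASS, "bDeviceClass"),
                      (USB_MATCH_DEV_SUBCLASS, "bDeviceSubClass"),
                      (USB_MATCH_DEV_PROTOCOL, "bDeviceProtocol")):
        if flags & bit and entry[name] != dev[name]:
            return False
    int_bits = ((USB_MATCH_INT_CLASS, 0), (USB_MATCH_INT_SUBCLASS, 1),
                (USB_MATCH_INT_PROTOCOL, 2))
    if not flags & (USB_MATCH_INT_CLASS | USB_MATCH_INT_SUBCLASS
                    | USB_MATCH_INT_PROTOCOL):
        return True
    wanted = (entry["bInterfaceClass"], entry["bInterfaceSubClass"],
              entry["bInterfaceProtocol"])
    # One interface satisfying all requested interface fields is enough.
    for iface in dev["interfaces"]:
        if all(not flags & bit or iface[i] == wanted[i] for bit, i in int_bits):
            return True
    return False


def scripts_for(entries, dev):
    """Names of the scripts hotplug would run for this device, in file order."""
    return [e["script"] for e in entries if entry_matches(e, dev)]


def overbroad_entries(entries):
    """Entries with no match bits at all hand every USB device to their
    script, which recreates the devuid problem described in the mail."""
    return [e for e in entries if e["flags"] == 0]


USERMAP = parse_usermap(USERMAP_TEXT)

# Constructed device descriptors; the ids of the generic reader and the
# stick are made up, the SPR532 ids are those from the usermap.
CCID_READER = {"idVendor": 0x1234, "idProduct": 0x0001, "bcdDevice": 0x0100,
               "bDeviceClass": 0, "bDeviceSubClass": 0, "bDeviceProtocol": 0,
               "interfaces": [(0x0B, 0x00, 0x00)]}   # CCID class 0x0B
SPR532 = {"idVendor": 0x04e6, "idProduct": 0xe003, "bcdDevice": 0x0100,
          "bDeviceClass": 0, "bDeviceSubClass": 0, "bDeviceProtocol": 0,
          "interfaces": [(0xFF, 0x00, 0x00)]}        # vendor-specific class
USB_STICK = {"idVendor": 0xabcd, "idProduct": 0x0002, "bcdDevice": 0x0100,
             "bDeviceClass": 0, "bDeviceSubClass": 0, "bDeviceProtocol": 0,
             "interfaces": [(0x08, 0x06, 0x50)]}     # mass storage

if __name__ == "__main__":
    for name, dev in (("CCID reader", CCID_READER), ("SPR532", SPR532),
                      ("USB stick", USB_STICK)):
        print("%-12s -> %s" % (name, scripts_for(USERMAP, dev) or "no script"))
    print("over-broad entries:", overbroad_entries(USERMAP))
```

Run as-is it reports that only the two readers reach gnupg-ccid and the memory stick gets no script, which is exactly the narrowing the per-device hotplug method buys over the devuid/devgid mount. The overbroad_entries() check is the thing to run after editing a usermap: an entry with flags 0 (or one that only matches a common class) would give the "scard" group access to devices that have nothing to do with smartcards.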