GnuPG and smartcards
Peter Palfrader
peter at palfrader.org
Thu Oct 21 17:51:47 CEST 2004
On Thu, 21 Oct 2004, Werner Koch wrote:
> On Thu, 21 Oct 2004 09:25:24 +0200, Peter Palfrader said:
>
> > Thanks, that did it. Is this documented somewhere? I couldn't find it
> > on the web and gpg didn't print it for me.
>
> It should print it if the Displayed Name and no fingerprint has been
> stored on the card. When I sent out cards I also document the PINs.
It didn't say it for me:
| weasel at galaxy:~/local/gnupg-1.3/bin$ ./gpg --card-edit
| gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
| gpg: It is only intended for test purposes and should NOT be
| gpg: used in a production environment or with production keys!
| gpg: WARNING: using insecure memory!
| gpg: please see http://www.gnupg.org/faq.html for more information
|
| gpg: detected reader `SCR 335 00 00'
| Application ID ...: D27600012401000700000000000B0000
| Version ..........: 0.7
| Manufacturer .....: test card
| Serial number ....: 0000000B
| Name of cardholder: [not set]
| Language prefs ...: de
| Sex ..............: unspecified
| URL of public key : [not set]
| Login data .......: [not set]
| Signature PIN ....: forced
| Max. PIN lengths .: 254 254 254
| PIN retry counter : 3 3 3
| Signature counter : 0
| Signature key ....: [none]
| Encryption key....: [none]
| Authentication key: [none]
| General key info..: [none]
|
| Command> admin
|
| Command> name
| Cardholder's surname: Palfrader
| Cardholder's given name: Peter
| gpg: DBG: setting Name to `Palfrader<<Peter'
| gpg: 3 Admin PIN attempts remaining before card is permanently locked
| gpg: DBG: asking for PIN 'Admin PIN'
|
| Admin PIN
[I just hit enter]
| gpg: prassphrase (CHV3) is too short; minimum length is 6
| gpg: error setting Name: bad passphrase
> And yes, I am writing on a short HOWTO.
That'd be great.
I created an RSA key (1024 bits primary, 1024 encryption subkey), and
moved the private keys to the card.
Signing works perfectly, however when I try to decrypt something, I get
the following:
| weasel at galaxy:~/local/gnupg-1.3/bin$ ./gpg msg.asc
[..]
| gpg: detected reader `SCR 335 00 00'
| gpg: DBG: asking for PIN 'PIN'
|
| PIN
| gpg: encrypted with 1024-bit RSA key, ID 0AA7A3EB, created 2004-10-21
| "test key #2"
| gpg: public key decryption failed: general error
| gpg: decryption failed: secret key not available
However, the key is shown to be on the card:
| weasel at galaxy:~/local/gnupg-1.3/bin$ ./gpg --card-edit
[..]
| gpg: detected reader `SCR 335 00 00'
| Application ID ...: D27600012401000700000000000B0000
| Version ..........: 0.7
| Manufacturer .....: test card
| Serial number ....: 0000000B
| Name of cardholder: Peter Palfrader
| Language prefs ...: de
| Sex ..............: unspecified
| URL of public key : [not set]
| Login data .......: [not set]
| Signature PIN ....: not forced
| Max. PIN lengths .: 254 254 254
| PIN retry counter : 3 3 3
| Signature counter : 2
| Signature key ....: C6D5 0824 A809 7BE4 A361 C32F 093F F6DC C866 6A7F
| Encryption key....: 507C 70C6 8356 7B18 7129 BDF0 DCD9 30F3 0AA7 A3EB
| Authentication key: [none]
| General key info..:
| pub 1024R/C8666A7F 2004-10-21 test key #2
|
I also get errors, when I try to generate keys on card:
| weasel at galaxy:~/local/gnupg-1.3/bin$ ./gpg --card-edit
| gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
| gpg: It is only intended for test purposes and should NOT be
| gpg: used in a production environment or with production keys!
| gpg: WARNING: using insecure memory!
| gpg: please see http://www.gnupg.org/faq.html for more information
|
| gpg: detected reader `SCR 335 00 00'
| Application ID ...: D27600012401000700000000000B0000
| Version ..........: 0.7
| Manufacturer .....: test card
| Serial number ....: 0000000B
| Name of cardholder: Peter Palfrader
| Language prefs ...: de
| Sex ..............: unspecified
| URL of public key : [not set]
| Login data .......: [not set]
| Signature PIN ....: not forced
| Max. PIN lengths .: 254 254 254
| PIN retry counter : 3 3 3
| Signature counter : 0
| Signature key ....: 5F4B 8822 9505 F0AB FCF9 B42E A539 7028 2348 6CE9
| Encryption key....: 971F 6CF0 3EA3 2224 A16B 07E6 197A 596B C16B 0A8A
| Authentication key: [none]
| General key info..: [none]
|
| Command> generate
|
| Admin-only command
|
| Command> admin
|
| Command> generate
| Make off-card backup of encryption key? (Y/n) n
|
| gpg: NOTE: keys are already stored on the card!
|
| Replace existing keys? (y/N) y
| gpg: DBG: asking for PIN 'PIN'
|
| PIN
| Please specify how long the key should be valid.
| 0 = key does not expire
| <n> = key expires in n days
| <n>w = key expires in n weeks
| <n>m = key expires in n months
| <n>y = key expires in n years
| Key is valid for? (0) 2w
| Key expires at Thu Nov 4 08:40:39 2004 CET
| Is this correct? (y/N) y
|
| You need a user ID to identify your key; the software constructs the user ID
| from the Real Name, Comment and Email Address in this form:
| "Heinrich Heine (Der Dichter) <heinrichh at duesseldorf.de>"
|
| Real name: test key
| Email address:
| Comment:
| You selected this USER-ID:
| "test key"
|
| Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
| gpg: existing key will be replaced
| gpg: 3 Admin PIN attempts remaining before card is permanently locked
| gpg: DBG: asking for PIN 'Admin PIN'
|
| Admin PIN
| gpg: please wait while key is being generated ...
| gpg: pcsc_transmit failed: not transacted (0x80100016)
| gpg: apdu_send_simple(0) failed: card I/O error
| gpg: generating key failed
| gpg: key generation failed: general error
| gpg: pcsc_transmit failed: not transacted (0x80100016)
| gpg: apdu_send_simple(0) failed: card I/O error
| gpg: error reading application data
| gpg: key generation failed: general error
| gpg: pcsc_transmit failed: not transacted (0x80100016)
| gpg: apdu_send_simple(0) failed: card I/O error
| gpg: error reading application data
| gpg: key generation failed: general error
| Key generation failed: general error
|
| weasel at galaxy:~/local/gnupg-1.3/bin$
Is my card broken, or is there some other problem?
Thanks for your great help.
[If you feel this should be moved to the gnupg-devel list, please do.
Please CC me in that case]
--
Peter
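A small added diagnostic helper, not part of the mail above: it parses the card status block quoted in the post and checks whether the key ID gpg named in "encrypted with 1024-bit RSA key, ID 0AA7A3EB" is actually the card's encryption key, which is the check the poster did by eye. The sample status text is constructed from the lines in the mail; the function names are mine.

```python
# Added example (not from the mail): a short key ID is the last 8 hex digits
# of the fingerprint, so "is this key on the card" is a suffix comparison.
import re

# Constructed sample: the relevant lines of the card status from the post.
CARD_STATUS = """\
Serial number ....: 0000000B
PIN retry counter : 3 3 3
Signature key ....: C6D5 0824 A809 7BE4 A361 C32F 093F F6DC C866 6A7F
Encryption key....: 507C 70C6 8356 7B18 7129 BDF0 DCD9 30F3 0AA7 A3EB
Authentication key: [none]
"""

FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*\.*\s*:\s*(?P<val>.*)$")

def parse_card_status(text):
    """Map field label -> value; the dots are gpg padding, fingerprints become 40 hex chars."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key").strip()
        val = m.group("val").strip()
        if key.endswith(" key") and val != "[none]":
            val = val.replace(" ", "").upper()
        fields[key] = val
    return fields

def retry_counters(fields):
    """(user PIN, reset code, Admin PIN) retries left, in the order gpg prints them."""
    return tuple(int(x) for x in fields["PIN retry counter"].split())

def card_slot_for_key_id(fields, key_id):
    """Return the slot name holding the key with this short/long key ID, or None."""
    key_id = key_id.replace(" ", "").upper()
    for slot in ("Signature key", "Encryption key", "Authentication key"):
        fpr = fields.get(slot, "[none]")
        if fpr != "[none]" and fpr.endswith(key_id):
            return slot
    return None

def diagnose(status_text, key_id):
    """Verdict: is the key on the card, and does the user PIN still have retries?"""
    fields = parse_card_status(status_text)
    slot = card_slot_for_key_id(fields, key_id)
    if slot is None:
        return "key %s is not on card %s" % (key_id, fields["Serial number"])
    return "key %s is the card's %s; %d PIN retries left" % (key_id, slot, retry_counters(fields)[0])
```

For the post's case it reports the key as the card's encryption key with all PIN retries left, so the "secret key not available" failure is not a key-mismatch or blocked-PIN problem.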