Some bits about SCdaemon

Werner Koch wk at gnupg.org
Thu Mar 15 18:23:11 CET 2007 

On Thu, 15 Mar 2007 14:20, simon at josefsson.org said:

> * Get a list of private keys, some information about it (e.g., RSA?
>   DSA? etc) and their related X.509 or OpenPGP cert.  Possibly the
>   user should be able to use a fingerprint or similar to indicate a
>   particular key or certificate.

This is possible for the current smart card.  Send "SCD LEARN" to the
gpg-agent. 

Listing all available private on-disk keys is not yet possible.  The
only reason for this is that an implementation of the gpg-agent
protocol might not allow to list the keys because they are stored on a
HSM which does not implement such a feature.  However, for the current
implementation it would be easy to add such a command.  For now you
need to know the public key to check whether gpg-agent has the private
part.

gpg-agent does not know anything about protocols, so you need to use a
hash of the public key (the keygrip) to identify a key.

> * Ask GnuPG 2.x to sign something using a particular key.  I suppose
>   some external component, typically gpg-agent or seahorse, would be
>   responsible for authorization the request and get the passphrase, I
>   don't think that belongs in GnuTLS.  Possibly for servers, having a
>   callback via GnuTLS to get the passphrase would be useful.

The cetral place is gpg-agent.  It will take care of signing and
decryption and may divert processing to scdaemon.

The idea is that you always try to use gpg-agent and only if it is not
available, use scdaemon directly.  Using gpg-agent has the advantage
that it will take care of the PIN.

For servers you would use gpg-preset-passphrase to tell gpg-agent in
advance about a passphrase.  A callback is not easy to implement.  The
pnly way I see is to have a special pinentry whcih loops back to the
actual application (we recently discussed this on emacs-devel).

> Talking to scdaemon only give me smart-card access, but not access to
> private keys stored under ~/.gnupg.  I think the ~/.gnupg use-case is
> important.  GnuTLS shouldn't work only with smart card keys.

Right.  However in most cases you will use gpg-agent to proxy commands
to scdaemon and then you can also use gpg-agent directly.

> Talking to gpgsm only give me X.509 certificates, and possibly also
> signing of them.  (Does gpgsm support raw signing, or only CMS?)

gpgsm is a pure CMS application.

> Using gpgme doesn't give me access to raw RSA/DSA signing, only
> OpenPGP or CMS (or?).  My knowledge of GPGME is weak, and possibly I

gpgme is designed for and encryption and signing but not for
authentication or stream signing.

> should be using it.  Is there a gpgme server?  I'm not sure GnuTLS
> should link to gpgme directly, the child processes, signal handling,
> thread issues are problematic, so I would prefer to talk to an

I once thought about that.  But I doubt that you really need it.
Check out gnupg/sm/call-agent.c on how decryption and signing can be
delegated to gpg-agent/scdaemon.



Shalom-Salam,

   Werner

More information about the Gnupg-devel mailing list