Automatic PINpad support for the Cherry KC 1000 SC

NIIBE Yutaka
Thu Nov 10 03:17:42 CET 2016


Thank you for your information.  Let me ask a few questions.

On 11/09/2016 09:56 AM, David Strauss wrote:
> The current PINpad detection [1] automatically uses secure PIN entry on
> the older Cherry ST2000 keyboards. The KC 1000 SC is the successor
> product, and it also supports direct, variable-length PIN entry. I have
> tested the support by setting "enable-pinpad-varlen" in scdaemon.conf,
> and it works reliably. It would be good if GnuPG automatically detected
> the new model.

Are you using scdaemon with PC/SC?  I think that it can work well
somehow with the internal ccid driver without setting
"enable-pinpad-varlen" in scdaemon.conf (you need the permission
setting for the USB device).

Please try with no PC/SC service.

> Here is the dmesg output from plugging the device in, which I think
> contains the necessary vendor IDs:
> [  862.822190] usb 1-3: new full-speed USB device number 6 using xhci_hcd
> [  862.999508] usb 1-3: New USB device found, idVendor=046a, idProduct=00a1
> [  862.999517] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
> [  862.999522] usb 1-3: Product: KC 1000 SC
> [  862.999526] usb 1-3: Manufacturer: Cherry
> [  863.008566] input: Cherry KC 1000 SC as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:046A:00A1.0003/input/input19
> [  863.061868] hid-generic 0003:046A:00A1.0003: input,hidraw0: USB HID v1.11 Keyboard [Cherry KC 1000 SC] on usb-0000:00:14.0-3/input0
> [  863.066893] input: Cherry KC 1000 SC as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:046A:00A1.0004/input/input20
> [  863.119355] hid-generic 0003:046A:00A1.0004: input,hidraw1: USB HID v1.11 Device [Cherry KC 1000 SC] on usb-0000:00:14.0-3/input1
> I attempted to create a patch, but it wasn't clear to me that the KC
> 1000 SC should have the exact same configuration as the ST2000. I would
> be happy to send a KC 1000 SC to an established GnuPG contributor to
> help get this support added. I would also be happy to test any patches.

I'm concerned about whether this reader works well with the OpenPGP
card for RSA-2048 or larger keys.

I'm looking at the information here:

If it is correct (no extended APDU support), this reader can't be used
with the OpenPGP card for RSA-2048 or larger keys for the following
operations:

    * key registration
    * decryption

while digital signing and authentication would work.

Note that the ST-2000 only supports TPDU-level exchange (a lower level
than APDU); thus it works well (the handling of larger messages is done
on the host side).

Well, some people still have old keys and want to keep using them with
the OpenPGP card, and want to use the PC/SC service for some reason.
For those people, a possible fix may be something like this:

diff --git a/scd/apdu.c b/scd/apdu.c
index 3e2b609..54f3b30 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -1896,8 +1896,12 @@ pcsc_vendor_specific_init (int slot)
       reader_table[slot].is_spr532 = 1;
       reader_table[slot].pinpad_varlen_supported = 1;
-  else if (vendor == 0x046a && product == 0x003e) /* Cherry ST-2xxx */
+  else if (vendor == 0x046a)
+      /* Cherry ST-2xxx (product == 0x003e) supports TPDU level
+       * exchange.  Other products which only support short APDU level
+       * exchange only work with shorter keys like RSA 1024.
+       */
       reader_table[slot].pcsc.pinmax = 15;
       reader_table[slot].pinpad_varlen_supported = 1;
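Review bot: The widened condition `else if (vendor == 0x046a)` matches every Cherry PC/SC reader, not only the two PIN-pad models discussed in this thread, so any Cherry device enumerated through PC/SC is given `pinmax = 15` and `pinpad_varlen_supported = 1` even if it has no PIN pad or a different PIN length limit. The added comment explains the short-APDU limitation, but the code does nothing with it, so a user with an RSA-2048 key gets unexplained failures on decryption and key import rather than a diagnostic. Suggest keeping an explicit product list, e.g. `else if (vendor == 0x046a && (product == 0x003e || product == 0x00a1))` using the idProduct from the dmesg output quoted above, and emitting a log message (or at least stating in the comment) that non-TPDU Cherry readers only work with keys whose command data fits a short APDU.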
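To make the short-APDU limitation above concrete, here is an added example (not code from GnuPG or from this thread) that builds the ISO 7816-4 command APDUs for the OpenPGP card's PSO:DECIPHER and PSO:COMPUTE DIGITAL SIGNATURE operations and checks, for RSA-1024, RSA-2048 and RSA-4096, whether the command data fits the one-byte Lc field of a short APDU. The helper names, the constructed digests and ciphertexts, and the lower-bound estimate of the private-key template size are assumptions made here; the DigestInfo prefix and the APDU length encodings follow RFC 8017 and ISO 7816-4.

```python
"""Short vs. extended APDUs for OpenPGP card operations.

Added example, not code from GnuPG or from the thread above.  It builds
the ISO 7816-4 command APDUs for the OpenPGP card's PSO:DECIPHER and
PSO:COMPUTE DIGITAL SIGNATURE commands and checks, per RSA key size,
whether the command data fits the one-byte Lc of a short APDU.  A reader
that only passes short APDUs cannot transport the extended form, which
is why decryption and key registration fail for RSA-2048 while signing
still works.  Key sizes, digests and ciphertexts are constructed here.
"""

SHORT_LC_MAX = 255  # largest data length a one-byte Lc can express
SHORT_LE_MAX = 256  # Le = 0x00 in a short APDU means "up to 256 bytes"

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def needs_extended(data_len, le=None):
    """True if a command with this data length / Le needs extended encoding."""
    return data_len > SHORT_LC_MAX or (le is not None and le > SHORT_LE_MAX)


def encode_apdu(cla, ins, p1, p2, data=b"", le=None):
    """Serialise a command APDU, short form when possible, else extended."""
    header = bytes([cla, ins, p1, p2])
    if not needs_extended(len(data), le):
        body = bytes([len(data)]) + data if data else b""
        if le is not None:
            body += bytes([le % SHORT_LE_MAX])  # 256 is encoded as 0x00
        return header + body
    # Extended form: Lc is 00 xx xx; Le is 2 bytes after data, else 00 xx xx.
    body = b""
    if data:
        body += b"\x00" + len(data).to_bytes(2, "big") + data
    if le is not None:
        le_bytes = (le % 65536).to_bytes(2, "big")  # 65536 is encoded as 0000
        body += le_bytes if data else b"\x00" + le_bytes
    return header + body


def decipher_apdu(ciphertext):
    """PSO:DECIPHER: 0x00 padding indicator followed by the RSA ciphertext."""
    return encode_apdu(0x00, 0x2A, 0x80, 0x86, b"\x00" + ciphertext, le=256)


def sign_apdu(sha256_digest):
    """PSO:CDS: the DigestInfo to be signed; the card returns the signature."""
    data = SHA256_DIGESTINFO_PREFIX + sha256_digest
    return encode_apdu(0x00, 0x2A, 0x9E, 0x9A, data, le=256)


def operations_for_key_bits(bits):
    """Which operations fit a short APDU for an RSA key of `bits` bits.

    Only the command data matters: a long *response* (e.g. a 512-byte
    RSA-4096 signature) is fetched in 256-byte pieces with GET RESPONSE,
    which short-APDU readers handle fine.
    """
    modulus_len = bits // 8
    ciphertext = bytes(i % 256 for i in range(modulus_len))  # constructed
    digest = bytes(32)                                       # constructed
    # Key registration sends the private-key template with PUT DATA; the
    # template carries at least e (3 bytes) plus p and q (bits/16 bytes
    # each) before any TLV framing, so this is a lower bound on its size.
    key_template_min = 3 + 2 * (bits // 16)
    return {
        "decrypt": not needs_extended(1 + len(ciphertext), 256),
        "sign": not needs_extended(len(SHA256_DIGESTINFO_PREFIX) + len(digest), 256),
        "key_import": not needs_extended(key_template_min),
    }


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        ops = operations_for_key_bits(bits)
        summary = ", ".join(f"{op}={'short' if ok else 'extended'}" for op, ok in ops.items())
        print(f"RSA-{bits}: {summary}")
    print("PSO:DECIPHER APDU length for RSA-2048:", len(decipher_apdu(bytes(256))))
```

For RSA-1024 every command fits in a short APDU; for RSA-2048 the decipher data is 257 bytes and the key template is at least 259 bytes, so both need the extended form (or a TPDU-level reader that lets the host split them), while the 51-byte signing input still fits. That matches the list of affected operations above.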
