Yubikey and PIV support in 2.3 (was: Multiple readers with scdaemon)

Uri Blumenthal uri at mit.edu
Thu Sep 19 12:51:54 CEST 2019


That is interesting. But my platform is Mac, and among the apps I need working are MS Outlook and Apple Mail (and Safari). At least the Apple apps use CTK to access smart cards. I'm pretty sure that even if everything else GnuPG-related works OK the way you described, that GnuPG exclusive access would block out the native apps that do not (cannot) use scute.

Currently I'm using OpenSC for PKCS#11 access (Firefox, Adobe Acrobat, everything OpenSSL-based), and OpenSC.tokend or native pivtoken for those apps that don't speak PKCS#11 - which on Mac means either CDSA or CTK (tokend addresses CDSA apps such as MS Office, and pivtoken - the new CTK ones).

Frankly, I don't see how it would work on Mac, if GnuPG would lock the token for its own use only.

Which is why I keep saying that this lock should be a configurable parameter - maybe on by default, but with the ability to turn it off.

Also, OpenSC deals with multiple applets by testing whether the required applet is active, and re-asserting/selecting it if needed.


Sent from my test iPhone

> On Sep 19, 2019, at 04:10, Werner Koch <wk at gnupg.org> wrote:
> On Thu, 19 Sep 2019 00:13, uri at mit.edu said:
>> Another problem is that GnuPG insists on opening the card in an
>> exclusive mode - which is unacceptable for cards/tokens with multiple
>> applets (OpenPGP and PIV is what I've got), as different apps require
> Actually this is another reason to have exclusive access.  It allows
> us to switch between the PIV and OpenPGP apps on a Yubikey as needed.
>> use of both applets, sometimes running in parallel - like a browser
>> session that uses PIV to authenticate to the server, an email session
>> that may use both PIV and OpenPGP applets to deal with S/MIME and
>> PGP/MIME emails, and occasional SSH operations during that time.
> That is exactly the use case we have implemented.  Needs more testing
> with several cards but a single Yubikey works well enough known in 2.3.
> To make testing easier we have Debian packages of gnupg master (to be
> 2.3) and scute (our pkcs11 provider) available:
>  deb [arch=amd64] https://ftp.g10code.com/apt buster gnupg-beta
>  deb [arch=amd64] https://ftp.g10code.com/apt stretch gnupg-beta
>  deb [arch=amd64] https://ftp.g10code.com/apt cosmic gnupg-beta
> The versions currently available do not yet include gniibe's latest
> changes.  I was able to use gpg for signing and encrypting with a card
> while also accessing PIV key protected pages with Firefox.  Earlier this
> year I also did tests with Thunderbird which also worked.  Yubikey 5 and
> 4 are supported.  You may want to have a look at the new gpg-card tool
> and its man page.  Also gpg --full-gen-key and gpgsm --gen-key now show
> a list of keys available on the current smartcard and allow using them
> for the generation of OpenPGP/X.509 certificates.  --quick-gen-key has
> also been enhanced to act upon the special algo parameter "card" with
> the generation of a standard OpenPGP key based on the standard signing
> and decryption key of the card (for OpenPGP, Netkey, and PIV cards).
> Salam-Shalom,
>   Werner
> -- 
> Thoughts are free.  Exceptions are regulated by a federal law.