pinpad cardreader; imported smart-card keys

Alex Mauer hawke at hawkesnest.net
Mon Jun 27 23:30:15 CEST 2005


I'll ask the quick question first:

I purchased an SCM SPR332 card reader, based on the Smartcard Howto's
statement (about the SPR532) "The pinpad may be used to securely enter
the PIN".  I have found that I cannot use the pinpad, at least not with
gnupg.  Is this due to a misinterpretation of that statement?  If so,
perhaps changing the howto to indicate that while it may be used to
securely enter a pin, Gnupg doesn't support this functionality. Or is it
simply that the SPR532 works and the SPR 332 does not?  Since the 332 is
just a usb-only version of the 532, I'm figuring gnupg doesn't support
this feature at all.  I'd be happy to help test/debug if anyone's
willing to add it.

Secondly, the longer and more involved question:
I recently acquired an OpenPGP smart card, and while starting to use it,
I noticed some strangeness:

First, my current arrangement is as follows: I have a DSA master signing
key, an ElGamal encryption subkey, and a DSA signing subkey.  To use the
smart card, I need to add an RSA signing key, and an RSA encryption key
as well.

Well, I did so, and this went reasonably smoothly.  But, I then tried to
make these keys usable on another system.

From what I can google, I should be able to (re)generate the stub keys
by using 'gpg --card-status'.  But, this seems not to work.

If I then copy the pubring.gpg from the first machine and import it on
the second, then when I run 'gpg --card-status' it fills in the field
"General key info", and then it can apparently generate the stub RSA
keys.  But the secret parts of the subkeys are not available (indicated
with a #, which I'm used to seeing for the master key).  So I figure
I'll import those secret parts, but it tells me "secret keys unchanged:
1" and nothing changes.

So, I delete the secret keyring from the new machine, and import the old
subkeys' secret parts first, then the new RSA subkeys' public parts. Now
everything seems to work.

BUT, when I run gpg --list-secret-keys I get the following output
(removing some extra uids):

sec#  1024D/51192FF2 2002-03-22
uid                  Alex L. Mauer (Home) <hawke at hawkesnest.net>
ssb   2048g/9150664F 2004-07-01
ssb   1024D/3F52F59F 2004-12-13

sec#  1024D/51192FF2 2002-03-22
uid                  Alex L. Mauer (Home) <hawke at hawkesnest.net>
ssb#  2048g/1DA6A1C7 2003-06-27
ssb#  2048g/9150664F 2004-07-01
ssb#  1024D/3F52F59F 2004-12-13
ssb#  2048g/96FAE64B 2002-03-22
ssb#  2048g/0193A5EB 2003-04-15
ssb>  1024R/4A1C1224 2005-06-27
ssb>  1024R/F40CACBA 2005-06-27

Shouldn't gnupg only produce one entry for that, like:

sec#  1024D/51192FF2 2002-03-22
uid                  Alex L. Mauer (Home) <hawke at hawkesnest.net>
ssb#  2048g/1DA6A1C7 2003-06-27
ssb   2048g/9150664F 2004-07-01
ssb   1024D/3F52F59F 2004-12-13
ssb#  2048g/96FAE64B 2002-03-22
ssb#  2048g/0193A5EB 2003-04-15
ssb>  1024R/4A1C1224 2005-06-27
ssb>  1024R/F40CACBA 2005-06-27

Shouldn't I be able to import the secret parts of subkeys 9150664f and
3f52f59f after the stub keys have been created??

Oh, this is with gnupg 1.4.1 and 1.4.2rc2.

-- 
Bad - You get pulled over for doing 90 in a school zone and you're drunk
off your ass again at three in the afternoon.
Worse - The cop is drunk too, and he's a mean drunk.
FUCK! - A mean drunk that's actually a swarm of semi-sentient
flesh-eating beetles.
OpenPGP key id: 0x51192FF2 @ subkeys.pgp.net
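An added example (not part of the post, and not GnuPG's own code) that parses the GnuPG 1.4 `--list-secret-keys` listing quoted above, classifies each subkey's secret part from the `#` (stub) and `>` (on smart card) markers, flags a primary key that appears in two `sec` blocks, and computes the single merged entry the poster expected. The sample listing is constructed from the post's output with uids trimmed.

```python
"""Parse GnuPG 1.4 'gpg --list-secret-keys' output (the format quoted above),
classify each subkey's secret part and flag a primary key listed twice."""
import re

# Constructed sample: the listing quoted in the post, uids trimmed.
SAMPLE = """\
sec#  1024D/51192FF2 2002-03-22
uid                  Alex L. Mauer (Home) <hawke at hawkesnest.net>
ssb   2048g/9150664F 2004-07-01
ssb   1024D/3F52F59F 2004-12-13

sec#  1024D/51192FF2 2002-03-22
uid                  Alex L. Mauer (Home) <hawke at hawkesnest.net>
ssb#  2048g/1DA6A1C7 2003-06-27
ssb#  2048g/9150664F 2004-07-01
ssb>  1024R/4A1C1224 2005-06-27
"""

# sec/ssb record: type, marker, bits+algo, 8-hex key id, date.
# Marker '#' = secret part missing (stub), '>' = secret part on a smart card.
LINE_RE = re.compile(r"^(sec|ssb)([#>]?)\s+\d+[A-Za-z]/([0-9A-Fa-f]{8})\s+\d{4}-\d{2}-\d{2}")
STATUS = {"": "present", "#": "stub", ">": "on-card"}
RANK = {"stub": 0, "on-card": 1, "present": 2}

def parse_listing(text):
    """One dict per 'sec' block: primary id, its status, ordered {subkey id: status}."""
    blocks, current = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # uid lines and blanks are not key records
        rectype, marker, keyid = m.group(1), m.group(2), m.group(3).upper()
        if rectype == "sec":
            current = {"primary": keyid, "status": STATUS[marker], "subkeys": {}}
            blocks.append(current)
        elif current is not None:
            current["subkeys"][keyid] = STATUS[marker]
    return blocks

def duplicate_primaries(blocks):
    """Primary key ids that occur in more than one 'sec' block."""
    ids = [b["primary"] for b in blocks]
    return sorted({k for k in ids if ids.count(k) > 1})

def merged_view(blocks, primary):
    """The single entry the poster expected: best status seen per subkey."""
    merged = {}
    for b in (b for b in blocks if b["primary"] == primary):
        for keyid, st in b["subkeys"].items():
            if keyid not in merged or RANK[st] > RANK[merged[keyid]]:
                merged[keyid] = st
    return merged
```

Run `duplicate_primaries(parse_listing(SAMPLE))` on a real listing to spot the double entry before trusting which subkeys have usable secret parts.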