signatures using S-Trust smart card
Ullrich Martini
mailbox at ullrich.martini.name
Thu Jan 4 11:43:30 CET 2007
>
> > the German ZKA specification which is an evolved version of the "DIN
> > signature card", which finally should be supported by gpgsm through
> > dinsig.c
>
> Basically it works. But: Quite some time ago I received a test card
> and tried to make it work. The problem at that time was that there
> was no way to get the root certificate for this test card. I had some
> mail exchange with S-Trust and they sent me an NDA to sign. This NDA
> had terms which would have prevented me from doing any work on qualified
> signatures for any other issuer. Obviously I didn't sign it. This
> was before S-Trust went into production.
I got the root certificate from their web site and an intermediate
certificate by email. It seems that they changed their policy there.
However, one has to sign a pretty strange agreement to get the ZKA spec.
> I still hesitate to do any development with real cards as there is the
> chance that I might accidentally sign a document.
I would be willing to take this risk. Furthermore, it seems that the key
in question is the non-qualified one so it's not a legal signature
anyway.
>
> All other CAs issue test cards under reasonable terms - only S-Trust
> does not. Thus I see no way to support/test them.
>
> > Now I'm at a loss. Of course, there is no secret key, because it is still
> > on the card. Looks to me as if gpgsm is missing the fact that this key
> > must be used through the card reader.
>
> Add
>
> debug 2048
> debug 1024
>
> to ~/.gnupg/scdaemon.conf and
>
> debug 1024
>
> to ~/.gnupg/gpg-agent.conf as well as an appropriate log file[1] and
> restart gpg-agent[2]
>
This is what happens there:
[client at fd 7 connected]
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK Pleased to meet you
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- RESET
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION display=:0.0
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION ttyname=/dev/pts/0
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION ttytype=xterm
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION lc-ctype=de_DE@euro
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- OPTION lc-messages=de_DE@euro
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- HAVEKEY 864314699D78AB3F134A009BDD3FF4F7F2F86779
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> ERR 67108881 Kein geheimer Schlüssel <GPG Agent>
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- [EOF]
[client at fd 7 disconnected]
The correct fingerprint of the key to be used is
3D:21:BC:85:ED:A7:4D:98:F1:AC:5A:71:F4:26:77:1A:15:0F:47:BD
I do not know how the value 864314... is calculated. It seems that there
is no communication with scdaemon.
best regards,
Ullrich
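The 40-digit value gpg-agent is asked about with HAVEKEY is a libgcrypt keygrip, derived from the public key parameters, and not the certificate fingerprint, so the two values can never match. As an added example that is not part of the original thread, the Python below computes an RSA keygrip as I understand libgcrypt's rule (SHA-1 over the modulus alone, as an unsigned integer), splits the numeric ERR value from the log into its source and error code (4 and 17, i.e. "no secret key" reported by gpg-agent, which is what the German message says), and parses a constructed, mail-wrapped copy of the agent log to pull out exactly that failed HAVEKEY.

```python
import hashlib
import re
# Keygrip of an RSA key, as I understand libgcrypt's rule: SHA-1 over the public
# modulus n as an unsigned big-endian integer (no leading zero byte; e is not hashed).
def rsa_keygrip(n: int) -> str:
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest().upper()

# gpgsm prints certificate fingerprints colon-separated; keygrips are bare hex.
def normalise_hex(s: str) -> str:
    return s.replace(":", "").upper()

# A numeric gpg-error value keeps the error in its low 16 bits and the reporting
# component ("source") in bits 24-30; 67108881 splits into source 4, error 17.
def decode_gpg_error(code: int) -> tuple:
    return (code >> 24) & 0x7F, code & 0xFFFF

LOG_RE = re.compile(r"^(\d+) - (\S+ \S+) gpg-agent\[[\d.]+\] DBG: (<-|->) (.*)$")

# Turn gpg-agent "debug 1024" output into records, rejoining lines that a mail
# client wrapped (continuation lines carry no "fd - timestamp" prefix).
def parse_agent_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append({"fd": int(m.group(1)), "dir": m.group(3), "msg": m.group(4)})
        elif records and line.strip() and not line.startswith("["):
            records[-1]["msg"] += " " + line.strip()
    return records

# (keygrip, (source, error)) for every HAVEKEY that the agent answered with ERR.
def havekey_failures(records: list) -> list:
    out = []
    for i, r in enumerate(records[:-1]):
        nxt = records[i + 1]["msg"]
        if r["dir"] == "<-" and r["msg"].startswith("HAVEKEY ") and nxt.startswith("ERR "):
            out.append((r["msg"].split()[1], decode_gpg_error(int(nxt.split()[1]))))
    return out

# Constructed sample: the exchange from the log above, wrapped as a mail client wraps long lines.
SAMPLE_LOG = """\
[client at fd 7 connected]
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> OK Pleased to meet
you
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: <- HAVEKEY
864314699D78AB3F134A009BDD3FF4F7F2F86779
7 - 2007-01-04 10:58:57 gpg-agent[4575.0] DBG: -> ERR 67108881 Kein
geheimer Schlüssel <GPG Agent>
"""
```

Running `havekey_failures(parse_agent_log(SAMPLE_LOG))` yields the keygrip from the log paired with `(4, 17)`, and `normalise_hex()` of the certificate fingerprint shows at a glance that it is a different 40-digit value.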