Card Reader on Cherry Keyboard (omnikey) with OpenPGP Smart Card

Oleksandr Shneyder oleksandr.shneyder at obviously-nice.de
Tue Aug 9 12:04:25 CEST 2011


Hello list,

I have issues using OpenPGP smart cards from "kernel concepts" with the
Omnikey card reader integrated in a Cherry keyboard (Cherry XX44 USB keyboard).

I can read a smart card status:

$ gpg --card-status
Application ID ...: D27600012401020000050000102E0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000102E
Name of cardholder: John Dow
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: alex
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 5
Signature key ....: F14E 8ED6 2459 8260 9D0B  D1F3 839F 90E1 8D22 1FF8
      created ....: 2011-08-09 09:38:42
Encryption key....: 1D98 37A5 BE5D 185F BDC0  AD1C 2D05 CC10 6206 765E
      created ....: 2011-08-09 09:38:42
Authentication key: 361B 505C DD7F 2F88 0C04  C5B1 BA91 2945 B68E 90D3
      created ....: 2011-08-09 09:38:42
General key info..: [none]


I can also change login data, PINs, etc.
But I cannot generate keys:

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n

gpg: NOTE: keys are already stored on the card!

Replace existing keys? (y/N) y
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN

Please enter the PIN
What keysize do you want for the Signature key? (2048)
What keysize do you want for the Encryption key? (2048)
What keysize do you want for the Authentication key? (2048)
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh at duesseldorf.de>"

Real name: John Dow
Email address:
Comment:
You selected this USER-ID:
    "John Dow"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: apdu_send_simple(0) failed: unknown status error
gpg: generating key failed
gpg: key generation failed: general error
Key generation failed: general error

gpg/card>


Using an existing key for authentication does not work either:

$ gpg-agent --enable-ssh-support --daemon --log-file /tmp/gpg-agent.log

$ ssh-add -L
The agent has no identities.

$ cat /tmp/gpg-agent.log
2011-08-09 11:47:02 gpg-agent[16906] listening on socket
`/tmp/gpg-3QmD1w/S.gpg-agent'
2011-08-09 11:47:02 gpg-agent[16906] listening on socket
`/tmp/gpg-YdDV3Y/S.gpg-agent.ssh'
2011-08-09 11:47:02 gpg-agent[16907] gpg-agent (GnuPG) 2.0.14 started
2011-08-09 11:47:14 gpg-agent[16907] ssh handler 0xff1d20 for fd 8 started
2011-08-09 11:47:14 gpg-agent[16907] ssh request 1 is not supported
2011-08-09 11:47:14 gpg-agent[16907] ssh request handler for
request_identities (11) started
2011-08-09 11:47:14 gpg-agent[16907] no running SCdaemon - starting it
2011-08-09 11:47:14 gpg-agent[16907] DBG: first connection to SCdaemon
established
gpg-agent[16907.10] DBG: -> GETINFO socket_name
gpg-agent[16907.10] DBG: <- D /tmp/gpg-XE8ndK/S.scdaemon
gpg-agent[16907.10] DBG: <- OK
2011-08-09 11:47:14 gpg-agent[16907] DBG: additional connections at
`/tmp/gpg-XE8ndK/S.scdaemon'
gpg-agent[16907.10] DBG: -> OPTION event-signal=12
gpg-agent[16907.10] DBG: <- OK
gpg-agent[16907.10] DBG: -> GETATTR $AUTHKEYID
gpg-agent[16907.10] DBG: <- S $AUTHKEYID OPENPGP.3
gpg-agent[16907.10] DBG: <- OK
gpg-agent[16907.10] DBG: -> GETATTR SERIALNO
2011-08-09 11:47:15 gpg-agent[16907] SIGUSR2 received - updating card
event counter
gpg-agent[16907.10] DBG: <- S SERIALNO D27600012401020000050000102E0000
gpg-agent[16907.10] DBG: <- OK
gpg-agent[16907.10] DBG: -> READKEY OPENPGP.3
gpg-agent[16907.10] DBG: <- ERR 100663305 No public key <SCD>
2011-08-09 11:47:15 gpg-agent[16907] no suitable card key found: No
public key
2011-08-09 11:47:15 gpg-agent[16907] ssh request handler for
request_identities (11) ready
gpg-agent[16907.10] DBG: -> RESTART
gpg-agent[16907.10] DBG: <- OK
2011-08-09 11:47:15 gpg-agent[16907] ssh handler 0xff1d20 for fd 8
terminated

If I use SCM card readers with these cards, everything works just fine.
I also have some older smart cards from "kernel concepts"; they work
perfectly with both card readers (SCM and the Omnikey in the Cherry keyboard).

Does anybody have the same problem? Is there a chance that we can use these
OpenPGP cards with Cherry keyboards? (We have bought 100 smart cards
and keyboards for our company.)

The system is Debian squeeze:
# dpkg --list | grep -i gnupg
ii  debian-archive-keyring                2010.08.28
          GnuPG archive keys of the Debian archive
ii  gnupg                                 1.4.10-4
          GNU privacy guard - a free PGP replacement
ii  gnupg-agent                           2.0.14-2
          GNU privacy guard - password agent
ii  gnupg2                                2.0.14-2
          GNU privacy guard - a free PGP replacement (new v2.x)
ii  libassuan-dev                         1.0.5-1
          IPC library for the GnuPG components
ii  libgpg-error-dev                      1.6-1
          library for common error values and messages in GnuPG components
ii  libgpg-error0                         1.6-1
          library for common error values and messages in GnuPG components
ii  libgpgme11                            1.2.0-1.2
          GPGME - GnuPG Made Easy
ii  libgpgme11-dev                        1.2.0-1.2
          GPGME - GnuPG Made Easy
ii  libkleopatra1                         4:3.5.9-5
          KDE GnuPG interface libraries
ii  pinentry-gtk                          0.7.5-2.1
          GTK+-based PIN or pass-phrase entry dialog for GnuPG
ii  pinentry-gtk2                         0.8.0-1
          GTK+-2-based PIN or pass-phrase entry dialog for GnuPG
ii  python-gnupginterface                 0.3.2-9.1
          Python interface to GnuPG (GPG)
ii  seahorse                              2.30.1-2
          GNOME front end for GnuPG

thanks,
-- 
Oleksandr Shneyder
Dipl. Informatik
X2go Core Developer Team

email:  oleksandr.shneyder at obviously-nice.de
web: www.obviously-nice.de

--> X2go - everywhere at home
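The `gpg --card-status` output quoted in the post carries everything one would want to check before running `generate` or wiring the card into gpg-agent's SSH support: whether the three key slots are already populated (gpg's "keys are already stored on the card!" warning), how many PIN and Admin PIN attempts are left, and the card's identity encoded in the Application ID. The following parser is an added example, not code from the original post or from GnuPG. It uses the card-status text from the post as its sample input. The Application ID field layout (RID, application byte, version, manufacturer, serial, RFU) and the order of the retry counters (user PIN, Reset Code, Admin PIN) follow the OpenPGP card specification; the function names `parse_card_status` and `preflight_generate` are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Sample input: the `gpg --card-status` output quoted in the post above.
SAMPLE_CARD_STATUS = """\
Application ID ...: D27600012401020000050000102E0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 0000102E
Name of cardholder: John Dow
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: alex
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 5
Signature key ....: F14E 8ED6 2459 8260 9D0B  D1F3 839F 90E1 8D22 1FF8
      created ....: 2011-08-09 09:38:42
Encryption key....: 1D98 37A5 BE5D 185F BDC0  AD1C 2D05 CC10 6206 765E
      created ....: 2011-08-09 09:38:42
Authentication key: 361B 505C DD7F 2F88 0C04  C5B1 BA91 2945 B68E 90D3
      created ....: 2011-08-09 09:38:42
General key info..: [none]
"""

KEY_SLOTS = ("Signature key", "Encryption key", "Authentication key")
OPENPGP_RID = bytes.fromhex("D276000124")  # registered application provider id

@dataclass
class CardStatus:
    aid: str
    version: str
    manufacturer_id: int
    serial: str
    retry_counters: Tuple[int, int, int]   # (user PIN, Reset Code, Admin PIN)
    signature_counter: int
    key_attributes: List[str]
    fingerprints: Dict[str, str]           # populated slots only, spaces removed

def parse_aid(aid_hex: str) -> Tuple[str, int, str]:
    """Split the 16-byte OpenPGP AID: RID(5) app(1) version(2) mfr(2) serial(4) RFU(2)."""
    raw = bytes.fromhex(aid_hex)
    if len(raw) != 16 or raw[:5] != OPENPGP_RID or raw[5] != 0x01:
        raise ValueError("not an OpenPGP card application id: %s" % aid_hex)
    version = "%d.%d" % (raw[6], raw[7])           # 0x02 0x00 -> "2.0"
    manufacturer = int.from_bytes(raw[8:10], "big")  # 0x0005 is ZeitControl (see post)
    serial = raw[10:14].hex().upper()
    return version, manufacturer, serial

def parse_card_status(text: str) -> CardStatus:
    """Turn the human-readable `gpg --card-status` dump into a CardStatus."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip(" .")          # "Signature key ...." -> "Signature key"
        if key == "created":           # belongs to the preceding key slot; not needed here
            continue
        fields[key] = value.strip()
    version, manufacturer, serial = parse_aid(fields["Application ID"])
    retries = tuple(int(n) for n in fields["PIN retry counter"].split())
    if len(retries) != 3:
        raise ValueError("unexpected retry counter line: %r" % fields["PIN retry counter"])
    fingerprints = {
        slot: re.sub(r"\s+", "", fields[slot])
        for slot in KEY_SLOTS
        if slot in fields and not fields[slot].startswith("[")   # "[none]" = empty slot
    }
    return CardStatus(
        aid=fields["Application ID"], version=version, manufacturer_id=manufacturer,
        serial=serial, retry_counters=retries, signature_counter=int(fields["Signature counter"]),
        key_attributes=fields["Key attributes"].split(), fingerprints=fingerprints,
    )

def preflight_generate(status: CardStatus) -> List[str]:
    """Warnings a practitioner wants before answering gpg's `generate` prompts."""
    warnings = []
    user_pin, reset_code, admin_pin = status.retry_counters
    if status.fingerprints:
        warnings.append("card already holds keys in %s; generate will replace them"
                        % ", ".join(sorted(status.fingerprints)))
    if admin_pin == 0:
        warnings.append("Admin PIN is locked; key generation and admin commands will fail")
    elif admin_pin < 3:
        warnings.append("only %d Admin PIN attempts left" % admin_pin)
    if user_pin < 3:
        warnings.append("only %d user PIN attempts left" % user_pin)
    if reset_code == 0:
        warnings.append("no Reset Code set (or it is locked): a lost user PIN needs the Admin PIN")
    return warnings

if __name__ == "__main__":
    status = parse_card_status(SAMPLE_CARD_STATUS)
    print("v%s mfr=0x%04X serial=%s" % (status.version, status.manufacturer_id, status.serial))
    for w in preflight_generate(status):
        print("WARNING:", w)
```

Run it against a live card with `gpg --card-status | python3 cardcheck.py` style plumbing (reading `sys.stdin` instead of the embedded sample); the AID check makes the parser refuse output from a non-OpenPGP applet rather than silently mis-labelling it.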
