smart card under linux

Philip Jackson philip.jackson at nordnet.fr
Wed Oct 22 21:07:03 CEST 2014


Peter, I've had time to read and try to get to grips with the contents of your
email.  They've helped me make some progress:

On 22/10/14 11:19, Peter Lebbing wrote:
> On 21/10/14 00:36, Philip Jackson wrote:
>> I've followed, I believe, all the instructions in the gnupg.com smartcard howto.
>>  In para 2.3.1 CCID : I've tried both the instructions under 'with udev
>> (preferred installation)' and further down 'with hotplug (deprecated in modern
>> systems)'
> 
> These steps were superfluous for me for Debian jessie/testing because the
> necessary udev rules are included in the gnupg package already. However, I use
> an SPR532 here. The SCM3512 is not mentioned in the rules file, so you might
> need to add an entry.
> 
> Here's how it looks for me:
> 
> ----------------------8<------------------->8----------------------
> $ lsusb
> [...]
> Bus 005 Device 005: ID 04e6:e003 SCM Microsystems, Inc. SPR532 PinPad SmartCard
> Reader
> [...]
> 
I got (and get) for the SCT3512:

Bus 002 Device 009: ID 04e6:5410 SCM Microsystems, Inc. SCR35xx Smart Card Reader

The SCT3512 is seen as an SCR35xx reader and I took the value 5410 for the
idProduct.

> $ cd /dev/bus/usb/005
> $ ls -l
> total 0
> crw-rw-r--  1 root root 189, 512 Oct 22  2014 001
> crw-rw-r--  1 root root 189, 513 Oct 22  2014 002
> crw-rw-r--  1 root root 189, 514 Oct 22  2014 003
> crw-rw-r--  1 root root 189, 515 Oct 22  2014 004
> crw-rw-r--+ 1 root root 189, 516 Oct 22 10:53 005
> ----------------------8<------------------->8----------------------
> 
> Notice the +. There's an ACL active here.
> 
> ----------------------8<------------------->8----------------------
> $ getfacl 005
> # file: 005
> # owner: root
> # group: root
> user::rw-
> user:peter:rw-
> group::rw-
> mask::rw-
> other::r--
> ----------------------8<------------------->8----------------------
> 
> Ah, I have write access! You will definitely need write access, although maybe
> not for this specific character device. An USB device might create several
> "nodes" in /dev, I'm not sure which one you need write access to.
> 

I get similar indications but don't see myself listed as a user - not to worry
for the moment.

> And here is the file that gives me the access:
> 
> ----------------------8<------------------->8----------------------
> $ cat /lib/udev/rules.d/60-gnupg.rules
> # do not edit this file, it will be overwritten on update
> 
> SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
> ACTION!="add", GOTO="gnupg_rules_end"
> 
> # USB SmartCard Readers
> [...]
> ## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
> [...]
> ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
> [...]
> ----------------------8<------------------->8----------------------

I found two such files:

/lib/udev/rules.d/40-gnupg.rules
/lib/udev/rules.d/40-gnupg2.rules


> The ID_SMARTCARD_READER environment variable is used in
> /lib/udev/rules.d/70-uaccess.rules and /lib/udev/rules.d/99-systemd.rules.
> Somewhere there the write access is actually set up. These files are from the
> systemd package. Note that I actually use sysvinit as init system, not systemd,
> but this is still where it is set up for Debian. It allows access to smartcard
> readers for people who are logged in to a "head" of the system (I presume).

I found the 70-uaccess.rules file but nothing for systemd

> 
> So let's suppose your device is not 04e6:e003 but 04e6:1234. If I were to have
> that device, I would need to add the following file:
> 
> ----------------------8<------------------->8----------------------
> $ cat >/etc/udev/rules.d/60-gnupg-extra.rules <<EOF
> SUBSYSTEM!="usb", GOTO="gnupg_extra_rules_end"
> ACTION!="add", GOTO="gnupg_extra_rules_end"
> 
> # The venerable SCM 1234 reader (it can count!)
> ATTR{idVendor}=="04e6", ATTR{idProduct}=="1234", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
> 
> LABEL="gnupg_extra_rules_end"
> EOF
> ----------------------8<------------------->8----------------------

Based on your code above, I prepared a couple of files for /etc/udev/rules.d/:

40-gnupg-extra.rules
40-gnupg2-extra.rules

with appropriate modifications and using the idProduct value 5410.


> That last line is not part of the file, it signals end-of-file to the cat
> command. Also, there's a long line that's split but shouldn't be.
> 
> And that would be all I need to add to udev! And it would work for anyone
> logging into X on your monitor and keyboard (the "head").

The result was definitely showing that some progress has been achieved:

gpg2 --card-status
scdaemon[5697]: PC/SC OPEN failed: no service (0x8010001d)
scdaemon[5697]: PC/SC OPEN failed: no service (0x8010001d)
gpg: selecting openpgp failed: Card error
gpg: OpenPGP card not available: Card error
:~$ scdaemon[5697]: scdaemon (GnuPG) 2.0.26 stopped

Although not a success, it was different: scdaemon tried to use PC/SC and failed.
Up until now, all I got from gpg2 --card-status was the two gpg lines.  The
scdaemon process that was stopped [5697] was not the process I have seen open
prior to this attempt and which is still open [2997].

So why would this attempt at gpg2 --card-status open another process rather than
use the one already open?


Using gpg was more successful:

gpg --card-status
Application ID ...: D2760001240102000005000028700000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00002870
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

This is very similar but not identical to what I got under Windows 7 with Gpg4win
2.2.2 (language prefs has changed from 'not set' to 'de', some other parameters
appear which were not shown before, and others have different values), but the
essential point is that the reader was recognised and the card was clearly
read.  So under gnupg 1.4.16 (the standard Ubuntu distro install) I now have
access to the card.

But I still have a bit more work to do for gnupg2 2.0.26

Thanks for your help,

Philip
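The procedure discussed in this thread (find the reader's USB ID with lsusb, write an extra udev rule that sets ID_SMARTCARD_READER for it so the uaccess rules grant the logged-in user an ACL on the device node, then confirm the ACL with getfacl) is collected below as an added example; it is not code from the thread or from the GnuPG project. It reuses the ID 04e6:5410 reported above and Peter's file name 60-gnupg-extra.rules; the function names, the guarded command-line usage at the bottom, and the udevadm reload/trigger step are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build a udev rule for a smart card reader
# the stock gnupg rules do not list, and locate the device node to check its ACL.
# Function names, the 60-gnupg-extra.rules file name and the udevadm step are
# assumptions; the USB ID 04e6:5410 is the one reported in the thread.

# Extract "vvvv:pppp" from one line of `lsusb` output.
usb_id_from_lsusb_line() {
    printf '%s\n' "$1" |
        sed -n 's/^Bus [0-9]* Device [0-9]*: ID \([0-9a-f]\{4\}:[0-9a-f]\{4\}\).*/\1/p'
}

# Map the same lsusb line to the character device node udev creates for it
# (the node whose `ls -l` shows a '+' once an ACL has been applied).
usb_node_from_lsusb_line() {
    printf '%s\n' "$1" |
        sed -n 's|^Bus \([0-9]\{3\}\) Device \([0-9]\{3\}\):.*|/dev/bus/usb/\1/\2|p'
}

# Accept only exactly four lowercase hex digits, as udev's ATTR match expects.
is_hex4() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{4}$'
}

# Emit a complete rules file body for one reader. The ATTR line is deliberately
# kept on a single line: mail clients wrap it, udev does not accept the wrapped form.
gnupg_udev_rule() {
    vendor=$1; product=$2; comment=${3:-extra smart card reader}
    is_hex4 "$vendor" && is_hex4 "$product" || { echo "bad USB id: $vendor:$product" >&2; return 1; }
    cat <<EOF
SUBSYSTEM!="usb", GOTO="gnupg_extra_rules_end"
ACTION!="add", GOTO="gnupg_extra_rules_end"

# $comment
ATTR{idVendor}=="$vendor", ATTR{idProduct}=="$product", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"

LABEL="gnupg_extra_rules_end"
EOF
}

# After the rule is installed and the reader re-plugged (or udev re-triggered),
# the node should carry a user:<login>:rw- entry for the console user.
show_node_acl() {
    node=$1
    [ -e "$node" ] || { echo "no such node: $node" >&2; return 1; }
    ls -l "$node"
    { command -v getfacl >/dev/null 2>&1 && getfacl "$node"; } || true
}

# Usage (as root): sh reader-rule.sh 04e6 5410
if [ "$#" -eq 2 ]; then
    gnupg_udev_rule "$1" "$2" "SCM Microsystems SCR35xx (seen as $1:$2)" \
        > /etc/udev/rules.d/60-gnupg-extra.rules || exit 1
    udevadm control --reload-rules && udevadm trigger
    line=$(lsusb -d "$1:$2" | head -n 1)
    show_node_acl "$(usb_node_from_lsusb_line "$line")"
fi
```

Run it as root with the vendor and product ID; then log in on the console (the "head") and check that `ls -l` on the node shows the '+' and `getfacl` lists your user with rw-. If the entry is missing, the rule never matched: re-check the ID against `lsusb` and that the ATTR line was not wrapped when the file was saved.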


