How to use a PKCS#15 with GnuPG?
NdK
ndk.clanbo at gmail.com
Thu Jun 15 14:13:38 CEST 2017
Hello all.
I'm trying to use an ePass2003 token (and possibly some Aventra MyID
cards) to have my keys around when I need 'em (especially for
authentication and signing). Both ePass2003 and MyID implement PKCS#15,
so IIUC they should be usable.
Too bad I can't find the needed info...
I generated some test keys on the token (the SSH one is imported, for
another test):
$ pkcs15-tool -D
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [NdK-test]:
Version : 0
Serial number : 0843420916091101
Manufacturer ID: EnterSafe
Last update : 20170615092227Z
Flags : EID compliant
PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:16, stored_len:16
Pad char : 0x00
Reference : 1 (0x01)
Type : ascii-numeric
Path : 3f005015
Private RSA Key [SSH key]
Object Flags : [0x3], private, modifiable
Usage : [0x4], sign
Access Flags : [0xD], sensitive, alwaysSensitive, neverExtract
ModLength : 1024
Key ref : 0 (0x0)
Native : yes
Path : 3f0050152900
Auth ID : 01
ID : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d
MD:guid : {323ba8f2-2b93-1900-fa3b-e1b4d2024011}
:cmap flags : 0x0
:sign : 0
:key-exchange: 0
Private RSA Key [Signature key]
Object Flags : [0x3], private, modifiable
Usage : [0xC], sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Path : 3f0050152901
Auth ID : 01
ID : 9e67a012e0e45f3ae9b1398b912bbf2ba1aef2d4
MD:guid : {6c1033ed-c1df-5baa-4e87-5be41c0a8b03}
:cmap flags : 0x0
:sign : 0
:key-exchange: 0
Private RSA Key [Decryption key]
Object Flags : [0x3], private, modifiable
Usage : [0x22], decrypt, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 2 (0x2)
Native : yes
Path : 3f0050152902
Auth ID : 01
ID : 7db41d5b2c07355dd361e0bffd543c0cfc51953b
MD:guid : {08884d6f-15a7-1ade-7183-04d4a4e6bc6f}
:cmap flags : 0x0
:sign : 0
:key-exchange: 0
Public RSA Key [SSH key]
Object Flags : [0x2], modifiable
Usage : [0x40], verify
Access Flags : [0x0]
ModLength : 1024
Key ref : 0 (0x0)
Native : no
Path : 3f0050153000
ID : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d
Public RSA Key [Signature key]
Object Flags : [0x2], modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x0]
ModLength : 2048
Key ref : 0 (0x0)
Native : no
Path : 3f0050153001
ID : 9e67a012e0e45f3ae9b1398b912bbf2ba1aef2d4
Public RSA Key [Decryption key]
Object Flags : [0x2], modifiable
Usage : [0x11], encrypt, wrap
Access Flags : [0x0]
ModLength : 2048
Key ref : 0 (0x0)
Native : no
Path : 3f0050153002
ID : 7db41d5b2c07355dd361e0bffd543c0cfc51953b
$ gpg2 --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
But:
$ gpg2 --card-edit
gpg: OpenPGP card not available: Not supported
gpg/card>
Well, actually it's not completely unexpected, but then I don't
understand why scdaemon is now locking my token, if it doesn't know how
to handle it:
$ pkcs15-tool -D
Using reader with a card: Feitian ePass2003 00 00
Failed to connect to card: Reader in use by another application
What am I missing?
Tks,
Diego
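The dump above is the only inventory a user has of what is on a PKCS#15 token, so it is worth reading it mechanically rather than by eye. The following is an added example, not code from the post or from the OpenSC project: a small parser for the flattened `pkcs15-tool -D` layout shown above (one "Name : value" attribute per line under an object header such as "Private RSA Key [label]"), followed by an audit that flags RSA private keys shorter than 2048 bits, private keys not marked neverExtract, a PIN whose min_len is below 6, and private keys with no public key object sharing their ID. The thresholds (2048 bits, PIN length 6) are assumed policy values; the sample input is a trimmed copy of the post's own dump with the public "Decryption key" object left out so that the last check has something to report.

```python
"""Parse `pkcs15-tool -D` output and flag weak or inconsistent key objects.

Added example; not from the original post or from OpenSC. It assumes the
flat layout quoted in the post: an object header line like
"Private RSA Key [SSH key]" followed by "Name : value" attribute lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MIN_RSA_BITS = 2048   # assumed policy threshold
MIN_PIN_LEN = 6       # assumed policy threshold

# Object header: "PIN [User PIN]", "Private RSA Key [SSH key]", "PKCS#15 Card [x]:"
HEADER_RE = re.compile(r"^(?P<kind>[A-Za-z0-9.# ]+?) \[(?P<label>[^\]]*)\]:?$")
# Attribute line: "ModLength : 2048", also "MD:guid : {...}" and ":sign : 0"
ATTR_RE = re.compile(r"^(?P<name>.+?)\s*:\s+(?P<value>.*)$")

# Constructed sample input: trimmed from the dump quoted in the post, with the
# public "Decryption key" object deliberately omitted.
SAMPLE_DUMP = """\
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [NdK-test]:
Version : 0
Serial number : 0843420916091101
PIN [User PIN]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:16, stored_len:16
Private RSA Key [SSH key]
Usage : [0x4], sign
Access Flags : [0xD], sensitive, alwaysSensitive, neverExtract
ModLength : 1024
ID : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d
Private RSA Key [Signature key]
Usage : [0xC], sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
ID : 9e67a012e0e45f3ae9b1398b912bbf2ba1aef2d4
Private RSA Key [Decryption key]
Usage : [0x22], decrypt, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
ID : 7db41d5b2c07355dd361e0bffd543c0cfc51953b
Public RSA Key [SSH key]
Usage : [0x40], verify
Access Flags : [0x0]
ModLength : 1024
ID : f3dcf75d07c02fd15ae7b7a335f84d46eda6049d
Public RSA Key [Signature key]
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x0]
ModLength : 2048
ID : 9e67a012e0e45f3ae9b1398b912bbf2ba1aef2d4
"""


@dataclass
class P15Object:
    kind: str                 # e.g. "PIN", "Private RSA Key", "Public RSA Key"
    label: str                # text inside the [...] of the header
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_flags(value: str) -> Tuple[int, List[str]]:
    """'[0x1D], sensitive, local' -> (0x1D, ['sensitive', 'local'])."""
    m = re.match(r"\[(0x[0-9A-Fa-f]+)\](?:,\s*(.*))?$", value.strip())
    if not m:
        raise ValueError(f"not a flag field: {value!r}")
    names = [n.strip() for n in (m.group(2) or "").split(",") if n.strip()]
    return int(m.group(1), 16), names


def parse_dump(text: str) -> List[P15Object]:
    """Split the dump into objects; lines before the first header go to 'Preamble'."""
    current = P15Object(kind="Preamble", label="")
    objects = [current]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            current = P15Object(kind=h.group("kind"), label=h.group("label"))
            objects.append(current)
            continue
        a = ATTR_RE.match(line)
        if a:
            current.attrs[a.group("name").strip()] = a.group("value").strip()
    return objects


def audit(objects: List[P15Object]) -> List[str]:
    """Return human-readable findings about weak or inconsistent objects."""
    findings: List[str] = []
    private_ids: Dict[str, str] = {}
    public_ids = set()
    for o in objects:
        if o.kind.startswith("Private") and o.kind.endswith("Key"):
            bits = int(o.attrs.get("ModLength", "0"))
            if "RSA" in o.kind and bits < MIN_RSA_BITS:
                findings.append(f"{o.label}: RSA-{bits} private key is below {MIN_RSA_BITS} bits")
            _, access = parse_flags(o.attrs.get("Access Flags", "[0x0]"))
            if "neverExtract" not in access:
                findings.append(f"{o.label}: private key is not marked neverExtract")
            private_ids[o.attrs.get("ID", "")] = o.label
        elif o.kind.startswith("Public") and o.kind.endswith("Key"):
            public_ids.add(o.attrs.get("ID", ""))
        elif o.kind == "PIN":
            m = re.search(r"min_len:(\d+)", o.attrs.get("Length", ""))
            if m and int(m.group(1)) < MIN_PIN_LEN:
                findings.append(f"{o.label}: PIN min_len {m.group(1)} is below {MIN_PIN_LEN}")
    # Every private key should have a public key object with the same ID.
    for kid, label in private_ids.items():
        if kid not in public_ids:
            findings.append(f"{label}: no public key object with matching ID {kid}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dump(SAMPLE_DUMP)):
        print(finding)
```

Run it against a real dump with `pkcs15-tool -D | python3 p15audit.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; on the post's own token it reports the 1024-bit SSH key, the 4-character PIN minimum and (only in this trimmed sample) the missing public object. Note that it only reads the dump; it does not open the reader, so it cannot be blocked by scdaemon holding the card.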