On Mon, 08 Nov 2010, David Coppa wrote: > Wonderful news! This is exactly the same card reader I've ordered to > replace my unusable Gemalto USB Shell Token.
My new reader has just arrived yesterday and, most important, it works like a charm: $ gpg2 --card-status gpg: directory `/home/dcoppa/.gnupg' created gpg: new configuration file `/home/dcoppa/.gnupg/gpg.conf' created gpg: WARNING: options in `/home/dcoppa/.gnupg/gpg.conf' are not yet active during this run gpg: keyring `/home/dcoppa/.gnupg/secring.gpg' created gpg: keyring `/home/dcoppa/.gnupg/pubring.gpg' created Application ID ...: D2760001240102000005000007DB0000 Version ..........: 2.0 Manufacturer .....: ZeitControl Serial number ....: 000007DB Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] $ gpg2 --card-edit Application ID ...: D2760001240102000005000007DB0000 Version ..........: 2.0 Manufacturer .....: ZeitControl Serial number ....: 000007DB Name of cardholder: [not set] Language prefs ...: de Sex ..............: unspecified URL of public key : [not set] Login data .......: [not set] Signature PIN ....: forced Key attributes ...: 2048R 2048R 2048R Max. 
PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] gpg/card> help quit quit this menu admin show admin commands help show this help list list all available data fetch fetch the key specified in the card URL passwd menu to change or unblock the PIN verify verify the PIN and list all data unblock unblock the PIN using a Reset Code gpg/card> admin Admin commands are allowed gpg/card> help quit quit this menu admin show admin commands help show this help list list all available data name change card holder's name url change URL to retrieve key fetch fetch the key specified in the card URL login change the login name lang change the language preferences sex change card holder's sex cafpr change a CA fingerprint forcesig toggle the signature force PIN flag generate generate new keys passwd menu to change or unblock the PIN verify verify the PIN and list all data unblock unblock the PIN using a Reset Code gpg/card> name Cardholder's surname: Coppa Cardholder's given name: David gpg/card> sex Sex ((M)ale, (F)emale or space): M gpg/card> lang Language preferences: it gpg/card> login Login data (account name): dcoppa gpg/card> list Application ID ...: D2760001240102000005000007DB0000 Version ..........: 2.0 Manufacturer .....: ZeitControl Serial number ....: 000007DB Name of cardholder: David Coppa Language prefs ...: it Sex ..............: male URL of public key : [not set] Login data .......: dcoppa Signature PIN ....: forced Key attributes ...: 2048R 2048R 2048R Max. PIN lengths .: 32 32 32 PIN retry counter : 3 0 3 Signature counter : 0 Signature key ....: [none] Encryption key....: [none] Authentication key: [none] General key info..: [none] gpg/card> quit $ I'm using the following gpg-agent wrapper: --- cut here --- # Copyright (c) 2010 Diego E. Petteno <[email protected]> # Available under CC-BY license (Attribution) if ! 
[ -f "${HOME}/.gpg-agent-info" ] || ! pgrep -u ${USER} gpg-agent >/dev/null; then gpg-agent --daemon --log-file ~/.gnupg/gpg-agent.log --write-env-file --enable-ssh-support fi # for ssh-agent forwarding, override gnome-keyring though! if [ -n ${SSH_AUTH_SOCK} ] && \ [ ${SSH_AUTH_SOCK#/tmp/keyring-} = ${SSH_AUTH_SOCK} ]; then fwd_SSH_AUTH_SOCK=${SSH_AUTH_SOCK} fi . ${HOME}/.gpg-agent-info export GPG_AGENT_INFO export SSH_AUTH_SOCK export SSH_AGENT_PID if [ "${fwd_SSH_AUTH_SOCK}" != "" ]; then SSH_AUTH_SOCK=${fwd_SSH_AUTH_SOCK} export SSH_AUTH_SOCK fi GPG_TTY=$(tty) export GPG_TTY --- cut here --- Invoked from ~/.profile with: if [ -f ${HOME}/.gnupg/gpg-agent-wrapper ]; then . ${HOME}/.gnupg/gpg-agent-wrapper fi Having the new toy in my hands has led to a revised patch for security/gnupg2: Index: Makefile =================================================================== RCS file: /cvs/ports/security/gnupg2/Makefile,v retrieving revision 1.5 diff -u -p -r1.5 Makefile --- Makefile 18 Oct 2010 21:41:45 -0000 1.5 +++ Makefile 12 Nov 2010 07:38:39 -0000 @@ -3,6 +3,7 @@ COMMENT = gnu privacy guard - a free PGP replacement DISTNAME = gnupg-2.0.16 +REVISION = 0 CATEGORIES = security MASTER_SITES = ftp://ftp.gnupg.org/gcrypt/gnupg/ \ 
@@ -19,41 +20,43 @@ HOMEPAGE = http://www.gnupg.org/ MAINTAINER = Pierre-Emmanuel Andre <[email protected]> -# GPLv3 +# GPLv3+ PERMIT_PACKAGE_CDROM = Yes PERMIT_PACKAGE_FTP = Yes -PERMIT_DISTFILES_CDROM= Yes +PERMIT_DISTFILES_CDROM =Yes PERMIT_DISTFILES_FTP = Yes EXTRACT_SUFX = .tar.bz2 MODULES = devel/gettext -WANTLIB = c crypto z readline ssl termcap gpg-error idn +WANTLIB += assuan bz2 c crypto curl gcrypt gpg-error +WANTLIB += idn ksba pth readline ssl termcap usb z FLAVORS = ldap FLAVOR ?= USE_GROFF = Yes +LIB_DEPENDS = ::devel/libusb \ + ::archivers/bzip2 \ + ::security/libassuan \ + ::security/libgcrypt \ + ::security/libksba \ + ::net/curl \ + ::devel/pth + .if ${FLAVOR:L:Mldap} -CONFIGURE_ARGS+= --enable-ldap -LIB_DEPENDS+= ldap.>=8::databases/openldap +CONFIGURE_ARGS += --enable-ldap +WANTLIB += ldap +LIB_DEPENDS += ::databases/openldap .else -CONFIGURE_ARGS+= --disable-ldap +CONFIGURE_ARGS += --disable-ldap .endif -LIB_DEPENDS = usb::devel/libusb \ - bz2::archivers/bzip2 \ - assuan::security/libassuan \ - gcrypt::security/libgcrypt \ - ksba.::security/libksba \ - curl.>=6::net/curl \ - pth.::devel/pth - RUN_DEPENDS = ::security/pinentry # gpg-agent must be installed to run the regress tests -REGRESS_DEPENDS = ${PKGNAME}::${BUILD_PKGPATH} +REGRESS_DEPENDS = :${PKGNAME}:${BUILD_PKGPATH} USE_GMAKE = Yes Index: patches/patch-g10_call-agent_c =================================================================== RCS file: patches/patch-g10_call-agent_c diff -N patches/patch-g10_call-agent_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-g10_call-agent_c 12 Nov 2010 07:38:39 -0000 
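Review bot: `+PERMIT_DISTFILES_CDROM =Yes` puts the space on the wrong side of the `=`, unlike the neighbouring `PERMIT_*` lines it was meant to line up with; it should read `PERMIT_DISTFILES_CDROM = Yes`. The rewritten `LIB_DEPENDS`/`WANTLIB` entries also drop the version constraints the removed lines carried (`curl.>=6`, `ldap.>=8`); if that is intentional under the new `WANTLIB +=` layout, a one-line comment above the `LIB_DEPENDS` block saying so would save the next maintainer from re-adding them.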
@@ -0,0 +1,42 @@
+$OpenBSD$
+
+Patch from upstream: allow more hash algorithms when using scdaemon.
+Needed to use SHA2-family of functions with OpenPGPv2 cards, that do
+support them.
+
+--- g10/call-agent.c.orig Wed Feb 17 09:55:45 2010
++++ g10/call-agent.c Wed Nov 3 14:59:39 2010
+@@ -892,6 +892,23 @@ membuf_data_cb (void *opaque, const void *buffer, size
+ return 0;
+ }
+
++
++static const char *
++hash_algo_option (int algo)
++{
++ switch (algo)
++ {
++ case GCRY_MD_RMD160: return "--hash=rmd160 ";
++ case GCRY_MD_SHA1 : return "--hash=sha1 ";
++ case GCRY_MD_SHA224: return "--hash=sha224 ";
++ case GCRY_MD_SHA256: return "--hash=sha256 ";
++ case GCRY_MD_SHA384: return "--hash=sha384 ";
++ case GCRY_MD_SHA512: return "--hash=sha512 ";
++ case GCRY_MD_MD5 : return "--hash=md5 ";
++ default: return "";
++ }
++}
++
+ /* Send a sign command to the scdaemon via gpg-agent's pass thru
+ mechanism. */
+ int
+@@ -938,8 +955,7 @@ agent_scd_pksign (const char *serialno, int hashalgo,
+ else
+ #endif
+ snprintf (line, DIM(line)-1, "SCD PKSIGN %s%s",
+- hashalgo == GCRY_MD_RMD160? "--hash=rmd160 " : "",
+- serialno);
++ hash_algo_option (hashalgo), serialno);
+ line[DIM(line)-1] = 0;
+ rc = assuan_transact (agent_ctx, line, membuf_data_cb, &data,
+ default_inq_cb, NULL, NULL, NULL);
Index: patches/patch-scd_apdu_c
===================================================================
RCS file: patches/patch-scd_apdu_c
diff -N patches/patch-scd_apdu_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-scd_apdu_c 12 Nov 2010 07:38:39 -0000
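Review bot: The `$OpenBSD$` header says `Patch from upstream` but names no upstream commit or release, so nobody can tell when this file can be dropped on the next gnupg-2.0.x update; extend the header to `Patch from upstream (commit <UPSTREAM-COMMIT-ID>, part of <UPSTREAM-RELEASE>): allow more hash algorithms ...`. In `hash_algo_option`, the `default:` branch makes `agent_scd_pksign` send `SCD PKSIGN` with no `--hash=` option for any digest not in the list, exactly as the old `? "--hash=rmd160 " : ""` did, so nothing regresses, but now that the accepted set is explicit the fallback deserves a comment such as `/* Unknown digest: no --hash option is sent; behaviour then depends on scdaemon. */`. Note also that `GCRY_MD_MD5` is on the list, so the card can be asked to sign an MD5 digest; that mirrors upstream and the digest is presumably selected by gpg's preference handling before this call (outside the hunk), so I would keep it but say so in the patch header rather than enable it silently.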
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+The pcsc backend does not work due to problems with our current
+threading implementation: one has to use a card reader supported
+by GnuPG's internal CCID driver.
+
+--- scd/apdu.c.orig Wed Mar 17 13:11:30 2010
++++ scd/apdu.c Fri Nov 12 08:30:02 2010
+@@ -66,7 +66,8 @@
+ /* Due to conflicting use of threading libraries we usually can't link
+ against libpcsclite. Instead we use a wrapper program. */
+ #ifdef USE_GNU_PTH
+-#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__)
++/* XXX */
++#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__) && !defined(__OpenBSD__)
+ #define NEED_PCSC_WRAPPER 1
+ #endif
+ #endif
+@@ -2388,6 +2389,10 @@ apdu_open_reader (const char *portstr, int *r_no_servi
+ /* No ctAPI configured, so lets try the PC/SC API */
+ if (!pcsc_api_loaded)
+ {
++ /* XXX */
++#ifdef __OpenBSD__
++ return -1;
++#endif
+ #ifndef NEED_PCSC_WRAPPER
+ void *handle;
+
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/gnupg2/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 8 Jul 2010 16:57:54 -0000 1.1.1.1
+++ pkg/PLIST 12 Nov 2010 07:38:39 -0000
@@ -13,7 +13,7 @@ bin/gpgsm-gencert.sh
 @bin bin/scdaemon
 @bin bin/watchgnupg
 @info info/gnupg.info
-...@bin libexec/gnupg-pcsc-wrapper
+...@comment libexec/gnupg-pcsc-wrapper
 @bin libexec/gpg-check-pattern
 @bin libexec/gpg-preset-passphrase
 @bin libexec/gpg-protect-tool
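Review bot: Both new `/* XXX */` markers in scd/apdu.c say nothing about why the code is being disabled, and the reason is already written in the patch header; replace each with it, e.g. `/* OpenBSD: libpcsclite conflicts with the pth threading used here, so PC/SC is disabled; use a reader supported by the internal CCID driver. */`. The early `return -1;` added inside `apdu_open_reader` leaves before the PC/SC set-up that follows, and the function's `int *r_no_servi...` out-parameter visible in the hunk header is never written on that path; the rest of the body is outside the hunk, so if callers inspect that pointer after a -1 this path should set it explicitly before returning. The PLIST hunk that turns `libexec/gnupg-pcsc-wrapper` into an `@comment` is consistent with `NEED_PCSC_WRAPPER` no longer being defined on OpenBSD.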
