NAME
gnupg-pkcs11-scd - GnuPG-compatible smart-card daemon with PKCS#11
support
SYNOPSIS
gnupg-pkcs11-scd [--server] [--multi-server] [--daemon] [--verbose]
[--quiet] [--sh] [--csh] [--options file] [--no-detach]
[--log-file file] [--help]
DESCRIPTION
gnupg-pkcs11-scd is a drop-in replacement for the smart-card daemon (scd)
shipped with the next-generation GnuPG (gnupg-2). The daemon interfaces
to smart-cards by using RSA Security Inc. PKCS#11 Cryptographic Token
Interface (Cryptoki). The following options are available:
--server
Run in server mode (foreground). If not redirected, input and output
are over stdin/stdout.
--multi-server
Run in multi-server mode (foreground). In addition to communicating
over stdin/stdout, the server also opens an additional listening UNIX
socket.
--daemon
Detach and run in background.
--verbose
Be verbose while running.
--quiet
Be as quiet as possible.
--sh
Output sh-style environment variable definition.
--csh
Output csh-style environment variable definition.
--options file
Read options from file. Some of the configuration options can only
be set in the configuration file (see the CONFIGURATION section).
--no-detach
Do not detach from console (useful for debugging purposes).
--log-file file
Output log to file.
--help
Print help information.
When the daemon receives any of the SIGHUP, SIGTERM and SIGINT signals,
it cleans up and exits.
gnupg-pkcs11-scd works only with already personalized cards, and supports
(for the time being) only RSA keypairs. The following constraints must
be satisfied:
1. For each private key object, a certificate object must exist on the
card. The existence of the corresponding public key object is not
important (since the certificate includes public key).
2. The certificate and the corresponding private key must have
identical CKA_ID attribute.
The PKCS#11 implementation is not obliged to enforce any of the above
rules. However, practice has shown that popular PKCS#11 implementations
found "in the wild" seem to respect them.
NOTES
Unlike gpg-agent, gnupg-pkcs11-scd supports more than one token available
at the same time. In order to make gpg-agent happy, gnupg-pkcs11-scd
always returns the same card serial number to gpg-agent. When
unavailable token is requested, gnupg-pkcs11-scd will use NEEDPIN
callback in order to ask for the requested token. When and if gpg-agent
will support more than one serial number or NEEDTOKEN callback, this
behavior will be modified.
ENVIRONMENT
HOME Used to locate the home directory.
GNUPGHOME Used instead of ~/.gnupg.
USERPROFILE Used only on Win32 to locate the home directory.
Additionally, the \\Software\\GNU\\GnuPG\\HomeDir registry key is used on
Win32 to locate the default GNUPGHOME.
FILES
Files affecting the operation of gnupg-pkcs11-scd:
~/.gnupg/gnupg-pkcs11-scd.conf gnupg-pkcs11-scd uses this as a default
configuration file.
/etc/gnupg-pkcs11-scd.conf gnupg-pkcs11-scd uses this as a default
system wide configuration file.
~/.gnupg/gpg-agent.conf Default configuration file for gpg-
agent.
CONFIGURATION
To tell gpg-agent to use another smart-card daemon, the following needs
to be put in ~/.gnupg/gpg-agent.conf:
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-qt
The first line is mandatory in order to use gnupg-pkcs11-scd. With the
second line you can set your preferred pinentry program (it has to be one
compatible with GnuPG). Of course, you need to adjust the paths according
to your system setup.
An example ~/.gnupg/gnupg-pkcs11-scd.conf file (lines beginning with #
are comments):
# Log file.
#log-file log1
# Default is not verbose.
#verbose
# Default is no debugging.
#debug-all
# Pin cache period in seconds; default is infinite.
#pin-cache 20
# Comma-separated list of available provider names. Then set
# attributes for each provider using the provider-[name]-attribute
# syntax.
providers p1
# Provider attributes (see below for detailed description)
provider-p1-library /usr/lib/pkcs11/p1.so
#provider-p1-allow-protected-auth
#provider-p1-cert-private
#provider-p1-private-mask 0
#emulate-openpgpg
#openpgp-sign 5C661B8C07CFD957F7D98D5B9A0F31D236BFAC2A
#openpgp-encr D2DC0BD1EDD185969748B6025B452816F97CBA57
#openpgp-auth A7B8C1A3A8F71FCEC018886F8767927B9C8D871F
The following attributes can be set for each provider:
library
Full path to the PKCS#11 shared library (= provider).
allow-protected-auth
Allow protected authentication for provider. This needs to be
supported by the provider and you should have appropriate reader
hardware.
cert-private
Authentication is required before certificates can be accessed. Most
configurations store certificates as public, so there is no need to
use this option.
private-mask
Private key mask mode. Use this only when you have problem using
private key operations. The value is hex encoded mask number.
0 Determine automatically.
1 Force sign.
2 Force sign with recovery.
4 Force decrypt.
8 Force decrypt with unwrap.
emulate-openpgp
Emulate OpenPGP card. Unfortunately, gnupg cannot handle the OpenPGP
card with certificates. So you need to turn this on in order to
learn card keys.
In OpenPGP card emulation we cannot guess which key should match a
type, so you have to specify the SHA1 of the key explicitly.
In order to determine which key is which, use the following command:
gpg-agent --server gpg-connect-agent
Enter "SCD LEARN" and look for "KEY-FRIEDNLY" responses, the first
field is the hash, the second is the subject name.
You still have to store a certificate (may be self-signed) that
corresponds to the keypair.
openpgp-sign
Hex string (Upper letter, no space) SHA1 of signing public key.
openpgp-encr
Hex string (Upper letter, no space) SHA1 of encryption public key.
openpgp-auth
Hex string (Upper letter, no space) SHA1 of authentication public
key.
GNUPG INTEGRATION
Typical steps to set up a card for gpgsm usage:
1. Import the CA certificate of your issuer:
gpgsm --import < ca-certificate
You should also manually import all self-signed certificates.
2. Instruct GnuPG to discover all useful certificates on the card:
gpgsm --learn-card
Signing, verification, etc. work as usual with gpgsm.
Typical steps to set up a card for gpg usage:
1. Configure gnupg-pkcs11-scd for opengpg emulation, specify the public
key hashes to be used for signature, encryption and authentication.
2. Instruct GnuPG to discover all useful information of card:
gpg --card-status
You should see valid card status.
3. Now, you should virtual generate keys, the keys are not actually
generated, but returned to gpg to be registered.
gpg --card-edit
admin
generate (DO NOT BACKUP KEYS)
4. Disable the opengpg emulation.
Now you can use the same card with your gpg and gpgsm keys. We don’t know
if this is a bug or feature in gnupg, but we glad that it works.
Signing, verification, etc. work as usual with gpg.
SECURITY CONSIDERATIONS
All communication between components is currently unprotected and in
plain text (that’s how the Assuan protocol operates). It is trivial to
trace (using e.g. the strace(1) program) individual components (e.g.
pinentry) and steal sensitive data (such as the smart-card PIN) or even
change it (e.g. the hash to be signed).
When using the software in production scenario, be sure to turn off
debugging/verbose options in configuration of all components. Otherwise,
some sensitive data might be displayed on the screen (most notably, the
PIN).
SEE ALSO
strace(1) truss(1) gnupg(7)
GnuPG Home Page, http://www.gnupg.org.
gnupg-pkcs11 Home Page, http://gnupg-pkcs11.sourceforge.net.
AUTHORS AND COPYRIGHT
Copyright (c) 2006-2007 Zeljko Vrba <zvrba@globalnet.hr>
Copyright (c) 2006-2007 Alon Bar-Lev <alon.barlev@gmail.com>
All rights reserved.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT
OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
THE USE OR OTHER DEALINGS IN THE SOFTWARE.