gnupg-pkcs11-users — General users mailing list

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Ostovary, D. <dan...@ru...>]

Oh, and thanks a lot for your help!

-----Original Message-----
From: Ostovary, Daniel 
Sent: Montag, 22. Juni 2020 14:36
To: 'Alon Bar-Lev' <alo...@gm...>
Cc: 'gnu...@li...' <gnu...@li...>
Subject: RE: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Hi,

using an end entity certificate did not solve the problem. However, I recently retried to setup everything with gnupg-pkcs11-scd v. 0.9.2 which worked. (Ubuntu 18.04, which I used initially came with v. 0.9.1).

Best regards,
Daniel

-----Original Message-----
From: Ostovary, Daniel
Sent: Montag, 23. Dezember 2019 11:53
To: 'Alon Bar-Lev' <alo...@gm...>
Cc: gnu...@li...
Subject: FW: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

When I delete the certificate from the HSM the SCD LEARN command works (though it doesn’t learn anything). However when I'm trying to generate a key pair on the HSM with gpg2 --card-edit, the key generation results in:

gpg: key generation failed: Bad session key Key generation failed: Bad session key

-----Original Message-----
From: Ostovary, Daniel <dan...@ru...>
Sent: Montag, 23. Dezember 2019 11:06
To: Alon Bar-Lev <alo...@gm...>; gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Hi,

see attachement.

Best regards,
Daniel

-----Original Message-----
From: Alon Bar-Lev <alo...@gm...>
Sent: Samstag, 21. Dezember 2019 19:49
To: Ostovary, Daniel <dan...@ru...>
Cc: gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

On Wed, Dec 18, 2019 at 10:51 AM Ostovary, Daniel <dan...@ru...> wrote:
>
> Here is the log:

<snip>

> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=(nil),
> *p_certificate_blob_size=0000000000000000
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=0x559309d9b200, 
> *p_certificate_blob_size=000000000000037e
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release 
> entry session=0x559309d6aef0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId entry
> certificate_id=0x559309d701b0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> entry certificate_id=0x559309d9a160
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate return
> gpg-agent[2367]: DBG: chan_5 <- [eof]
> gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent> 
> ERR 67125247 End of file <GPG Agent>

Interesting... the certificate is extracted but probably cannot be converted to gnupg exp format. Can you please send me the certificate?
'/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert' should be at size 0x37e

Thanks!

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Ostovary, D. <dan...@ru...>]

Hi,

using an end entity certificate did not solve the problem. However, I recently retried to setup everything with gnupg-pkcs11-scd v. 0.9.2 which worked. (Ubuntu 18.04, which I used initially came with v. 0.9.1).

Best regards, 
Daniel

-----Original Message-----
From: Ostovary, Daniel 
Sent: Montag, 23. Dezember 2019 11:53
To: 'Alon Bar-Lev' <alo...@gm...>
Cc: gnu...@li...
Subject: FW: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

When I delete the certificate from the HSM the SCD LEARN command works (though it doesn’t learn anything). However when I'm trying to generate a key pair on the HSM with gpg2 --card-edit, the key generation results in:

gpg: key generation failed: Bad session key Key generation failed: Bad session key

-----Original Message-----
From: Ostovary, Daniel <dan...@ru...>
Sent: Montag, 23. Dezember 2019 11:06
To: Alon Bar-Lev <alo...@gm...>; gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Hi,

see attachement.

Best regards,
Daniel

-----Original Message-----
From: Alon Bar-Lev <alo...@gm...>
Sent: Samstag, 21. Dezember 2019 19:49
To: Ostovary, Daniel <dan...@ru...>
Cc: gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

On Wed, Dec 18, 2019 at 10:51 AM Ostovary, Daniel <dan...@ru...> wrote:
>
> Here is the log:

<snip>

> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=(nil),
> *p_certificate_blob_size=0000000000000000
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=0x559309d9b200, 
> *p_certificate_blob_size=000000000000037e
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release 
> entry session=0x559309d6aef0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId entry
> certificate_id=0x559309d701b0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> entry certificate_id=0x559309d9a160
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate return
> gpg-agent[2367]: DBG: chan_5 <- [eof]
> gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent> 
> ERR 67125247 End of file <GPG Agent>

Interesting... the certificate is extracted but probably cannot be converted to gnupg exp format. Can you please send me the certificate?
'/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert' should be at size 0x37e

Thanks!

Re: [Gnupg-pkcs11-users] FW: SCD LEARN leads to EOF error with SafeNet HSM

[Alon Bar-L. <alo...@gm...>]

Hi,
I do not think this is the right certificate that is being used.
Anyway, you enrolled a CA, please use end-certificate.
Thanks!

On Mon, Dec 23, 2019 at 12:53 PM Ostovary, Daniel <
dan...@ru...> wrote:

> When I delete the certificate from the HSM the SCD LEARN command works
> (though it doesn’t learn anything). However when I'm trying to generate a
> key pair on the HSM with gpg2 --card-edit, the key generation results in:
>
> gpg: key generation failed: Bad session key
> Key generation failed: Bad session key
>
> -----Original Message-----
> From: Ostovary, Daniel <dan...@ru...>
> Sent: Montag, 23. Dezember 2019 11:06
> To: Alon Bar-Lev <alo...@gm...>;
> gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with
> SafeNet HSM
>
> Hi,
>
> see attachement.
>
> Best regards,
> Daniel
>
> -----Original Message-----
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Samstag, 21. Dezember 2019 19:49
> To: Ostovary, Daniel <dan...@ru...>
> Cc: gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with
> SafeNet HSM
>
> On Wed, Dec 18, 2019 at 10:51 AM Ostovary, Daniel <
> dan...@ru...> wrote:
> >
> > Here is the log:
>
> <snip>
>
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> > pkcs11h_certificate_getCertificateBlob entry
> > certificate=0x559309d6b070, certificate_blob=(nil),
> > *p_certificate_blob_size=0000000000000000
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> > pkcs11h_certificate_getCertificateBlob entry
> > certificate=0x559309d6b070, certificate_blob=0x559309d9b200,
> > *p_certificate_blob_size=000000000000037e
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> > pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release
> > entry session=0x559309d6aef0
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release
> return rv=0-'CKR_OK'
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> > pkcs11h_certificate_freeCertificateId entry
> > certificate_id=0x559309d701b0
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId
> > entry certificate_id=0x559309d9a160
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId
> > return
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> > pkcs11h_certificate_freeCertificateId return
> > gnupg-pkcs11-scd[2368.718124864]: PKCS#11:
> > pkcs11h_certificate_freeCertificate return
> > gpg-agent[2367]: DBG: chan_5 <- [eof]
> > gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
> > ERR 67125247 End of file <GPG Agent>
>
> Interesting... the certificate is extracted but probably cannot be
> converted to gnupg exp format. Can you please send me the certificate?
> '/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert' should be at size
> 0x37e
>
> Thanks!
>

[Gnupg-pkcs11-users] FW: SCD LEARN leads to EOF error with SafeNet HSM

[Ostovary, D. <dan...@ru...>]

When I delete the certificate from the HSM the SCD LEARN command works (though it doesn’t learn anything). However when I'm trying to generate a key pair on the HSM with gpg2 --card-edit, the key generation results in:

gpg: key generation failed: Bad session key
Key generation failed: Bad session key

-----Original Message-----
From: Ostovary, Daniel <dan...@ru...> 
Sent: Montag, 23. Dezember 2019 11:06
To: Alon Bar-Lev <alo...@gm...>; gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Hi,

see attachement.

Best regards,
Daniel

-----Original Message-----
From: Alon Bar-Lev <alo...@gm...>
Sent: Samstag, 21. Dezember 2019 19:49
To: Ostovary, Daniel <dan...@ru...>
Cc: gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

On Wed, Dec 18, 2019 at 10:51 AM Ostovary, Daniel <dan...@ru...> wrote:
>
> Here is the log:

<snip>

> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=(nil),
> *p_certificate_blob_size=0000000000000000
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=0x559309d9b200, 
> *p_certificate_blob_size=000000000000037e
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release 
> entry session=0x559309d6aef0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId entry
> certificate_id=0x559309d701b0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> entry certificate_id=0x559309d9a160
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate return
> gpg-agent[2367]: DBG: chan_5 <- [eof]
> gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent> 
> ERR 67125247 End of file <GPG Agent>

Interesting... the certificate is extracted but probably cannot be converted to gnupg exp format. Can you please send me the certificate?
'/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert' should be at size 0x37e

Thanks!

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Ostovary, D. <dan...@ru...>]

Hi,

see attachement.

Best regards,
Daniel

-----Original Message-----
From: Alon Bar-Lev <alo...@gm...> 
Sent: Samstag, 21. Dezember 2019 19:49
To: Ostovary, Daniel <dan...@ru...>
Cc: gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

On Wed, Dec 18, 2019 at 10:51 AM Ostovary, Daniel <dan...@ru...> wrote:
>
> Here is the log:

<snip>

> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=(nil), 
> *p_certificate_blob_size=0000000000000000
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_getCertificateBlob entry 
> certificate=0x559309d6b070, certificate_blob=0x559309d9b200, 
> *p_certificate_blob_size=000000000000037e
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release 
> entry session=0x559309d6aef0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId entry 
> certificate_id=0x559309d701b0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> entry certificate_id=0x559309d9a160
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId 
> return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
> pkcs11h_certificate_freeCertificate return
> gpg-agent[2367]: DBG: chan_5 <- [eof]
> gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent> 
> ERR 67125247 End of file <GPG Agent>

Interesting... the certificate is extracted but probably cannot be converted to gnupg exp format. Can you please send me the certificate?
'/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert' should be at size 0x37e

Thanks!

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Alon Bar-L. <alo...@gm...>]

On Wed, Dec 18, 2019 at 10:51 AM Ostovary, Daniel
<dan...@ru...> wrote:
>
> Here is the log:

<snip>

> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=0x559309d9b200, *p_certificate_blob_size=000000000000037e
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release entry session=0x559309d6aef0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x559309d701b0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d9a160
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate return
> gpg-agent[2367]: DBG: chan_5 <- [eof]
> gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
> ERR 67125247 End of file <GPG Agent>

Interesting... the certificate is extracted but probably cannot be
converted to gnupg exp format. Can you please send me the certificate?
'/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert' should be at size 0x37e

Thanks!

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Ostovary, D. <dan...@ru...>]

Here is the log:

gpg-agent --server
gpg-agent[2367]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[2367]: DBG: chan_3 -> OK Pleased to meet you
OK Pleased to meet you
SCD LEARN
gpg-agent[2367]: DBG: chan_3 <- SCD LEARN
gpg-agent[2367]: no running SCdaemon - starting it
gnupg-pkcs11-scd[2368.718124864]: version: 0.9.1
gnupg-pkcs11-scd[2368.718124864]: config: debug=1, verbose=1
gnupg-pkcs11-scd[2368.718124864]: config: pin_cache=-1
gnupg-pkcs11-scd[2368.718124864]: config: provider: name=libCryptoki2_64, library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so, allow_protected=0, cert_is_private=0, private_mask=00000000
gnupg-pkcs11-scd[2368.718124864]: run_mode: 2
gnupg-pkcs11-scd[2368.718124864]: crypto: openssl
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_addProvider entry version='1.22', pid=2368, reference='libCryptoki2_64', provider_location='/usr/safenet/lunaclient/lib/libCryptoki2_64.so', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Adding provider 'libCryptoki2_64'-'/usr/safenet/lunaclient/lib/libCryptoki2_64.so'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_addProvider Provider 'libCryptoki2_64' manufacturerID 'SafeNet, Inc.                  '
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_slotevent_notify entry
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Provider 'libCryptoki2_64' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: Listening to socket '/tmp/gnupg-pkcs11-scd.1nTpQG/agent.S'
gnupg-pkcs11-scd[2368.718124864]: accepting connection
gnupg-pkcs11-scd[2368]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[2368.718124864]: processing connection
gpg-agent[2367]: DBG: chan_5 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[2367]: DBG: first connection to SCdaemon established
gpg-agent[2367]: DBG: chan_5 -> GETINFO socket_name
gnupg-pkcs11-scd[2368]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[2368]: chan_0 -> D /tmp/gnupg-pkcs11-scd.1nTpQG/agent.S
gnupg-pkcs11-scd[2368]: chan_0 -> OK
gpg-agent[2367]: DBG: chan_5 <- D /tmp/gnupg-pkcs11-scd.1nTpQG/agent.S
gpg-agent[2367]: DBG: chan_5 <- OK
gpg-agent[2367]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.1nTpQG/agent.S'
gpg-agent[2367]: DBG: chan_5 -> LEARN
gnupg-pkcs11-scd[2368]: chan_0 <- LEARN
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffd4f25d2c0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x559309d1ad90, token_present=1, pSlotList=0x7ffd4f25d188, pulCount=0x7ffd4f25d190
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x559309d67d28
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffd4f25d120
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffd4f25d2c0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='(null)'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x559309d56630, *max=000000000000003f, token_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E0/1066520144508/dev'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x559309d67d20
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[2368]: chan_0 -> S SERIALNO D276000124011150313152552EE11111
gnupg-pkcs11-scd[2368]: chan_0 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffd4f25d2f8, p_cert_id_end_list=0x7ffd4f25d2f0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x559309d1ad90, token_present=1, pSlotList=0x7ffd4f25d1b0, pulCount=0x7ffd4f25d1b8
gpg-agent[2367]: DBG: chan_5 <- S SERIALNO D276000124011150313152552EE11111
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1gpg-agent[2367]: DBG: 
chan_3 -> S SERIALNO D276000124011150313152552EE11111
S SERIALNO D276000124011150313152552EE11111
gpg-agent[2367]: DBG: chan_5 <- S APPTYPE PKCS11
gpg-agent[2367]: DBG: chan_3 -> S APPTYPE PKCS11
S APPTYPE PKCS11
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffd4f25d1c8
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffd4f25d120
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x559309d701b0, p_session=0x7ffd4f25d1c0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Creating a new session
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x559309d6af08 form=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x559309d5a110
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0x559309d6aef0, user_data=0x559309d66e50, mask_prompt=00000003
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate entry session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_login entry session=0x559309d6aef0, is_publicOnly=1, readonly=1, user_data=0x559309d66e50, mask_prompt=00000001
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_logout entry session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_logout return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset entry session=0x559309d6aef0, user_data=0x559309d66e50, mask_prompt=00000001, p_slot=0x7ffd4f25cc08
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x559309d1ad90, token_present=1, pSlotList=0x7ffd4f25cab8, pulCount=0x7ffd4f25cac0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffd4f25cac8
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffd4f25ca30
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d5a580
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d5a580
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d5a580
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate entry session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1576579809
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_findObjects entry session=0x559309d6aef0, filter=0x7ffd4f25d0c0, filter_attrs=1, p_objects=0x7ffd4f25d0a0, p_objects_found=0x7ffd4f25d0a8
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x559309d6aef0, object=40, attrs=0x7ffd4f25d0e0, count=2
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffd4f25d0b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x559309d5acc0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x559309d5acc0 form=0x559309d5a110
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x559309d5b0f0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x559309d5acc0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x559309d99d30, ptr=(nil), ad=0x559309d99d98, idx=1, argl=0, argp=0x7f9129a9c842
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert on dev'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffd4f25d0e0, count=2
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release entry session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x559309d67fd8 form=0x559309d5acc0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x559309d67fd0, p_cert_id_issuers_list=0x7ffd4f25d2f8, p_cert_id_end_list=0x7ffd4f25d2f0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x559309d5b858 form=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x559309d9a5d0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x559309d67fd0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d9a160
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x559309d9a5d0, user_data=0x559309d66e50, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffd4f25d1b8
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x559309d6b070 form=0x559309d9a5d0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x559309d9a160, p_session=0x559309d6b080
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Using cached session
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x559309d6b070
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=0x559309d9b200, *p_certificate_blob_size=000000000000037e
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release entry session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d9a160
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate return
gpg-agent[2367]: DBG: chan_5 <- [eof]
gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
ERR 67125247 End of file <GPG Agent>

Best regards,
Daniel

-----Original Message-----
From: Alon Bar-Lev <alo...@gm...> 
Sent: Dienstag, 17. Dezember 2019 21:22
To: Ostovary, Daniel <dan...@ru...>
Cc: gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Please use only these statements:
---
verbose
debug-all
providers libCryptoki2_64
provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
---

And send me the log of learn command.

Thanks!

On Tue, Dec 17, 2019 at 12:03 PM Ostovary, Daniel <dan...@ru...> wrote:
>
> Hi,
>
>
>
> I used cert-private to make sure its not an authentication problem. Cert-private always leads to a PIN entry prompt. Not using cert-private leads to the same EOF error anyways.
>
>
>
> My config file for gnupg-pkcs11-scd is:
>
> verbose
>
> debug-all
>
> providers libCryptoki2_64
>
> provider-libCryptoki2_64-library 
> /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>
> provider-libCryptoki2_64-allow-protected-auth
>
> provider-libCryptoki2_64-cert-private
>
> provider-libCryptoki2_64-private-mask 0
>
>
>
> With the last three lines I was just debugging. Their presence or absence does not change the result of SCD LEARN or gpg2 --card-edit. My config file for gpg is:
>
> scdaemon-program /usr/bin/gnupg-pkcs11-scd
>
> pinentry-program /usr/bin/pinentry-tty
>
> debug-level guru
>
> debug-all
>
>
>
> For the gpg version, I am using 2.2.4.
>
>
>
> Best regards,
>
> Daniel

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Alon Bar-L. <alo...@gm...>]

Please use only these statements:
---
verbose
debug-all
providers libCryptoki2_64
provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
---

And send me the log of learn command.

Thanks!

On Tue, Dec 17, 2019 at 12:03 PM Ostovary, Daniel
<dan...@ru...> wrote:
>
> Hi,
>
>
>
> I used cert-private to make sure its not an authentication problem. Cert-private always leads to a PIN entry prompt. Not using cert-private leads to the same EOF error anyways.
>
>
>
> My config file for gnupg-pkcs11-scd is:
>
> verbose
>
> debug-all
>
> providers libCryptoki2_64
>
> provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
>
> provider-libCryptoki2_64-allow-protected-auth
>
> provider-libCryptoki2_64-cert-private
>
> provider-libCryptoki2_64-private-mask 0
>
>
>
> With the last three lines I was just debugging. Their presence or absence does not change the result of SCD LEARN or gpg2 --card-edit. My config file for gpg is:
>
> scdaemon-program /usr/bin/gnupg-pkcs11-scd
>
> pinentry-program /usr/bin/pinentry-tty
>
> debug-level guru
>
> debug-all
>
>
>
> For the gpg version, I am using 2.2.4.
>
>
>
> Best regards,
>
> Daniel
>
>
>
>
>
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Montag, 16. Dezember 2019 20:10
> To: Ostovary, Daniel <dan...@ru...>
> Cc: gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM
>
>
>
> Hi,
>
> Why do you use cert-private? What is the exact configuration of gpg-agent and pkcs11-scd?
>
> Have you strictly followed the ">=gpg-2.1.19" usage instructions in the man page?
>
> Alon
>
>

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Ostovary, D. <dan...@ru...>]

Hi,

I used cert-private to make sure its not an authentication problem. Cert-private always leads to a PIN entry prompt. Not using cert-private leads to the same EOF error anyways.

My config file for gnupg-pkcs11-scd is:
verbose
debug-all
providers libCryptoki2_64
provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
provider-libCryptoki2_64-allow-protected-auth
provider-libCryptoki2_64-cert-private
provider-libCryptoki2_64-private-mask 0

With the last three lines I was just debugging. Their presence or absence does not change the result of SCD LEARN or gpg2 --card-edit. My config file for gpg is:
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-tty
debug-level guru
debug-all

For the gpg version, I am using 2.2.4.

Best regards,
Daniel


From: Alon Bar-Lev <alo...@gm...<mailto:alo...@gm...>>
Sent: Montag, 16. Dezember 2019 20:10
To: Ostovary, Daniel <dan...@ru...<mailto:dan...@ru...>>
Cc: gnu...@li...<mailto:gnu...@li...>
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Hi,
Why do you use cert-private? What is the exact configuration of gpg-agent and pkcs11-scd?
Have you strictly followed the ">=gpg-2.1.19" usage instructions in the man page?
Alon

Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Alon Bar-L. <alo...@gm...>]

Hi,
Why do you use cert-private? What is the exact configuration of gpg-agent
and pkcs11-scd?
Have you strictly followed the ">=gpg-2.1.19" usage instructions in the man
page?
Alon

On Mon, Dec 16, 2019 at 9:01 PM Ostovary, Daniel <dan...@ru...>
wrote:

> Hi,
>
>
>
> am trying to connect GPG with the gnupg-pkcs11-scd to my SafeNet HSM (over
> the network). Using tools like pkcs11-tool I can access the HSM and list
> keys/certificates. However when I execute SCD LEARN I get the following
> error message:
>
>
>
> gpg-agent --server
>
> gpg-agent[2177]: enabled debug flags: mpi crypto memory cache memstat
> hashing ipc
>
> gpg-agent[2177]: DBG: chan_3 -> OK Pleased to meet you
>
> OK Pleased to meet you
>
> SCD LEARN
>
> gpg-agent[2177]: DBG: chan_3 <- SCD LEARN
>
> gpg-agent[2177]: no running SCdaemon - starting it
>
> gnupg-pkcs11-scd[2180.3687888704]: version: 0.9.1
>
> gnupg-pkcs11-scd[2180.3687888704]: config: debug=1, verbose=1
>
> gnupg-pkcs11-scd[2180.3687888704]: config: pin_cache=-1
>
> gnupg-pkcs11-scd[2180.3687888704]: config: provider: name=libCryptoki2_64,
> library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so, allow_protected=1,
> cert_is_private=1, private_mask=00000000
>
> gnupg-pkcs11-scd[2180.3687888704]: run_mode: 2
>
> gnupg-pkcs11-scd[2180.3687888704]: crypto: openssl
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider entry
> version='1.22', pid=2180, reference='libCryptoki2_64',
> provider_location='/usr/safenet/lunaclient/lib/libCryptoki2_64.so',
> allow_protected_auth=1, mask_private_mode=00000000, cert_is_private=1
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Adding provider
> 'libCryptoki2_64'-'/usr/safenet/lunaclient/lib/libCryptoki2_64.so'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider Provider
> 'libCryptoki2_64' manufacturerID 'SafeNet, Inc.                  '
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify entry
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify
> return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Provider 'libCryptoki2_64'
> added rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider return
> rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: Listening to socket
> '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
>
> gnupg-pkcs11-scd[2180.3687888704]: accepting connection
>
> gnupg-pkcs11-scd[2180]: chan_0 -> OK PKCS#11 smart-card server for GnuPG
> ready
>
> gnupg-pkcs11-scd[2180.3687888704]: processing connection
>
> gpg-agent[2177]: DBG: chan_5 <- OK PKCS#11 smart-card server for GnuPG
> ready
>
> gpg-agent[2177]: DBG: first connection to SCdaemon established
>
> gpg-agent[2177]: DBG: chan_5 -> GETINFO socket_name
>
> gnupg-pkcs11-scd[2180]: chan_0 <- GETINFO socket_name
>
> gnupg-pkcs11-scd[2180]: chan_0 -> D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
>
> gnupg-pkcs11-scd[2180]: chan_0 -> OK
>
> gpg-agent[2177]: DBG: chan_5 <- D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
>
> gpg-agent[2177]: DBG: chan_5 <- OK
>
> gpg-agent[2177]: DBG: additional connections at
> '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
>
> gpg-agent[2177]: DBG: chan_5 -> LEARN
>
> gnupg-pkcs11-scd[2180]: chan_0 <- LEARN
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds
> entry method=1, p_token_id_list=0x7ffdbfa44310
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList
> entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa441d8,
> pulCount=0x7ffdbfa441e0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList
> return rv=0-'CKR_OK' *pulCount=1
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId
> entry p_token_id=0x5571427e8c58
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId
> entry p_token_id=0x7ffdbfa44170
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId
> return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId
> return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds
> return rv=0-'CKR_OK', *p_token_id_list=0x7ffdbfa44310
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId
> entry sz=(nil), *max=0000000000000000, token_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId
> return rv=0-'CKR_OK', *max=000000000000003f, sz='(null)'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId
> entry sz=0x5571427d7630, *max=000000000000003f, token_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId
> return rv=0-'CKR_OK', *max=000000000000003f,
> sz='Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E0/1066520144508/dev'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList
> entry token_id_list=0x5571427e8c50
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> entry certificate_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList
> return
>
> gnupg-pkcs11-scd[2180]: chan_0 -> S SERIALNO
> D276000124011150313152552EE11111
>
> gnupg-pkcs11-scd[2180]: chan_0 -> S APPTYPE PKCS11
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_enumCertificateIds entry method=1,
> mask_prompt=00000003, p_cert_id_issuers_list=0x7ffdbfa44348,
> p_cert_id_end_list=0x7ffdbfa44340
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList
> entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa44200,
> pulCount=0x7ffdbfa44208
>
> gpg-agent[2177]: DBG: chan_5 <- S SERIALNO D276000124011150313152552EE11111
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList
> return rv=0-'CKR_OK' *pulCount=1
>
> gpg-agent[2177]: DBG: chan_3 -> S SERIALNO D276000124011150313152552EE11111
>
> S SERIALNO D276000124011150313152552EE11111
>
> gpg-agent[2177]: DBG: chan_5 <- S APPTYPE PKCS11
>
> gpg-agent[2177]: DBG: chan_3 -> S APPTYPE PKCS11
>
> S APPTYPE PKCS11
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId
> entry p_token_id=0x7ffdbfa44218
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId
> entry p_token_id=0x7ffdbfa44170
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId
> return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId
> return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_getSessionByTokenId entry token_id=0x5571427dbfe0,
> p_session=0x7ffdbfa44210
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Creating a new session
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId
> entry to=0x5571427ec018 form=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId
> return rv=0-'CKR_OK', *to=0x5571427dc450
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
> *p_session=0x5571427ec000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_certificate_enumSessionCertificates entry session=0x5571427ec000,
> user_data=0x5571427db110, mask_prompt=00000003
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate
> entry session=0x5571427ec000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate
> return rv=179-'CKR_SESSION_HANDLE_INVALID'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Get certificate attributes
> failed: 179:'CKR_SESSION_HANDLE_INVALID'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login entry
> session=0x5571427ec000, is_publicOnly=1, readonly=1,
> user_data=0x5571427db110, mask_prompt=00000001
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout entry
> session=0x5571427ec000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset entry
> session=0x5571427ec000, user_data=0x5571427db110, mask_prompt=00000001,
> p_slot=0x7ffdbfa43c58
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset
> Expected token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0',
> serialNumber='1066520144508', label='dev'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList
> entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa43b08,
> pulCount=0x7ffdbfa43b10
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList
> return rv=0-'CKR_OK' *pulCount=1
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId
> entry p_token_id=0x7ffdbfa43b18
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId
> entry p_token_id=0x7ffdbfa43a80
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId
> return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId
> return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset Found
> token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0',
> serialNumber='1066520144508', label='dev'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> entry certificate_id=0x5571427dc8c0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset return
> rv=0-'CKR_OK', *p_slot=0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Calling pin_prompt hook for
> 'dev'
>
> gnupg-pkcs11-scd[2180]: chan_0 -> INQUIRE NEEDPIN PIN required for token
> 'dev' (try 0)
>
> gpg-agent[2177]: DBG: chan_5 <- INQUIRE NEEDPIN PIN required for token
> 'dev' (try 0)
>
> gpg-agent[2177]: starting a new PIN Entry
>
> gpg-agent[2177]: DBG: connection to PIN entry established
>
> Please enter the PIN (PIN required for token 'dev' (try 0)) to unlock the
> card
>
> PIN:
>
> gpg-agent[2177]: DBG: chan_5 -> [ REDACTED ...(76 byte(s) skipped) ]
>
> gpg-agent[2177]: DBG: chan_5 -> END
>
> gnupg-pkcs11-scd[2180]: chan_0 <- [ REDACTED ...(76 byte(s) skipped) ]
>
> gnupg-pkcs11-scd[2180]: chan_0 <- END
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pin_prompt hook return rv=0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login C_Login
> rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login return
> rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate
> entry session=0x5571427ec000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate
> session->pin_expire_time=0, time=1576502751
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate
> return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects
> entry session=0x5571427ec000, filter=0x7ffdbfa44110, filter_attrs=1,
> p_objects=0x7ffdbfa440f0, p_objects_found=0x7ffdbfa440f8
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects
> return rv=0-'CKR_OK', *p_objects_found=1
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_getObjectAttributes entry session=0x5571427ec000,
> object=40, attrs=0x7ffdbfa44130, count=2
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffdbfa44100
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK',
> *p_certificate_id=0x5571427dd080
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId
> entry to=0x5571427dd080 form=0x5571427dc450
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId
> return rv=0-'CKR_OK', *to=0x5571427dd4b0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> __pkcs11h_certificate_updateCertificateIdDescription entry
> certificate_id=0x5571427dd080
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_openssl_ex_data_free
> entered - parent=0x55714281adf0, ptr=(nil), ad=0x55714281ae58, idx=1,
> argl=0, argp=0x7f16daacc842
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> __pkcs11h_certificate_updateCertificateIdDescription return
> displayName='/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert on dev'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffdbfa44130, count=2
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_freeObjectAttributes return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry
> session=0x5571427ec000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release
> return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> entry certificate_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_duplicateCertificateId entry to=0x5571427dc928
> form=0x5571427dd080
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
> *to=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> __pkcs11h_certificate_splitCertificateIdList entry
> cert_id_all=0x5571427dc920, p_cert_id_issuers_list=0x7ffdbfa44348,
> p_cert_id_end_list=0x7ffdbfa44340
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ddc18
> form=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
> *to=0x55714281b690
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x5571427dc920
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> entry certificate_id=0x55714281b220
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificateId return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificateIdList return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create
> entry certificate_id=0x55714281b690, user_data=0x5571427db110,
> mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffdbfa44208
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ec320
> form=0x55714281b690
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
> *to=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_getSessionByTokenId entry token_id=0x55714281b220,
> p_session=0x5571427ec330
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Using cached session
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
> *p_session=0x5571427ec000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create
> return rv=0-'CKR_OK' *p_certificate=0x5571427ec320
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320,
> certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320,
> certificate_blob=0x55714281c2c0, *p_certificate_blob_size=000000000000037e
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificate entry certificate=0x5571427ec320
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry
> session=0x5571427ec000
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release
> return rv=0-'CKR_OK'
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> entry certificate_id=0x55714281b220
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId
> return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificateId return
>
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
> pkcs11h_certificate_freeCertificate return
>
> gpg-agent[2177]: DBG: chan_5 <- [eof]
>
> gpg-agent[2177]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
>
> ERR 67125247 End of file <GPG Agent>
>
>
>
> As the code quality from SafeNet is not great I could imagine that the HSM
> might respond to SCD LEARN in an unexpected way. However when I execute
> ‘gpg2 --card-edit’ I get this error:
>
>
>
> gpg: WARNING: server 'scdaemon' is older than us (0.9.1 < 2.2.4)
>
> gpg: Note: Outdated servers may lack important security fixes.
>
> gpg: Note: Use the command "gpgconf --kill all" to restart them.
>
> gpg: OpenPGP card not available: No inquire callback in IPC
>
>
>
> It appears that another user already had a similar problem:
> https://sourceforge.net/p/gnupg-pkcs11/mailman/message/35846920/.
>
>
>
> Does anybody know what the problem is and how to fix it? Thanks for your
> help!
>
>
>
> Kind regards,
>
> Daniel Ostovary
> IT Security Engineer
>
> *RUBICON IT GmbH*
>
>
> _______________________________________________
> Gnupg-pkcs11-users mailing list
> Gnu...@li...
> https://lists.sourceforge.net/lists/listinfo/gnupg-pkcs11-users
>

[Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

[Ostovary, D. <dan...@ru...>]

Hi,

am trying to connect GPG with the gnupg-pkcs11-scd to my SafeNet HSM (over the network). Using tools like pkcs11-tool I can access the HSM and list keys/certificates. However when I execute SCD LEARN I get the following error message:

gpg-agent --server
gpg-agent[2177]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[2177]: DBG: chan_3 -> OK Pleased to meet you
OK Pleased to meet you
SCD LEARN
gpg-agent[2177]: DBG: chan_3 <- SCD LEARN
gpg-agent[2177]: no running SCdaemon - starting it
gnupg-pkcs11-scd[2180.3687888704]: version: 0.9.1
gnupg-pkcs11-scd[2180.3687888704]: config: debug=1, verbose=1
gnupg-pkcs11-scd[2180.3687888704]: config: pin_cache=-1
gnupg-pkcs11-scd[2180.3687888704]: config: provider: name=libCryptoki2_64, library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so, allow_protected=1, cert_is_private=1, private_mask=00000000
gnupg-pkcs11-scd[2180.3687888704]: run_mode: 2
gnupg-pkcs11-scd[2180.3687888704]: crypto: openssl
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider entry version='1.22', pid=2180, reference='libCryptoki2_64', provider_location='/usr/safenet/lunaclient/lib/libCryptoki2_64.so', allow_protected_auth=1, mask_private_mode=00000000, cert_is_private=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Adding provider 'libCryptoki2_64'-'/usr/safenet/lunaclient/lib/libCryptoki2_64.so'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider Provider 'libCryptoki2_64' manufacturerID 'SafeNet, Inc.                  '
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify entry
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Provider 'libCryptoki2_64' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: Listening to socket '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
gnupg-pkcs11-scd[2180.3687888704]: accepting connection
gnupg-pkcs11-scd[2180]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[2180.3687888704]: processing connection
gpg-agent[2177]: DBG: chan_5 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[2177]: DBG: first connection to SCdaemon established
gpg-agent[2177]: DBG: chan_5 -> GETINFO socket_name
gnupg-pkcs11-scd[2180]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[2180]: chan_0 -> D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
gnupg-pkcs11-scd[2180]: chan_0 -> OK
gpg-agent[2177]: DBG: chan_5 <- D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
gpg-agent[2177]: DBG: chan_5 <- OK
gpg-agent[2177]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
gpg-agent[2177]: DBG: chan_5 -> LEARN
gnupg-pkcs11-scd[2180]: chan_0 <- LEARN
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffdbfa44310
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa441d8, pulCount=0x7ffdbfa441e0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x5571427e8c58
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa44170
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffdbfa44310
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='(null)'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x5571427d7630, *max=000000000000003f, token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E0/1066520144508/dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x5571427e8c50
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[2180]: chan_0 -> S SERIALNO D276000124011150313152552EE11111
gnupg-pkcs11-scd[2180]: chan_0 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffdbfa44348, p_cert_id_end_list=0x7ffdbfa44340
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa44200, pulCount=0x7ffdbfa44208
gpg-agent[2177]: DBG: chan_5 <- S SERIALNO D276000124011150313152552EE11111
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gpg-agent[2177]: DBG: chan_3 -> S SERIALNO D276000124011150313152552EE11111
S SERIALNO D276000124011150313152552EE11111
gpg-agent[2177]: DBG: chan_5 <- S APPTYPE PKCS11
gpg-agent[2177]: DBG: chan_3 -> S APPTYPE PKCS11
S APPTYPE PKCS11
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdbfa44218
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa44170
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x5571427dbfe0, p_session=0x7ffdbfa44210
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Creating a new session
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5571427ec018 form=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5571427dc450
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0x5571427ec000, user_data=0x5571427db110, mask_prompt=00000003
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login entry session=0x5571427ec000, is_publicOnly=1, readonly=1, user_data=0x5571427db110, mask_prompt=00000001
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset entry session=0x5571427ec000, user_data=0x5571427db110, mask_prompt=00000001, p_slot=0x7ffdbfa43c58
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa43b08, pulCount=0x7ffdbfa43b10
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdbfa43b18
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa43a80
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dc8c0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Calling pin_prompt hook for 'dev'
gnupg-pkcs11-scd[2180]: chan_0 -> INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
gpg-agent[2177]: DBG: chan_5 <- INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
gpg-agent[2177]: starting a new PIN Entry
gpg-agent[2177]: DBG: connection to PIN entry established
Please enter the PIN (PIN required for token 'dev' (try 0)) to unlock the card
PIN:
gpg-agent[2177]: DBG: chan_5 -> [ REDACTED ...(76 byte(s) skipped) ]
gpg-agent[2177]: DBG: chan_5 -> END
gnupg-pkcs11-scd[2180]: chan_0 <- [ REDACTED ...(76 byte(s) skipped) ]
gnupg-pkcs11-scd[2180]: chan_0 <- END
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pin_prompt hook return rv=0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login C_Login rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1576502751
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects entry session=0x5571427ec000, filter=0x7ffdbfa44110, filter_attrs=1, p_objects=0x7ffdbfa440f0, p_objects_found=0x7ffdbfa440f8
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x5571427ec000, object=40, attrs=0x7ffdbfa44130, count=2
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffdbfa44100
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x5571427dd080
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5571427dd080 form=0x5571427dc450
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5571427dd4b0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x5571427dd080
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x55714281adf0, ptr=(nil), ad=0x55714281ae58, idx=1, argl=0, argp=0x7f16daacc842
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert on dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffdbfa44130, count=2
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427dc928 form=0x5571427dd080
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x5571427dc920, p_cert_id_issuers_list=0x7ffdbfa44348, p_cert_id_end_list=0x7ffdbfa44340
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ddc18 form=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x55714281b690
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x5571427dc920
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55714281b220
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x55714281b690, user_data=0x5571427db110, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffdbfa44208
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ec320 form=0x55714281b690
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x55714281b220, p_session=0x5571427ec330
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Using cached session
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x5571427ec320
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320, certificate_blob=0x55714281c2c0, *p_certificate_blob_size=000000000000037e
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x5571427ec320
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55714281b220
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificate return
gpg-agent[2177]: DBG: chan_5 <- [eof]
gpg-agent[2177]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
ERR 67125247 End of file <GPG Agent>

As the code quality from SafeNet is not great I could imagine that the HSM might respond to SCD LEARN in an unexpected way. However when I execute 'gpg2 --card-edit' I get this error:

gpg: WARNING: server 'scdaemon' is older than us (0.9.1 < 2.2.4)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: No inquire callback in IPC

It appears that another user already had a similar problem: https://sourceforge.net/p/gnupg-pkcs11/mailman/message/35846920/.

Does anybody know what the problem is and how to fix it? Thanks for your help!

Kind regards,
Daniel Ostovary
IT Security Engineer
RUBICON IT GmbH

Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

[Dustin R. <dus...@ho...>]

This actually helped me a lot. I thought I was dealing with a broken protocol issue, rather then conflicting packages. I have it working with the newer version now.


Also I tried to get a stub utility working for replacing pinentry and could not get it working. Your python script worked nicely.


Thank you for the help.

-Dustin



________________________________
From: Alon Bar-Lev <alo...@gm...>
Sent: Thursday, June 1, 2017 7:34 AM
To: Dustin Rogers
Cc: Gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

You probably have different issue with conflict of two versions or
components, it probably has nothing to do with gnupg-pkcs11, please
resolve this via other channels first with standard operation of
gnupg.

In any case in order to feed agent with static pin, a solution such as
custom pinentry[1] is available.

Put a custom pinentry script in gpg-agent file and then run the this
[1] with --file= that refer to the static PIN.


[1] https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/misc/pinentry-file
[https://avatars1.githubusercontent.com/u/1263789?v=3&s=400]<https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/misc/pinentry-file>

alonbl/gnupg-pkcs11-scd<https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/misc/pinentry-file>
github.com
gnupg-pkcs11-scd - PKCS#11 GnuPG SCD




On 1 June 2017 at 15:07, Dustin Rogers <dus...@ho...> wrote:
> You are correct. RHEL comes with native gnupg-2.0.14. I can get
> gnupg-pkcs11-scd to work with that version, which does not leave gpg-agent
> running.
>
>
> Yes, I manually installed gnupg-2.1.20 on RHEL, but with 2.6.32 kernel.
>
>
> (sidenote: the reason I wish to use gnupg-2.1 is for unattended pinentry
> support it provides. I could not do this with gnupg-2.0)
>
>
> -Dustin
>
>
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Thursday, June 1, 2017 12:03 AM
>
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> How do you run gnupg-2.1 in rhel-2.8?
> Have you installed it manually? as far as I know rhel has gnupg-2.0.
>
> On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
>>
>> I apologize for the confusion.
>>
>>
>> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
>> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
>> 2.0.14 I am able to get the pkcs11-scd to work.
>>
>>
>> On the newer version the gpg-agent is forced, and seems to intercept any
>> callbacks for the PIN. So I am not recieving the PIN request, and the
>> gpg-agent protocol breaks down.
>>
>>
>> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
>> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
>> 'gnupg-par1HA' (try 0)
>> gpg-agent[12159]: DBG: chan_9 -> END
>> gpg-agent[12159]: DBG: chan_9 <- OK
>> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
>> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>>
>>
>> This does not seem to relate to the tty environment. Do you know how I can
>> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
>> previous agentless versions of gnupg? Is there some other reason why my
>> card
>> learn is breaking?
>>
>> Thank you,
>> -Dustin
>> ________________________________
>> From: Alon Bar-Lev <alo...@gm...>
>> Sent: Wednesday, May 31, 2017 3:21 PM
>> To: Dustin Rogers
>> Cc: Gnu...@li...
>> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
>> callback in IPC
>>
>> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>>>
>>> Hi Alon:
>>>
>>>
>>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems
>>> to
>>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not
>>> prepared
>>> for this callback at this point.  gnupg 2.0.x did not require the running
>>> agent and therefore the scdaemon was not intercepting the INQUIRE
>>> callbacks.
>>> Any thoughts?
>>>
>> <snip>
>>
>> Hi,
>> I do not understand what you ask, do you ask if you can automate the
>> pin entry for batch applications?
>> Thanks,
>> Alon

Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

[Alon Bar-L. <alo...@gm...>]

You probably have different issue with conflict of two versions or
components, it probably has nothing to do with gnupg-pkcs11, please
resolve this via other channels first with standard operation of
gnupg.

In any case in order to feed agent with static pin, a solution such as
custom pinentry[1] is available.

Put a custom pinentry script in gpg-agent file and then run the this
[1] with --file= that refer to the static PIN.


[1] https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/misc/pinentry-file

On 1 June 2017 at 15:07, Dustin Rogers <dus...@ho...> wrote:
> You are correct. RHEL comes with native gnupg-2.0.14. I can get
> gnupg-pkcs11-scd to work with that version, which does not leave gpg-agent
> running.
>
>
> Yes, I manually installed gnupg-2.1.20 on RHEL, but with 2.6.32 kernel.
>
>
> (sidenote: the reason I wish to use gnupg-2.1 is for unattended pinentry
> support it provides. I could not do this with gnupg-2.0)
>
>
> -Dustin
>
>
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Thursday, June 1, 2017 12:03 AM
>
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> How do you run gnupg-2.1 in rhel-2.8?
> Have you installed it manually? as far as I know rhel has gnupg-2.0.
>
> On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
>>
>> I apologize for the confusion.
>>
>>
>> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
>> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
>> 2.0.14 I am able to get the pkcs11-scd to work.
>>
>>
>> On the newer version the gpg-agent is forced, and seems to intercept any
>> callbacks for the PIN. So I am not recieving the PIN request, and the
>> gpg-agent protocol breaks down.
>>
>>
>> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
>> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
>> 'gnupg-par1HA' (try 0)
>> gpg-agent[12159]: DBG: chan_9 -> END
>> gpg-agent[12159]: DBG: chan_9 <- OK
>> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
>> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>>
>>
>> This does not seem to relate to the tty environment. Do you know how I can
>> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
>> previous agentless versions of gnupg? Is there some other reason why my
>> card
>> learn is breaking?
>>
>> Thank you,
>> -Dustin
>> ________________________________
>> From: Alon Bar-Lev <alo...@gm...>
>> Sent: Wednesday, May 31, 2017 3:21 PM
>> To: Dustin Rogers
>> Cc: Gnu...@li...
>> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
>> callback in IPC
>>
>> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>>>
>>> Hi Alon:
>>>
>>>
>>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems
>>> to
>>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not
>>> prepared
>>> for this callback at this point.  gnupg 2.0.x did not require the running
>>> agent and therefore the scdaemon was not intercepting the INQUIRE
>>> callbacks.
>>> Any thoughts?
>>>
>> <snip>
>>
>> Hi,
>> I do not understand what you ask, do you ask if you can automate the
>> pin entry for batch applications?
>> Thanks,
>> Alon

Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

[Dustin R. <dus...@ho...>]

You are correct. RHEL comes with native gnupg-2.0.14. I can get gnupg-pkcs11-scd to work with that version, which does not leave gpg-agent running.


Yes, I manually installed gnupg-2.1.20 on RHEL, but with 2.6.32 kernel.


(sidenote: the reason I wish to use gnupg-2.1 is for unattended pinentry support it provides. I could not do this with gnupg-2.0)


-Dustin

________________________________
From: Alon Bar-Lev <alo...@gm...>
Sent: Thursday, June 1, 2017 12:03 AM
To: Dustin Rogers
Cc: Gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

How do you run gnupg-2.1 in rhel-2.8?
Have you installed it manually? as far as I know rhel has gnupg-2.0.

On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
>
> I apologize for the confusion.
>
>
> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
> 2.0.14 I am able to get the pkcs11-scd to work.
>
>
> On the newer version the gpg-agent is forced, and seems to intercept any
> callbacks for the PIN. So I am not recieving the PIN request, and the
> gpg-agent protocol breaks down.
>
>
> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
> 'gnupg-par1HA' (try 0)
> gpg-agent[12159]: DBG: chan_9 -> END
> gpg-agent[12159]: DBG: chan_9 <- OK
> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>
>
> This does not seem to relate to the tty environment. Do you know how I can
> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
> previous agentless versions of gnupg? Is there some other reason why my card
> learn is breaking?
>
> Thank you,
> -Dustin
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Wednesday, May 31, 2017 3:21 PM
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>>
>> Hi Alon:
>>
>>
>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to
>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared
>> for this callback at this point.  gnupg 2.0.x did not require the running
>> agent and therefore the scdaemon was not intercepting the INQUIRE callbacks.
>> Any thoughts?
>>
> <snip>
>
> Hi,
> I do not understand what you ask, do you ask if you can automate the
> pin entry for batch applications?
> Thanks,
> Alon

Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

[Alon Bar-L. <alo...@gm...>]

How do you run gnupg-2.1 in rhel-2.8?
Have you installed it manually? as far as I know rhel has gnupg-2.0.

On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
>
> I apologize for the confusion.
>
>
> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
> 2.0.14 I am able to get the pkcs11-scd to work.
>
>
> On the newer version the gpg-agent is forced, and seems to intercept any
> callbacks for the PIN. So I am not recieving the PIN request, and the
> gpg-agent protocol breaks down.
>
>
> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
> 'gnupg-par1HA' (try 0)
> gpg-agent[12159]: DBG: chan_9 -> END
> gpg-agent[12159]: DBG: chan_9 <- OK
> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>
>
> This does not seem to relate to the tty environment. Do you know how I can
> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
> previous agentless versions of gnupg? Is there some other reason why my card
> learn is breaking?
>
> Thank you,
> -Dustin
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Wednesday, May 31, 2017 3:21 PM
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>>
>> Hi Alon:
>>
>>
>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to
>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared
>> for this callback at this point.  gnupg 2.0.x did not require the running
>> agent and therefore the scdaemon was not intercepting the INQUIRE callbacks.
>> Any thoughts?
>>
> <snip>
>
> Hi,
> I do not understand what you ask, do you ask if you can automate the
> pin entry for batch applications?
> Thanks,
> Alon

Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

[Dustin R. <dus...@ho...>]

I apologize for the confusion.


I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg 2.0.14 I am able to get the pkcs11-scd to work.


On the newer version the gpg-agent is forced, and seems to intercept any callbacks for the PIN. So I am not recieving the PIN request, and the gpg-agent protocol breaks down.


gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC

This does not seem to relate to the tty environment. Do you know how I can get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in previous agentless versions of gnupg? Is there some other reason why my card learn is breaking?

Thank you,
-Dustin
________________________________
From: Alon Bar-Lev <alo...@gm...>
Sent: Wednesday, May 31, 2017 3:21 PM
To: Dustin Rogers
Cc: Gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>
> Hi Alon:
>
>
> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared for this callback at this point.  gnupg 2.0.x did not require the running agent and therefore the scdaemon was not intercepting the INQUIRE callbacks. Any thoughts?
>
<snip>

Hi,
I do not understand what you ask, do you ask if you can automate the
pin entry for batch applications?
Thanks,
Alon

Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

[Alon Bar-L. <alo...@gm...>]

On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>
> Hi Alon:
>
>
> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared for this callback at this point.  gnupg 2.0.x did not require the running agent and therefore the scdaemon was not intercepting the INQUIRE callbacks. Any thoughts?
>
<snip>

Hi,
I do not understand what you ask, do you ask if you can automate the
pin entry for batch applications?
Thanks,
Alon

Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

[Dustin R. <dus...@ho...>]

Hi Alon:


How are people getting past the INQUIRE NEEDPIN PIN callback that seems to be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared for this callback at this point.  gnupg 2.0.x did not require the running agent and therefore the scdaemon was not intercepting the INQUIRE callbacks. Any thoughts?



gpg-agent[12159]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[12159]: no running SCdaemon - starting it
gpg-agent[12159]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[12159]: DBG: first connection to SCdaemon established
gpg-agent[12159]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[12159]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.igcOYh/agent.S
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.igcOYh/agent.S'
gpg-agent[12159]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_9 -> GETINFO version
gpg-agent[12159]: DBG: chan_9 <- D 0.7.5
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> D 0.7.5
gpg-agent[12159]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[12159]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[12159]: DBG: chan_9 -> LEARN --force
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[12159]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC <GPG Agent>
gpg: OpenPGP card not available: No inquire callback in IPC
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: DBG: chan_8 <- [eof]
gpg-agent[12159]: DBG: chan_9 -> RESTART
gpg-agent[12159]: DBG: chan_9 <- OK

Thank you,
-Dustin Rogers


________________________________
From: Dustin Rogers <dus...@ho...>
Sent: Thursday, May 18, 2017 11:17 AM
To: Gnu...@li...
Subject: Fw: command 'LEARN' failed: No inquire callback in IPC



Hi gnupg-pkcs11-scd users:


Does anyone have any ideas why the gnupg 2.0 can locate keys on our network attached Safenet Luna SA HSM, through the gnupg-pkcs11-scd, yet the newer version gnupg2.1.x cannot?


The developers at gnupg feel that this sc daemon is breaking the LEARN protocol. You can see from my response (with example) to them below that I dont necessarily think it is breaking the protocol, moreover, it is not allowing the scd a direct interaction with the card anymore, for the LEARN command that is.


I really need the INQUIRE call back to pass through like in the older version without the constantly running agent.


The newer gnupg2.1 has a unnattended PINENTRY feature that I would like to manipulate for batch decryptions.


Thank you for your time and any advice you may have.

-Dustin Rogers

Cryptographic Engineer at Capital One


________________________________
From: Rogers, Dustin <Dus...@ca...>
Sent: Thursday, May 18, 2017 11:06 AM
To: NIIBE Yutaka; Dustin Rogers; gnu...@gn...
Subject: RE: command 'LEARN' failed: No inquire callback in IPC

Hi Mr. Yutaka:

Okay I will bring the question to them and see if they can help.
You are correct and now I realize from the output below that in the newer version the agent is forcing itself onto a channel, and grabbing any callback. As you point out, it does not know what to do with the callback. In the previous version the agent would merely pass the information through, allowing the scd to manipulate the channel and socket. I have to say though, this was a nice coincidence.

[root@ip-10-206-8-51 ~]# gpg --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
[root@ip-10-206-8-51 ~]# gpg --card-status
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gnupg-pkcs11-scd[23086.3299858176]: Cannot open configuration file '/root/.gnupg/gnupg-pkcs11-scd.conf'
gnupg-pkcs11-scd[23086.3299858176]: Listening to socket '/tmp/gnupg-pkcs11-scd.lmAaRp/agent.S'
gnupg-pkcs11-scd[23086]: chan_6 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[23086]: chan_6 <- GETINFO socket_name
gnupg-pkcs11-scd[23086]: chan_6 -> D /tmp/gnupg-pkcs11-scd.lmAaRp/agent.S
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- OPTION event-signal=12
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- LEARN --force
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[23086]: chan_6 -> INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gnupg-pkcs11-scd[23086]: chan_6 <- [ 44 20 67 6e 75 70 67 2d 70 61 72 31 00 00 00 00 ...(76 byte(s) skipped) ]
gnupg-pkcs11-scd[23086]: chan_6 <- END
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FRIEDNLY 73DF3EBFxxxxxxxxxxxxxxxxA1C101ED65FC61F894 /C=US/O=Capital One/OU=Web Servers/CN=gnupguser01 on gnupg-par1HA
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FPR 1 73DF3EBF24561B6296AF30A1C101ED65FC61F894
gnupg-pkcs11-scd[23086]: chan_6 -> S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> S KEYPAIRINFO 73DF3EBFxxxxxxxxxxxxxxxxxxC101ED65FC61F894 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- GETATTR KEY-ATTR
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 1 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 2 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 3 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
Application ID ...: D2760001240111504B43532331311111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: 53233131
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 1R 1R 1R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 73DF 3EBF XXXX XXXX XXXX XXA1 C101 ED65 FC61 F894
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
[root@ip-10-206-8-51 ~]# gnupg-pkcs11-scd[23086]: chan_6 <- RESTART
gnupg-pkcs11-scd[23086]: chan_6 -> OK



[root@ip-10-206-8-250 ~]# gpg --version
gpg (GnuPG) 2.1.20
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
[root@ip-10-206-8-250 ~]# gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --daemon
gpg-agent[12158]: reading options from '/root/.gnupg/gpg-agent.conf'
gpg-agent[12158]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.extra'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.browser'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.ssh'
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: gpg-agent (GnuPG) 2.1.20 started
gpg-agent --debug-level=gugpg --card-status
gpg-agent[12159]: DBG: chan_8 -> OK Pleased to meet you, process 12160
gpg-agent[12159]: DBG: chan_8 <- RESET
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttyname=/dev/pts/2
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttytype=xterm
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- GETINFO version
gpg-agent[12159]: DBG: chan_8 -> D 2.1.20
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION allow-pinentry-notify
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION agent-awareness=2.1.0
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[12159]: no running SCdaemon - starting it
gpg-agent[12159]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[12159]: DBG: first connection to SCdaemon established
gpg-agent[12159]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[12159]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.igcOYh/agent.S
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.igcOYh/agent.S'
gpg-agent[12159]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_9 -> GETINFO version
gpg-agent[12159]: DBG: chan_9 <- D 0.7.5
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> D 0.7.5
gpg-agent[12159]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[12159]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[12159]: DBG: chan_9 -> LEARN --force
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[12159]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC <GPG Agent>
gpg: OpenPGP card not available: No inquire callback in IPC
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: DBG: chan_8 <- [eof]
gpg-agent[12159]: DBG: chan_9 -> RESTART
gpg-agent[12159]: DBG: chan_9 <- OK


You can see in the last example that the agent is running on channel 8, and simultaneously the scd is running on chan_9. Both agents are trying to learn the card at the same time now. That is why the INQUIRE does not pass through anymore.

Questions:
Is there anyway to run gpg2 without the agent? (Seems this is not likely as the --no-use-agent directive is deprecated.)
Is there anyway to adjust the gpg-agent options so that it doesn't try to force learn the card? (gpg --send-info)

Also, to answer your question...on a network attached HSM there must be authentication on a LEARN command. It is not USB attached, thus authentication cannot be just assumed on a learn.

Thank you,
-Dustin Rogers


____________________________________________
Dustin Rogers, MSIA
Data Security
Encryption Services (pulse)
224.404.8919 (office)
218.331.0186 (mobile)


-----Original Message-----
From: NIIBE Yutaka [mailto:gn...@fs...]
Sent: Wednesday, May 17, 2017 1:32 AM
To: Dustin Rogers <dus...@ho...>; Rogers, Dustin <Dus...@ca...>; gnu...@gn...
Subject: Re: command 'LEARN' failed: No inquire callback in IPC

Dustin Rogers <dus...@ho...> wrote:
> In fact the native support for smart cards does not seem to support
> network attached HSM "virtual tokens" devices at all. It could be
> possible that I need to specify the local port the installed HSM agent
> is running on, but I dont think I will be that lucky.

No, scdaemon doesn't support it.

> I have this  other scdaemon (gnupg-pkcs11-scd) working fine with gnupg
> 2.0,

Well, I think that gnupg-pkcs11-scd is not supported by GnuPG, 2.0 or 2.1.  It is a kind of... independently developed program, unfortunately.
It was just coincidence (from my view point) it worked with GnuPG 2.0.

It would be good if someone around gnupg-pkcs11-scd shares developement information with GnuPG.

> but with manual pinentry for each operation. I cant get it working
> with gnupg 2.1. (again, I am looking for the unattended pinentry
> support the later version seems to have) Thus, I really dont think
> this is an issue with the scdaemon I am using. Moreover, I can see the
> INQUIRE PIN callback is there, the pinentry is just not appearing.
> Really I would like to understand why the gpg-connect-agent is
> allowing the pin call back through, and the gpg-agent itself is not?

Well, it's the detail of protocol between gpg-agent and scdaemon.
INQUIRE NEEDPIN from scdaemon is not expected by gpg-agent when LEARN --force is issued.  This situation is same in GnuPG 2.0.

We don't know how gnupg-pkcs11-scd works, according to your log, it breaks the protocol for LEARN.

gpg-agent only delegates back the INQUIRE NEEDPIN request to gpg when it is prepared: PKSIGN, PKDECRYPT, WRITEKEY, and generic SCD.

For gpg-connect-agent with SCD command, it is prepared, thus it works.

I think that it would be good to check why gnupg-pkcs11-scd called back with INQUIRE NEEDPIN for LEARN command.
--

[Gnupg-pkcs11-users] Fw: command 'LEARN' failed: No inquire callback in IPC

[Dustin R. <dus...@ho...>]

Hi gnupg-pkcs11-scd users:


Does anyone have any ideas why the gnupg 2.0 can locate keys on our network attached Safenet Luna SA HSM, through the gnupg-pkcs11-scd, yet the newer version gnupg2.1.x cannot?


The developers at gnupg feel that this sc daemon is breaking the LEARN protocol. You can see from my response (with example) to them below that I dont necessarily think it is breaking the protocol, moreover, it is not allowing the scd a direct interaction with the card anymore, for the LEARN command that is.


I really need the INQUIRE call back to pass through like in the older version without the constantly running agent.


The newer gnupg2.1 has a unnattended PINENTRY feature that I would like to manipulate for batch decryptions.


Thank you for your time and any advice you may have.

-Dustin Rogers

Cryptographic Engineer at Capital One


________________________________
From: Rogers, Dustin <Dus...@ca...>
Sent: Thursday, May 18, 2017 11:06 AM
To: NIIBE Yutaka; Dustin Rogers; gnu...@gn...
Subject: RE: command 'LEARN' failed: No inquire callback in IPC

Hi Mr. Yutaka:

Okay I will bring the question to them and see if they can help.
You are correct and now I realize from the output below that in the newer version the agent is forcing itself onto a channel, and grabbing any callback. As you point out, it does not know what to do with the callback. In the previous version the agent would merely pass the information through, allowing the scd to manipulate the channel and socket. I have to say though, this was a nice coincidence.

[root@ip-10-206-8-51 ~]# gpg --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128,
        CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
[root@ip-10-206-8-51 ~]# gpg --card-status
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gnupg-pkcs11-scd[23086.3299858176]: Cannot open configuration file '/root/.gnupg/gnupg-pkcs11-scd.conf'
gnupg-pkcs11-scd[23086.3299858176]: Listening to socket '/tmp/gnupg-pkcs11-scd.lmAaRp/agent.S'
gnupg-pkcs11-scd[23086]: chan_6 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[23086]: chan_6 <- GETINFO socket_name
gnupg-pkcs11-scd[23086]: chan_6 -> D /tmp/gnupg-pkcs11-scd.lmAaRp/agent.S
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- OPTION event-signal=12
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- LEARN --force
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[23086]: chan_6 -> INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gnupg-pkcs11-scd[23086]: chan_6 <- [ 44 20 67 6e 75 70 67 2d 70 61 72 31 00 00 00 00 ...(76 byte(s) skipped) ]
gnupg-pkcs11-scd[23086]: chan_6 <- END
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FRIEDNLY 73DF3EBFxxxxxxxxxxxxxxxxA1C101ED65FC61F894 /C=US/O=Capital One/OU=Web Servers/CN=gnupguser01 on gnupg-par1HA
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FPR 1 73DF3EBF24561B6296AF30A1C101ED65FC61F894
gnupg-pkcs11-scd[23086]: chan_6 -> S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> S KEYPAIRINFO 73DF3EBFxxxxxxxxxxxxxxxxxxC101ED65FC61F894 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- GETATTR KEY-ATTR
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 1 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 2 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 3 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
Application ID ...: D2760001240111504B43532331311111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: 53233131
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 1R 1R 1R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 73DF 3EBF XXXX XXXX XXXX XXA1 C101 ED65 FC61 F894
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
[root@ip-10-206-8-51 ~]# gnupg-pkcs11-scd[23086]: chan_6 <- RESTART
gnupg-pkcs11-scd[23086]: chan_6 -> OK



[root@ip-10-206-8-250 ~]# gpg --version
gpg (GnuPG) 2.1.20
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB
[root@ip-10-206-8-250 ~]# gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --daemon
gpg-agent[12158]: reading options from '/root/.gnupg/gpg-agent.conf'
gpg-agent[12158]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.extra'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.browser'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.ssh'
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: gpg-agent (GnuPG) 2.1.20 started
gpg-agent --debug-level=gugpg --card-status
gpg-agent[12159]: DBG: chan_8 -> OK Pleased to meet you, process 12160
gpg-agent[12159]: DBG: chan_8 <- RESET
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttyname=/dev/pts/2
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttytype=xterm
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- GETINFO version
gpg-agent[12159]: DBG: chan_8 -> D 2.1.20
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION allow-pinentry-notify
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION agent-awareness=2.1.0
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[12159]: no running SCdaemon - starting it
gpg-agent[12159]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[12159]: DBG: first connection to SCdaemon established
gpg-agent[12159]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[12159]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.igcOYh/agent.S
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.igcOYh/agent.S'
gpg-agent[12159]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_9 -> GETINFO version
gpg-agent[12159]: DBG: chan_9 <- D 0.7.5
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> D 0.7.5
gpg-agent[12159]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[12159]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[12159]: DBG: chan_9 -> LEARN --force
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[12159]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC <GPG Agent>
gpg: OpenPGP card not available: No inquire callback in IPC
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: DBG: chan_8 <- [eof]
gpg-agent[12159]: DBG: chan_9 -> RESTART
gpg-agent[12159]: DBG: chan_9 <- OK


You can see in the last example that the agent is running on channel 8, and simultaneously the scd is running on chan_9. Both agents are trying to learn the card at the same time now. That is why the INQUIRE does not pass through anymore.

Questions:
Is there anyway to run gpg2 without the agent? (Seems this is not likely as the --no-use-agent directive is deprecated.)
Is there anyway to adjust the gpg-agent options so that it doesn't try to force learn the card? (gpg --send-info)

Also, to answer your question...on a network attached HSM there must be authentication on a LEARN command. It is not USB attached, thus authentication cannot be just assumed on a learn.

Thank you,
-Dustin Rogers


____________________________________________
Dustin Rogers, MSIA
Data Security
Encryption Services (pulse)
224.404.8919 (office)
218.331.0186 (mobile)


-----Original Message-----
From: NIIBE Yutaka [mailto:gn...@fs...]
Sent: Wednesday, May 17, 2017 1:32 AM
To: Dustin Rogers <dus...@ho...>; Rogers, Dustin <Dus...@ca...>; gnu...@gn...
Subject: Re: command 'LEARN' failed: No inquire callback in IPC

Dustin Rogers <dus...@ho...> wrote:
> In fact the native support for smart cards does not seem to support
> network attached HSM "virtual tokens" devices at all. It could be
> possible that I need to specify the local port the installed HSM agent
> is running on, but I dont think I will be that lucky.

No, scdaemon doesn't support it.

> I have this  other scdaemon (gnupg-pkcs11-scd) working fine with gnupg
> 2.0,

Well, I think that gnupg-pkcs11-scd is not supported by GnuPG, 2.0 or 2.1.  It is a kind of... independently developed program, unfortunately.
It was just coincidence (from my view point) it worked with GnuPG 2.0.

It would be good if someone around gnupg-pkcs11-scd shares developement information with GnuPG.

> but with manual pinentry for each operation. I cant get it working
> with gnupg 2.1. (again, I am looking for the unattended pinentry
> support the later version seems to have) Thus, I really dont think
> this is an issue with the scdaemon I am using. Moreover, I can see the
> INQUIRE PIN callback is there, the pinentry is just not appearing.
> Really I would like to understand why the gpg-connect-agent is
> allowing the pin call back through, and the gpg-agent itself is not?

Well, it's the detail of protocol between gpg-agent and scdaemon.
INQUIRE NEEDPIN from scdaemon is not expected by gpg-agent when LEARN --force is issued.  This situation is same in GnuPG 2.0.

We don't know how gnupg-pkcs11-scd works, according to your log, it breaks the protocol for LEARN.

gpg-agent only delegates back the INQUIRE NEEDPIN request to gpg when it is prepared: PKSIGN, PKDECRYPT, WRITEKEY, and generic SCD.

For gpg-connect-agent with SCD command, it is prepared, thus it works.

I think that it would be good to check why gnupg-pkcs11-scd called back with INQUIRE NEEDPIN for LEARN command.
--

Re: [Gnupg-pkcs11-users] Problems with ESTEID, gnupg-pkcs11-scd and gpgsm

[Jaap v. W. <mai...@va...>]

Op 2015-12-24T19:51:47 UTC schreef Alon Bar-Lev <alo...@gm...>
in het bericht <Re: [Gnupg-pkcs11-users] Problems with ESTEID,
gnupg-pkcs11-scd and gpgsm>,
mid:CAOazyz0uJ9hYSaVAFF=BU78RCqj22soh0L+A_cjK_Jx=fo...@ma...
het volgende. 
> Please attach log files - do not paste.
> Please configure gpg to write to log files and not to terminal.
> 
> ~/.gnupg/gpg-agent.conf
> ---
> debug-all
> log-file /tmp/gpg-agent.log
> ---
> 
> ~/.gnupg/gnupg-pkcs11-scd.conf
> ---
> log-file /tmp/gnupg-pkcs11-scd.log
> verbose
> debug-all

3 attachments!


-- 

Jaap van Wingerde
e-mail: 123...@va...

[Gnupg-pkcs11-users] Problems with ESTEID, gnupg-pkcs11-scd and gpgsm

[Jaap v. W. <mai...@va...>]

How can I solve them?

jaap@jaap:~$ gpgsm --help
gpgsm (GnuPG) 2.0.26
libgcrypt 1.6.3
libksba 1.3.2-unknown
...
jaap@jaap:~$

jaap@jaap:~$ /usr/bin/gpgsm -vvvvs txt.txt
gpgsm: enabled debug flags: x509 assuan
gpgsm: no key usage specified - assuming all usages
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 39 C0 56 38 84 B2 C1 01 B2 0C 59 ED 40 27 B5 01 93
FF F7 72 gpgsm: no running gpg-agent - starting one
gpg-agent[22381]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 31 F0 60 FB CE A5 21 00 E5 68 D2 6C 98 FD ED 9A 12
B1 60 15 gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 23 59 EB D7 45 0D 9A 7F F3 25 FD 94 27 7E CC 32 D2
DD 22 53 gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= C5 BD 3D 02 E5 E7 6D D2 75 40 C6 62 D0 B7 47 7C 16
92 67 39 gpgsm: no default signer found
gpgsm: error creating signature: General error <GpgSM>
secmem usage: 0/16384 bytes in 0 blocks
jaap@jaap:~$

jaap@jaap:~$ /usr/bin/gpgsm --learn-card
gpgsm: enabled debug flags: x509 assuan
gpgsm: no running gpg-agent - starting one
gpg-agent[22386]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3
gnupg-pkcs11-scd[22387.3394275072]: config: debug=1, verbose=1
gnupg-pkcs11-scd[22387.3394275072]: config: pin_cache=-1
gnupg-pkcs11-scd[22387.3394275072]: config: provider: name=esteid,
library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so,
allow_protected=1, cert_is_private=1, private_mask=00000001
gnupg-pkcs11-scd[22387.3394275072]: run_mode: 2
gnupg-pkcs11-scd[22387.3394275072]: crypto: openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider entry
version='1.11', pid=22387, reference='esteid',
provider_location='/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so',
allow_protected_auth=1, mask_private_mode=00000001, cert_is_private=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Adding provider
'esteid'-'/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider
Provider 'esteid' manufacturerID 'OpenSC (www.opensc-project.org)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify
entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_notify return gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: Provider 'esteid' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider return
rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: Listening to socket
'/tmp/gnupg-pkcs11-scd.xWcx6d/agent.S' gnupg-pkcs11-scd[22387]: chan_6
-> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[22387]: chan_6 <- GETINFO socket_name
gnupg-pkcs11-scd[22387]: chan_6 ->
D /tmp/gnupg-pkcs11-scd.xWcx6d/agent.S gnupg-pkcs11-scd[22387]: chan_6
-> OK gnupg-pkcs11-scd[22387]: chan_6 <- SERIALNO
gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO
D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387]: chan_6 ->
OK gnupg-pkcs11-scd[22387]: chan_6 <- LEARN --force
gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO
D2760001240111111111111111111111 0 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1,
mask_prompt=00000003, p_cert_id_issuers_list=0x7ffc1c633f48,
p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0,
token_present=1, pSlotList=0x7ffc1c633e00, pulCount=0x7ffc1c633e08
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
entry p_token_id=0x7ffc1c633e18 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId
return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600,
p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Creating a new session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId entry to=0xd3ff28 form=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
*p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10,
user_data=0xd34880, mask_prompt=00000003
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Get certificate attributes
failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login
entry session=0xd3ff10, is_publicOnly=1, readonly=1,
user_data=0xd34880, mask_prompt=00000001
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_logout return gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_reset entry session=0xd3ff10,
user_data=0xd34880, mask_prompt=00000001, p_slot=0x7ffc1c633858
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset
Expected token manufacturerID='AS Sertifitseerimiskeskus'
model='PKCS#15 emulated', serialNumber='N0108352', label='VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0,
token_present=1, pSlotList=0x7ffc1c6336f8, pulCount=0x7ffc1c633700
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
entry p_token_id=0x7ffc1c633708 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633660
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId
return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId
return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset
Found token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15
emulated', serialNumber='N0108352', label='VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Calling pin_prompt hook
for 'VAN WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387]: chan_6
-> INQUIRE NEEDPIN PIN required for token 'VAN
WINGERDE,JACOB,35402120120 (' (try 0) gnupg-pkcs11-scd[22387]: chan_6
<- END gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pin_prompt hook
return rv=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_login C_Login rv=1-'CKR_CANCEL'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login
return rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates return rv=1-'CKR_CANCEL'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Cannot get token
information for provider 'OpenSC (www.opensc-project.org)' slot 1
rv=1-'CKR_CANCEL' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_release entry session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release
return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_freeTokenId entry certificate_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633e18
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId
entry p_token_id=0x7ffc1c633d70 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK',
*p_token_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600,
p_session=0x7ffc1c633e10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Using cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
*p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10,
user_data=0xd34880, mask_prompt=00000003
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_validate session->pin_expire_time=0, time=1450824309
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate
return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_findObjects entry session=0xd3ff10,
filter=0x7ffc1c633d10, filter_attrs=1, p_objects=0x7ffc1c633cf0,
p_objects_found=0x7ffc1c633cf8 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK',
*p_objects_found=1 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getObjectAttributes entry session=0xd3ff10,
object=13889536, attrs=0x7ffc1c633d30, count=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_newCertificateId entry
p_certificate_id=0x7ffc1c633d00 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK',
*p_certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId entry to=0xd40c70 form=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd410a0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_updateCertificateIdDescription entry
certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_updateCertificateIdDescription return
displayName='/C=EE/O=ESTEID (DIGI-ID
E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN
WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN
WINGERDE,JACOB,35402120120 (' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_freeObjectAttributes entry
attrs=0x7ffc1c633d30, count=2 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId entry to=0xd3fef8
form=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_splitCertificateIdList entry
cert_id_all=0xd3fef0, p_cert_id_issuers_list=0x7ffc1c633f48,
p_cert_id_end_list=0x7ffc1c633f40 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3e258
form=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fef0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd3f600 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create
entry certificate_id=0xd41f30, user_data=0xd34880,
mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffc1c633e40
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId entry to=0xd40140
form=0xd41f30 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK',
*to=0xd40760 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId entry token_id=0xd41a20,
p_session=0xd40150 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using
cached session gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK',
*p_session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140,
certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140,
certificate_blob=0xd42ce0, *p_certificate_blob_size=0000000000000507
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificate entry certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release
entry session=0xd3ff10 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd41a20 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificate return gpgsm: error learning card:
No inquire callback in IPC secmem usage: 0/16384 bytes in 0 blocks
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
__pkcs11h_openssl_ex_data_free entered - parent=0xd44240, ptr=(nil),
ad=0xd442a0, idx=0, argl=0, argp=0x7fb4c91f08e3
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId entry sz=(nil),
*max=0000000000000000, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000,
token_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId return rv=0-'CKR_OK',
*max=000000000000006d, sz='(null)' gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_certificate_serializeCertificateId return
rv=0-'CKR_OK', *max=0000000000000070, sz='(null)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId entry sz=0xd41ba0,
*max=0000000000000070, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId entry sz=0xd41ba0,
*max=0000000000000070, token_id=0xd42360
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_serializeTokenId return rv=0-'CKR_OK',
*max=000000000000006d,
sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK',
*max=0000000000000070,
sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01'
gnupg-pkcs11-scd[22387]: chan_6 -> S KEY-FRIEDNLY
BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 /C=EE/O=ESTEID (DIGI-ID
E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN
WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN
WINGERDE,JACOB,35402120120 ( gnupg-pkcs11-scd[22387]: chan_6 -> S
KEYPAIRINFO BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1
AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3e250
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd42360 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387]: chan_6 -> OK jaap@jaap:~$
gnupg-pkcs11-scd[22387]: chan_6 <- RESTART gnupg-pkcs11-scd[22387]:
chan_6 -> OK gnupg-pkcs11-scd[22387.3394275072]: assuan_process failed:
Broken pipe gnupg-pkcs11-scd[22387.3357775616]: Cleaning up threads
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_terminate entry
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_openssl_terminate
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing providers
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider
entry reference='esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Removing provider 'esteid' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider
return rv=0-'CKR_OK' gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
Releasing sessions gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_token_freeTokenId entry certificate_id=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fcb0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40c70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating slotevent
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11:
_pkcs11h_slotevent_terminate entry gnupg-pkcs11-scd[22387.3394275072]:
PKCS#11: _pkcs11h_slotevent_terminate return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Marking as uninitialized
^C
jaap@jaap:~$


-- 

Jaap van Wingerde
e-mail: 123...@va...

Re: [Gnupg-pkcs11-users] Easy smartcard

[Alon Bar-L. <alo...@gm...>]

On 4 April 2015 at 02:15, Nick Econopouly <nic...@gm...> wrote:
>
> Hey, all. Is there a recommended blank PKCS#11 card for easy use with this project? Names or links would be great. Ideally cheaper than just buying the openpgp card.
>

Hi!
If you find opensc usable, you can use any of the supported cards.
The advantage is that even if there are issues it is easy to fix.
As for vendors, it is very hard to say, most provide binary drivers
and perceive linux at best case at 2nd tier, so good support is not
available in general.

>
> Also, I'm slightly confused about gpgsm. Is gpgsm basically an alternative to openssl for something for X.509 key and certification management? Or is it an attempt to use X.509 key formats in a pgp-like web of trust? Or both?
>

gpg utility is openpgp implementation, it is the oldest standard for
peer to peer interaction.
gpgsm utility is S/MIME implementation, it what embed in standard mail (MIME).

the actual library has nothing to do with the implementation, but
regardless, gpg/gpgsm are using libgcrypt and not openssl.

Regards,
Alon Bar-Lev.

[Gnupg-pkcs11-users] Easy smartcard

[Nick E. <nic...@gm...>]

Hey, all. Is there a recommended blank PKCS#11 card for easy use with this project? Names or links would be great. Ideally cheaper than just buying the openpgp card.

Also, I'm slightly confused about gpgsm. Is gpgsm basically an alternative to openssl for something for X.509 key and certification management? Or is it an attempt to use X.509 key formats in a pgp-like web of trust? Or both?

thanks,

-nick

[Gnupg-pkcs11-users] some general questions

[mike m. <bir...@ya...>]

I see that there is not much traffic or updates to this project but I
hope someone can reply, does this still work well with latest gpg?

I apologize if these are noobish questions but ask before I leap:

-to use, I would be importing existing x509 certs, one each for sign,
encrypt and auth?  
-is it ok then to use same used for s/mime?
-is there any concept of master and subkeys when using pkcs11 and gpg?

thanks for your assistance.

Re: [Gnupg-pkcs11-users] How do I generate GnuPG-friendly keys through PKCS #11?

[Alon Bar-L. <alo...@gm...>]

On Sat, Jun 15, 2013 at 10:44 AM, Rick van Rein (OpenFortress)
<ri...@op...> wrote:
> Hello Alon,
>
> Thanks for your response!
>
>> What you ask is PKCS#11 provider specific.
>
> I'm currently using SoftHSM from www.opendnssec.org -- but that is basically immaterial to this discussion.
>
>> What important is that CKA_ID will be the same for the private key and
>> certificate.
>
> OK, should there *must* be an X.509 certificate structure in place, even if it is self-signed.  I had guessed that a public/private key object pair would suffice.
>

gpgsm requires certificate.
And there is no difference between storing public key and self-signed
certificate.
Most implementation of PKCS#11 are within PKI environment so requiring
X.509 is usually simpler.
Public key object is not available at all implementations.

> Where is the X.509 cert used?  I suppose only for the "SCD LEARN" phase which reveals subject-identity information?  Is this from the certificate, or its CKA_SUBJECT attribute?  (In the latter case, it might be helpful to do it for public key objects as well.)
>

It is used for gpgsm and as a 'public key'.

>> CKA_ID is provider specific, and usually automatic generated, if you
>> have an option any string is good.
>
> Excellent.  When calling C_GenerateKeyPair it can be set, so I was open to anything.  This answer makes more sense than pinning it down though.
>
>> Single key will work if you specify the same id for all, but usually
>> you do not use the same key for authentication, signature and
>> encryption as each has its own lifetime and usage.
>
> Yeah, I know.  We're trying to support privacy through light-weight pseudonyms, and sharing a key is going to be practical in several use cases.  And it's not a big security problem -- it only leads to coupling pseudonyms, but they cannot be traced from one to another.
>
>
> I think I'm reading from your response that there is no GnuPG public key information stored on the token --not even key self-signatures-- and that all this is held in GnuPG?  This is probably how the SCD works, then.
>

Not exactly, I think openpgp requires storing public key object as public.

>
> Thanks,
>  -Rick