gnupg-pkcs11-users Mailing List for GnuPG PKCS#11
Brought to you by: alonbl
From: Ostovary, D. <dan...@ru...> - 2020-06-22 12:52:03

Oh, and thanks a lot for your help!
From: Ostovary, D. <dan...@ru...> - 2020-06-22 12:51:25

Hi,

using an end entity certificate did not solve the problem. However, I recently retried to set up everything with gnupg-pkcs11-scd v. 0.9.2, which worked. (Ubuntu 18.04, which I used initially, came with v. 0.9.1.)

Best regards,
Daniel
From: Alon Bar-L. <alo...@gm...> - 2019-12-30 16:55:42

Hi,

I do not think this is the right certificate that is being used. Anyway, you enrolled a CA; please use an end-certificate.

Thanks!
From: Ostovary, D. <dan...@ru...> - 2019-12-23 10:53:12

When I delete the certificate from the HSM the SCD LEARN command works (though it doesn't learn anything). However, when I'm trying to generate a key pair on the HSM with gpg2 --card-edit, the key generation results in:

gpg: key generation failed: Bad session key
Key generation failed: Bad session key
From: Ostovary, D. <dan...@ru...> - 2019-12-23 10:06:01

Hi,

see attachment.

Best regards,
Daniel
From: Alon Bar-L. <alo...@gm...> - 2019-12-21 18:49:04

On Wed, Dec 18, 2019 at 10:51 AM Ostovary, Daniel <dan...@ru...> wrote:
>
> Here is the log:
<snip>
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=0x559309d9b200, *p_certificate_blob_size=000000000000037e
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release entry session=0x559309d6aef0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x559309d701b0
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d9a160
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate return
> gpg-agent[2367]: DBG: chan_5 <- [eof]
> gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
> ERR 67125247 End of file <GPG Agent>

Interesting... the certificate is extracted but probably cannot be converted to gnupg exp format. Can you please send me the certificate? '/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert' should be at size 0x37e

Thanks!
From: Ostovary, D. <dan...@ru...> - 2019-12-18 08:51:20
|
Here is the log: gpg-agent --server gpg-agent[2367]: enabled debug flags: mpi crypto memory cache memstat hashing ipc gpg-agent[2367]: DBG: chan_3 -> OK Pleased to meet you OK Pleased to meet you SCD LEARN gpg-agent[2367]: DBG: chan_3 <- SCD LEARN gpg-agent[2367]: no running SCdaemon - starting it gnupg-pkcs11-scd[2368.718124864]: version: 0.9.1 gnupg-pkcs11-scd[2368.718124864]: config: debug=1, verbose=1 gnupg-pkcs11-scd[2368.718124864]: config: pin_cache=-1 gnupg-pkcs11-scd[2368.718124864]: config: provider: name=libCryptoki2_64, library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so, allow_protected=0, cert_is_private=0, private_mask=00000000 gnupg-pkcs11-scd[2368.718124864]: run_mode: 2 gnupg-pkcs11-scd[2368.718124864]: crypto: openssl gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_addProvider entry version='1.22', pid=2368, reference='libCryptoki2_64', provider_location='/usr/safenet/lunaclient/lib/libCryptoki2_64.so', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Adding provider 'libCryptoki2_64'-'/usr/safenet/lunaclient/lib/libCryptoki2_64.so' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_addProvider Provider 'libCryptoki2_64' manufacturerID 'SafeNet, Inc. 
' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_slotevent_notify entry gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_slotevent_notify return gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Provider 'libCryptoki2_64' added rv=0-'CKR_OK' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK' gnupg-pkcs11-scd[2368.718124864]: Listening to socket '/tmp/gnupg-pkcs11-scd.1nTpQG/agent.S' gnupg-pkcs11-scd[2368.718124864]: accepting connection gnupg-pkcs11-scd[2368]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready gnupg-pkcs11-scd[2368.718124864]: processing connection gpg-agent[2367]: DBG: chan_5 <- OK PKCS#11 smart-card server for GnuPG ready gpg-agent[2367]: DBG: first connection to SCdaemon established gpg-agent[2367]: DBG: chan_5 -> GETINFO socket_name gnupg-pkcs11-scd[2368]: chan_0 <- GETINFO socket_name gnupg-pkcs11-scd[2368]: chan_0 -> D /tmp/gnupg-pkcs11-scd.1nTpQG/agent.S gnupg-pkcs11-scd[2368]: chan_0 -> OK gpg-agent[2367]: DBG: chan_5 <- D /tmp/gnupg-pkcs11-scd.1nTpQG/agent.S gpg-agent[2367]: DBG: chan_5 <- OK gpg-agent[2367]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.1nTpQG/agent.S' gpg-agent[2367]: DBG: chan_5 -> LEARN gnupg-pkcs11-scd[2368]: chan_0 <- LEARN gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffd4f25d2c0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x559309d1ad90, token_present=1, pSlotList=0x7ffd4f25d188, pulCount=0x7ffd4f25d190 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x559309d67d28 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffd4f25d120 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: 
_pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffd4f25d2c0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='(null)' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x559309d56630, *max=000000000000003f, token_id=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E0/1066520144508/dev' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x559309d67d20 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenIdList return gnupg-pkcs11-scd[2368]: chan_0 -> S SERIALNO D276000124011150313152552EE11111 gnupg-pkcs11-scd[2368]: chan_0 -> S APPTYPE PKCS11 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffd4f25d2f8, p_cert_id_end_list=0x7ffd4f25d2f0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x559309d1ad90, token_present=1, pSlotList=0x7ffd4f25d1b0, pulCount=0x7ffd4f25d1b8 gpg-agent[2367]: DBG: chan_5 <- S SERIALNO D276000124011150313152552EE11111 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1gpg-agent[2367]: DBG: chan_3 -> S SERIALNO D276000124011150313152552EE11111 S SERIALNO D276000124011150313152552EE11111 gpg-agent[2367]: DBG: chan_5 <- S 
APPTYPE PKCS11 gpg-agent[2367]: DBG: chan_3 -> S APPTYPE PKCS11 S APPTYPE PKCS11 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffd4f25d1c8 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffd4f25d120 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x559309d701b0, p_session=0x7ffd4f25d1c0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Creating a new session gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x559309d6af08 form=0x559309d701b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x559309d5a110 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x559309d6aef0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0x559309d6aef0, user_data=0x559309d66e50, mask_prompt=00000003 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate entry session=0x559309d6aef0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_login entry session=0x559309d6aef0, is_publicOnly=1, readonly=1, user_data=0x559309d66e50, mask_prompt=00000001 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_logout entry session=0x559309d6aef0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_logout return gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset entry 
session=0x559309d6aef0, user_data=0x559309d66e50, mask_prompt=00000001, p_slot=0x7ffd4f25cc08 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x559309d1ad90, token_present=1, pSlotList=0x7ffd4f25cab8, pulCount=0x7ffd4f25cac0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffd4f25cac8 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffd4f25ca30 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d5a580 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x559309d5a580 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='Safenet, Inc.' 
model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d5a580 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate entry session=0x559309d6aef0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1576579809 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_findObjects entry session=0x559309d6aef0, filter=0x7ffd4f25d0c0, filter_attrs=1, p_objects=0x7ffd4f25d0a0, p_objects_found=0x7ffd4f25d0a8 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x559309d6aef0, object=40, attrs=0x7ffd4f25d0e0, count=2 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK' gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffd4f25d0b0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x559309d5acc0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x559309d5acc0 form=0x559309d5a110 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x559309d5b0f0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x559309d5acc0 gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - 
parent=0x559309d99d30, ptr=(nil), ad=0x559309d99d98, idx=1, argl=0, argp=0x7f9129a9c842
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert on dev'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffd4f25d0e0, count=2
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release entry session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x559309d67fd8 form=0x559309d5acc0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x559309d67fd0, p_cert_id_issuers_list=0x7ffd4f25d2f8, p_cert_id_end_list=0x7ffd4f25d2f0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x559309d5b858 form=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x559309d9a5d0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x559309d67fd0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d9a160
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x559309d9a5d0, user_data=0x559309d66e50, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffd4f25d1b8
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x559309d6b070 form=0x559309d9a5d0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x559309d9a160, p_session=0x559309d6b080
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: Using cached session
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x559309d6b070
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x559309d6b070, certificate_blob=0x559309d9b200, *p_certificate_blob_size=000000000000037e
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x559309d6b070
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release entry session=0x559309d6aef0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x559309d701b0
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x559309d9a160
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[2368.718124864]: PKCS#11: pkcs11h_certificate_freeCertificate return
gpg-agent[2367]: DBG: chan_5 <- [eof]
gpg-agent[2367]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
ERR 67125247 End of file <GPG Agent>

Best regards,
Daniel

-----Original Message-----
From: Alon Bar-Lev <alo...@gm...>
Sent: Tuesday, 17 December 2019 21:22
To: Ostovary, Daniel <dan...@ru...>
Cc: gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Please use only these statements:
---
verbose
debug-all
providers libCryptoki2_64
provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
---
And send me the log of learn command.
Thanks!

On Tue, Dec 17, 2019 at 12:03 PM Ostovary, Daniel <dan...@ru...> wrote:
>
> Hi,
>
> I used cert-private to make sure it's not an authentication problem. Cert-private always leads to a PIN entry prompt. Not using cert-private leads to the same EOF error anyways.
>
> My config file for gnupg-pkcs11-scd is:
> verbose
> debug-all
> providers libCryptoki2_64
> provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
> provider-libCryptoki2_64-allow-protected-auth
> provider-libCryptoki2_64-cert-private
> provider-libCryptoki2_64-private-mask 0
>
> With the last three lines I was just debugging. Their presence or absence does not change the result of SCD LEARN or gpg2 --card-edit. My config file for gpg is:
> scdaemon-program /usr/bin/gnupg-pkcs11-scd
> pinentry-program /usr/bin/pinentry-tty
> debug-level guru
> debug-all
>
> For the gpg version, I am using 2.2.4.
>
> Best regards,
> Daniel
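Reading a transcript like the one above means picking the Assuan lines (`chan_N -> ...` sent, `chan_N <- ...` received) out of the much noisier PKCS#11 trace and pairing each command with its final OK/ERR. The script below is an added example written for this thread, not code from GnuPG or gnupg-pkcs11-scd: it groups the Assuan lines per channel, attaches the status lines and INQUIREs to the command they belong to, and reports commands whose channel hit `[eof]` (or the end of the log) without a terminating reply. The embedded log is constructed to follow the shape of the LEARN transcripts in this thread, reusing the serial number and socket path quoted there; the function and class names are my own.

```python
"""Reconstruct the Assuan exchanges in gpg-agent / gnupg-pkcs11-scd debug logs.

Added example for this thread; not code from GnuPG or gnupg-pkcs11-scd.
Commands are paired with their S/INQUIRE lines and final OK/ERR; a command
whose channel closes ([eof]) or whose reply never appears is reported.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<proc>[\w.-]+)\[(?P<pid>\d+)(?:\.\d+)?\]:\s+(?:DBG:\s+)?"
    r"chan_(?P<chan>\d+)\s+(?P<dir><-|->)\s+(?P<msg>.*)$"
)


@dataclass
class Exchange:
    proc: str
    chan: str
    command: str
    statuses: List[str] = field(default_factory=list)
    inquiries: List[str] = field(default_factory=list)
    # "OK ...", "ERR ...", "[eof]" if the peer closed, None if the log ended first.
    result: Optional[str] = None


def _role(direction: str, msg: str) -> str:
    # An Assuan server's first line out is its "OK ..." greeting and a client's
    # first line in is that greeting; otherwise whoever speaks first is the client.
    if msg.startswith("OK"):
        return "server" if direction == "->" else "client"
    return "client" if direction == "->" else "server"


def parse_exchanges(log_text: str) -> List[Exchange]:
    roles, open_cmd, done = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # PKCS#11 trace lines, pinentry chatter, etc.
        proc, chan, direction, msg = m["proc"], m["chan"], m["dir"], m["msg"].strip()
        key = (proc, chan)
        roles.setdefault(key, _role(direction, msg))
        if msg == "[eof]":  # the peer closed the channel
            ex = open_cmd.pop(key, None)
            if ex is not None:
                ex.result = "[eof]"
                done.append(ex)
            continue
        cmd_dir = "->" if roles[key] == "client" else "<-"
        if direction == cmd_dir:
            # D/END/CAN (and redacted data) answer an INQUIRE; anything else is a new command.
            if msg.startswith(("D ", "END", "CAN", "[")):
                continue
            if key in open_cmd:  # previous command never terminated: keep it as a finding
                done.append(open_cmd.pop(key))
            open_cmd[key] = Exchange(proc, chan, msg)
            continue
        ex = open_cmd.get(key)
        if ex is None:
            continue  # greeting, or a line outside any command
        if msg.startswith("S "):
            ex.statuses.append(msg[2:])
        elif msg.startswith("INQUIRE "):
            ex.inquiries.append(msg[8:])
        elif msg.startswith(("OK", "ERR")):
            ex.result = msg
            done.append(open_cmd.pop(key))
    done.extend(open_cmd.values())  # still open when the log ends
    return done


def broken_exchanges(log_text: str) -> List[Exchange]:
    """Commands that ended in [eof] or were never answered at all."""
    return [ex for ex in parse_exchanges(log_text) if ex.result in (None, "[eof]")]


# Constructed sample shaped after the LEARN transcript in this thread (serial
# number and socket path as quoted there); PKCS#11 trace lines are omitted.
SAMPLE_LOG = """\
gpg-agent[2177]: DBG: chan_3 -> OK Pleased to meet you
gpg-agent[2177]: DBG: chan_3 <- SCD LEARN
gnupg-pkcs11-scd[2180]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[2177]: DBG: chan_5 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[2177]: DBG: chan_5 -> GETINFO socket_name
gnupg-pkcs11-scd[2180]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[2180]: chan_0 -> D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
gnupg-pkcs11-scd[2180]: chan_0 -> OK
gpg-agent[2177]: DBG: chan_5 <- D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
gpg-agent[2177]: DBG: chan_5 <- OK
gpg-agent[2177]: DBG: chan_5 -> LEARN
gnupg-pkcs11-scd[2180]: chan_0 <- LEARN
gnupg-pkcs11-scd[2180]: chan_0 -> S SERIALNO D276000124011150313152552EE11111
gnupg-pkcs11-scd[2180]: chan_0 -> S APPTYPE PKCS11
gpg-agent[2177]: DBG: chan_5 <- S SERIALNO D276000124011150313152552EE11111
gpg-agent[2177]: DBG: chan_5 <- S APPTYPE PKCS11
gnupg-pkcs11-scd[2180]: chan_0 -> INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
gpg-agent[2177]: DBG: chan_5 <- INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
gpg-agent[2177]: DBG: chan_5 -> [ REDACTED ...(76 byte(s) skipped) ]
gpg-agent[2177]: DBG: chan_5 -> END
gnupg-pkcs11-scd[2180]: chan_0 <- [ REDACTED ...(76 byte(s) skipped) ]
gnupg-pkcs11-scd[2180]: chan_0 <- END
gpg-agent[2177]: DBG: chan_5 <- [eof]
gpg-agent[2177]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
"""

if __name__ == "__main__":
    for ex in broken_exchanges(SAMPLE_LOG):
        print(f"{ex.proc} chan_{ex.chan}: {ex.command!r} -> {ex.result or 'no reply before end of log'}; "
              f"status={ex.statuses} inquire={ex.inquiries}")
```

Run against a full debug log, the report separates two very different failures: gpg-agent's LEARN on chan_5 received both status lines and had its NEEDPIN inquire answered, then saw `[eof]`, while gnupg-pkcs11-scd's own chan_0 LEARN never logged an OK or ERR. That combination points at the daemon closing its socket (or dying) after the PIN was delivered, not at an error reply the agent mishandled, which is the distinction worth knowing before blaming the PKCS#11 provider or the configuration.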
From: Alon Bar-L. <alo...@gm...> - 2019-12-17 20:22:00

Please use only these statements:
---
verbose
debug-all
providers libCryptoki2_64
provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
---
And send me the log of learn command.
Thanks!

On Tue, Dec 17, 2019 at 12:03 PM Ostovary, Daniel <dan...@ru...> wrote:
>
> Hi,
>
> I used cert-private to make sure it's not an authentication problem. Cert-private always leads to a PIN entry prompt. Not using cert-private leads to the same EOF error anyways.
>
> My config file for gnupg-pkcs11-scd is:
> verbose
> debug-all
> providers libCryptoki2_64
> provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
> provider-libCryptoki2_64-allow-protected-auth
> provider-libCryptoki2_64-cert-private
> provider-libCryptoki2_64-private-mask 0
>
> With the last three lines I was just debugging. Their presence or absence does not change the result of SCD LEARN or gpg2 --card-edit. My config file for gpg is:
> scdaemon-program /usr/bin/gnupg-pkcs11-scd
> pinentry-program /usr/bin/pinentry-tty
> debug-level guru
> debug-all
>
> For the gpg version, I am using 2.2.4.
>
> Best regards,
> Daniel
>
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Monday, 16 December 2019 20:10
> To: Ostovary, Daniel <dan...@ru...>
> Cc: gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM
>
> Hi,
> Why do you use cert-private? What is the exact configuration of gpg-agent and pkcs11-scd?
> Have you strictly followed the ">=gpg-2.1.19" usage instructions in the man page?
> Alon
From: Ostovary, D. <dan...@ru...> - 2019-12-17 10:05:53

Hi,

I used cert-private to make sure it's not an authentication problem. Cert-private always leads to a PIN entry prompt. Not using cert-private leads to the same EOF error anyways.

My config file for gnupg-pkcs11-scd is:
verbose
debug-all
providers libCryptoki2_64
provider-libCryptoki2_64-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so
provider-libCryptoki2_64-allow-protected-auth
provider-libCryptoki2_64-cert-private
provider-libCryptoki2_64-private-mask 0

With the last three lines I was just debugging. Their presence or absence does not change the result of SCD LEARN or gpg2 --card-edit. My config file for gpg is:
scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-tty
debug-level guru
debug-all

For the gpg version, I am using 2.2.4.

Best regards,
Daniel

From: Alon Bar-Lev <alo...@gm...>
Sent: Monday, 16 December 2019 20:10
To: Ostovary, Daniel <dan...@ru...>
Cc: gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] SCD LEARN leads to EOF error with SafeNet HSM

Hi,
Why do you use cert-private? What is the exact configuration of gpg-agent and pkcs11-scd?
Have you strictly followed the ">=gpg-2.1.19" usage instructions in the man page?
Alon
From: Alon Bar-L. <alo...@gm...> - 2019-12-16 19:10:12

Hi,
Why do you use cert-private? What is the exact configuration of gpg-agent and pkcs11-scd?
Have you strictly followed the ">=gpg-2.1.19" usage instructions in the man page?
Alon

On Mon, Dec 16, 2019 at 9:01 PM Ostovary, Daniel <dan...@ru...> wrote:
> Hi,
>
> I am trying to connect GPG with the gnupg-pkcs11-scd to my SafeNet HSM (over the network). Using tools like pkcs11-tool I can access the HSM and list keys/certificates. However when I execute SCD LEARN I get the following error message:
>
> gpg-agent --server
> gpg-agent[2177]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
> gpg-agent[2177]: DBG: chan_3 -> OK Pleased to meet you
> OK Pleased to meet you
> SCD LEARN
> gpg-agent[2177]: DBG: chan_3 <- SCD LEARN
> gpg-agent[2177]: no running SCdaemon - starting it
> gnupg-pkcs11-scd[2180.3687888704]: version: 0.9.1
> gnupg-pkcs11-scd[2180.3687888704]: config: debug=1, verbose=1
> gnupg-pkcs11-scd[2180.3687888704]: config: pin_cache=-1
> gnupg-pkcs11-scd[2180.3687888704]: config: provider: name=libCryptoki2_64, library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so, allow_protected=1, cert_is_private=1, private_mask=00000000
> gnupg-pkcs11-scd[2180.3687888704]: run_mode: 2
> gnupg-pkcs11-scd[2180.3687888704]: crypto: openssl
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider entry version='1.22', pid=2180, reference='libCryptoki2_64', provider_location='/usr/safenet/lunaclient/lib/libCryptoki2_64.so', allow_protected_auth=1, mask_private_mode=00000000, cert_is_private=1
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Adding provider 'libCryptoki2_64'-'/usr/safenet/lunaclient/lib/libCryptoki2_64.so'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider Provider 'libCryptoki2_64' manufacturerID 'SafeNet, Inc.'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify entry
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Provider 'libCryptoki2_64' added rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: Listening to socket '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
> gnupg-pkcs11-scd[2180.3687888704]: accepting connection
> gnupg-pkcs11-scd[2180]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
> gnupg-pkcs11-scd[2180.3687888704]: processing connection
> gpg-agent[2177]: DBG: chan_5 <- OK PKCS#11 smart-card server for GnuPG ready
> gpg-agent[2177]: DBG: first connection to SCdaemon established
> gpg-agent[2177]: DBG: chan_5 -> GETINFO socket_name
> gnupg-pkcs11-scd[2180]: chan_0 <- GETINFO socket_name
> gnupg-pkcs11-scd[2180]: chan_0 -> D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
> gnupg-pkcs11-scd[2180]: chan_0 -> OK
> gpg-agent[2177]: DBG: chan_5 <- D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
> gpg-agent[2177]: DBG: chan_5 <- OK
> gpg-agent[2177]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
> gpg-agent[2177]: DBG: chan_5 -> LEARN
> gnupg-pkcs11-scd[2180]: chan_0 <- LEARN
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffdbfa44310
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa441d8, pulCount=0x7ffdbfa441e0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x5571427e8c58
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa44170
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffdbfa44310
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='(null)'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x5571427d7630, *max=000000000000003f, token_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E0/1066520144508/dev'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x5571427e8c50
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList return
> gnupg-pkcs11-scd[2180]: chan_0 -> S SERIALNO D276000124011150313152552EE11111
> gnupg-pkcs11-scd[2180]: chan_0 -> S APPTYPE PKCS11
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffdbfa44348, p_cert_id_end_list=0x7ffdbfa44340
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa44200, pulCount=0x7ffdbfa44208
> gpg-agent[2177]: DBG: chan_5 <- S SERIALNO D276000124011150313152552EE11111
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
> gpg-agent[2177]: DBG: chan_3 -> S SERIALNO D276000124011150313152552EE11111
> S SERIALNO D276000124011150313152552EE11111
> gpg-agent[2177]: DBG: chan_5 <- S APPTYPE PKCS11
> gpg-agent[2177]: DBG: chan_3 -> S APPTYPE PKCS11
> S APPTYPE PKCS11
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdbfa44218
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa44170
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x5571427dbfe0, p_session=0x7ffdbfa44210
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Creating a new session
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5571427ec018 form=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5571427dc450
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5571427ec000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0x5571427ec000, user_data=0x5571427db110, mask_prompt=00000003
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate entry session=0x5571427ec000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login entry session=0x5571427ec000, is_publicOnly=1, readonly=1, user_data=0x5571427db110, mask_prompt=00000001
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout entry session=0x5571427ec000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset entry session=0x5571427ec000, user_data=0x5571427db110, mask_prompt=00000001, p_slot=0x7ffdbfa43c58
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa43b08, pulCount=0x7ffdbfa43b10
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdbfa43b18
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa43a80
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dc8c0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Calling pin_prompt hook for 'dev'
> gnupg-pkcs11-scd[2180]: chan_0 -> INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
> gpg-agent[2177]: DBG: chan_5 <- INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
> gpg-agent[2177]: starting a new PIN Entry
> gpg-agent[2177]: DBG: connection to PIN entry established
> Please enter the PIN (PIN required for token 'dev' (try 0)) to unlock the card
> PIN:
> gpg-agent[2177]: DBG: chan_5 -> [ REDACTED ...(76 byte(s) skipped) ]
> gpg-agent[2177]: DBG: chan_5 -> END
> gnupg-pkcs11-scd[2180]: chan_0 <- [ REDACTED ...(76 byte(s) skipped) ]
> gnupg-pkcs11-scd[2180]: chan_0 <- END
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pin_prompt hook return rv=0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login C_Login rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate entry session=0x5571427ec000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1576502751
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects entry session=0x5571427ec000, filter=0x7ffdbfa44110, filter_attrs=1, p_objects=0x7ffdbfa440f0, p_objects_found=0x7ffdbfa440f8
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x5571427ec000, object=40, attrs=0x7ffdbfa44130, count=2
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffdbfa44100
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x5571427dd080
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5571427dd080 form=0x5571427dc450
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5571427dd4b0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x5571427dd080
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x55714281adf0, ptr=(nil), ad=0x55714281ae58, idx=1, argl=0, argp=0x7f16daacc842
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert on dev'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffdbfa44130, count=2
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry session=0x5571427ec000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427dc928 form=0x5571427dd080
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x5571427dc920, p_cert_id_issuers_list=0x7ffdbfa44348, p_cert_id_end_list=0x7ffdbfa44340
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ddc18 form=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x55714281b690
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x5571427dc920
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55714281b220
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x55714281b690, user_data=0x5571427db110, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffdbfa44208
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ec320 form=0x55714281b690
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x55714281b220, p_session=0x5571427ec330
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Using cached session
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5571427ec000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x5571427ec320
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320, certificate_blob=0x55714281c2c0, *p_certificate_blob_size=000000000000037e
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x5571427ec320
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry session=0x5571427ec000
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55714281b220
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId return
> gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificate return
> gpg-agent[2177]: DBG: chan_5 <- [eof]
> gpg-agent[2177]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent>
> ERR 67125247 End of file <GPG Agent>
>
> As the code quality from SafeNet is not great I could imagine that the HSM might respond to SCD LEARN in an unexpected way. However when I execute ‘gpg2 --card-edit’ I get this error:
>
> gpg: WARNING: server 'scdaemon' is older than us (0.9.1 < 2.2.4)
> gpg: Note: Outdated servers may lack important security fixes.
> gpg: Note: Use the command "gpgconf --kill all" to restart them.
> gpg: OpenPGP card not available: No inquire callback in IPC
>
> It appears that another user already had a similar problem: https://sourceforge.net/p/gnupg-pkcs11/mailman/message/35846920/.
>
> Does anybody know what the problem is and how to fix it? Thanks for your help!
>
> Kind regards,
> Daniel Ostovary
> IT Security Engineer
> *RUBICON IT GmbH*
>
> _______________________________________________
> Gnupg-pkcs11-users mailing list
> Gnu...@li...
> https://lists.sourceforge.net/lists/listinfo/gnupg-pkcs11-users
From: Ostovary, D. <dan...@ru...> - 2019-12-16 15:41:49

Hi,

I am trying to connect GPG with the gnupg-pkcs11-scd to my SafeNet HSM (over the network). Using tools like pkcs11-tool I can access the HSM and list keys/certificates. However when I execute SCD LEARN I get the following error message:

gpg-agent --server
gpg-agent[2177]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[2177]: DBG: chan_3 -> OK Pleased to meet you
OK Pleased to meet you
SCD LEARN
gpg-agent[2177]: DBG: chan_3 <- SCD LEARN
gpg-agent[2177]: no running SCdaemon - starting it
gnupg-pkcs11-scd[2180.3687888704]: version: 0.9.1
gnupg-pkcs11-scd[2180.3687888704]: config: debug=1, verbose=1
gnupg-pkcs11-scd[2180.3687888704]: config: pin_cache=-1
gnupg-pkcs11-scd[2180.3687888704]: config: provider: name=libCryptoki2_64, library=/usr/safenet/lunaclient/lib/libCryptoki2_64.so, allow_protected=1, cert_is_private=1, private_mask=00000000
gnupg-pkcs11-scd[2180.3687888704]: run_mode: 2
gnupg-pkcs11-scd[2180.3687888704]: crypto: openssl
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider entry version='1.22', pid=2180, reference='libCryptoki2_64', provider_location='/usr/safenet/lunaclient/lib/libCryptoki2_64.so', allow_protected_auth=1, mask_private_mode=00000000, cert_is_private=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Adding provider 'libCryptoki2_64'-'/usr/safenet/lunaclient/lib/libCryptoki2_64.so'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider Provider 'libCryptoki2_64' manufacturerID 'SafeNet, Inc.'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify entry
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Provider 'libCryptoki2_64' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: Listening to socket '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
gnupg-pkcs11-scd[2180.3687888704]: accepting connection
gnupg-pkcs11-scd[2180]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[2180.3687888704]: processing connection
gpg-agent[2177]: DBG: chan_5 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[2177]: DBG: first connection to SCdaemon established
gpg-agent[2177]: DBG: chan_5 -> GETINFO socket_name
gnupg-pkcs11-scd[2180]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[2180]: chan_0 -> D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
gnupg-pkcs11-scd[2180]: chan_0 -> OK
gpg-agent[2177]: DBG: chan_5 <- D /tmp/gnupg-pkcs11-scd.W0nbo3/agent.S
gpg-agent[2177]: DBG: chan_5 <- OK
gpg-agent[2177]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.W0nbo3/agent.S'
gpg-agent[2177]: DBG: chan_5 -> LEARN
gnupg-pkcs11-scd[2180]: chan_0 <- LEARN
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffdbfa44310
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa441d8, pulCount=0x7ffdbfa441e0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x5571427e8c58
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa44170
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffdbfa44310
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='(null)'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x5571427d7630, *max=000000000000003f, token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000003f, sz='Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E0/1066520144508/dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x5571427e8c50
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[2180]: chan_0 -> S SERIALNO D276000124011150313152552EE11111
gnupg-pkcs11-scd[2180]: chan_0 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffdbfa44348, p_cert_id_end_list=0x7ffdbfa44340
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa44200, pulCount=0x7ffdbfa44208
gpg-agent[2177]: DBG: chan_5 <- S SERIALNO D276000124011150313152552EE11111
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gpg-agent[2177]: DBG: chan_3 -> S SERIALNO D276000124011150313152552EE11111
S SERIALNO D276000124011150313152552EE11111
gpg-agent[2177]: DBG: chan_5 <- S APPTYPE PKCS11
gpg-agent[2177]: DBG: chan_3 -> S APPTYPE PKCS11
S APPTYPE PKCS11
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdbfa44218
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa44170
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x5571427dbfe0, p_session=0x7ffdbfa44210
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Creating a new session
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5571427ec018 form=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5571427dc450
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0x5571427ec000, user_data=0x5571427db110, mask_prompt=00000003
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login entry session=0x5571427ec000, is_publicOnly=1, readonly=1, user_data=0x5571427db110, mask_prompt=00000001
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_logout return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset entry session=0x5571427ec000, user_data=0x5571427db110, mask_prompt=00000001, p_slot=0x7ffdbfa43c58
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55714279bd90, token_present=1, pSlotList=0x7ffdbfa43b08, pulCount=0x7ffdbfa43b10
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffdbfa43b18
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffdbfa43a80
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x5571427dc8c0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='Safenet, Inc.' model='LunaSA 6.2.0', serialNumber='1066520144508', label='dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dc8c0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: Calling pin_prompt hook for 'dev'
gnupg-pkcs11-scd[2180]: chan_0 -> INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
gpg-agent[2177]: DBG: chan_5 <- INQUIRE NEEDPIN PIN required for token 'dev' (try 0)
gpg-agent[2177]: starting a new PIN Entry
gpg-agent[2177]: DBG: connection to PIN entry established
Please enter the PIN (PIN required for token 'dev' (try 0)) to unlock the card
PIN:
gpg-agent[2177]: DBG: chan_5 -> [ REDACTED ...(76 byte(s) skipped) ]
gpg-agent[2177]: DBG: chan_5 -> END
gnupg-pkcs11-scd[2180]: chan_0 <- [ REDACTED ...(76 byte(s) skipped) ]
gnupg-pkcs11-scd[2180]: chan_0 <- END
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pin_prompt hook return rv=0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login C_Login rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1576502751
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects entry session=0x5571427ec000, filter=0x7ffdbfa44110, filter_attrs=1, p_objects=0x7ffdbfa440f0, p_objects_found=0x7ffdbfa440f8
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x5571427ec000, object=40, attrs=0x7ffdbfa44130, count=2
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffdbfa44100
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x5571427dd080
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x5571427dd080 form=0x5571427dc450
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x5571427dd4b0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x5571427dd080
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x55714281adf0, ptr=(nil), ad=0x55714281ae58, idx=1, argl=0, argp=0x7f16daacc842
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=AT/ST=Test/O=Internet Widgits Pty Ltd/CN=TestCert on dev'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffdbfa44130, count=2
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry session=0x5571427ec000
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pk cs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x5571427dbfe0
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427dc928 form=0x5571427dd080
gnupg-pkcs11-scd[2180.3687888704]: PKCS#11:
pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5571427dbfe0 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x5571427dc920, p_cert_id_issuers_list=0x7ffdbfa44348, p_cert_id_end_list=0x7ffdbfa44340 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ddc18 form=0x5571427dbfe0 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x55714281b690 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK' gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x5571427dc920 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55714281b220 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK' gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x55714281b690, user_data=0x5571427db110, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffdbfa44208 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x5571427ec320 form=0x55714281b690 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x5571427dbfe0 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x55714281b220, p_session=0x5571427ec330 gnupg-pkcs11-scd[2180.3687888704]: 
PKCS#11: Using cached session gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x5571427ec000 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x5571427ec320 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK' gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x5571427ec320, certificate_blob=0x55714281c2c0, *p_certificate_blob_size=000000000000037e gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK' gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x5571427ec320 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release entry session=0x5571427ec000 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK' gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x5571427dbfe0 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55714281b220 gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[2180.3687888704]: PKCS#11: pkcs11h_certificate_freeCertificate return gpg-agent[2177]: DBG: chan_5 <- [eof] gpg-agent[2177]: DBG: chan_3 -> ERR 67125247 End of file <GPG Agent> ERR 67125247 End of file <GPG Agent> As the code quality from SafeNet is not great I could imagine that the HSM might respond to SCD LEARN in an unexpected way. 
However, when I execute 'gpg2 --card-edit' I get this error:

gpg: WARNING: server 'scdaemon' is older than us (0.9.1 < 2.2.4)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: No inquire callback in IPC

It appears that another user already had a similar problem: https://sourceforge.net/p/gnupg-pkcs11/mailman/message/35846920/. Does anybody know what the problem is and how to fix it?

Thanks for your help!

Kind regards,
Daniel Ostovary
IT Security Engineer
RUBICON IT GmbH
From: Dustin R. <dus...@ho...> - 2017-06-06 02:00:00
This actually helped me a lot. I thought I was dealing with a broken protocol issue, rather than conflicting packages. I have it working with the newer version now.

Also I tried to get a stub utility working for replacing pinentry and could not get it working. Your python script worked nicely.

Thank you for the help.
-Dustin

________________________________
From: Alon Bar-Lev <alo...@gm...>
Sent: Thursday, June 1, 2017 7:34 AM
To: Dustin Rogers
Cc: Gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

You probably have a different issue, a conflict of two versions or components; it probably has nothing to do with gnupg-pkcs11. Please resolve this via other channels first, with standard operation of gnupg.
In any case, in order to feed the agent with a static PIN, a solution such as a custom pinentry[1] is available. Put a custom pinentry script in the gpg-agent file and then run this [1] with --file= that refers to the static PIN.

[1] https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/misc/pinentry-file

On 1 June 2017 at 15:07, Dustin Rogers <dus...@ho...> wrote:
> You are correct. RHEL comes with native gnupg-2.0.14. I can get
> gnupg-pkcs11-scd to work with that version, which does not leave gpg-agent
> running.
>
> Yes, I manually installed gnupg-2.1.20 on RHEL, but with 2.6.32 kernel.
>
> (sidenote: the reason I wish to use gnupg-2.1 is for unattended pinentry
> support it provides. I could not do this with gnupg-2.0)
>
> -Dustin
>
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Thursday, June 1, 2017 12:03 AM
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> How do you run gnupg-2.1 in rhel-2.8?
> Have you installed it manually? As far as I know rhel has gnupg-2.0.
>
> On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
>> I apologize for the confusion.
>>
>> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
>> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
>> 2.0.14 I am able to get the pkcs11-scd to work.
>>
>> On the newer version the gpg-agent is forced, and seems to intercept any
>> callbacks for the PIN. So I am not receiving the PIN request, and the
>> gpg-agent protocol breaks down.
>>
>> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
>> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
>> 'gnupg-par1HA' (try 0)
>> gpg-agent[12159]: DBG: chan_9 -> END
>> gpg-agent[12159]: DBG: chan_9 <- OK
>> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
>> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>>
>> This does not seem to relate to the tty environment. Do you know how I can
>> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
>> previous agentless versions of gnupg? Is there some other reason why my
>> card learn is breaking?
>>
>> Thank you,
>> -Dustin
>> ________________________________
>> From: Alon Bar-Lev <alo...@gm...>
>> Sent: Wednesday, May 31, 2017 3:21 PM
>> To: Dustin Rogers
>> Cc: Gnu...@li...
>> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
>> callback in IPC
>>
>> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>>> Hi Alon:
>>>
>>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to
>>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared
>>> for this callback at this point. gnupg 2.0.x did not require the running
>>> agent and therefore the scdaemon was not intercepting the INQUIRE callbacks.
>>> Any thoughts?
>>
>> <snip>
>>
>> Hi,
>> I do not understand what you ask, do you ask if you can automate the
>> pin entry for batch applications?
>> Thanks,
>> Alon
From: Alon Bar-L. <alo...@gm...> - 2017-06-01 12:34:17
You probably have a different issue, a conflict of two versions or components; it probably has nothing to do with gnupg-pkcs11. Please resolve this via other channels first, with standard operation of gnupg.
In any case, in order to feed the agent with a static PIN, a solution such as a custom pinentry[1] is available. Put a custom pinentry script in the gpg-agent file and then run this [1] with --file= that refers to the static PIN.

[1] https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/misc/pinentry-file

On 1 June 2017 at 15:07, Dustin Rogers <dus...@ho...> wrote:
> You are correct. RHEL comes with native gnupg-2.0.14. I can get
> gnupg-pkcs11-scd to work with that version, which does not leave gpg-agent
> running.
>
> Yes, I manually installed gnupg-2.1.20 on RHEL, but with 2.6.32 kernel.
>
> (sidenote: the reason I wish to use gnupg-2.1 is for unattended pinentry
> support it provides. I could not do this with gnupg-2.0)
>
> -Dustin
>
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Thursday, June 1, 2017 12:03 AM
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> How do you run gnupg-2.1 in rhel-2.8?
> Have you installed it manually? As far as I know rhel has gnupg-2.0.
>
> On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
>> I apologize for the confusion.
>>
>> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
>> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
>> 2.0.14 I am able to get the pkcs11-scd to work.
>>
>> On the newer version the gpg-agent is forced, and seems to intercept any
>> callbacks for the PIN. So I am not receiving the PIN request, and the
>> gpg-agent protocol breaks down.
>>
>> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
>> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
>> 'gnupg-par1HA' (try 0)
>> gpg-agent[12159]: DBG: chan_9 -> END
>> gpg-agent[12159]: DBG: chan_9 <- OK
>> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
>> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>>
>> This does not seem to relate to the tty environment. Do you know how I can
>> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
>> previous agentless versions of gnupg? Is there some other reason why my
>> card learn is breaking?
>>
>> Thank you,
>> -Dustin
>> ________________________________
>> From: Alon Bar-Lev <alo...@gm...>
>> Sent: Wednesday, May 31, 2017 3:21 PM
>> To: Dustin Rogers
>> Cc: Gnu...@li...
>> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
>> callback in IPC
>>
>> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>>> Hi Alon:
>>>
>>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to
>>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared
>>> for this callback at this point. gnupg 2.0.x did not require the running
>>> agent and therefore the scdaemon was not intercepting the INQUIRE callbacks.
>>> Any thoughts?
>>
>> <snip>
>>
>> Hi,
>> I do not understand what you ask, do you ask if you can automate the
>> pin entry for batch applications?
>> Thanks,
>> Alon
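The static-PIN approach Alon points at above (a replacement pinentry program that hands gpg-agent a PIN from a file), written out as an added example. This is not the project's misc/pinentry-file script and not code from anyone in the thread; it is a minimal implementation of the pinentry Assuan protocol that gpg-agent speaks to whatever `pinentry-program` names. Everything here is assumed for the illustration: the `--file=` option name, the function names, and the refusal to read a PIN file that is group- or world-accessible. The only command that must return data is GETPIN; everything else (SETDESC, SETPROMPT, SETKEYINFO, OPTION, GETINFO, CONFIRM) is acknowledged with OK.

```python
#!/usr/bin/env python3
"""Static-PIN pinentry for unattended gpg-agent use (added example, not the
gnupg-pkcs11-scd project's misc/pinentry-file).

gpg-agent runs the configured pinentry-program and talks the pinentry Assuan
protocol over its stdin/stdout.  Assumptions of this example: the --file=
option, the function names, and the permission check in read_pin().
"""
import io
import os
import stat
import sys


def assuan_escape(data: str) -> str:
    """Percent-escape the characters Assuan forbids inside a D (data) line."""
    return data.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def read_pin(path: str) -> str:
    """Read the PIN from the first line of PATH.

    The file *is* the HSM credential: refuse it if group or others can touch
    it, so a misconfigured deployment fails closed rather than leaking the PIN.
    """
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: must be owner-only (chmod 0600)")
    with open(path, encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def handle_line(line: str, pin: str) -> list[str]:
    """Map one client line to the response lines the pinentry protocol expects."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []                      # blank lines and comments get no reply
    cmd = line.split(" ", 1)[0].upper()
    if cmd == "GETPIN":
        return ["D " + assuan_escape(pin), "OK"]
    if cmd == "BYE":
        return ["OK closing connection"]
    # SETDESC, SETPROMPT, SETKEYINFO, SETTIMEOUT, OPTION, GETINFO, ...: there is
    # nothing to display, so acknowledge.  CONFIRM is acknowledged too, which
    # answers "yes" to every yes/no question gpg-agent asks; decide whether
    # that is acceptable for your batch job before deploying this.
    return ["OK"]


def serve(pin: str, inp=sys.stdin, out=sys.stdout) -> None:
    """Run one pinentry session: greet, answer each command, stop on BYE."""
    out.write("OK Pleased to meet you\n")
    out.flush()
    for line in inp:
        for reply in handle_line(line, pin):
            out.write(reply + "\n")
        out.flush()
        if line.strip().upper().startswith("BYE"):
            break


def run_session(commands: list[str], pin: str) -> list[str]:
    """Drive serve() over in-memory streams (constructed input, for checks)."""
    inp = io.StringIO("".join(c + "\n" for c in commands))
    out = io.StringIO()
    serve(pin, inp, out)
    return out.getvalue().splitlines()


if __name__ == "__main__":
    # gpg-agent may pass arguments of its own (e.g. --display); only --file= is ours.
    pin_file = next((a[len("--file="):] for a in sys.argv[1:] if a.startswith("--file=")), None)
    if not pin_file:
        sys.exit("usage: pinentry-static.py --file=/path/to/pin")
    serve(read_pin(pin_file))
```

To wire it in the way Alon describes, point `pinentry-program` in gpg-agent.conf at a one-line wrapper (for instance `exec /usr/local/bin/pinentry-static.py --file=/etc/gnupg/hsm.pin "$@"`, paths assumed), then restart the agent with `gpgconf --kill gpg-agent` so the new setting is read. Whoever can read the PIN file can log in to the token, so treat it like any other stored credential: owner-only permissions, a dedicated service account, and the HSM's own partition policies limiting what that login may do.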
From: Dustin R. <dus...@ho...> - 2017-06-01 12:07:56
You are correct. RHEL comes with native gnupg-2.0.14. I can get gnupg-pkcs11-scd to work with that version, which does not leave gpg-agent running.

Yes, I manually installed gnupg-2.1.20 on RHEL, but with 2.6.32 kernel.

(sidenote: the reason I wish to use gnupg-2.1 is for unattended pinentry support it provides. I could not do this with gnupg-2.0)

-Dustin

________________________________
From: Alon Bar-Lev <alo...@gm...>
Sent: Thursday, June 1, 2017 12:03 AM
To: Dustin Rogers
Cc: Gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

How do you run gnupg-2.1 in rhel-2.8?
Have you installed it manually? As far as I know rhel has gnupg-2.0.

On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
> I apologize for the confusion.
>
> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
> 2.0.14 I am able to get the pkcs11-scd to work.
>
> On the newer version the gpg-agent is forced, and seems to intercept any
> callbacks for the PIN. So I am not receiving the PIN request, and the
> gpg-agent protocol breaks down.
>
> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
> 'gnupg-par1HA' (try 0)
> gpg-agent[12159]: DBG: chan_9 -> END
> gpg-agent[12159]: DBG: chan_9 <- OK
> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>
> This does not seem to relate to the tty environment. Do you know how I can
> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
> previous agentless versions of gnupg? Is there some other reason why my card
> learn is breaking?
>
> Thank you,
> -Dustin
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Wednesday, May 31, 2017 3:21 PM
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>> Hi Alon:
>>
>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to
>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared
>> for this callback at this point. gnupg 2.0.x did not require the running
>> agent and therefore the scdaemon was not intercepting the INQUIRE callbacks.
>> Any thoughts?
>
> <snip>
>
> Hi,
> I do not understand what you ask, do you ask if you can automate the
> pin entry for batch applications?
> Thanks,
> Alon
From: Alon Bar-L. <alo...@gm...> - 2017-06-01 05:03:08
How do you run gnupg-2.1 in rhel-2.8?
Have you installed it manually? As far as I know rhel has gnupg-2.0.

On 1 June 2017 at 00:14, Dustin Rogers <dus...@ho...> wrote:
> I apologize for the confusion.
>
> I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with
> gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg
> 2.0.14 I am able to get the pkcs11-scd to work.
>
> On the newer version the gpg-agent is forced, and seems to intercept any
> callbacks for the PIN. So I am not receiving the PIN request, and the
> gpg-agent protocol breaks down.
>
> gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
> gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token
> 'gnupg-par1HA' (try 0)
> gpg-agent[12159]: DBG: chan_9 -> END
> gpg-agent[12159]: DBG: chan_9 <- OK
> gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
> gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
>
> This does not seem to relate to the tty environment. Do you know how I can
> get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in
> previous agentless versions of gnupg? Is there some other reason why my card
> learn is breaking?
>
> Thank you,
> -Dustin
> ________________________________
> From: Alon Bar-Lev <alo...@gm...>
> Sent: Wednesday, May 31, 2017 3:21 PM
> To: Dustin Rogers
> Cc: Gnu...@li...
> Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire
> callback in IPC
>
> On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
>> Hi Alon:
>>
>> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to
>> be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared
>> for this callback at this point. gnupg 2.0.x did not require the running
>> agent and therefore the scdaemon was not intercepting the INQUIRE callbacks.
>> Any thoughts?
>
> <snip>
>
> Hi,
> I do not understand what you ask, do you ask if you can automate the
> pin entry for batch applications?
> Thanks,
> Alon
From: Dustin R. <dus...@ho...> - 2017-05-31 21:14:28
I apologize for the confusion.

I am on a rhel6.8 system. I cannot seem to get the pkcs11-scd to work with gnupg 2.1 at all due to the way the agent runs. With earlier version gnupg 2.0.14 I am able to get the pkcs11-scd to work.

On the newer version the gpg-agent is forced, and seems to intercept any callbacks for the PIN. So I am not receiving the PIN request, and the gpg-agent protocol breaks down.

gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC

This does not seem to relate to the tty environment. Do you know how I can get the INQUIRE NEEDPIN PIN call to pass through to pinentry like in previous agentless versions of gnupg? Is there some other reason why my card learn is breaking?

Thank you,
-Dustin

________________________________
From: Alon Bar-Lev <alo...@gm...>
Sent: Wednesday, May 31, 2017 3:21 PM
To: Dustin Rogers
Cc: Gnu...@li...
Subject: Re: [Gnupg-pkcs11-users] command 'LEARN' failed: No inquire callback in IPC

On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
> Hi Alon:
>
> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared for this callback at this point. gnupg 2.0.x did not require the running agent and therefore the scdaemon was not intercepting the INQUIRE callbacks. Any thoughts?
> <snip>

Hi,
I do not understand what you ask, do you ask if you can automate the pin entry for batch applications?
Thanks,
Alon
From: Alon Bar-L. <alo...@gm...> - 2017-05-31 20:21:11
On 31 May 2017 at 19:24, Dustin Rogers <dus...@ho...> wrote:
> Hi Alon:
>
> How are people getting past the INQUIRE NEEDPIN PIN callback that seems to be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared for this callback at this point. gnupg 2.0.x did not require the running agent and therefore the scdaemon was not intercepting the INQUIRE callbacks. Any thoughts?
> <snip>

Hi,
I do not understand what you ask, do you ask if you can automate the pin entry for batch applications?
Thanks,
Alon
From: Dustin R. <dus...@ho...> - 2017-05-31 16:24:53
Hi Alon:

How are people getting past the INQUIRE NEEDPIN PIN callback that seems to be breaking the gpg-agent protocol in gnupg 2.1.x? gpg-agent is not prepared for this callback at this point. gnupg 2.0.x did not require the running agent and therefore the scdaemon was not intercepting the INQUIRE callbacks. Any thoughts?

gpg-agent[12159]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[12159]: no running SCdaemon - starting it
gpg-agent[12159]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[12159]: DBG: first connection to SCdaemon established
gpg-agent[12159]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[12159]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.igcOYh/agent.S
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.igcOYh/agent.S'
gpg-agent[12159]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_9 -> GETINFO version
gpg-agent[12159]: DBG: chan_9 <- D 0.7.5
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> D 0.7.5
gpg-agent[12159]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[12159]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[12159]: DBG: chan_9 -> LEARN --force
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[12159]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC <GPG Agent>
gpg: OpenPGP card not available: No inquire callback in IPC
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: DBG: chan_8 <- [eof]
gpg-agent[12159]: DBG: chan_9 -> RESTART
gpg-agent[12159]: DBG: chan_9 <- OK

Thank you,
-Dustin Rogers

________________________________
From: Dustin Rogers <dus...@ho...>
Sent: Thursday, May 18, 2017 11:17 AM
To: Gnu...@li...
Subject: Fw: command 'LEARN' failed: No inquire callback in IPC

Hi gnupg-pkcs11-scd users:

Does anyone have any ideas why gnupg 2.0 can locate keys on our network attached Safenet Luna SA HSM, through the gnupg-pkcs11-scd, yet the newer version gnupg 2.1.x cannot? The developers at gnupg feel that this sc daemon is breaking the LEARN protocol. You can see from my response (with example) to them below that I don't necessarily think it is breaking the protocol; moreover, it is not allowing the scd a direct interaction with the card anymore, for the LEARN command that is. I really need the INQUIRE callback to pass through like in the older version without the constantly running agent. The newer gnupg 2.1 has an unattended PINENTRY feature that I would like to manipulate for batch decryptions.

Thank you for your time and any advice you may have.

-Dustin Rogers
Cryptographic Engineer at Capital One

________________________________
From: Rogers, Dustin <Dus...@ca...>
Sent: Thursday, May 18, 2017 11:06 AM
To: NIIBE Yutaka; Dustin Rogers; gnu...@gn...
Subject: RE: command 'LEARN' failed: No inquire callback in IPC

Hi Mr. Yutaka:

Okay, I will bring the question to them and see if they can help. You are correct, and now I realize from the output below that in the newer version the agent is forcing itself onto a channel and grabbing any callback. As you point out, it does not know what to do with the callback.
In the previous version the agent would merely pass the information through, allowing the scd to manipulate the channel and socket. I have to say though, this was a nice coincidence.

[root@ip-10-206-8-51 ~]# gpg --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

[root@ip-10-206-8-51 ~]# gpg --card-status
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gnupg-pkcs11-scd[23086.3299858176]: Cannot open configuration file '/root/.gnupg/gnupg-pkcs11-scd.conf'
gnupg-pkcs11-scd[23086.3299858176]: Listening to socket '/tmp/gnupg-pkcs11-scd.lmAaRp/agent.S'
gnupg-pkcs11-scd[23086]: chan_6 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[23086]: chan_6 <- GETINFO socket_name
gnupg-pkcs11-scd[23086]: chan_6 -> D /tmp/gnupg-pkcs11-scd.lmAaRp/agent.S
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- OPTION event-signal=12
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- LEARN --force
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[23086]: chan_6 -> INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gnupg-pkcs11-scd[23086]: chan_6 <- [ 44 20 67 6e 75 70 67 2d 70 61 72 31 00 00 00 00 ...(76 byte(s) skipped) ]
gnupg-pkcs11-scd[23086]: chan_6 <- END
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FRIEDNLY 73DF3EBFxxxxxxxxxxxxxxxxA1C101ED65FC61F894 /C=US/O=Capital One/OU=Web Servers/CN=gnupguser01 on gnupg-par1HA
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FPR 1 73DF3EBF24561B6296AF30A1C101ED65FC61F894
gnupg-pkcs11-scd[23086]: chan_6 -> S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> S KEYPAIRINFO 73DF3EBFxxxxxxxxxxxxxxxxxxC101ED65FC61F894 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- GETATTR KEY-ATTR
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 1 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 2 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 3 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
Application ID ...: D2760001240111504B43532331311111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: 53233131
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 1R 1R 1R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 73DF 3EBF XXXX XXXX XXXX XXA1 C101 ED65 FC61 F894
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
[root@ip-10-206-8-51 ~]# gnupg-pkcs11-scd[23086]: chan_6 <- RESTART
gnupg-pkcs11-scd[23086]: chan_6 -> OK

[root@ip-10-206-8-250 ~]# gpg --version
gpg (GnuPG) 2.1.20
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

[root@ip-10-206-8-250 ~]# gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --daemon
gpg-agent[12158]: reading options from '/root/.gnupg/gpg-agent.conf'
gpg-agent[12158]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.extra'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.browser'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.ssh'
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: gpg-agent (GnuPG) 2.1.20 started
gpg-agent --debug-level=gugpg --card-status
gpg-agent[12159]: DBG: chan_8 -> OK Pleased to meet you, process 12160
gpg-agent[12159]: DBG: chan_8 <- RESET
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttyname=/dev/pts/2
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttytype=xterm
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- GETINFO version
gpg-agent[12159]: DBG: chan_8 -> D 2.1.20
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION allow-pinentry-notify
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION agent-awareness=2.1.0
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[12159]: no running SCdaemon - starting it
gpg-agent[12159]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[12159]: DBG: first connection to SCdaemon established
gpg-agent[12159]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[12159]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.igcOYh/agent.S
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.igcOYh/agent.S'
gpg-agent[12159]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_9 -> GETINFO version
gpg-agent[12159]: DBG: chan_9 <- D 0.7.5
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> D 0.7.5
gpg-agent[12159]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[12159]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[12159]: DBG: chan_9 -> LEARN --force
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[12159]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC <GPG Agent>
gpg: OpenPGP card not available: No inquire callback in IPC
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: DBG: chan_8 <- [eof]
gpg-agent[12159]: DBG: chan_9 -> RESTART
gpg-agent[12159]: DBG: chan_9 <- OK

You can see in the last example that the agent is running on channel 8, and simultaneously the scd is running on chan_9. Both agents are trying to learn the card at the same time now. That is why the INQUIRE does not pass through anymore.

Questions:
Is there any way to run gpg2 without the agent? (Seems this is not likely as the --no-use-agent directive is deprecated.)
Is there any way to adjust the gpg-agent options so that it doesn't try to force learn the card? (gpg --send-info)

Also, to answer your question... on a network attached HSM there must be authentication on a LEARN command. It is not USB attached, thus authentication cannot be just assumed on a learn.

Thank you,
-Dustin Rogers
____________________________________________
Dustin Rogers, MSIA
Data Security Encryption Services
(pulse) 224.404.8919 (office)
218.331.0186 (mobile)

-----Original Message-----
From: NIIBE Yutaka [mailto:gn...@fs...]
Sent: Wednesday, May 17, 2017 1:32 AM
To: Dustin Rogers <dus...@ho...>; Rogers, Dustin <Dus...@ca...>; gnu...@gn...
Subject: Re: command 'LEARN' failed: No inquire callback in IPC

Dustin Rogers <dus...@ho...> wrote:
> In fact the native support for smart cards does not seem to support
> network attached HSM "virtual tokens" devices at all. It could be
> possible that I need to specify the local port the installed HSM agent
> is running on, but I don't think I will be that lucky.

No, scdaemon doesn't support it.

> I have this other scdaemon (gnupg-pkcs11-scd) working fine with gnupg
> 2.0,

Well, I think that gnupg-pkcs11-scd is not supported by GnuPG, 2.0 or 2.1. It is a kind of... independently developed program, unfortunately. It was just coincidence (from my view point) it worked with GnuPG 2.0. It would be good if someone around gnupg-pkcs11-scd shares development information with GnuPG.

> but with manual pinentry for each operation. I can't get it working
> with gnupg 2.1. (again, I am looking for the unattended pinentry
> support the later version seems to have) Thus, I really don't think
> this is an issue with the scdaemon I am using.
Moreover, I can see the > INQUIRE PIN callback is there, the pinentry is just not appearing. > Really I would like to understand why the gpg-connect-agent is > allowing the pin call back through, and the gpg-agent itself is not? Well, it's the detail of protocol between gpg-agent and scdaemon. INQUIRE NEEDPIN from scdaemon is not expected by gpg-agent when LEARN --force is issued. This situation is same in GnuPG 2.0. We don't know how gnupg-pkcs11-scd works, according to your log, it breaks the protocol for LEARN. gpg-agent only delegates back the INQUIRE NEEDPIN request to gpg when it is prepared: PKSIGN, PKDECRYPT, WRITEKEY, and generic SCD. For gpg-connect-agent with SCD command, it is prepared, thus it works. I think that it would be good to check why gnupg-pkcs11-scd called back with INQUIRE NEEDPIN for LEARN command. -- |
From: Dustin R. <dus...@ho...> - 2017-05-18 16:17:21
|
Hi gnupg-pkcs11-scd users:

Does anyone have any ideas why gnupg 2.0 can locate keys on our network attached Safenet Luna SA HSM, through the gnupg-pkcs11-scd, yet the newer version gnupg 2.1.x cannot? The developers at gnupg feel that this sc daemon is breaking the LEARN protocol. You can see from my response (with example) to them below that I don't necessarily think it is breaking the protocol; moreover, it is not allowing the scd a direct interaction with the card anymore, for the LEARN command that is. I really need the INQUIRE callback to pass through like in the older version without the constantly running agent. The newer gnupg 2.1 has an unattended PINENTRY feature that I would like to manipulate for batch decryptions.

Thank you for your time and any advice you may have.

-Dustin Rogers
Cryptographic Engineer at Capital One

________________________________
From: Rogers, Dustin <Dus...@ca...>
Sent: Thursday, May 18, 2017 11:06 AM
To: NIIBE Yutaka; Dustin Rogers; gnu...@gn...
Subject: RE: command 'LEARN' failed: No inquire callback in IPC

Hi Mr. Yutaka:

Okay, I will bring the question to them and see if they can help. You are correct, and now I realize from the output below that in the newer version the agent is forcing itself onto a channel and grabbing any callback. As you point out, it does not know what to do with the callback. In the previous version the agent would merely pass the information through, allowing the scd to manipulate the channel and socket. I have to say though, this was a nice coincidence.

[root@ip-10-206-8-51 ~]# gpg --version
gpg (GnuPG) 2.0.14
libgcrypt 1.4.5
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

[root@ip-10-206-8-51 ~]# gpg --card-status
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gnupg-pkcs11-scd[23086.3299858176]: Cannot open configuration file '/root/.gnupg/gnupg-pkcs11-scd.conf'
gnupg-pkcs11-scd[23086.3299858176]: Listening to socket '/tmp/gnupg-pkcs11-scd.lmAaRp/agent.S'
gnupg-pkcs11-scd[23086]: chan_6 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[23086]: chan_6 <- GETINFO socket_name
gnupg-pkcs11-scd[23086]: chan_6 -> D /tmp/gnupg-pkcs11-scd.lmAaRp/agent.S
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- OPTION event-signal=12
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- SERIALNO openpgp
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- LEARN --force
gnupg-pkcs11-scd[23086]: chan_6 -> S SERIALNO D2760001240111504B43532331311111 0
gnupg-pkcs11-scd[23086]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[23086]: chan_6 -> INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gnupg-pkcs11-scd[23086]: chan_6 <- [ 44 20 67 6e 75 70 67 2d 70 61 72 31 00 00 00 00 ...(76 byte(s) skipped) ]
gnupg-pkcs11-scd[23086]: chan_6 <- END
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FRIEDNLY 73DF3EBFxxxxxxxxxxxxxxxxA1C101ED65FC61F894 /C=US/O=Capital One/OU=Web Servers/CN=gnupguser01 on gnupg-par1HA
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-FPR 1 73DF3EBF24561B6296AF30A1C101ED65FC61F894
gnupg-pkcs11-scd[23086]: chan_6 -> S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> S KEYPAIRINFO 73DF3EBFxxxxxxxxxxxxxxxxxxC101ED65FC61F894 Safenet\x2C\x20Inc\x2E/LunaVirtual/1499402018/gnupg\x2Dpar1HA/393931393931393931
gnupg-pkcs11-scd[23086]: chan_6 -> OK
gnupg-pkcs11-scd[23086]: chan_6 <- GETATTR KEY-ATTR
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 1 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 2 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> S KEY-ATTR 3 1 1 2048 0
gnupg-pkcs11-scd[23086]: chan_6 -> OK
Application ID ...: D2760001240111504B43532331311111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: 53233131
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 1R 1R 1R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 73DF 3EBF XXXX XXXX XXXX XXA1 C101 ED65 FC61 F894
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
[root@ip-10-206-8-51 ~]# gnupg-pkcs11-scd[23086]: chan_6 <- RESTART
gnupg-pkcs11-scd[23086]: chan_6 -> OK

[root@ip-10-206-8-250 ~]# gpg --version
gpg (GnuPG) 2.1.20
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB

[root@ip-10-206-8-250 ~]# gpg-agent --debug-level=guru --debug 1024 --debug-pinentry --daemon
gpg-agent[12158]: reading options from '/root/.gnupg/gpg-agent.conf'
gpg-agent[12158]: enabled debug flags: mpi crypto memory cache memstat hashing ipc
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.extra'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.browser'
gpg-agent[12158]: listening on socket '/root/.gnupg/S.gpg-agent.ssh'
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: gpg-agent (GnuPG) 2.1.20 started
gpg-agent --debug-level=gugpg --card-status
gpg-agent[12159]: DBG: chan_8 -> OK Pleased to meet you, process 12160
gpg-agent[12159]: DBG: chan_8 <- RESET
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttyname=/dev/pts/2
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION ttytype=xterm
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-ctype=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION lc-messages=en_US.UTF-8
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- GETINFO version
gpg-agent[12159]: DBG: chan_8 -> D 2.1.20
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION allow-pinentry-notify
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- OPTION agent-awareness=2.1.0
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- SCD GETINFO version
gpg-agent[12159]: no running SCdaemon - starting it
gpg-agent[12159]: DBG: chan_9 <- OK PKCS#11 smart-card server for GnuPG ready
gpg-agent[12159]: DBG: first connection to SCdaemon established
gpg-agent[12159]: DBG: chan_9 -> GETINFO socket_name
gpg-agent[12159]: DBG: chan_9 <- D /tmp/gnupg-pkcs11-scd.igcOYh/agent.S
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: additional connections at '/tmp/gnupg-pkcs11-scd.igcOYh/agent.S'
gpg-agent[12159]: DBG: chan_9 -> OPTION event-signal=12
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_9 -> GETINFO version
gpg-agent[12159]: DBG: chan_9 <- D 0.7.5
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> D 0.7.5
gpg-agent[12159]: DBG: chan_8 -> OK
gpg: WARNING: server 'scdaemon' is older than us (0.7.5 < 2.1.20)
gpg-agent[12159]: DBG: chan_8 <- SCD SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 -> SERIALNO openpgp
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_8 -> S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: chan_8 -> OK
gpg-agent[12159]: DBG: chan_8 <- LEARN --sendinfo
gpg-agent[12159]: DBG: chan_9 -> LEARN --force
gpg-agent[12159]: DBG: chan_9 <- S SERIALNO D2760001240111504B43532331311111 0
gpg-agent[12159]: DBG: chan_9 <- S APPTYPE PKCS11
gpg-agent[12159]: DBG: chan_9 <- INQUIRE NEEDPIN PIN required for token 'gnupg-par1HA' (try 0)
gpg-agent[12159]: DBG: chan_9 -> END
gpg-agent[12159]: DBG: chan_9 <- OK
gpg-agent[12159]: DBG: agent_card_learn failed: No inquire callback in IPC
gpg-agent[12159]: command 'LEARN' failed: No inquire callback in IPC
gpg-agent[12159]: DBG: chan_8 -> ERR 67109130 No inquire callback in IPC <GPG Agent>
gpg: OpenPGP card not available: No inquire callback in IPC
[root@ip-10-206-8-250 ~]# gpg-agent[12159]: DBG: chan_8 <- [eof]
gpg-agent[12159]: DBG: chan_9 -> RESTART
gpg-agent[12159]: DBG: chan_9 <- OK

You can see in the last example that the agent is running on channel 8, and simultaneously the scd is running on chan_9. Both agents are trying to learn the card at the same time now.
That is why the INQUIRE does not pass through anymore.

Questions:
Is there any way to run gpg2 without the agent? (Seems this is not likely, as the --no-use-agent directive is deprecated.)
Is there any way to adjust the gpg-agent options so that it doesn't try to force learn the card? (gpg --send-info)

Also, to answer your question... on a network attached HSM there must be authentication on a LEARN command. It is not USB attached, thus authentication cannot be just assumed on a learn.

Thank you,
-Dustin Rogers
____________________________________________
Dustin Rogers, MSIA
Data Security Encryption Services (pulse)
224.404.8919 (office)
218.331.0186 (mobile)

-----Original Message-----
From: NIIBE Yutaka [mailto:gn...@fs...]
Sent: Wednesday, May 17, 2017 1:32 AM
To: Dustin Rogers <dus...@ho...>; Rogers, Dustin <Dus...@ca...>; gnu...@gn...
Subject: Re: command 'LEARN' failed: No inquire callback in IPC

Dustin Rogers <dus...@ho...> wrote:
> In fact the native support for smart cards does not seem to support
> network attached HSM "virtual tokens" devices at all. It could be
> possible that I need to specify the local port the installed HSM agent
> is running on, but I don't think I will be that lucky.

No, scdaemon doesn't support it.

> I have this other scdaemon (gnupg-pkcs11-scd) working fine with gnupg
> 2.0,

Well, I think that gnupg-pkcs11-scd is not supported by GnuPG, 2.0 or 2.1. It is a kind of... independently developed program, unfortunately. It was just coincidence (from my view point) it worked with GnuPG 2.0. It would be good if someone around gnupg-pkcs11-scd shares development information with GnuPG.

> but with manual pinentry for each operation. I can't get it working
> with gnupg 2.1. (again, I am looking for the unattended pinentry
> support the later version seems to have) Thus, I really don't think
> this is an issue with the scdaemon I am using. Moreover, I can see the
> INQUIRE PIN callback is there, the pinentry is just not appearing.
> Really I would like to understand why the gpg-connect-agent is
> allowing the pin callback through, and the gpg-agent itself is not?

Well, it's the detail of the protocol between gpg-agent and scdaemon. INQUIRE NEEDPIN from scdaemon is not expected by gpg-agent when LEARN --force is issued. This situation is the same in GnuPG 2.0. We don't know how gnupg-pkcs11-scd works; according to your log, it breaks the protocol for LEARN.

gpg-agent only delegates back the INQUIRE NEEDPIN request to gpg when it is prepared: PKSIGN, PKDECRYPT, WRITEKEY, and generic SCD. For gpg-connect-agent with SCD command, it is prepared, thus it works.

I think that it would be good to check why gnupg-pkcs11-scd called back with INQUIRE NEEDPIN for LEARN command.
--
|
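The agent/daemon exchange NIIBE describes, as an added simulation that is not code from GnuPG or gnupg-pkcs11-scd: the daemon side inquires for a PIN on LEARN the way gnupg-pkcs11-scd does in the logs above, the agent side carries an inquire callback only for PKSIGN, PKDECRYPT, WRITEKEY and a relayed "SCD ..." command, so the agent's own `LEARN --force` ends in the same ERR 67109130 (which, by libgpg-error's source/code packing, decodes to source 4 = gpg-agent, code 266 = GPG_ERR_ASS_NO_INQUIRE_CB). The PIN, the KEYPAIRINFO id and the daemon-side error reply are constructed.

```python
"""Simulated Assuan exchange between gpg-agent and a PKCS#11 card daemon.
Constructed model, not GnuPG or gnupg-pkcs11-scd code: the daemon must log in
before it can enumerate keys, so LEARN raises INQUIRE NEEDPIN, while the agent
attaches an inquire callback only where it expects an inquiry."""
from dataclasses import dataclass, field
from typing import Callable, Generator, List, Optional, Tuple

# libgpg-error layout: source in bits 24 and up, code in the low 16 bits.
# gpg-agent is source 4; "No inquire callback in IPC" is code 266.
GPG_ERR_SOURCE_GPGAGENT = 4
GPG_ERR_SOURCE_SCD = 6
GPG_ERR_ASS_NO_INQUIRE_CB = 266
GPG_ERR_BAD_PIN = 87

TOKEN = "gnupg-par1HA"                            # token label from the log
SERIALNO = "D2760001240111504B43532331311111"     # serial from the log
FPR = "73DF3EBF24561B6296AF30A1C101ED65FC61F894"  # KEY-FPR from the log
PIN = "123456"                                    # constructed PIN (assumption)

Server = Generator[str, Optional[str], None]


def gpg_error(source: int, code: int) -> int:
    return (source << 24) | (code & 0xFFFF)


def decode_error(err: int) -> Tuple[int, int]:
    return err >> 24, err & 0xFFFF


def pkcs11_scd(command: str) -> Server:
    """Daemon side of one command, yielding Assuan lines. The INQUIRE yield
    receives the client's answer: the PIN, or None for a bare END (the
    pin_prompt hook is then cancelled and C_Login fails with CKR_CANCEL)."""
    verb = command.split()[0]
    yield f"S SERIALNO {SERIALNO} 0"
    if verb == "LEARN":
        yield "S APPTYPE PKCS11"
    pin = yield f"INQUIRE NEEDPIN PIN required for token '{TOKEN}' (try 0)"
    if pin is None and verb == "LEARN":
        yield "OK"                     # as in the log: nothing learned, still OK
        return
    if pin != PIN:
        yield f"ERR {gpg_error(GPG_ERR_SOURCE_SCD, GPG_ERR_BAD_PIN)} Bad PIN"
        return
    if verb == "LEARN":
        yield f"S KEY-FPR 1 {FPR}"
        yield f"S KEYPAIRINFO {FPR} constructed/LunaVirtual/{TOKEN}/0"
    yield "OK"


@dataclass
class Result:
    err: int = 0
    status: List[str] = field(default_factory=list)
    transcript: List[str] = field(default_factory=list)


def transact(server: Server, inquire_cb: Optional[Callable[[str], str]]) -> Result:
    """Client side, a pared-down assuan_transact: with no inquire callback an
    INQUIRE is answered by a bare END and the command is reported as
    GPG_ERR_ASS_NO_INQUIRE_CB once the server finishes, even if it said OK."""
    r = Result()
    reply: Optional[str] = None
    while True:
        try:
            line = server.send(reply)
        except StopIteration:
            raise RuntimeError("server closed the channel without OK/ERR")
        r.transcript.append("<- " + line)
        reply = None
        if line.startswith("S "):
            r.status.append(line[2:])
        elif line.startswith("INQUIRE "):
            if inquire_cb is None:
                r.transcript.append("-> END")
                r.err = gpg_error(GPG_ERR_SOURCE_GPGAGENT, GPG_ERR_ASS_NO_INQUIRE_CB)
            else:
                reply = inquire_cb(line[len("INQUIRE "):])
                r.transcript.append("-> D " + "*" * len(reply))  # never log the PIN
                r.transcript.append("-> END")
        elif line == "OK":
            return r
        elif line.startswith("ERR "):
            r.err = r.err or int(line.split()[1])
            return r


INQUIRE_AWARE = {"PKSIGN", "PKDECRYPT", "WRITEKEY"}   # the commands NIIBE lists


def agent_card_command(command: str, frontend_pin: str, generic_scd: bool = False) -> Result:
    """gpg-agent forwarding one command to the card daemon: NEEDPIN is relayed
    to the frontend only for commands it knows may inquire, or when the
    frontend itself sent a raw "SCD ..." line (the gpg-connect-agent case)."""
    def relay(prompt: str) -> str:            # stands in for pinentry
        return frontend_pin
    prepared = generic_scd or command.split()[0] in INQUIRE_AWARE
    return transact(pkcs11_scd(command), relay if prepared else None)


if __name__ == "__main__":
    for cmd, via_scd in (("LEARN --force", False), ("LEARN --force", True), (f"PKSIGN {FPR}", False)):
        res = agent_card_command(cmd, PIN, via_scd)
        print(cmd, "via SCD" if via_scd else "from agent", decode_error(res.err), res.transcript)
```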
From: Jaap v. W. <mai...@va...> - 2016-01-01 22:01:10
|
On 2015-12-24T19:51:47 UTC Alon Bar-Lev <alo...@gm...> wrote the following in the message <Re: [Gnupg-pkcs11-users] Problems with ESTEID, gnupg-pkcs11-scd and gpgsm>, mid:CAOazyz0uJ9hYSaVAFF=BU78RCqj22soh0L+A_cjK_Jx=fo...@ma...:

> Please attach log files - do not paste.
> Please configure gpg to write to log files and not to terminal.
>
> ~/.gnupg/gpg-agent.conf
> ---
> debug-all
> log-file /tmp/gpg-agent.log
> ---
>
> ~/.gnupg/gnupg-pkcs11-scd.conf
> ---
> log-file /tmp/gnupg-pkcs11-scd.log
> verbose
> debug-all

3 attachments!

--
Jaap van Wingerde
e-mail: 123...@va...
|
From: Jaap v. W. <mai...@va...> - 2015-12-24 17:41:38
|
How can I solve them?

jaap@jaap:~$ gpgsm --help
gpgsm (GnuPG) 2.0.26
libgcrypt 1.6.3
libksba 1.3.2-unknown
...
jaap@jaap:~$

jaap@jaap:~$ /usr/bin/gpgsm -vvvvs txt.txt
gpgsm: enabled debug flags: x509 assuan
gpgsm: no key usage specified - assuming all usages
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 39 C0 56 38 84 B2 C1 01 B2 0C 59 ED 40 27 B5 01 93 FF F7 72
gpgsm: no running gpg-agent - starting one
gpg-agent[22381]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 31 F0 60 FB CE A5 21 00 E5 68 D2 6C 98 FD ED 9A 12 B1 60 15
gpgsm: certificate is not usable for signing
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= 23 59 EB D7 45 0D 9A 7F F3 25 FD 94 27 7E CC 32 D2 DD 22 53
gpgsm: DBG: get_keygrip for public key
gpgsm: DBG: keygrip= C5 BD 3D 02 E5 E7 6D D2 75 40 C6 62 D0 B7 47 7C 16 92 67 39
gpgsm: no default signer found
gpgsm: error creating signature: General error <GpgSM>
secmem usage: 0/16384 bytes in 0 blocks
jaap@jaap:~$

jaap@jaap:~$ /usr/bin/gpgsm --learn-card
gpgsm: enabled debug flags: x509 assuan
gpgsm: no running gpg-agent - starting one
gpg-agent[22386]: enabled debug flags: assuan
gpgsm: DBG: connection to agent established
gnupg-pkcs11-scd[22387.3394275072]: version: 0.7.3
gnupg-pkcs11-scd[22387.3394275072]: config: debug=1, verbose=1
gnupg-pkcs11-scd[22387.3394275072]: config: pin_cache=-1
gnupg-pkcs11-scd[22387.3394275072]: config: provider: name=esteid, library=/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so, allow_protected=1, cert_is_private=1, private_mask=00000001
gnupg-pkcs11-scd[22387.3394275072]: run_mode: 2
gnupg-pkcs11-scd[22387.3394275072]: crypto: openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider entry version='1.11', pid=22387, reference='esteid', provider_location='/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so', allow_protected_auth=1, mask_private_mode=00000001, cert_is_private=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Adding provider 'esteid'-'/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider Provider 'esteid' manufacturerID 'OpenSC (www.opensc-project.org)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify entry
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Provider 'esteid' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: Listening to socket '/tmp/gnupg-pkcs11-scd.xWcx6d/agent.S'
gnupg-pkcs11-scd[22387]: chan_6 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[22387]: chan_6 <- GETINFO socket_name
gnupg-pkcs11-scd[22387]: chan_6 -> D /tmp/gnupg-pkcs11-scd.xWcx6d/agent.S
gnupg-pkcs11-scd[22387]: chan_6 -> OK
gnupg-pkcs11-scd[22387]: chan_6 <- SERIALNO
gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO D2760001240111111111111111111111 0
gnupg-pkcs11-scd[22387]: chan_6 -> OK
gnupg-pkcs11-scd[22387]: chan_6 <- LEARN --force
gnupg-pkcs11-scd[22387]: chan_6 -> S SERIALNO D2760001240111111111111111111111 0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffc1c633f48, p_cert_id_end_list=0x7ffc1c633f40
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0, token_present=1, pSlotList=0x7ffc1c633e00, pulCount=0x7ffc1c633e08
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633e18
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600, p_session=0x7ffc1c633e10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Creating a new session
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0xd3ff28 form=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000003
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate entry session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login entry session=0xd3ff10, is_publicOnly=1, readonly=1, user_data=0xd34880, mask_prompt=00000001
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout entry session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_logout return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000001, p_slot=0x7ffc1c633858
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15 emulated', serialNumber='N0108352', label='VAN WINGERDE,JACOB,35402120120 ('
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0xd1f5e0, token_present=1, pSlotList=0x7ffc1c6336f8, pulCount=0x7ffc1c633700
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633708
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633660
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='AS Sertifitseerimiskeskus' model='PKCS#15 emulated', serialNumber='N0108352', label='VAN WINGERDE,JACOB,35402120120 ('
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Calling pin_prompt hook for 'VAN WINGERDE,JACOB,35402120120 ('
gnupg-pkcs11-scd[22387]: chan_6 -> INQUIRE NEEDPIN PIN required for token 'VAN WINGERDE,JACOB,35402120120 (' (try 0)
gnupg-pkcs11-scd[22387]: chan_6 <- END
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pin_prompt hook return rv=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login C_Login rv=1-'CKR_CANCEL'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_login return rv=1-'CKR_CANCEL'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=1-'CKR_CANCEL'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Cannot get token information for provider 'OpenSC (www.opensc-project.org)' slot 1 rv=1-'CKR_CANCEL'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffc1c633e18
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffc1c633d70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd3f600, p_session=0x7ffc1c633e10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using cached session
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0xd3ff10, user_data=0xd34880, mask_prompt=00000003
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate entry session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1450824309
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_findObjects entry session=0xd3ff10, filter=0x7ffc1c633d10, filter_attrs=1, p_objects=0x7ffc1c633cf0, p_objects_found=0x7ffc1c633cf8
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0xd3ff10, object=13889536, attrs=0x7ffc1c633d30, count=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffc1c633d00
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0xd40c70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0xd40c70 form=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0xd410a0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0xd40c70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='/C=EE/O=ESTEID (DIGI-ID E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN WINGERDE,JACOB,35402120120 ('
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffc1c633d30, count=2
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3fef8 form=0xd40c70
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0xd3fef0, p_cert_id_issuers_list=0x7ffc1c633f48, p_cert_id_end_list=0x7ffc1c633f40
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd3e258 form=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fef0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd3f600
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387]: chan_6 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0xd41f30, user_data=0xd34880, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffc1c633e40
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0xd40140 form=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0xd41a20, p_session=0xd40150
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Using cached session
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0xd40140, certificate_blob=0xd42ce0, *p_certificate_blob_size=0000000000000507
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0xd40140
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release entry session=0xd3ff10
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40760
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd41a20
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificate return
gpgsm: error learning card: No inquire callback in IPC
secmem usage: 0/16384 bytes in 0 blocks
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0xd44240, ptr=(nil), ad=0xd442a0, idx=0, argl=0, argp=0x7fb4c91f08e3
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=(nil), *max=0000000000000000, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0xd42360
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000006d, sz='(null)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK', *max=0000000000000070, sz='(null)'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId entry sz=0xd41ba0, *max=0000000000000070, certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0xd41ba0, *max=0000000000000070, token_id=0xd42360
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=000000000000006d, sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_serializeCertificateId return rv=0-'CKR_OK', *max=0000000000000070, sz='AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01'
gnupg-pkcs11-scd[22387]: chan_6 -> S KEY-FRIEDNLY BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 /C=EE/O=ESTEID (DIGI-ID E-RESIDENT)/OU=authentication/CN=VAN WINGERDE,JACOB,35402120120/SN=VAN WINGERDE/GN=JACOB/serialNumber=35402120120 on VAN WINGERDE,JACOB,35402120120 (
gnupg-pkcs11-scd[22387]: chan_6 -> S KEYPAIRINFO BEE4963CCC09D0CEE5DE3DEA543EBCBB702664E1 AS\x20Sertifitseerimiskeskus/PKCS\x2315\x20emulated/N0108352/VAN\x20WINGERDE\x2CJACOB\x2C35402120120\x20\x28/01
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3e250
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd41f30
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd42360
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[22387]: chan_6 -> OK
jaap@jaap:~$ gnupg-pkcs11-scd[22387]: chan_6 <- RESTART
gnupg-pkcs11-scd[22387]: chan_6 -> OK
gnupg-pkcs11-scd[22387.3394275072]: assuan_process failed: Broken pipe
gnupg-pkcs11-scd[22387.3357775616]: Cleaning up threads
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_terminate entry
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating openssl
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_openssl_terminate
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing providers
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider entry reference='esteid'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Removing provider 'esteid'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify entry
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_removeProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Releasing sessions
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd402f0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0xd3fcb0
gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0xd40c70 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0xd410a0 gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_token_freeTokenId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateId return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Terminating slotevent gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_terminate entry gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: _pkcs11h_slotevent_terminate return gnupg-pkcs11-scd[22387.3394275072]: PKCS#11: Marking as uninitialized ^C jaap@jaap:~$ -- Jaap van Wingerde e-mail: 123...@va... |
From: Alon Bar-L. <alo...@gm...> - 2015-04-04 06:46:44
|
On 4 April 2015 at 02:15, Nick Econopouly <nic...@gm...> wrote:
>
> Hey, all. Is there a recommended blank PKCS#11 card for easy use with this project? Names or links would be great. Ideally cheaper than just buying the openpgp card.
>
Hi!
If you find opensc usable, you can use any of the supported cards. The advantage is that even if there are issues it is easy to fix. As for vendors, it is very hard to say; most provide binary drivers and perceive Linux at best as 2nd tier, so good support is not available in general.
>
> Also, I'm slightly confused about gpgsm. Is gpgsm basically an alternative to openssl for something for X.509 key and certification management? Or is it an attempt to use X.509 key formats in a pgp-like web of trust? Or both?
>
The gpg utility is an OpenPGP implementation; it is the oldest standard for peer-to-peer interaction. The gpgsm utility is an S/MIME implementation, which is what is embedded in standard mail (MIME). The actual library has nothing to do with the implementation, but regardless, gpg/gpgsm use libgcrypt and not openssl.
Regards,
Alon Bar-Lev. |
From: Nick E. <nic...@gm...> - 2015-04-03 23:15:32
|
Hey, all. Is there a recommended blank PKCS#11 card for easy use with this project? Names or links would be great. Ideally cheaper than just buying the openpgp card. Also, I'm slightly confused about gpgsm. Is gpgsm basically an alternative to openssl for something for X.509 key and certification management? Or is it an attempt to use X.509 key formats in a pgp-like web of trust? Or both? thanks, -nick |
From: mike m. <bir...@ya...> - 2015-03-18 01:23:56
|
I see that there is not much traffic or many updates to this project, but I hope someone can reply: does this still work well with the latest gpg? I apologize if these are noobish questions, but I ask before I leap:
- to use it, I would be importing existing X.509 certs, one each for sign, encrypt and auth?
- is it ok then to use the same ones used for S/MIME?
- is there any concept of master and subkeys when using pkcs11 and gpg?
thanks for your assistance. |
From: Alon Bar-L. <alo...@gm...> - 2013-06-15 08:02:23
|
On Sat, Jun 15, 2013 at 10:44 AM, Rick van Rein (OpenFortress) <ri...@op...> wrote:
> Hello Alon,
>
> Thanks for your response!
>
>> What you ask is PKCS#11 provider specific.
>
> I'm currently using SoftHSM from www.opendnssec.org -- but that is basically immaterial to this discussion.
>
>> What is important is that CKA_ID will be the same for the private key and
>> certificate.
>
> OK, so there *must* be an X.509 certificate structure in place, even if it is self-signed. I had guessed that a public/private key object pair would suffice.
>
gpgsm requires a certificate. And there is no difference between storing a public key and a self-signed certificate. Most implementations of PKCS#11 are within PKI environments, so requiring X.509 is usually simpler. The public key object is not available in all implementations.
>
> Where is the X.509 cert used? I suppose only for the "SCD LEARN" phase which reveals subject-identity information? Is this from the certificate, or its CKA_SUBJECT attribute? (In the latter case, it might be helpful to do it for public key objects as well.)
>
It is used for gpgsm and as a 'public key'.
>
>> CKA_ID is provider specific, and usually automatically generated; if you
>> have an option, any string is good.
>
> Excellent. When calling C_GenerateKeyPair it can be set, so I was open to anything. This answer makes more sense than pinning it down though.
>
>> A single key will work if you specify the same id for all, but usually
>> you do not use the same key for authentication, signature and
>> encryption as each has its own lifetime and usage.
>
> Yeah, I know. We're trying to support privacy through light-weight pseudonyms, and sharing a key is going to be practical in several use cases. And it's not a big security problem -- it only leads to coupling pseudonyms, but they cannot be traced from one to another.
>
> I think I'm reading from your response that there is no GnuPG public key information stored on the token --not even key self-signatures-- and that all this is held in GnuPG? This is probably how the SCD works, then.
>
Not exactly, I think OpenPGP requires storing the public key object as public.
>
> Thanks,
> -Rick |
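The point Alon makes above (a private key on the token is only usable through gnupg-pkcs11-scd and gpgsm when a certificate object shares its CKA_ID; a public-key object alone is not enough) can be checked against a token listing before running SCD LEARN. This is an added example, not code from the list or from gnupg-pkcs11-scd; it assumes the text layout that OpenSC's `pkcs11-tool --list-objects` prints and runs on a constructed sample in that layout.

```python
import re
from collections import defaultdict

# Constructed sample (not real token output), in the layout that OpenSC's
# `pkcs11-tool --module <provider.so> --list-objects` prints (assumed).
SAMPLE_LISTING = """\
Private Key Object; RSA
  label:      sign
  ID:         01
Certificate Object; type = X.509 cert
  label:      sign
  ID:         01
Private Key Object; RSA
  label:      encrypt
  ID:         02
Public Key Object; RSA 2048 bits
  label:      encrypt
  ID:         02
Certificate Object; type = X.509 cert
  label:      old-cert
  ID:         03
"""
HEADER = re.compile(r"^(Private Key|Public Key|Certificate) Object;")
ATTR = re.compile(r"^\s+(\w+):\s+(.*)$")

def parse_objects(listing):
    # Each "... Object;" header starts a new object; indented "key: value"
    # lines (label, ID, subject, ...) belong to the most recent one.
    objects = []
    for line in listing.splitlines():
        if m := HEADER.match(line):
            objects.append({"class": m.group(1)})
        elif objects and (m := ATTR.match(line)):
            objects[-1][m.group(1)] = m.group(2).strip()
    return objects

def check_pairing(listing):
    # Group by CKA_ID: a private key is usable by gnupg-pkcs11-scd/gpgsm only if a
    # certificate object shares its CKA_ID; a public key alone (ID 02) does not count.
    by_id = defaultdict(lambda: defaultdict(list))
    for obj in parse_objects(listing):
        by_id[obj.get("ID", "")][obj["class"]].append(obj.get("label", ""))
    report = {"usable": [], "key_without_cert": [], "cert_without_key": []}
    for cka_id, classes in sorted(by_id.items()):
        has_key, has_cert = bool(classes["Private Key"]), bool(classes["Certificate"])
        kind = ("usable" if has_key and has_cert else "key_without_cert" if has_key
                else "cert_without_key" if has_cert else None)
        if kind:
            report[kind].append(cka_id)
    return report
```

On the sample, ID 01 is usable, ID 02 is a private key that gpgsm will not see because only a public-key object accompanies it, and ID 03 is a certificate with no private key behind it.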