smartcard support

[lambdafu]

https://github.com/OpenSC/OpenSC/wiki/OpenPGP-card

[tlaurion]

Somebody is working on this?
I think neopg would be a great replacement for GnuPG under Heads.

[Bjoe]

I also have an interest to get neopg runing with my NitroKey The link to OpenSC means, we should use this library in neopg? Unfortunately it has dependencies to openssl :-( .... but I can start with that to include into cmake build system or is there another library? Or add smartcard support "from scratch" with PCSC?

[lambdafu]

The goal is to be as "normal" as possible. I think this means using whatever is the platform default. I removed pcscd support from the legacy code some time ago, and kept ccid. But I think that was a mistake. For interoperability with other smartcard applications we need to use whatever operating system service is common. I am open to advice on that matter!

[Bjoe]

I compiled OpenSC and did a deeper look.
My assumption about OpenSSL is wrong, sorry. OpenSSL is optional for OpenSC.
Here my quick summary about OpenSC:
OpenSC has some implementation of OpenPGP (see in OpenSC/src/libopensc/cardctl.h:262 ) but I'm not sure if they implement the "full feature" of OpenPGP smart card application. I read in OpenPGP card driver details:

...
In order to make OpenPGP cards accessible for OpenSC’s PKCS#15 functions, the OpenPGP card driver in OpenSC simulates a file system.
...
This file-system is currently read-only, hence any operation writing to the card, i.e. personalization and key generation, needs to be done via GnuPG.
...

Also I read that they implement v2.0, but I see in the code also they accept SC_CARD_TYPE_OPENPGP_V3 cards.

The bigger issue that I have is, after I install OpenSC I only have libs without any header files. It looks like, OpenSC provides only PKCS#11 library to use in third party application. I didn't read any think about OpenPGP in the Creating applications with smart card support. I think, OpenPGP is not a subset of PKCS#11, so it is not possible to use the PKCS#11 for OpenPGP smart card applications. But this is only a assuption from my side. I think, next I will ask in the OpenSC mailing list about OpenSC.

... removed pcscd support from the legacy code ... I think that was a mistake.

A mistake, no. It is a good idea to verify if they already exists something that is ready to use :-).
For example, OpenSC has a subproject OpenCT. OpenCT is like pcscd. Here a OpenCT project summary:

OpenCT implements drivers for several smart card readers. It comes as driver in ifdhandler format for PC/SC-Lite, as CT-API driver, or as a small and lean middleware, so applications can use it with minimal overhead.

@lambdafu Let me ask in the next days on the OpenSC mailing list. Then we have a better understanding about OpenSC and OpenCT.

[alex-nitrokey]

The support for OpenPGP Card v3 is mostly included already in OpenSC 19.0. I don't know how the implementation is working if you want to include it in a project though.

The only things that are missing regarding v3 are the new features like ECC support, multiple certs and alike. I am kind of working on that.

The most important source files for OpenPGP Card are:

• OpenSC/src/libopensc/card-openpgp.c
• OpenSC/src/pkcs15-init/pkcs15-openpgp.c

I don't know what you need especially and what you are looking for. I may can help.

[Bjoe]

Hi @alex-nitrokey ... nice to have you here 👍 ... help is always welcome :-)
My question is, how can I "use" / call / link against the OpenSC/src/libopensc/card-openpgp.c and OpenSC/src/pkcs15-init/pkcs15-openpgp.c functions?

I build and install from the master branch and it looks like libopensc.a provide these functions, but where are the header files for libopensc.a?

[Bjoe]

Interesting, I read this here:
Now, however, the OpenSC project now supports the OpenPGP card as a PKCS#11 and PKCS#15 card,
Hm I will try ... :-)

[alex-nitrokey]

My question is, how can I "use" / call / link against the OpenSC/src/libopensc/card-openpgp.c and OpenSC/src/pkcs15-init/pkcs15-openpgp.c functions?

As far as I can say you don't use them directly anyway. Instead you probably use one of the libraries (see below).

Unfortunately, I only worked with OpenSC directly so far, but did not try to integrate it in another program. For me it looks like the previously linked instructions of the OpenSC project is the best resource for this objective.

Especially the listed PKCS11 libraries should help here, but as I said, I have no experience with it yet. I'd be happy to hear how it worked out.

[jans23]

For integrating OpenSC, you find an example application here.

[Bjoe]

@alex-nitrokey Ok, I will try to use opensc-pkcs11.so ...

@jans23 Ah great 👍 there is an example, how to use opensc-pkcs11.so for OpenPGP cards. Thanks for the hint!

For a quick test, I use the pkcs11-tool (because this tool uses opensc-pkcs11.so) and I try to use sign with the ./pkcs11-tool -s --input-file ~/tmp/test.txt --output-file ~/tmp/test.sig
But I get only:

Using slot 0 with a present token (0x0)
Logging in to "User PIN (OpenPGP card)".
Please enter User PIN: 
Using signature algorithm RSA-PKCS
error: Invalid RSA-PSS parameters
Aborting.

@jans23 I see in https://github.com/Nitrokey/nitrokey-encryption-tool there is also no support to sign. Is this not possible via the opensc-pkcs11.so for OpenPGP?

[alex-nitrokey]

For a quick test, I use the pkcs11-tool (because this tool uses opensc-pkcs11.so) and I try to use sign with the ./pkcs11-tool -s --input-file ~/tmp/test.txt --output-file ~/tmp/test.sig

Please try to add a "--id 03". This should help. The third key slot is supposed to be used for signing. As pkcs11-tool is a general purpose tool of OpenSC this has to be set manually.

Make sure you have a key in the third slot 😉

[Bjoe]

I create a POC version with opensc-pkcs11.so. The good news is, that botan has a good API to handle the PKCS11 commands.
Here the result:

• encryption (export public key and encrypt content)
• decryption (on the card)
• sign (on the card)
• verify sign (export public key and verify signature)

Only key generation is not possible. Neither on the card nor upload local generated keys. Every time I get an Not supported exception.

I try to look how gnupg-pkcs11 implemented the key generation. It looks like there are also not generating the keys, but this is only an assumption from me! Maybe I find the time to test this.

I think, NEOPG should have support for PKCS11 but when I created the POC version I considered that NEOPG maybe needs also a well documented API how a linux distribution, window manager or maybe a vendor can implement/links again there own support of smartcard daemon.
The major issue with smart cards is, that only one process can communicate with the smart card. If there are more than one processes, like for example you use gpg-agent with scdaemon and then the Nitrokey-App to unlock the password storage. After that you try to use again the gpg-agent with scdaemon ... its every time stuck.
That`s my conclusion/idea.

[jans23]

@jans23 I see in https://github.com/Nitrokey/nitrokey-encryption-tool there is also no support to sign. Is this not possible via the opensc-pkcs11.so for OpenPGP?

It is possible but not in scope of the Encryption Tool (yet).

Regarding key generation: It would be good to give users the option to make a key backup. Technically this results in two approaches:
a) Generate keys on the smart card itself without a backup
b) Generate keys on the computer, make a backup and import keys to the smart card.

Note that GnuPG offers these options too but doesn't allow a full key backup but only a backup of the encryption key (not signing and auth keys). IMHO this is a very confusing and limiting design choice which neopg should avoid.