
1.4.x pinpad support (reader covadis vega-alpha => cannot used secure PIN)
Closed, ResolvedPublic

Description

Hi,

I use gnupg2 2.0.13 with libccid 1.3.11 on my Debian and a GnuPG smartcard V2.

The smartcard works fine with this reader, but without using the keypad.

The reader's keypad is supported by libccid:

SCardControl(CM_IOCTL_GET_FEATURE_REQUEST): OK

Reader supports FEATURE_VERIFY_PIN_DIRECT
Reader supports FEATURE_MODIFY_PIN_DIRECT
Reader supports FEATURE_IFD_PIN_PROPERTIES

But when the PIN or admin PIN is needed, it is always asked for on my desktop,
not on the keypad.

Thanks in advance for your reply; don't hesitate to ask if you need more information.

Event Timeline

werner lowered the priority of this task from High to Wishlist. Oct 12 2009, 9:11 AM
werner removed a project: Bug Report.
werner added a project: Feature Request.
werner added a subscriber: werner.

We don't support the keypad with pcscd.

With the internal driver some readers with keypad are supported.
Adding more readers is easy; they merely need to be enabled. We do this on a
case-by-case basis because sometimes the readers don't support the standard
correctly and in turn might brick a card.

If you want to try that, locate the function ccid_tranceive_secure in
scd/ccid-driver.c and add the vendor of the card to the code:

/* We have only tested a few readers so better don't risk anything
   and do not allow the use with other readers. */
switch (handle->id_vendor)
  {
  case VENDOR_SCM:  /* Tested with SPR 532. */
  case VENDOR_KAAN: /* Tested with KAAN Advanced (1.02). */
    break;
  default:
    /* Any other reader: refuse secure PIN entry through the pinpad. */
    return CCID_DRIVER_ERR_NOT_SUPPORTED;
  }

The vendor is the USB vendor id, the constants are defined at the top of the file.
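As an added illustration of the gate Werner describes above (example code written for this page, not GnuPG's own scd/ccid-driver.c): a reader only gets secure PIN entry when it both advertises the direct PIN feature that libccid reported in this ticket and comes from a vendor on the tested list; every other reader falls back to PIN entry on the host, which cannot brick the card. The VENDOR_* values and the FEATURE_* bit assignments are assumptions made for this example; GnuPG keeps the real vendor enum at the top of ccid-driver.c, so check there before copying any value. The `parse_features` helper reads the "Reader supports ..." lines quoted in the report (constructed sample input).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed USB vendor ids for this example; verify against the enum at the
   top of scd/ccid-driver.c before relying on them. */
#define VENDOR_SCM   0x04e6u
#define VENDOR_KAAN  0x0d46u
#define VENDOR_VEGA  0x0982u   /* Covadis Vega-Alpha (assumed) */

/* Capability bits named after the libccid feature lines quoted in the report;
   the bit positions are chosen for this example only. */
#define FEATURE_VERIFY_PIN_DIRECT   (1u << 0)
#define FEATURE_MODIFY_PIN_DIRECT   (1u << 1)
#define FEATURE_IFD_PIN_PROPERTIES  (1u << 2)

struct reader {
  uint16_t id_vendor;   /* USB vendor id of the reader */
  unsigned features;    /* FEATURE_* mask */
};

enum pin_path { PIN_VIA_HOST = 0, PIN_VIA_PINPAD = 1 };

/* Turn libccid's "Reader supports FEATURE_..." diagnostic lines into a mask.
   Lines that do not start with "Reader supports " are ignored. */
unsigned parse_features(const char *text)
{
  static const char prefix[] = "Reader supports ";
  static const struct { const char *name; unsigned bit; } tab[] = {
    { "FEATURE_VERIFY_PIN_DIRECT",  FEATURE_VERIFY_PIN_DIRECT  },
    { "FEATURE_MODIFY_PIN_DIRECT",  FEATURE_MODIFY_PIN_DIRECT  },
    { "FEATURE_IFD_PIN_PROPERTIES", FEATURE_IFD_PIN_PROPERTIES },
  };
  const size_t plen = sizeof prefix - 1;
  unsigned mask = 0;
  const char *line = text;
  while (line && *line) {
    const char *nl = strchr(line, '\n');
    size_t len = nl ? (size_t)(nl - line) : strlen(line);
    if (len > plen && !strncmp(line, prefix, plen)) {
      const char *feat = line + plen;
      size_t flen = len - plen;
      for (size_t i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (flen == strlen(tab[i].name) && !strncmp(feat, tab[i].name, flen))
          mask |= tab[i].bit;
    }
    line = nl ? nl + 1 : NULL;
  }
  return mask;
}

/* Decide where the PIN is typed.  Secure entry on the pinpad needs both a
   reader that advertises the matching direct-PIN feature and a vendor that
   has been tested; anything else falls back to pinentry on the host, which
   exposes the PIN to the desktop but is safe for the card. */
enum pin_path choose_pin_path(const struct reader *r, int modify_pin)
{
  unsigned need = modify_pin ? FEATURE_MODIFY_PIN_DIRECT
                             : FEATURE_VERIFY_PIN_DIRECT;
  if (!(r->features & need))
    return PIN_VIA_HOST;          /* no usable pinpad on this reader */
  switch (r->id_vendor) {
    case VENDOR_SCM:              /* tested */
    case VENDOR_KAAN:             /* tested */
    case VENDOR_VEGA:             /* enabled per this report */
      return PIN_VIA_PINPAD;
    default:
      return PIN_VIA_HOST;        /* untested reader: don't risk the card */
  }
}

int main(void)
{
  /* Constructed sample: the libccid output quoted in the report. */
  const char *diag =
    "SCardControl(CM_IOCTL_GET_FEATURE_REQUEST): OK\n"
    "Reader supports FEATURE_VERIFY_PIN_DIRECT\n"
    "Reader supports FEATURE_MODIFY_PIN_DIRECT\n"
    "Reader supports FEATURE_IFD_PIN_PROPERTIES\n";
  struct reader vega    = { VENDOR_VEGA, parse_features(diag) };
  struct reader unknown = { 0xffffu,     parse_features(diag) };
  printf("vega:    %s\n",
         choose_pin_path(&vega, 0) == PIN_VIA_PINPAD ? "pinpad" : "host");
  printf("unknown: %s\n",
         choose_pin_path(&unknown, 0) == PIN_VIA_PINPAD ? "pinpad" : "host");
  return 0;
}
```

The allow-list is deliberately the last check, not the first: a reader that advertises the feature but has not been tested still ends up on the host path, which is exactly the behaviour the ticket reporter observed before the Vega vendor was enabled.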

Hi Werner,

Thanks for your answer, I will try this, but is there something to do to disable
pcscd? Or does it not affect using the "GnuPG ccid module"?

Thanks in advance for your reply

Best Regards

Hi Werner,

I've done what you proposed, but I see nothing changed; I've surely
forgotten something like disabling pcscd. So how do I disable pcscd? Or what have I
forgotten, or how do I verify that the pinpad is activated?

Do I need to put the option disable-keypad in the scdaemon.conf file?

Thanks in advance for your reply.

Best Regards

Hi Werner,

More information: if I kill all pcscd processes and I try gpg2 --card-status,
I get this wrong information:

Application ID ...: D2760001240102000005XXXXXXXX0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: XXXXXXXX
Name of cardholder: [non positionné]
Language prefs ...: [non positionné]
Sex ..............: non spécifié
URL of public key : [non positionné]
Login data .......: [non positionné]
Signature PIN ....: forcé
Key attributes ...: 2048R 2048R 3072R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

but if I start pcscd, I can see the correct information. Can you tell me what is
wrong in my configuration?

If I kill all pcscd processes again and close and reopen my GNOME session, I get this:

$ gpg2 --card-status
gpg: selecting openpgp failed: Erreur de carte
gpg: la carte OpenPGP n'est pas disponible: Erreur de carte

There are no pcscd process running.

Here are the logs:
gpg-agent.log:
gpg-agent[5518] handler 0x8804250 for fd 10 started
gpg-agent[5518.10] DBG: -> OK Pleased to meet you
gpg-agent[5518.10] DBG: <- RESET
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- OPTION ttyname=/dev/pts/3
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- OPTION ttytype=xterm
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- OPTION display=:0.0
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- OPTION xauthority=/home/masashige/.Xauthority
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- OPTION lc-ctype=fr_FR@euro
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- OPTION lc-messages=fr_FR@euro
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- OPTION allow-pinentry-notify
gpg-agent[5518.10] DBG: -> OK
gpg-agent[5518.10] DBG: <- SCD SERIALNO openpgp
2009-10-04 19:39:58 gpg-agent[5518] new connection to SCdaemon established (reusing)
gpg-agent[5518.11] DBG: -> SERIALNO openpgp
gpg-agent[5518.11] DBG: <- ERR 100663404 Erreur de carte <SCD>
gpg-agent[5518.10] DBG: -> ERR 100663404 Erreur de carte <SCD>
gpg-agent[5518.10] DBG: <- [EOF]
gpg-agent[5518.11] DBG: -> RESTART
gpg-agent[5518.11] DBG: <- OK
2009-10-04 19:40:04 gpg-agent[5518] handler 0x8804250 for fd 10 terminated

scdaemon.log:
scdaemon[5731.0] DBG: <- SERIALNO openpgp
scdaemon[5731.0] DBG: -> ERR 100663404 Erreur de carte <SCD>
scdaemon[5731.0] DBG: <- RESTART
scdaemon[5731.0] DBG: -> OK

$ gpg2 --card-edit
gpg: DBG: connection to agent established
gpg: selecting openpgp failed: Erreur de carte
gpg: la carte OpenPGP n'est pas disponible: Erreur de carte

Commande> quit
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0

outmix=0 getlvl1=0/0 getlvl2=0/0

secmem usage: 0/32768 bytes in 0 blocks

Here are my configuration files
gpg.conf:
use-agent
utf8-strings
keyserver hkp://keys.gnupg.net

gpg-agent.conf:
verbose
pinentry-program /usr/bin/pinentry-gtk-2
no-grab
default-cache-ttl 1800

scdaemon.conf:
verbose

What is wrong in my configuration?

Thanks in advance

Best regards

gniibe added a subscriber: gniibe.

With current 2.0 branch of git repository, I believe that Vega-Alpha works fine.
Please confirm.

Hello Yutaka,

Yes, I can confirm that the pinpad reader Covadis Vega-Alpha works fine with the gnupg-ccid driver and the GnuPG 2 branch between 2.20.

It also works with GnuPG 1.x (currently 1.4.16), but not without gpg-agent (for the reader and the pinpad reader).

With gpg and without gpg-agent:

gpg: pcsc_etablish_context failed: no service (0x8010001d)
gpg: card reader not evailable

PS: I can also confirm (as you know) that with your last git code modification for poldi (not currently committed in the sid Debian package), I can now also use the pinpad for authentication login.

Thank you very much for all of that.

Best Regards


g10 Code's BTS <gnupg@bugs.g10code.com>
<T1148>


This has recently been discussed at gnupg-devel. We have patches ready for 1.4

Hello Werner,


Many thanks for this very good news. Do you know if it is already committed in Debian sid? Or which gpg version includes it?

Best Regards

In 2.1.x (development), scdaemon and its pinpad support has been improved
(including name change from "keypad" support), and it's backported to 2.0.x.

However, it is not backported to 1.4.x. For gpg of 1.4.x, it only works when
you use gpg-agent and scdaemon of 2.?.x.

Some fixes (such as PC/SC support for MacOS) are backported to 1.4.x, though.

For Covadis Vega-Alpha, we would need to backport pinpad support improvement, as
well as CCID driver support improvement (for no auto configuration feature).

Changes are not trivial to merge; I don't know if it's worth it for 1.4.x.

gniibe renamed this task from reader covadis vega-alpha => cannot used secure PIN to 1.4.x pinpad support (reader covadis vega-alpha => cannot used secure PIN). Jun 26 2014, 2:03 AM

Hello,

I can confirm, as I wrote last time, but this time with the new gnupg2 (2.0.24)
and gnupg (1.4.16) versions, that the Vega reader works fine with gpg-agent but fails without it.

If I comment out use-agent in gpg.conf, a simple gpg --card-status gives me:

gpg --card-status
gpg: pcsc_establish_context failed: no service (0x8010001d)
gpg: lecteur de cartes indisponible
gpg: la carte OpenPGP n'est pas disponible : erreur générale

Best Regards.

I don't think that it is worth the trouble. A pinpad reader makes most sense on
desktop machines and there we have 2.x. 1.4 is maintained for use on servers
where card support is anyway hard to operate.

Hello Werner,

Thanks for your comment; if it's too hard and only for me, don't take it into account.

I wanted to use it on boot for LUKS, I will see with GnuPG 2 in this case.

Best Regards.

Just for my information, have you done some tests with GnuPG 2 on boot (because the existing scripts are based on gpg)?

Thanks in advance for your reply.

Best Regards

----- Original Mail -----

From: "Werner Koch via BTS" <gnupg@bugs.g10code.com>
To: gniibe@fsij.org, "tux tsndcb" <tux.tsndcb@free.fr>, wk@gnupg.org
Sent: Friday 27 June 2014 12:59:33
Subject: [issue1148] 1.4.x pinpad support (reader covadis vega-alpha => cannot used secure PIN)

Werner Koch <wk@gnupg.org> added the comment:

okay.


status: in-progress -> resolved

