Generic smartcard widget for PKCS# 15 and other apps
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	aheinecke
	Mar 11 2020, 3:22 PM

Description

When there is no Netkey or OpenPGP card inserted Kleopatra does not show any Smartcard widget, this should change.

The idea is to always do a learn --keypairinfo and then show PIN Change option and any info about the card.

Details

Version: master

Revisions and Commits

rKLEOPATRA Kleopatra
	rKLEOPATRAde7fe0712a4d Preserve the double space in the formatted fingerprint in RichText mode
	rKLEOPATRAb6b2d04d9834 Make card information also selectable by keyboard
	rKLEOPATRAfa20a4de2c02 Use getCryptoConfigEntry() helper to get configured keyserver
	rKLEOPATRA706f0f2d9f25 Use OpenPGPKeyCardWidget for PKCS#15 cards
	rKLEOPATRA079c4ee9434c Make key information selectable by keyboard and mouse
	rKLEOPATRA5ea28758d92e Add button for displaying detailed information about an OpenPGP key
	rKLEOPATRA73cb87f0e776 Add possibility to specify allowed key actions
	rKLEOPATRAe7a526cc8dfb Hide OpenPGP keys section if card does not provide OpenPGP keys
	rKLEOPATRA74f90c8ffccf Support OpenPGP keys on other cards than OpenPGP cards
	rKLEOPATRA9ea7dfff7d51 Improve layout and messages
	rKLEOPATRA75c25653a4a1 Hide widgets of keys not supported by the card
	rKLEOPATRAbc607f1e0040 Add key title label to KeyWidgets
	rKLEOPATRA81dbad4a1f76 Separate update of cached values from card and update of widgets
	rKLEOPATRA3947c79380c7 Add authenticationKeyRef to Card
	rKLEOPATRA4e96ade3f378 Fix equality operator of Card
	rKLEOPATRA9309102065cb Allow checking KeyPairInfo for equality
	rKLEOPATRA8db2859a8a01 Cache fingerprint so that we can update key information without card
	rKLEOPATRA377ac424e4ba Show more information about keys
	rKLEOPATRA6ca23e058c18 Modernize code
	rKLEOPATRA7dc62e3c0677 Factor widget displaying OpenPGP keys out of PGPCardWidget
	rKLEOPATRA219578205a8c Move getter for key fingerprints from OpenPGPCard to base class Card
	rKLEOPATRA011e71ff7eeb Remove now superfluous P15Card::appKeyFingerprint()
	rKLEOPATRA6c08d0a22c59 Remove unimplemented member functions
	rKLEOPATRAa396f548a8ae Parse OpenPGP key fingerprint information in Card
	rKLEOPATRAd8970759bbca Take manufacturer from card info if available
	rKLEOPATRA5e08d5d5fb02 Deduplicate setCardInfo()
	rKLEOPATRA0137dee0df93 Update/fix copyright information
	rKLEOPATRAd2d8cb238809 Store card info map in base class
	rKLEOPATRA88ce1d28c172 Add a first impl and widget for PKCS#15 cards

Related Objects
Search...

		Status	Assigned	Task
		Resolved	aheinecke	T4875 Kleopatra: Improve support for S/MIME Smartcards and add additional card support
		Resolved	aheinecke	T4876 Generic smartcard widget for PKCS# 15 and other apps

Event Timeline

aheinecke created this task.Mar 11 2020, 3:22 PM

So, I've implemented a small widget and p15card class.

For now it is read only and does not show any actions. We could for example show to generate a CSR or another OpenPGP key for such a card. I'm a bit unsure how to decide that. For the current smartcard which we want to present tomorrow we do not want any actions because the smartcard itself is managed by a different application.

The difficultiy for p15card as I understand it is that CardOS / PKCS#15 is just a generic Operating System and how they interact with GnuPG depends a lot on the apps running on the Smartcard. For example we support the Bundesdruckerei card, which have keys for qualified and normal S/MIME operations. But then we also have the Atos Card with R&S apps that I've based the current implementation on and they have a lot of internal keys used for Trusted Disk for example and then additionaly some OpenPGP keys.

My idea for this was that we use the keyRef of the other apps to link the generic PKCS#15 keys to a specific app usage like:

/* Obtain an application specific fingerprint for a key
 * stored on this card.
 * e.g. An App Key Ref would be
 *      OpenPGPCard::pgpSigKeyRef */
std::string appKeyFingerprint(const std::string &appKeyRef) const;

This maps "OpenPGP.1" to the fingerprint of the key returned by std::string signingKeyRef() const;
signingKeyRef for a PKCS#15 card is totally dynamic, like: P15.3F5AF7F52D55E312E7F5349D475EC6D3908A5F7B

But we should talk about this.

As we are adding more and more smartcards I think we should maybe move even more code into the card.h base class. I had to copy around some code from the OpenPGP Card for example and other things are similar to the PIV Card.
Esp. I think that we should add a virtual base implementation for setCardInfo and add mMetaInfo to the base. We could define that mMetaInfo contains everything that SCD learn --force returns, even if that is already parsed into other data members. That way we can always access the info that this command returned later.

void PIVCard::setCardInfo(const std::vector< std::pair<std::string, std::string> > &infos)
{
    qCDebug(KLEOPATRA_LOG) << "Card" << serialNumber().c_str() << "info:";
    for (const auto &pair: infos) {
        qCDebug(KLEOPATRA_LOG) << pair.first.c_str() << ":" << pair.second.c_str();
        if (parseCardInfo(pair.first, pair.second)) {
            continue;
        }
        mMetaInfo.insert(pair.first, pair.second);
    }
}

I have not done this because I did not want to fiddle too much with your architecture @ikloecker without talking to you first. I would like to leave most of that to you. I'll also open a subtask for a "PGPKeyRefWidget" as I needed something like the keyWidgets also in the p15 card.

I'll see about getting at least an atos card to you soon. We do not have many as werner has bricked some ;-)

SCD GETATTR $SIGNKEYID returns the signing key ref. This information is read in get_card_status() and stored in the Card (see rKLEOPATRAd2bf514e4963: Fetch and store IDs of signing key and encryption key for card).

So, if scdaemon returns the dynamic signing key ref of a PKCS#15, then Kleopatra will make use of this already. At least, in those places were Card::signingKeyRef() is already used. A lot of places are still hard-coded to OpenPGPCard::pgpSigKeyRef().

aheinecke added a commit: rKLEOPATRA88ce1d28c172: Add a first impl and widget for PKCS#15 cards.Apr 21 2021, 10:36 AM

Mmh, right I've used that but I still went with the key-fpr as I saw that and werner suggested this could be used by kleo. But it might be better to just ignore the key-fpr values which you have to explicitly query for PKCS#15 and just use

$SIGNKEYID -> keyref.grip to figure out the signing key for openpgp.

So I have talked with werner about this. The key-fpr is mostly required so that we can search for the public key belonging to the smarcard if we don't have it. This would also be something to do for the openpgp card.

The idea is that we can find the public key belonging to a card through the keygrip.
But if we don't then we can search for the key-fpr and import that key e.g. from LDAP. This is the case in R&S Setups so this is important and not just a corner case.

ikloecker claimed this task.May 10 2021, 10:30 AM

ikloecker added a project: Restricted Project.

ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.May 17 2021, 9:43 AM

ikloecker added a commit: rKLEOPATRAa396f548a8ae: Parse OpenPGP key fingerprint information in Card.May 18 2021, 10:47 AM

ikloecker added a commit: rKLEOPATRA0137dee0df93: Update/fix copyright information.

ikloecker added a commit: rKLEOPATRA5e08d5d5fb02: Deduplicate setCardInfo().

ikloecker added a commit: rKLEOPATRAd2d8cb238809: Store card info map in base class.

ikloecker added a commit: rKLEOPATRAd8970759bbca: Take manufacturer from card info if available.

ikloecker added a commit: rKLEOPATRA6c08d0a22c59: Remove unimplemented member functions.

ikloecker added a commit: rKLEOPATRA011e71ff7eeb: Remove now superfluous P15Card::appKeyFingerprint().

ikloecker added a commit: rKLEOPATRA219578205a8c: Move getter for key fingerprints from OpenPGPCard to base class Card.

ikloecker added a commit: rKLEOPATRA6ca23e058c18: Modernize code.May 20 2021, 12:37 PM