Agent, P15: Insert Smartcard query uses serial number instead of $DISPSERIALNO
Testing, NormalPublic
Actions

Assigned To

Authored By

	• aheinecke
	Aug 12 2022, 1:22 PM

Description

For PKCS #15 Cards users are reportedly confused why Pinentry queries for: 160209155B0011311F What they see in the CardOS viewer and In Kleopatra and maybe printed on the card is only the last part of it: 0011311F

As I understand it the reason for this is that in the shadowed private key the serial number is stored and gpg-agent only knows about that. @werner Can you decide what to do about this? Naively i would just cut of the last 8 characters of the string for this smartcard type. This is something that is important to customers because users notice immediately a long string of numbers.

Revisions and Commits

rG GnuPG
	rG13013ec1c0d3 agent: Create and use Token entries to track the display s/n.
	rG1d23dc9389a1 agent: Create and use Token entries to track the display s/n.
	rGdc9b2426288e agent: Create and use Token entries to track the display s/n.

Related Objects

Mentioned In: T7189: Release GnuPG 2.5.0
T6506: Release GnuPG 2.4.2
T6386: gpg-agent 2.2: Command "READKEY --card --no-data -- OPENPGP.1" overwrites protected-private-key with shadowed-private-key
T6105: Release GnuPG 2.2.37

Event Timeline

• aheinecke triaged this task as Normal priority.Aug 12 2022, 1:22 PM

• aheinecke created this task.

We have changes for this in master; I need to see whether it is possible to backport them.

• aheinecke added a commit: rP835b690cbd85: qt: Use Dialogs foregroundwindow code in confirm.Aug 12 2022, 2:23 PM

• aheinecke removed a commit: rP835b690cbd85: qt: Use Dialogs foregroundwindow code in confirm.Aug 12 2022, 2:39 PM

I am going to introduce a new DisplaySN: value for 2.2 which might also be useful for master.

In master we already have Token lines which are created but not yet used. I am going to extend this with the display S/N and drop the idea of a separate Display-SN entry.

If the stub has been created or updated we will now ask for the card
with the Display-SN. If in addition a Label has been set to the key
that label is also shown. Note that the Display-S/N is associated wit
a card but the Label is associated with a key. For example if the
same key has been stored on two cards, the prompt will ask for one of
those cards but shows the same same Label. It is sufficient to insert
any of the cards with the key because that is what we actually need.

• werner added a commit: rGdc9b2426288e: agent: Create and use Token entries to track the display s/n..Aug 15 2022, 12:59 PM

Here is an example

using this key file:

Label: This is my key label
Key: (shadowed-private-key (ecc (curve brainpoolP512r1)(q  [...]
Token: 1602001BCF0014083E P15.DB92E9A7522152B38AAE4E6249D5DCCAC547C287
  - 0014083E
Token: 1602001BCF0014083F P15.DB92E9A7522152B38AAE4E6249D5DCCAC547C287
  - my+label%2bfoo

Note that the first Token line is used by the prompt.

• werner mentioned this in T6105: Release GnuPG 2.2.37.Aug 24 2022, 5:22 PM