[Gnuk-users] State of EdDSA in Gnuk / GnuPG

Bertrand Jacquin bertrand at jacquin.bzh
Tue Jan 20 23:05:38 UTC 2015


On 19/01/2015 05:41, NIIBE Yutaka wrote:
> On 01/18/2015 09:24 AM, Bertrand Jacquin wrote:
>> I'm playing with GnuPG 2.1 and Gnuk in the idea to use EdDSA keys,
>> but it seems that some patches are needed around libgcrypt, gnupg to
>> fully to able to do this and to currently have limitation.
> 
> For EdDSA to use with GnuPG and Gnuk, only a single patch is needed:
> 
>     
> http://lists.gnupg.org/pipermail/gnupg-devel/2014-December/029283.html
> 
> I assume you will get source code from master branch of git.gnupg.org.
> 
> If you want to apply changes to GnuPG 2.1.1, you also need:
> 
>     
> http://lists.gnupg.org/pipermail/gnupg-devel/2014-December/029183.html

Thank you very much for that. That two patches apply finely.

> I think that you need libgcrypt 1.6.2 (at least).

   $ gpg --version
   gpg (GnuPG) 2.1.1
   libgcrypt 1.6.2

> Gnuk 1.1.4 has EdDSA support already.  But you need to enable it
> manually, as GnuPG doesn't has support of changing corresponding
> attributes yet.
> 
> In the following script I use gnuk_token.py under gnuk/tool/.  It will
> overwrite the attribute of OpenPGP.3 (auth) key, provided the Auth
> passphrase is factory setting.
> 
> ================================ enable-ed25519-gnuk-auth.py
> from gnuk_token import get_gnuk_device
> g = get_gnuk_device()
> g.cmd_select_openpgp()
> g.cmd_verify(3,"12345678")
> g.cmd_put_data(0,0xc3,"\x16\x2b\x06\x01\x04\x01\xda\x47\x0f\x01")
> ================================

   $ python2.7 ./usb_strings.py
   Device:
       Vendor: Free Software Initiative of Japan
      Product: Gnuk Token
       Serial: FSIJ-1.1.4-50FF6A06
     Revision: release/1.1.4
       Config: FST_01:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
          Sys: 2.0

   $ python2.7 ./enable-ed25519-gnuk-auth.py
   Traceback (most recent call last):
     File "./enable-ed25519-gnuk-auth.py", line 2, in <module>
       g = get_gnuk_device()
     File "/home/beber/src/gnuk/tool/gnuk_token.py", line 622, in 
get_gnuk_device
       raise ValueError("No ICC present")
   ValueError: No ICC present

I can see that it fail on function gnuk_token.__init__ on line 75:

         self.__devhandle.claimInterface(interface)

This happens when gpg-agent is running. After that can changing the 
admin PIN for g.cmd_verify, it's better.

   $ gpg --card-status | grep -F attributes

   Key attributes ...: 2048R 4096R 255?

Then after when trying to transfer a key to the smartcard:

   $ gpg --edit-key ..
   ..
   sub* ed25519/0x7E28893D85B7D8D1
        created: 2015-01-20  expires: 2017-01-19  usage: A
   [ultimate] (1). esdf fwesdf <fwesdf at gesdg>

   gpg> keytocard
   Please select where to store the key:
      (3) Authentication key
   Your selection? 3

   gpg: WARNING: such a key has already been stored on the card!

   Replace existing key? (y/N) y
   gpg: KEYTOCARD failed: End of file

Is this something you already experienced ?

> For Curve25519 (encryption/decryption), Gnuk only has lower-level
> routine and upper-layer is comming soon, together with changes needed
> to GnuPG.

Thank you for that.

Cheers,

-- 
Bertrand



More information about the gnuk-users mailing list