[Gnuk-users] State of EdDSA in Gnuk / GnuPG
Bertrand Jacquin
bertrand at jacquin.bzh
Tue Jan 20 23:05:38 UTC 2015
On 19/01/2015 05:41, NIIBE Yutaka wrote:
> On 01/18/2015 09:24 AM, Bertrand Jacquin wrote:
>> I'm playing with GnuPG 2.1 and Gnuk in the idea to use EdDSA keys,
>> but it seems that some patches are needed around libgcrypt, gnupg to
>> fully to able to do this and to currently have limitation.
>
> For EdDSA to use with GnuPG and Gnuk, only a single patch is needed:
>
>
> http://lists.gnupg.org/pipermail/gnupg-devel/2014-December/029283.html
>
> I assume you will get source code from master branch of git.gnupg.org.
>
> If you want to apply changes to GnuPG 2.1.1, you also need:
>
>
> http://lists.gnupg.org/pipermail/gnupg-devel/2014-December/029183.html
Thank you very much for that. That two patches apply finely.
> I think that you need libgcrypt 1.6.2 (at least).
$ gpg --version
gpg (GnuPG) 2.1.1
libgcrypt 1.6.2
> Gnuk 1.1.4 has EdDSA support already. But you need to enable it
> manually, as GnuPG doesn't has support of changing corresponding
> attributes yet.
>
> In the following script I use gnuk_token.py under gnuk/tool/. It will
> overwrite the attribute of OpenPGP.3 (auth) key, provided the Auth
> passphrase is factory setting.
>
> ================================ enable-ed25519-gnuk-auth.py
> from gnuk_token import get_gnuk_device
> g = get_gnuk_device()
> g.cmd_select_openpgp()
> g.cmd_verify(3,"12345678")
> g.cmd_put_data(0,0xc3,"\x16\x2b\x06\x01\x04\x01\xda\x47\x0f\x01")
> ================================
$ python2.7 ./usb_strings.py
Device:
Vendor: Free Software Initiative of Japan
Product: Gnuk Token
Serial: FSIJ-1.1.4-50FF6A06
Revision: release/1.1.4
Config: FST_01:dfu=no:debug=no:pinpad=no:certdo=yes:keygen=yes
Sys: 2.0
$ python2.7 ./enable-ed25519-gnuk-auth.py
Traceback (most recent call last):
File "./enable-ed25519-gnuk-auth.py", line 2, in <module>
g = get_gnuk_device()
File "/home/beber/src/gnuk/tool/gnuk_token.py", line 622, in
get_gnuk_device
raise ValueError("No ICC present")
ValueError: No ICC present
I can see that it fail on function gnuk_token.__init__ on line 75:
self.__devhandle.claimInterface(interface)
This happens when gpg-agent is running. After that can changing the
admin PIN for g.cmd_verify, it's better.
$ gpg --card-status | grep -F attributes
Key attributes ...: 2048R 4096R 255?
Then after when trying to transfer a key to the smartcard:
$ gpg --edit-key ..
..
sub* ed25519/0x7E28893D85B7D8D1
created: 2015-01-20 expires: 2017-01-19 usage: A
[ultimate] (1). esdf fwesdf <fwesdf at gesdg>
gpg> keytocard
Please select where to store the key:
(3) Authentication key
Your selection? 3
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
gpg: KEYTOCARD failed: End of file
Is this something you already experienced ?
> For Curve25519 (encryption/decryption), Gnuk only has lower-level
> routine and upper-layer is comming soon, together with changes needed
> to GnuPG.
Thank you for that.
Cheers,
--
Bertrand
More information about the gnuk-users
mailing list