[Gnuk-users] Gnuk (on "Blue Pill") issues

Jeremy Drake jeremydrake+gnuk at eacceleration.com
Wed Aug 2 22:53:08 UTC 2017

Lately I've been looking at using Gnuk running on the "blue pill" boards 
as a hardware token for OpenVPN.  I've been very impressed with it.

During the course of my testing, I've found a few minor issues.  I don't 
know if they are specific to the "blue pill" board or not, but here's a 
quick list:

1) I have not been able to find any tool, other than the 
gnuk_put_binary_libusb.py script in the repository, that is able to load a 
cardholder certificate.  The main contenders were pkcs15-init 
--store-certificate, and gpg --card-edit's 'writecert 3 < file.der'

2) The gnuk_put_binary_libusb.py script seems to work to load the 
certificate, but claims that verify failed.  Despite this, 
both gpg --card-edit's "readcert 3 > file.der" and pkcs15-tool 
--read-certificate are able to get the certificate, and the certificate 
retrieved either way compares identical to the certificate loaded.

3) The firmware update mechanism, invoked via the 'upgrade_by_passwd.py' 
script, didn't work for me.  Toward the end of the process, it printed out 
a bunch of "failed" lines, then protected the flash and reset the device. 
The device sometimes worked, sometimes didn't after that, and even if it 
did seem to work it was not stable.  It had to be re-flashed over the SWD 
port to get back to normal.  I was able to track down a cause for this, 
and have a proposed patch that I'll send as a separate email that solves 
this for me.

More information about the gnuk-users mailing list