
Yubikey and PIV support in 2.3 (was: Multiple readers with scdaemon)
On Thu, 19 Sep 2019 00:13, uri@mit.edu said:
> Another problem is that GnuPG insists on opening the card in an
> exclusive mode - which is unacceptable for cards/tokens with multiple
> applets (OpenPGP and PIV is what I've got), as different apps require

Actually this is another reason to have exclusive access. It allows
us to switch between the PIV and OpenPGP apps on a Yubikey as needed.

> use of both applets, sometimes running in parallel - like a browser
> session that uses PIV to authenticate to the server, an email session
> that may use both PIV and OpenPGP applets to deal with S/MIME and
> PGP/MIME emails, and occasional SSH operations during that time.

That is exactly the use case we have implemented. Needs more testing
with several cards but a single Yubikey works well enough now in 2.3.

To make testing easier we have Debian packages of gnupg master (to be
2.3) and scute (our pkcs11 provider) available:

deb [arch=amd64] https://ftp.g10code.com/apt buster gnupg-beta
deb [arch=amd64] https://ftp.g10code.com/apt stretch gnupg-beta
deb [arch=amd64] https://ftp.g10code.com/apt cosmic gnupg-beta

The version currently available does not yet include gniibe's latest
changes. I was able to use gpg for signing and encrypting with a card
while also accessing PIV key protected pages with Firefox. Earlier this
year I also did tests with Thunderbird which also worked. Yubikey 5 and
4 are supported. You may want to have a look at the new gpg-card tool
and its man page. Also gpg --full-gen-key and gpgsm --gen-key now show
a list of keys available on the current smartcard and allow using them
for the generation of OpenPGP/X.509 certificates. --quick-gen-key has
also been enhanced to act upon the special algo parameter "card" with
the generation of a standard OpenPGP key based on the standard signing
and decryption key of the card (for OpenPGP, Netkey, and PIV cards).


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Yubikey and PIV support in 2.3 (was: Multiple readers with scdaemon)
Werner,

That is interesting. But my platform is Mac, and among the apps I need working are MS Outlook and Apple Mail (and Safari). At least the Apple apps use CTK to access smart cards. I'm pretty sure that even if everything else GnuPG-related works OK the way you described, GnuPG exclusive access would block out the native apps that do not (cannot) use scute.

Currently I'm using OpenSC for PKCS#11 access (Firefox, Adobe Acrobat, everything OpenSSL-based), and OpenSC.tokend or native pivtoken for those apps that don't speak PKCS#11 - which on Mac means either CDSA or CTK (tokend addresses CDSA apps such as MS Office, and pivtoken - the new CTK ones).

Frankly, I don't see how it would work on Mac, if GnuPG would lock the token for its own use only.

Which is why I keep saying that this lock should be a configurable parameter - maybe on by default, but with the ability to turn it off.

Also, OpenSC deals with multiple applets by testing whether the required applet is active, and re-asserting/selecting it if needed.

Thanks!

Sent from my test iPhone

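The applet-switching pattern the reply attributes to OpenSC (check which applet is active, re-select it if needed, hold the token only for the duration of one command) modelled as an added simulation; this is not code from the thread, from GnuPG or from OpenSC. The Token and Client classes, the AID strings "PIV" and "OPENPGP", and the naive client that selects only once are constructed for illustration and do not talk to a real reader.

```python
"""Constructed model of two applications sharing one multi-applet token.

A Yubikey-style token exposes two applets (OpenPGP and PIV) but only one
is selected at a time.  A well-behaved client re-checks the selected
applet inside every transaction; a naive client selects once and assumes
nothing else touched the card, which breaks as soon as another
application (browser, mail client) has switched applets in between.
"""
import threading


class Token:
    """One card with several applets; exactly one applet is selected."""

    def __init__(self, applets):
        self.applets = set(applets)
        self.current = None                 # AID of the selected applet
        self._lock = threading.RLock()      # stands in for a PC/SC transaction
        self.selects = 0                    # number of SELECT commands sent

    def transaction(self):
        return self._lock

    def select(self, aid):
        if aid not in self.applets:
            raise ValueError(f"applet {aid} not present")
        self.current = aid
        self.selects += 1

    def operate(self, aid, op):
        # A command is only accepted while its own applet is selected.
        if self.current != aid:
            raise RuntimeError(f"{op}: {aid} not selected, current={self.current}")
        return f"{aid}:{op}"


class Client:
    """Application bound to one applet; re-selects it whenever needed."""

    def __init__(self, token, aid):
        self.token, self.aid = token, aid

    def run(self, op):
        with self.token.transaction():      # exclusive only for this command
            if self.token.current != self.aid:
                self.token.select(self.aid)
            return self.token.operate(self.aid, op)


class NaiveClient(Client):
    """Selects its applet once and never checks again (the failure mode)."""

    def run(self, op):
        with self.token.transaction():
            if self.token.current is None:  # wrongly assumes it stays selected
                self.token.select(self.aid)
            return self.token.operate(self.aid, op)


def interleave(ops):
    """Execute (client, op) pairs in order, as two apps would on one card."""
    return [client.run(op) for client, op in ops]
```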