
private data objects on smartcard
Hi there,

The OpenPGP smartcards seem to have private data objects to store
arbitrary data, right? It seems even the old 1.1 version cards feature
these objects.

How do you write to these objects? Can GnuPG do this? I didn't find any
way with --card-edit or --card-status. And can GnuPG read these objects?

I read somewhere that the size of these objects is 2048 bytes each. How
many of these objects exist on a smartcard?

Thanks!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: private data objects on smartcard
Hi,

On Thu, Jan 30, 2020 at 11:24:54PM +0100, mailing list via Gnupg-users wrote:
>How do you write to these objects? Can GnuPG do this? I didn't find
>any way with --card-edit or --card-status.

You can use the (undocumented) command "privatedo" from GnuPG's
--card-edit menu. For example, to write into the private DO #1:

$ gpg --card-edit
gpg/card> privatedo 1
Private DO data: [enter whatever value you want to store into the DO]

Or, to write the contents of a file into the private DO #2:

$ gpg --card-edit
gpg/card> privatedo 2 < [filename]


> And can GnuPG read these objects?

Yes. If a private DO contains a value, it will be listed in the output
from the --card-status command.


>I read somewhere, the size of these objects is 2048 bytes each. How
>many of these objects do exist on a smartcard?

First, note that private DOs are an optional feature of the OpenPGP
smart card; not all implementations support them.

You can use the following command to check if an OpenPGP smart card
supports private DOs:

$ gpg-connect-agent 'SCD LEARN --force' /bye | grep EXTCAP
S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1

Here, "pd=1" means the card does have private DOs. "pd=0" would indicate
that private DOs are not supported.

When private DOs are supported, there are four of them. For cards
compatible with versions 1.x or 2.x of the specification, they have a
size of 254 bytes. For 3.x cards, the size of the private DOs is defined
by the implementation (the OpenPGP smart card from FLOSS Shop [1] has
indeed 2048-bytes private DOs).

Cheers,

- Damien


[1]
https://www.floss-shop.de/en/security-privacy/smartcards/13/openpgp-smart-card-v3.3?c=40
Re: private data objects on smartcard
On 31.01.20 at 00:14, Damien Goutte-Gattat wrote:

> On Thu, Jan 30, 2020 at 11:24:54PM +0100, mailing list via Gnupg-users
> wrote:
>> How do you write to these objects? Can GnuPG do this? I didn't find
>> any way with --card-edit or --card-status.
>
> You can use the (undocumented) command "privatedo" from GnuPG's
> --card-edit menu. For example, to write into the private DO #1:

Great, thanks!


>  S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1

By the way, is mcl3 the length of the key currently living on the
smartcard or the maximum key length supported by this card?
I'm just playing with a version 1.1 card, and mcl3 is 0 there... Version 1.1
supports 1024-bit RSA AFAIK.

Thanks!

Re: private data objects on smartcard
> (...)

> You can use the (undocumented) command "privatedo" from GnuPG's
> --card-edit menu. For example, to write into the private DO #1:
> (...)
>> And can GnuPG read these objects?
>
> Yes. If a private DO contains a value, it will be listed in the output
> from the --card-status command.

I hoped these objects might have been (read) protected by the PIN, but
they're world readable if you have the card, a bit sad...




Re: private data objects on smartcard
On Fri, Jan 31, 2020 at 12:39:11AM +0100, mailing list wrote:
>By the way, is mcl3 the length of the key currently living on the
>smartcard or the maximum key length supported by this card?

Neither of those. It's the maximum length of the "Cardholder certificate
DO". This is another data object available on an OpenPGP smart card,
intended to store an X.509 certificate.

You can write to that DO using the (undocumented) writecert command. For
example, assuming the cert.der file contains a DER-encoded X.509
certificate:

$ gpg --card-edit
gpg/card> writecert 3 < cert.der

GnuPG allows writing into that DO but does not actually use it. As far
as I know, the only component that makes use of the Cardholder
certificate DO is Scute [1], for TLS client authentication (and even for
that the DO is actually dispensable: if Scute does not find the desired
certificate in that DO, it will obtain it from GpgSM).


>I just play with a card version 1.1 and mcl3 is 0 there.....

The Cardholder certificate DO was added in version 2.0 of the
specification, so nothing surprising here.


Cheers,

- Damien


[1] http://scute.org/
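As an added example (not code from the thread or from GnuPG), a small POSIX shell helper that parses the EXTCAP line returned by gpg-connect-agent 'SCD LEARN --force' /bye, as shown in the earlier answer, and turns it into the two checks a practitioner wants before using the commands above: does the card advertise private DOs (pd), and would a DER certificate of a given size fit into the Cardholder certificate DO (mcl3) before running writecert 3. The agent output below is constructed for the example.

```shell
#!/bin/sh
# Constructed samples of the EXTCAP line printed by
# `gpg-connect-agent 'SCD LEARN --force' /bye` (format as quoted in the thread).
SAMPLE_LEARN_OUTPUT='S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=1+kdf=1
OK'
# Constructed: what an older card that has private DOs but no
# Cardholder certificate DO (mcl3=0) might report.
SAMPLE_V1_OUTPUT='S EXTCAP pd=1+mcl3=0
OK'
# Constructed: a card without private DO support.
SAMPLE_NO_PD='S EXTCAP pd=0+mcl3=2048
OK'

# extcap_get OUTPUT KEY: print the value of KEY from the "S EXTCAP" line
# (fields are '+'-separated key=value pairs); print nothing if absent.
extcap_get() {
    printf '%s\n' "$1" | sed -n 's/^S EXTCAP //p' | tr '+' '\n' |
        sed -n "s/^$2=//p"
}

# card_has_private_dos OUTPUT: succeed only when the card reports pd=1.
card_has_private_dos() {
    [ "$(extcap_get "$1" pd)" = "1" ]
}

# cert_fits OUTPUT SIZE_BYTES: succeed when a certificate of SIZE_BYTES
# fits in the Cardholder certificate DO; fail if mcl3 is missing or 0
# (no such DO on the card) or the certificate is larger than mcl3.
cert_fits() {
    max=$(extcap_get "$1" mcl3)
    [ -n "$max" ] && [ "$max" -gt 0 ] && [ "$2" -le "$max" ]
}

# Demo against the constructed samples.
card_has_private_dos "$SAMPLE_LEARN_OUTPUT" && echo "sample card: private DOs supported" || echo "sample card: no private DOs"
cert_fits "$SAMPLE_LEARN_OUTPUT" 1500 && echo "1500-byte cert fits in DO 3" || echo "1500-byte cert does not fit"
cert_fits "$SAMPLE_V1_OUTPUT" 100 && echo "v1 card: cert fits" || echo "v1 card: no Cardholder certificate DO"

# Live use (not run here): feed the real agent output instead of the samples.
#   out=$(gpg-connect-agent 'SCD LEARN --force' /bye)
#   card_has_private_dos "$out" && echo "private DOs supported"
#   cert_fits "$out" "$(wc -c < cert.der)" && echo "cert.der fits in DO 3"
```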
Re: private data objects on smartcard
On Fri, Jan 31, 2020 at 12:55:05AM +0100, mailing list wrote:
>I hoped these objects might have been (read) protected by the PIN, but
>they're world readable if you have the card, a bit sad...

Only Private DOs #1 and #2 are readable without any PIN. Reading the
private DO #3 requires the user PIN, and reading the private DO #4
requires the admin PIN.

If no PIN has been verified, the --card-status command will only ever
print out the contents of private DOs #1 and #2.

While we are at it, *writing* to the private DOs #1 and #3 requires the
user PIN, and writing to the private DOs #2 and #4 requires the admin
PIN.

You can find the details about those DOs and all the other features of
the OpenPGP smart card in the specifications for the different versions,
which are all available on GnuPG's site [1].


Cheers,

- Damien


[1] https://gnupg.org/ftp/specs/
Re: private data objects on smartcard
> (...)
> If no PIN has been verified, the --card-status command will only ever
> print out the contents of private DOs #1 and #2.
>
> While we are at it, *writing* to the private DOs #1 and #3 requires the
> user PIN, and writing to the private DOs #2 and #4 requires the admin PIN.
>
> You can find the details about those DOs and all the other features of
> the OpenPGP smart card in the specifications for the different versions,
> which are all available on GnuPG's site [1].
>

Thanks a lot for the support!

