Using GnuPG in the UbuntuPhone BQ E4.5 (part2: OpenPGP CCID Card)
The final step is getting support for the GnuPG card, so that we do not have to key in
longish passphrases with the OSK.

We need the 'pcscd' daemon. Its build is a bit tricky because later, when it is started from
outside the chrooted system, it must find the ccid driver. We compile the following pieces
inside the chroot'ed system, in this order:

    pcsc-lite-1.8.23
    ccid-1.4.30

First we need some more packages:

    phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot
    phablet@ubuntu-phablet-bq:~# su - phablet
    phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-dev
    phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-1.0-0-dev
    phablet@ubuntu-phablet-bq:~$ sudo apt-get install pkg-config

Now we make pcsc-lite-1.8.23 with the following options set on ./configure ...

    phablet@ubuntu-phablet-bq:~$ cd pcsc-lite-1.8.23
    phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ ./configure --enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers --enable-confdir=/home/phablet/myRoot/etc/reader.conf.d --disable-libsystemd
    ...
    PC/SC lite has been configured with following options:

    Version:             1.8.23
    System binaries:     /usr/local/sbin
    Configuration dir:   /usr/local/etc/reader.conf.d

    Host:                armv7l-unknown-linux-gnueabihf
    Compiler:            gcc
    Preprocessor flags:  -I${top_srcdir}/src
    Compiler flags:      -Wall -fno-common -g -O2
    Preprocessor flags:  -I${top_srcdir}/src
    Linker flags:
    Libraries:           -ldl -lrt

    PTHREAD_CFLAGS:      -pthread
    PTHREAD_LIBS:
    PCSC_ARCH:           Linux

    pcscd binary            /usr/local/sbin/pcscd
    polkit support:         no
    polkit policy dir:
    libudev support:        yes
    libusb support:         no
    USB drop directory:     /home/phablet/myRoot/usr/local/lib/pcsc/drivers
    ATR parsing messages:   false
    ipcdir:                 /var/run/pcscd
    use serial:             yes
    use usb:                yes
    systemd unit directory: /lib/systemd/system
    serial config dir.:     /home/phablet/myRoot/etc/reader.conf.d
    filter:                 no

    PCSCLITE_FEATURES:      Linux armv7l-unknown-linux-gnueabihf serial usb libudev usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/home/phablet/myRoot/etc/reader.conf.d

    checking that generated files are newer than configure... done
    ...
    phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make
    phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make install

OK, now the 'ccid' driver, installed (copied) so that it is seen by the daemon:

    phablet@ubuntu-phablet-bq:~$ cd ccid-1.4.30
    phablet@ubuntu-phablet:~/ccid-1.4.30$ ./configure --enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers
    ...
    libccid has been configured with following options:

    Version:             1.4.30
    User binaries:       /usr/local/bin
    Configuration files: /usr/local/etc

    Host:                armv7l-unknown-linux-gnueabihf
    Compiler:            gcc
    Preprocessor flags:
    Compiler flags:      -g -O2
    Preprocessor flags:
    Linker flags:
    Libraries:

    PCSC_CFLAGS:         -pthread -I/usr/local/include/PCSC
    PCSC_LIBS:           -L/usr/local/lib -lpcsclite
    PTHREAD_CFLAGS:      -pthread
    PTHREAD_LIBS:
    BUNDLE_HOST:         Linux
    DYN_LIB_EXT:         so
    LIBUSB_CFLAGS:       -I/usr/include/libusb-1.0
    LIBUSB_LIBS:         -lusb-1.0
    SYMBOL_VISIBILITY:   -fvisibility=hidden
    NOCLASS:

    libusb support:          yes
    composite as multislot:  no
    multi threading:         yes
    bundle directory name:   ifd-ccid.bundle
    USB drop directory:      /home/phablet/myRoot/usr/local/lib/pcsc/drivers
    serial Twin support:     no
    serial twin install dir: /home/phablet/myRoot/usr/local/lib/pcsc/drivers/serial
    serial config directory: /home/phablet/myRoot/etc/reader.conf.d
    compiled for pcsc-lite:  yes
    syslog debug:            no
    class driver:            yes
    ...
    phablet@ubuntu-phablet:~/ccid-1.4.30$ make
    phablet@ubuntu-phablet:~/ccid-1.4.30$ sudo make install

The driver libccid.so and its control file Info.plist ended up as configured:

    phablet@ubuntu-phablet:~$ find /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
    /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
    /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
    /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
    /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist

But if we run the daemon from outside the chrooted system, it must be in
/usr/local/lib/pcsc/drivers/ifd-ccid.bundle because /home/phablet/myRoot gets
added in front; so we copy them over to the correct place:

    phablet@ubuntu-phablet:~$ sudo mkdir -p /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
    phablet@ubuntu-phablet:~$ sudo cp -rp /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
    phablet@ubuntu-phablet:~$ find /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
    /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
    /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents
    /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
    /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
    /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist

From outside the chrooted system we can now start the daemon as:

    $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd --foreground --debug | tee pcscd.log

and check the log file pcscd.log to see if it sees the card attaching.

Now we start the pcscd daemon in the phone as:

    $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd
    $ ps ax | grep pcscd
    31669 pts/53   Sl     0:00 /home/phablet/myRoot/usr/local/sbin/pcscd

To restart pcscd after a device reboot, we put the above line into
a small script, ~phablet/pcscd.sh; this script allows us to start and stop the daemon:

    $ ./pcscd.sh
    [sudo] password for phablet:
    started pcscd pid 9187
    $ ./pcscd.sh
    killing pcscd pid 9187

Its logic is simple:

    $ cat ./pcscd.sh
    #!/bin/sh
    # if pcscd is running, we only kill it, else we start it
    #
    test -f /run/pcscd/pcscd.pid && {
        echo killing pcscd pid `cat /run/pcscd/pcscd.pid`
        sudo kill `cat /run/pcscd/pcscd.pid`
        # the pid file was created by the root-run daemon, so remove it with sudo as well
        sudo rm -f /run/pcscd/pcscd.pid
        exit 0
    }
    # --auto-exit lets pcscd end on its own when it is idle
    sudo /home/phablet/myRoot/usr/local/sbin/pcscd --auto-exit
    test -f /run/pcscd/pcscd.pid && echo started pcscd pid `cat /run/pcscd/pcscd.pid`

We can now run gpg --card-status to see if it finds the card on attach:

    $ ./gpg.sh --card-status
    Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
    Application ID ...: D27600012401020100050000532B0000
    Version ..........: 2.1
    Manufacturer .....: ZeitControl
    Serial number ....: 0000532B
    Name of cardholder: Matthias Apitz
    Language prefs ...: en
    Sex ..............: unspecified
    URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
    Login data .......: [not set]
    Signature PIN ....: not forced
    Key attributes ...: rsa4096 rsa4096 rsa4096
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 3 0 3
    Signature counter : 457
    Signature key ....: 5E69 FBAC 1618 562C B3CB FBC1 47CC F7E4 76FE 9D11
          created ....: 2017-05-14 18:20:07
    Encryption key....: EB62 00DA 13A1 9E80 679B 1A13 61F1 ECB6 25C9 A6C3
          created ....: 2017-05-14 18:20:07
    Authentication key: E51D D2D6 C727 35D6 651D EA4B 6AA5 C5C4 51A1 CD1C
          created ....: 2017-05-14 18:20:07
    General key info..: [none]

We renamed ~/.gnupg (to save the *.conf files) and copied over from my
real netbook the ~/.password-store and the key material for the GnuPG card:

    phablet@ubuntu-phablet:~$ mv .gnupg .gnupg-localkey
    phablet@ubuntu-phablet:~$ mv .password-store .password-store-localkey
    phablet@ubuntu-phablet:~$ mkdir .password-store
    phablet@ubuntu-phablet:~$ chmod 0700 .password-store

From the host:

    $ scp -rp .gnupg-ccid phablet@10.42.0.1:.
    $ scp -rp .password-store phablet@10.42.0.1:.

    phablet@ubuntu-phablet:~$ mv .gnupg-ccid .gnupg
    phablet@ubuntu-phablet:~$ cp -p .gnupg-localkey/*.conf .gnupg

Let's see if ./pass.sh can unlock the card (via the gpg-agent) and decipher the
encrypted information:

    $ ./pass.sh cards/cuba
    ┌─────────────────────────────────────────────┐
    │ Please insert the card with serial number:  │
    │                                             │
    │ 0005 0000532B                               │
    │                                             │
    │        <OK>                     <Cancel>    │
    └─────────────────────────────────────────────┘
    ┌──────────────────────────────────────────────┐
    │ Please unlock the card                       │
    │                                              │
    │ Number: 0005 0000532B                        │
    │ Holder: Matthias Apitz                       │
    │                                              │
    │ PIN ________________________________________ │
    │                                              │
    │        <OK>                      <Cancel>    │
    └──────────────────────────────────────────────┘
    4711
    $

On the 2nd run it no longer needs the PIN:

    $ ./pass.sh askubuntu.com/guru@unixarea.de
    4711

i.e. all is fine! The OpenPGP card remains unlocked until power-off, i.e.
until the card is withdrawn.
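
A pre-flight check built on the gpg --card-status output shown above, as an added example that is not part of the original post: it confirms that the expected card is inserted and that the user PIN still has tries to spare before anything triggers the PIN prompt on the OSK. The function names card_field and card_preflight and the threshold of 2 tries are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): refuse to prompt for the PIN
# unless the expected card is inserted and the user PIN has tries to spare.

# Constructed sample: a few lines of the --card-status output shown above.
sample_status() {
    cat <<'EOF'
Application ID ...: D27600012401020100050000532B0000
Serial number ....: 0000532B
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
EOF
}

# Print the value of the status line (read from stdin) that starts with label $1.
card_field() {
    awk -v label="$1" 'index($0, label) == 1 {
        sub(/^[^:]*: */, "")    # drop label, filler dots and the first colon
        print; exit
    }'
}

# $1 = expected serial, $2 = minimum user-PIN tries; card status on stdin.
# Returns 0 if ok, 2 = no card seen, 3 = other card, 4 = too few tries left.
card_preflight() {
    status=$(cat)
    serial=$(printf '%s\n' "$status" | card_field "Serial number")
    retries=$(printf '%s\n' "$status" | card_field "PIN retry counter")
    [ -n "$serial" ] || { echo "no card seen (is pcscd running?)"; return 2; }
    [ "$serial" = "$1" ] || { echo "wrong card: $serial"; return 3; }
    # The counter holds three numbers: user PIN, reset code, admin PIN.
    set -- "$2" $retries
    [ "$2" -ge "$1" ] 2>/dev/null || { echo "user PIN has only ${2:-?} tries left"; return 4; }
    echo "card $serial ok, user PIN tries left: $2"
}

# On the phone (./gpg.sh and ./pass.sh are the wrappers used in the post):
#   ./gpg.sh --card-status | card_preflight 0000532B 2 && ./pass.sh cards/cuba
sample_status | card_preflight 0000532B 2
```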