    Using GnuPG in the UbuntuPhone BQ E4.5 (part2: OpenPGP CCID Card)

        guru
        last edited by guru

        Final step is getting support for the GnuPG-card to not have to key-in
        longish passphrases with the OSK.
        [image: UbuntuPhone-GnuPG-card.png]

        We need the 'pcscd' daemon.
        Its build is a bit tricky because it must later, on start from outside the
        chrooted system, find the ccid driver.

        We compile the following pieces inside the chroot'ed system in that order:

        pcsc-lite-1.8.23
        ccid-1.4.30
        

        first we need some more packages:

        phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot
        phablet@ubuntu-phablet-bq:~# su - phablet
        phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-dev
        phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-1.0-0-dev
        phablet@ubuntu-phablet-bq:~$ sudo apt-get install pkg-config
        

        now we make pcsc-lite-1.8.23 with the following options set on ./configure ...

        phablet@ubuntu-phablet-bq:~$ cd pcsc-lite-1.8.23
        phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ ./configure --enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers --enable-confdir=/home/phablet/myRoot/etc/reader.conf.d --disable-libsystemd
        
        ...
        PC/SC lite has been configured with following options:
        
        Version:             1.8.23
        System binaries:     /usr/local/sbin
        Configuration dir:   /usr/local/etc/reader.conf.d
        
        
        Host:                armv7l-unknown-linux-gnueabihf
        Compiler:            gcc
        Preprocessor flags:  -I${top_srcdir}/src
        Compiler flags:      -Wall -fno-common -g -O2
        Preprocessor flags:  -I${top_srcdir}/src
        Linker flags:
        Libraries:           -ldl  -lrt
        
        PTHREAD_CFLAGS:      -pthread
        PTHREAD_LIBS:
        PCSC_ARCH:           Linux
        
        pcscd binary            /usr/local/sbin/pcscd
        polkit support:         no
        polkit policy dir:
        libudev support:        yes
        libusb support:         no
        USB drop directory:     /home/phablet/myRoot/usr/local/lib/pcsc/drivers
        ATR parsing messages:   false
        ipcdir:                 /var/run/pcscd
        use serial:             yes
        use usb:                yes
        systemd unit directory: /lib/systemd/system
        serial config dir.:     /home/phablet/myRoot/etc/reader.conf.d
        filter:                 no
        
        PCSCLITE_FEATURES:       Linux armv7l-unknown-linux-gnueabihf serial usb libudev usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/home/phablet/myRoot/etc/reader.conf.d
        
        checking that generated files are newer than configure... done
        ...
        
        phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make
        phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make install
        

        ok, now the 'ccid' driver, installed (copied) to be seen by the daemon:

        phablet@ubuntu-phablet-bq:~$ cd ccid-1.4.30
        phablet@ubuntu-phablet:~/ccid-1.4.30$ ./configure -enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers
        ...
        libccid has been configured with following options:
        
        Version:             1.4.30
        User binaries:       /usr/local/bin
        Configuration files: /usr/local/etc
        
        
        Host:                armv7l-unknown-linux-gnueabihf
        Compiler:            gcc
        Preprocessor flags:
        Compiler flags:      -g -O2
        Preprocessor flags:
        Linker flags:
        Libraries:
        
        PCSC_CFLAGS:         -pthread -I/usr/local/include/PCSC
        PCSC_LIBS:           -L/usr/local/lib -lpcsclite
        PTHREAD_CFLAGS:      -pthread
        PTHREAD_LIBS:
        BUNDLE_HOST:         Linux
        DYN_LIB_EXT:         so
        LIBUSB_CFLAGS:       -I/usr/include/libusb-1.0
        LIBUSB_LIBS:         -lusb-1.0
        SYMBOL_VISIBILITY:   -fvisibility=hidden
        NOCLASS:
        
        libusb support:          yes
        composite as multislot:  no
        multi threading:         yes
        bundle directory name:   ifd-ccid.bundle
        USB drop directory:      /home/phablet/myRoot/usr/local/lib/pcsc/drivers
        serial Twin support:     no
        serial twin install dir: /home/phablet/myRoot/usr/local/lib/pcsc/drivers/serial
        serial config directory: /home/phablet/myRoot/etc/reader.conf.d
        compiled for pcsc-lite:  yes
        syslog debug:            no
        class driver:            yes
        
        ...
        
        phablet@ubuntu-phablet:~/ccid-1.4.30$ make
        phablet@ubuntu-phablet:~/ccid-1.4.30$ sudo make install
        

        the driver libccid.so and its control file Info.plist ended up as configured:

        phablet@ubuntu-phablet:~$ find /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
        /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
        /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
        /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
        /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
        

        but if we run the daemon from outside the chrooted system, it must be in
        /usr/local/lib/pcsc/drivers/ifd-ccid.bundle because /home/phablet/myRoot gets
        added in front; so we copy them over to the correct place:

        phablet@ubuntu-phablet:~$ sudo mkdir -p /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
        phablet@ubuntu-phablet:~$ sudo cp -rp /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
        phablet@ubuntu-phablet:~$ find /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
        /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
        /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents
        /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
        /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
        /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
        
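        Added example, not code from guru's post: a small POSIX sh check that a CCID driver bundle under a given pcsc-lite USB drop directory has the layout pcscd scans for, i.e. Contents/Info.plist is present and the shared object named by its CFBundleExecutable key exists under Contents/Linux/ (the "Linux" subdirectory matches the BUNDLE_HOST/PCSC_ARCH shown by configure above). The make_sample_bundle helper only builds a constructed dummy layout so the check can be tried without a real driver. Running it against both /usr/local/lib/pcsc/drivers and the chroot-prefixed path tells you which location actually carries the driver before the daemon is started.

```sh
#!/bin/sh
# Added example, not part of the original post. Verifies that a CCID driver
# bundle under a pcsc-lite USB drop directory has the layout pcscd looks for:
#   <dropdir>/ifd-ccid.bundle/Contents/Info.plist
#   <dropdir>/ifd-ccid.bundle/Contents/Linux/<CFBundleExecutable>

# Usage: check_ccid_bundle DROPDIR ; returns 0 when the bundle is usable, 1 otherwise
check_ccid_bundle() {
    bundle="$1/ifd-ccid.bundle"
    plist="$bundle/Contents/Info.plist"
    [ -f "$plist" ] || { echo "missing $plist" >&2; return 1; }
    # CFBundleExecutable names the shared object; its <string> value sits on
    # the line following the <key> line in the plist
    exe=$(sed -n '/<key>CFBundleExecutable<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$plist")
    [ -n "$exe" ] || { echo "no CFBundleExecutable in $plist" >&2; return 1; }
    lib="$bundle/Contents/Linux/$exe"
    [ -f "$lib" ] || { echo "missing $lib (named by Info.plist)" >&2; return 1; }
    echo "ok: $lib"
    return 0
}

# Constructed dummy bundle for exercising the check offline (not a real driver).
make_sample_bundle() {
    mkdir -p "$1/ifd-ccid.bundle/Contents/Linux"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<plist version="1.0">' '<dict>' \
        '<key>CFBundleExecutable</key>' '<string>libccid.so</string>' '</dict>' '</plist>' \
        > "$1/ifd-ccid.bundle/Contents/Info.plist"
    : > "$1/ifd-ccid.bundle/Contents/Linux/libccid.so"
}

# When run directly with a directory argument, check that directory, e.g.
#   sh check_bundle.sh /usr/local/lib/pcsc/drivers
if [ -n "${1:-}" ]; then
    check_ccid_bundle "$1"
fi
```

The check only reads files, so it is safe to run as the phablet user; if it fails for the drop directory compiled into pcscd (see the "USB drop directory" line in the configure output), the daemon will start but never see the reader.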

        from outside the chrooted system we can now start the daemon as:

        $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd --foreground --debug | tee pcscd.log
        

        and check the log file pcscd.log to see if it sees the card attaching.

        Now we start in the phone the pcscd daemon as:

        $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd
        $ ps ax | grep pcscd
        31669 pts/53   Sl     0:00 /home/phablet/myRoot/usr/local/sbin/pcscd
        

        to restart the pcscd after device reboot we put the above line into
        a small script ~phablet/pcscd.sh; this script allows starting and stopping the daemon:

        $ ./pcscd.sh 
        [sudo] password for phablet: 
        started pcscd pid 9187
        
        $ ./pcscd.sh 
        killing pcscd pid 9187
        

        its logic is simple:

        $ cat ./pcscd.sh 
        #!/bin/sh
          
        # if pcscd is running, we only kill it, else we start it
        #
        # pcscd (started via sudo) writes its pid file as root, so removing
        # it needs sudo as well
        test -f /run/pcscd/pcscd.pid &&  {
            echo killing pcscd pid `cat /run/pcscd/pcscd.pid`
            sudo kill `cat /run/pcscd/pcscd.pid`
            sudo rm -f /run/pcscd/pcscd.pid
            exit 0
        }
        # --auto-exit makes pcscd terminate by itself when no reader is attached
        sudo /home/phablet/myRoot/usr/local/sbin/pcscd --auto-exit
        test -f /run/pcscd/pcscd.pid && echo started pcscd pid `cat /run/pcscd/pcscd.pid`
        

        We can now run the gpg --card-status to see if it finds the card on attach:

        $ ./gpg.sh --card-status
        Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
        Application ID ...: D27600012401020100050000532B0000
        Version ..........: 2.1
        Manufacturer .....: ZeitControl
        Serial number ....: 0000532B
        Name of cardholder: Matthias Apitz
        Language prefs ...: en
        Sex ..............: unspecified
        URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
        Login data .......: [not set]
        Signature PIN ....: not forced
        Key attributes ...: rsa4096 rsa4096 rsa4096
        Max. PIN lengths .: 32 32 32
        PIN retry counter : 3 0 3
        Signature counter : 457
        Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
              created ....: 2017-05-14 18:20:07
        Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
              created ....: 2017-05-14 18:20:07
        Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
              created ....: 2017-05-14 18:20:07
        General key info..: [none]
        
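        Added example, not code from guru's post: a POSIX sh filter that reads gpg --card-status text and pulls out the "PIN retry counter" line, whose three numbers are the remaining tries for the user PIN, the Reset Code and the Admin PIN. The sample status text is constructed, and the threshold of 3 is the default retry count on these cards (an assumption, since a card can be personalised differently). It is useful after a session with the OSK, where a mistyped PIN is easy: a user PIN counter of 0 means the card is blocked until the Admin PIN (or a Reset Code) is used.

```sh
#!/bin/sh
# Added example, not part of the original post. Parses the "PIN retry counter"
# line of 'gpg --card-status' output read from stdin and warns when tries
# have been used up. Default maximum of 3 tries is assumed.

# Constructed sample of card-status output (not data from a real card)
SAMPLE_STATUS='Reader ...........: Example CCID Reader 00 00
Version ..........: 2.1
PIN retry counter : 2 0 3
Signature counter : 12'

# Print "user reset admin" counters from card-status text on stdin
pin_retry_counters() {
    sed -n 's/^PIN retry counter *: *\([0-9][0-9]*\) *\([0-9][0-9]*\) *\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Returns 0 when user and admin PIN have all tries left, 1 when tries were
# consumed or a PIN is blocked, 2 when no counter line was found
check_pin_retries() {
    counters=$(pin_retry_counters)
    [ -n "$counters" ] || { echo "no PIN retry counter line found" >&2; return 2; }
    set -- $counters
    user=$1; reset=$2; admin=$3
    if [ "$user" -eq 0 ] || [ "$admin" -eq 0 ]; then
        echo "BLOCKED: user PIN tries=$user, admin PIN tries=$admin" >&2
        return 1
    fi
    if [ "$user" -lt 3 ] || [ "$admin" -lt 3 ]; then
        echo "WARNING: failed attempts recorded: user=$user reset=$reset admin=$admin" >&2
        return 1
    fi
    echo "ok: user=$user reset=$reset admin=$admin"
    return 0
}

# Typical use on the phone:  ./gpg.sh --card-status | sh check_pin.sh
# When run directly without piped input, it shows the result for the sample.
if [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_STATUS" | check_pin_retries
fi
```

A Reset Code counter of 0, as in the card-status above, only means no Reset Code is set; the two counters that matter for lock-out are the first and the third.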

        We rename ~/.gnupg (to save the *.conf files) and copy over from my
        real netbook the ~/.password-store and the key material for the GnuPG-card:

        phablet@ubuntu-phablet:~$ mv .gnupg .gnupg-localkey
        phablet@ubuntu-phablet:~$ mv .password-store .password-store-localkey
        phablet@ubuntu-phablet:~$ mkdir .password-store
        phablet@ubuntu-phablet:~$ chmod 0700 .password-store
        

        from the host:

        $ scp -rp .gnupg-ccid     phablet@10.42.0.1:.
        $ scp -rp .password-store phablet@10.42.0.1:.
        
        phablet@ubuntu-phablet:~$ mv .gnupg-ccid .gnupg
        phablet@ubuntu-phablet:~$ cp -p .gnupg-localkey/*.conf .gnupg
        

        let's see if ./pass.sh can unlock the card (via the gpg-agent) and decipher the
        crypted information:

        $ ./pass.sh cards/cuba
        
                                  ┌─────────────────────────────────────────────┐
                                  │ Please insert the card with serial number:  │
                                  │                                             │
                                  │ 0005 0000532B                               │
                                  │                                             │
                                  │      <OK>                       <Cancel>    │
                                  └─────────────────────────────────────────────┘
        
                                  ┌──────────────────────────────────────────────┐
                                  │ Please unlock the card                       │
                                  │                                              │
                                  │ Number: 0005 0000532B                        │
                                  │ Holder: Matthias Apitz                       │
                                  │                                              │
                                  │ PIN ________________________________________ │
                                  │                                              │
                                  │      <OK>                        <Cancel>    │
                                  └──────────────────────────────────────────────┘
        
        4711
        $
        

        on the 2nd run it no longer needs the PIN:

        $ ./pass.sh askubuntu.com/guru@unixarea.de
        4711
        

        i.e. all is fine! The OpenPGP card remains unlocked until power-off, i.e.
        until the card is withdrawn.
