Using GnuPG in the UbuntuPhone BQ E4.5 (part2: OpenPGP CCID Card)

  • The final step is getting support for the OpenPGP card (the "GnuPG card"),
    so that we do not have to key in long passphrases on the on-screen keyboard (OSK).

    We need the 'pcscd' daemon.
    Its build is a bit tricky because it must later, when started from outside the
    chrooted system, find the ccid driver.

    We compile the following pieces inside the chroot'ed system, in this order.

    First we need some more packages:

    phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot
    phablet@ubuntu-phablet-bq:~# su - phablet
    phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-dev
    phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-1.0-0-dev
    phablet@ubuntu-phablet-bq:~$ sudo apt-get install pkg-config

    Now we build pcsc-lite-1.8.23 with the following options on ./configure:

    phablet@ubuntu-phablet-bq:~$ cd pcsc-lite-1.8.23
    phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ ./configure --enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers --enable-confdir=/home/phablet/myRoot/etc/reader.conf.d --disable-libsystemd
    PC/SC lite has been configured with following options:
    Version:             1.8.23
    System binaries:     /usr/local/sbin
    Configuration dir:   /usr/local/etc/reader.conf.d
    Host:                armv7l-unknown-linux-gnueabihf
    Compiler:            gcc
    Preprocessor flags:  -I${top_srcdir}/src
    Compiler flags:      -Wall -fno-common -g -O2
    Preprocessor flags:  -I${top_srcdir}/src
    Linker flags:
    Libraries:           -ldl  -lrt
    PTHREAD_CFLAGS:      -pthread
    PCSC_ARCH:           Linux
    pcscd binary            /usr/local/sbin/pcscd
    polkit support:         no
    polkit policy dir:
    libudev support:        yes
    libusb support:         no
    USB drop directory:     /home/phablet/myRoot/usr/local/lib/pcsc/drivers
    ATR parsing messages:   false
    ipcdir:                 /var/run/pcscd
    use serial:             yes
    use usb:                yes
    systemd unit directory: /lib/systemd/system
    serial config dir.:     /home/phablet/myRoot/etc/reader.conf.d
    filter:                 no
    PCSCLITE_FEATURES:       Linux armv7l-unknown-linux-gnueabihf serial usb libudev usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/home/phablet/myRoot/etc/reader.conf.d
    checking that generated files are newer than configure... done
    phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make
    phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ sudo make install

    Now the 'ccid' driver, which we install and then copy to where the daemon will
    look for it:

    phablet@ubuntu-phablet-bq:~$ cd ccid-1.4.30
    phablet@ubuntu-phablet:~/ccid-1.4.30$ ./configure --enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers
    libccid has been configured with following options:
    Version:             1.4.30
    User binaries:       /usr/local/bin
    Configuration files: /usr/local/etc
    Host:                armv7l-unknown-linux-gnueabihf
    Compiler:            gcc
    Preprocessor flags:
    Compiler flags:      -g -O2
    Preprocessor flags:
    Linker flags:
    PCSC_CFLAGS:         -pthread -I/usr/local/include/PCSC
    PCSC_LIBS:           -L/usr/local/lib -lpcsclite
    PTHREAD_CFLAGS:      -pthread
    BUNDLE_HOST:         Linux
    DYN_LIB_EXT:         so
    LIBUSB_CFLAGS:       -I/usr/include/libusb-1.0
    LIBUSB_LIBS:         -lusb-1.0
    SYMBOL_VISIBILITY:   -fvisibility=hidden
    libusb support:          yes
    composite as multislot:  no
    multi threading:         yes
    bundle directory name:   ifd-ccid.bundle
    USB drop directory:      /home/phablet/myRoot/usr/local/lib/pcsc/drivers
    serial Twin support:     no
    serial twin install dir: /home/phablet/myRoot/usr/local/lib/pcsc/drivers/serial
    serial config directory: /home/phablet/myRoot/etc/reader.conf.d
    compiled for pcsc-lite:  yes
    syslog debug:            no
    class driver:            yes
    phablet@ubuntu-phablet:~/ccid-1.4.30$ make
    phablet@ubuntu-phablet:~/ccid-1.4.30$ sudo make install

    The driver and its control file Info.plist ended up where configured:

    phablet@ubuntu-phablet:~$ find /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/

    But if we run the daemon from outside the chrooted system, the configured drop
    directory /home/phablet/myRoot/usr/local/lib/pcsc/drivers is taken as a path on
    the outer system, which is /usr/local/lib/pcsc/drivers as seen from inside the
    chroot (the chroot prefix /home/phablet/myRoot gets added in front). So, still
    inside the chroot, we copy the bundle over to that place:

    phablet@ubuntu-phablet:~$ sudo mkdir -p /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
    phablet@ubuntu-phablet:~$ sudo cp -rp /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
    phablet@ubuntu-phablet:~$ find /usr/local/lib/pcsc/drivers/ifd-ccid.bundle

    From outside the chrooted system we can now start the daemon in the foreground
    with debug output:

    $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd --foreground --debug | tee pcscd.log

    and check pcscd.log to see whether it notices the card being attached.
    Note that pcscd runs as root here and dlopen()s the driver from a tree below
    /home/phablet/myRoot; that tree must be owned by root and not be writable by
    the phablet user, otherwise anything running as phablet could replace
    ifd-ccid.bundle and get its code executed as root.

    Now we start the pcscd daemon on the phone for normal use:

    $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd
    $ ps ax | grep pcscd
    31669 pts/53   Sl     0:00 /home/phablet/myRoot/usr/local/sbin/pcscd

    To restart pcscd after a device reboot we put the above line into a small
    script, ~phablet/, which starts and stops the daemon:

    $ ./ 
    [sudo] password for phablet: 
    started pcscd pid 9187
    $ ./ 
    killing pcscd pid 9187

    Its logic is simple (the pid file is written by root, so removing it needs
    sudo as well, and the block after && needs its closing brace):

    $ cat ./ 
    #!/bin/sh
    # toggle pcscd: if it is running (pid file present) we only kill it,
    # otherwise we start it with --auto-exit (it quits by itself when idle)
    test -f /run/pcscd/ &&  {
        echo killing pcscd pid `cat /run/pcscd/`
        sudo kill `cat /run/pcscd/`
        sudo rm -f /run/pcscd/
        exit 0
    }
    sudo /home/phablet/myRoot/usr/local/sbin/pcscd --auto-exit
    test -f /run/pcscd/ && echo started pcscd pid `cat /run/pcscd/`

    We can now run gpg --card-status to see whether it finds the card once it is attached:

    $ ./ --card-status
    Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
    Application ID ...: D27600012401020100050000532B0000
    Version ..........: 2.1
    Manufacturer .....: ZeitControl
    Serial number ....: 0000532B
    Name of cardholder: Matthias Apitz
    Language prefs ...: en
    Sex ..............: unspecified
    URL of public key :
    Login data .......: [not set]
    Signature PIN ....: not forced
    Key attributes ...: rsa4096 rsa4096 rsa4096
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 3 0 3
    Signature counter : 457
    Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
          created ....: 2017-05-14 18:20:07
    Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
          created ....: 2017-05-14 18:20:07
    Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
          created ....: 2017-05-14 18:20:07
    General key info..: [none]
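    A script that is about to use the card (the password-store wrapper below, for
    instance) should not blindly trust whatever card happens to be plugged in. The
    following is an added example, not part of the post, that parses the
    card-status output shown above (embedded as SAMPLE_STATUS) and refuses to go
    on when the serial or the signature-key fingerprint differ from the expected
    ones, or when the user-PIN retry counter is nearly exhausted (one more wrong
    PIN at a counter of 1 blocks the card). The expected serial and fingerprint
    passed in are the caller's policy, not something gpg provides.

```shell
#!/bin/sh
# Added example, not from the post: preflight checks on `gpg --card-status`
# output. SAMPLE_STATUS is the card-status output shown in the post.
SAMPLE_STATUS='Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key :
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 457
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]'

# card_field STATUS LABEL: value of the first line whose label starts with LABEL
# (the dotted padding and the colon are stripped)
card_field() {
    printf '%s\n' "$1" | awk -v l="$2" 'index($0, l) == 1 { sub(/^[^:]*: ?/, ""); print; exit }'
}

# card_key_fpr STATUS "Signature key"|"Encryption key"|"Authentication key":
# the fingerprint as 40 hex digits without the display spacing
card_key_fpr() {
    card_field "$1" "$2" | tr -d ' '
}

# card_pin_retries STATUS: remaining tries for the user PIN; the three counters
# on the line are user PIN, Reset Code and Admin PIN
card_pin_retries() {
    set -- $(card_field "$1" 'PIN retry counter')
    echo "${1:-0}"
}

# card_preflight STATUS EXPECTED_SERIAL EXPECTED_SIG_FPR [MIN_RETRIES]
# Returns 1 when this is not the expected card or the PIN is nearly blocked;
# only warns when the signature PIN is not forced.
card_preflight() {
    status=$1; want_serial=$2; want_fpr=$3; min_retries=${4:-2}
    serial=$(card_field "$status" 'Serial number')
    if [ "$serial" != "$want_serial" ]; then
        echo "card serial '$serial' is not the expected $want_serial" >&2
        return 1
    fi
    fpr=$(card_key_fpr "$status" 'Signature key')
    if [ "$fpr" != "$want_fpr" ]; then
        echo "signature key $fpr is not the expected $want_fpr" >&2
        return 1
    fi
    retries=$(card_pin_retries "$status")
    if [ "$retries" -lt "$min_retries" ]; then
        echo "only $retries PIN tries left, not risking a blocked card" >&2
        return 1
    fi
    if [ "$(card_field "$status" 'Signature PIN')" != "forced" ]; then
        echo "note: signature PIN not forced; once entered, the card signs without asking again" >&2
    fi
    return 0
}

# Live use on the phone:
#   card_preflight "$(gpg --card-status)" 0000532B 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11 || exit 1
if [ "${1:-}" = "demo" ]; then
    card_preflight "$SAMPLE_STATUS" 0000532B 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11 && echo "card ok"
fi
```

    Pinning the fingerprint rather than only the serial matters because the
    serial only identifies the plastic; the fingerprint identifies the key you
    actually intend to use.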

    We rename ~/.gnupg (to keep its *.conf files) and copy over from my real
    netbook the ~/.password-store and the GnuPG data for the card. With an
    OpenPGP card this is the public keyring plus the stubs in private-keys-v1.d
    that point at the card, not the secret keys themselves; 'gpg -K' shows such
    subkeys as 'ssb>'.

    phablet@ubuntu-phablet:~$ mv .gnupg .gnupg-localkey
    phablet@ubuntu-phablet:~$ mv .password-store .password-store-localkey
    phablet@ubuntu-phablet:~$ mkdir .password-store
    phablet@ubuntu-phablet:~$ chmod 0700 .password-store

    From the netbook:

    $ scp -rp .gnupg-ccid     phablet@
    $ scp -rp .password-store phablet@
    phablet@ubuntu-phablet:~$ mv .gnupg-ccid .gnupg
    phablet@ubuntu-phablet:~$ cp -p .gnupg-localkey/*.conf .gnupg

    Let's see whether ./ can unlock the card (via gpg-agent) and decrypt the
    stored entry:

    $ ./ cards/cuba
                              │ Please insert the card with serial number:  │
                              │                                             │
                              │ 0005 0000532B                               │
                              │                                             │
                              │      <OK>                       <Cancel>    │
                              │ Please unlock the card                       │
                              │                                              │
                              │ Number: 0005 0000532B                        │
                              │ Holder: Matthias Apitz                       │
                              │                                              │
                              │ PIN ________________________________________ │
                              │                                              │
                              │      <OK>                        <Cancel>    │

    On the second run it no longer asks for the PIN:

    $ ./

    i.e. all is fine! The OpenPGP card remains unlocked until power-off, i.e.
    until the card is withdrawn from the reader. While it is plugged in, anyone
    with access to the phone can decrypt with it, so pull the card when it is not
    in use; 'forcesig' in gpg --card-edit makes every signature ask for the PIN
    again, but that flag covers signing only, not decryption.
