Using GnuPG in the UbuntuPhone BQ E4.5 (part2: OpenPGP CCID Card)
-
The final step is getting support for the GnuPG card, so that we no longer have to key in
longish passphrases with the OSK.

We need the 'pcscd' daemon.
Its build is a bit tricky because it must later, when started from outside the
chrooted system, find the CCID driver. We compile the following pieces inside the
chrooted system, in this order:

- pcsc-lite-1.8.23
- ccid-1.4.30

First we need some more packages:

```
phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot
phablet@ubuntu-phablet-bq:~# su - phablet
phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-dev
phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-1.0-0-dev
phablet@ubuntu-phablet-bq:~$ sudo apt-get install pkg-config
```

Now we make pcsc-lite-1.8.23 with the following options set on ./configure (note the
USB drop directory and config dir are given with the chroot prefix /home/phablet/myRoot):

```
phablet@ubuntu-phablet-bq:~$ cd pcsc-lite-1.8.23
phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ ./configure --enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers --enable-confdir=/home/phablet/myRoot/etc/reader.conf.d --disable-libsystemd
...
PC/SC lite has been configured with following options:

Version:                1.8.23
System binaries:        /usr/local/sbin
Configuration dir:      /usr/local/etc/reader.conf.d

Host:                   armv7l-unknown-linux-gnueabihf
Compiler:               gcc
Preprocessor flags:     -I${top_srcdir}/src
Compiler flags:         -Wall -fno-common -g -O2
Preprocessor flags:     -I${top_srcdir}/src
Linker flags:
Libraries:              -ldl -lrt

PTHREAD_CFLAGS:         -pthread
PTHREAD_LIBS:
PCSC_ARCH:              Linux
pcscd binary            /usr/local/sbin/pcscd
polkit support:         no
polkit policy dir:
libudev support:        yes
libusb support:         no
USB drop directory:     /home/phablet/myRoot/usr/local/lib/pcsc/drivers
ATR parsing messages:   false
ipcdir:                 /var/run/pcscd
use serial:             yes
use usb:                yes
systemd unit directory: /lib/systemd/system
serial config dir.:     /home/phablet/myRoot/etc/reader.conf.d
filter:                 no

PCSCLITE_FEATURES:      Linux armv7l-unknown-linux-gnueabihf serial usb libudev usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/home/phablet/myRoot/etc/reader.conf.d

checking that generated files are newer than configure... done
...
phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make
phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make install
```

OK, now the 'ccid' driver, installed (copied) where the daemon will see it:

```
phablet@ubuntu-phablet-bq:~$ cd ccid-1.4.30
phablet@ubuntu-phablet:~/ccid-1.4.30$ ./configure -enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers
...
libccid has been configured with following options:

Version:                 1.4.30
User binaries:           /usr/local/bin
Configuration files:     /usr/local/etc

Host:                    armv7l-unknown-linux-gnueabihf
Compiler:                gcc
Preprocessor flags:
Compiler flags:          -g -O2
Preprocessor flags:
Linker flags:
Libraries:

PCSC_CFLAGS:             -pthread -I/usr/local/include/PCSC
PCSC_LIBS:               -L/usr/local/lib -lpcsclite
PTHREAD_CFLAGS:          -pthread
PTHREAD_LIBS:
BUNDLE_HOST:             Linux
DYN_LIB_EXT:             so
LIBUSB_CFLAGS:           -I/usr/include/libusb-1.0
LIBUSB_LIBS:             -lusb-1.0
SYMBOL_VISIBILITY:       -fvisibility=hidden
NOCLASS:

libusb support:          yes
composite as multislot:  no
multi threading:         yes
bundle directory name:   ifd-ccid.bundle
USB drop directory:      /home/phablet/myRoot/usr/local/lib/pcsc/drivers
serial Twin support:     no
serial twin install dir: /home/phablet/myRoot/usr/local/lib/pcsc/drivers/serial
serial config directory: /home/phablet/myRoot/etc/reader.conf.d
compiled for pcsc-lite:  yes
syslog debug:            no
class driver:            yes
...
phablet@ubuntu-phablet:~/ccid-1.4.30$ make
phablet@ubuntu-phablet:~/ccid-1.4.30$ sudo make install
```

The driver libccid.so and its control file Info.plist ended up as configured:

```
phablet@ubuntu-phablet:~$ find /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
/home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
/home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
/home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
/home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
```

But if we run the daemon from outside the chrooted system, the bundle must be in
/usr/local/lib/pcsc/drivers/ifd-ccid.bundle, because the daemon itself already
adds /home/phablet/myRoot in front (that is the USB drop directory it was configured
with); so we copy it over to the correct place:

```
phablet@ubuntu-phablet:~$ sudo mkdir -p /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
phablet@ubuntu-phablet:~$ sudo cp -rp /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
phablet@ubuntu-phablet:~$ find /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
/usr/local/lib/pcsc/drivers/ifd-ccid.bundle
/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents
/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
```

From outside the chrooted system we can now start the daemon as:

```
$ sudo /home/phablet/myRoot/usr/local/sbin/pcscd --foreground --debug | tee pcscd.log
```

and check the log file pcscd.log to see if it notices the card being attached.

Now we start the pcscd daemon on the phone as:

```
$ sudo /home/phablet/myRoot/usr/local/sbin/pcscd
$ ps ax | grep pcscd
31669 pts/53   Sl     0:00 /home/phablet/myRoot/usr/local/sbin/pcscd
```

To restart pcscd after a device reboot we put the above line into a small script
~phablet/pcscd.sh; this script allows us to start and stop the daemon:

```
$ ./pcscd.sh
[sudo] password for phablet:
started pcscd pid 9187
$ ./pcscd.sh
killing pcscd pid 9187
```

Its logic is simple:

```
$ cat ./pcscd.sh
#!/bin/sh
#
# if pcscd is running, we only kill it, else we start it
#
test -f /run/pcscd/pcscd.pid && {
    echo killing pcscd pid `cat /run/pcscd/pcscd.pid`
    sudo kill `cat /run/pcscd/pcscd.pid`
    rm -f /run/pcscd/pcscd.pid
    exit 0
}
sudo /home/phablet/myRoot/usr/local/sbin/pcscd --auto-exit
test -f /run/pcscd/pcscd.pid && echo started pcscd pid `cat /run/pcscd/pcscd.pid`
```

We can now run gpg --card-status to see if it finds the card on attach:

```
$ ./gpg.sh --card-status
Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 457
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]
```

We rename ~/.gnupg (to save the *.conf files) and copy over from my real netbook
the ~/.password-store and the key material for the GnuPG card:

```
phablet@ubuntu-phablet:~$ mv .gnupg .gnupg-localkey
phablet@ubuntu-phablet:~$ mv .password-store .password-store-localkey
phablet@ubuntu-phablet:~$ mkdir .password-store
phablet@ubuntu-phablet:~$ chmod 0700 .password-store
```

From the host:

```
$ scp -rp .gnupg-ccid phablet@10.42.0.1:.
$ scp -rp .password-store phablet@10.42.0.1:.
```

Back on the phone:

```
phablet@ubuntu-phablet:~$ mv .gnupg-ccid .gnupg
phablet@ubuntu-phablet:~$ cp -p .gnupg-localkey/*.conf .gnupg
```

Let's see if ./pass.sh can unlock the card (via the gpg-agent) and decipher the
encrypted information:

```
$ ./pass.sh cards/cuba
┌─────────────────────────────────────────────┐
│ Please insert the card with serial number:  │
│                                             │
│ 0005 0000532B                               │
│                                             │
│          <OK>              <Cancel>         │
└─────────────────────────────────────────────┘
┌──────────────────────────────────────────────┐
│ Please unlock the card                       │
│                                              │
│ Number: 0005 0000532B                        │
│ Holder: Matthias Apitz                       │
│                                              │
│ PIN ________________________________________ │
│                                              │
│          <OK>               <Cancel>         │
└──────────────────────────────────────────────┘
4711
$
```

On the 2nd run it does not need the PIN anymore:

```
$ ./pass.sh askubuntu.com/guru@unixarea.de
4711
```

i.e. all is fine! The OpenPGP card remains unlocked until power-off, i.e.
until the card is withdrawn.
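The pcscd.sh above trusts whatever number sits in /run/pcscd/pcscd.pid and kills it. As an added example (not the post's own script), here is a variant that checks the pid really belongs to a running pcscd before killing it, and, before starting, verifies that libccid.so and Info.plist exist where a daemon started from outside the chroot will look (the configured usbdropdir with the chroot prefix stripped). Paths are the ones used in the post; PROC is only overridable so the checks can be exercised against a fake tree.

```shell
#!/bin/sh
# Added example, not the author's pcscd.sh: same start/stop toggle, but with a
# stale-pid check and a driver-location check. Paths as in the post.
CHROOT=${CHROOT:-/home/phablet/myRoot}
PCSCD=${PCSCD:-$CHROOT/usr/local/sbin/pcscd}
USBDROPDIR=${USBDROPDIR:-$CHROOT/usr/local/lib/pcsc/drivers}
PIDFILE=${PIDFILE:-/run/pcscd/pcscd.pid}
PROC=${PROC:-/proc}   # overridable only so the checks can run against a fake tree

# Started from outside the chroot, pcscd looks for the driver at the configured
# usbdropdir with the chroot prefix stripped; print that host-side path.
host_driver_dir() { printf '%s\n' "${USBDROPDIR#"$CHROOT"}"; }

# Fail unless libccid.so and Info.plist are where the daemon will look.
check_driver() {
    b="$(host_driver_dir)/ifd-ccid.bundle/Contents"
    [ -f "$b/Linux/libccid.so" ] && [ -f "$b/Info.plist" ]
}

# Print the pid stored in FILE only if the file holds a plain number.
pidfile_pid() {
    [ -r "$1" ] || return 1
    pid=$(tr -d '[:space:]' < "$1")
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$pid"
}

# Succeed only if PID is alive and really is pcscd, so a stale or tampered pid
# file never makes us kill an unrelated process that reused the number.
pid_is_pcscd() { [ -r "$PROC/$1/comm" ] && [ "$(cat "$PROC/$1/comm")" = pcscd ]; }

toggle_pcscd() {
    if pid=$(pidfile_pid "$PIDFILE"); then
        if pid_is_pcscd "$pid"; then
            echo "killing pcscd pid $pid"; sudo kill "$pid"
        else
            echo "stale pid file ($pid is not pcscd), removing it"
        fi
        sudo rm -f "$PIDFILE"   # /run/pcscd is root-owned, so rm needs sudo
        return 0
    fi
    check_driver || { echo "ccid driver missing under $(host_driver_dir)"; return 1; }
    sudo "$PCSCD" --auto-exit
    pid=$(pidfile_pid "$PIDFILE") && echo "started pcscd pid $pid"
}

# Only act when run as the script itself, not when sourced.
case "$(basename -- "$0")" in pcscd.sh) toggle_pcscd ;; esac
```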