    Using GnuPG in the UbuntuPhone BQ E4.5 (part2: OpenPGP CCID Card)

    guru (last edited by guru)

      The final step is getting support for the GnuPG card, so as not to have to key in
      longish passphrases with the OSK.
      [image: UbuntuPhone-GnuPG-card.png]

      We need the 'pcscd' daemon.
      Its build is a bit tricky because it must later, on start from outside the
      chrooted system, find the ccid driver.

      We compile the following pieces inside the chrooted system, in this order:

      pcsc-lite-1.8.23
      ccid-1.4.30
      

      First we need some more packages:

      phablet@ubuntu-phablet-bq:~$ sudo chroot myRoot
      phablet@ubuntu-phablet-bq:~# su - phablet
      phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-dev
      phablet@ubuntu-phablet-bq:~$ sudo apt-get install libusb-1.0-0-dev
      phablet@ubuntu-phablet-bq:~$ sudo apt-get install pkg-config
      

      Now we make pcsc-lite-1.8.23 with the following options set on ./configure:

      phablet@ubuntu-phablet-bq:~$ cd pcsc-lite-1.8.23
      phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ ./configure --enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers --enable-confdir=/home/phablet/myRoot/etc/reader.conf.d --disable-libsystemd
      
      ...
      PC/SC lite has been configured with following options:
      
      Version:             1.8.23
      System binaries:     /usr/local/sbin
      Configuration dir:   /usr/local/etc/reader.conf.d
      
      
      Host:                armv7l-unknown-linux-gnueabihf
      Compiler:            gcc
      Preprocessor flags:  -I${top_srcdir}/src
      Compiler flags:      -Wall -fno-common -g -O2
      Preprocessor flags:  -I${top_srcdir}/src
      Linker flags:
      Libraries:           -ldl  -lrt
      
      PTHREAD_CFLAGS:      -pthread
      PTHREAD_LIBS:
      PCSC_ARCH:           Linux
      
      pcscd binary            /usr/local/sbin/pcscd
      polkit support:         no
      polkit policy dir:
      libudev support:        yes
      libusb support:         no
      USB drop directory:     /home/phablet/myRoot/usr/local/lib/pcsc/drivers
      ATR parsing messages:   false
      ipcdir:                 /var/run/pcscd
      use serial:             yes
      use usb:                yes
      systemd unit directory: /lib/systemd/system
      serial config dir.:     /home/phablet/myRoot/etc/reader.conf.d
      filter:                 no
      
      PCSCLITE_FEATURES:       Linux armv7l-unknown-linux-gnueabihf serial usb libudev usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/home/phablet/myRoot/etc/reader.conf.d
      
      checking that generated files are newer than configure... done
      ...
      
      phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make
      phablet@ubuntu-phablet-bq:~/pcsc-lite-1.8.23$ make install
      

      OK, now the 'ccid' driver, installed (copied) so that it is seen by the daemon:

      phablet@ubuntu-phablet-bq:~$ cd ccid-1.4.30
      phablet@ubuntu-phablet:~/ccid-1.4.30$ ./configure -enable-usbdropdir=/home/phablet/myRoot/usr/local/lib/pcsc/drivers
      ...
      libccid has been configured with following options:
      
      Version:             1.4.30
      User binaries:       /usr/local/bin
      Configuration files: /usr/local/etc
      
      
      Host:                armv7l-unknown-linux-gnueabihf
      Compiler:            gcc
      Preprocessor flags:
      Compiler flags:      -g -O2
      Preprocessor flags:
      Linker flags:
      Libraries:
      
      PCSC_CFLAGS:         -pthread -I/usr/local/include/PCSC
      PCSC_LIBS:           -L/usr/local/lib -lpcsclite
      PTHREAD_CFLAGS:      -pthread
      PTHREAD_LIBS:
      BUNDLE_HOST:         Linux
      DYN_LIB_EXT:         so
      LIBUSB_CFLAGS:       -I/usr/include/libusb-1.0
      LIBUSB_LIBS:         -lusb-1.0
      SYMBOL_VISIBILITY:   -fvisibility=hidden
      NOCLASS:
      
      libusb support:          yes
      composite as multislot:  no
      multi threading:         yes
      bundle directory name:   ifd-ccid.bundle
      USB drop directory:      /home/phablet/myRoot/usr/local/lib/pcsc/drivers
      serial Twin support:     no
      serial twin install dir: /home/phablet/myRoot/usr/local/lib/pcsc/drivers/serial
      serial config directory: /home/phablet/myRoot/etc/reader.conf.d
      compiled for pcsc-lite:  yes
      syslog debug:            no
      class driver:            yes
      
      ...
      
      phablet@ubuntu-phablet:~/ccid-1.4.30$ make
      phablet@ubuntu-phablet:~/ccid-1.4.30$ sudo make install
      

      The driver libccid.so and its control file Info.plist ended up as configured:

      phablet@ubuntu-phablet:~$ find /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
      /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/
      /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
      /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
      /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
      

      But if we run the daemon from outside the chrooted system, it must be in
      /usr/local/lib/pcsc/drivers/ifd-ccid.bundle, because /home/phablet/myRoot gets
      added in front; so we copy them over to the correct place:

      phablet@ubuntu-phablet:~$ sudo mkdir -p /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
      phablet@ubuntu-phablet:~$ sudo cp -rp /home/phablet/myRoot/usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
      phablet@ubuntu-phablet:~$ find /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
      /usr/local/lib/pcsc/drivers/ifd-ccid.bundle
      /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents
      /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux
      /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so
      /usr/local/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist
      

      From outside the chrooted system we can now start the daemon as:

      $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd --foreground --debug | tee pcscd.log
      

      and check the log file pcscd.log to see whether it sees the card being attached.

      Now we start the pcscd daemon on the phone as:

      $ sudo /home/phablet/myRoot/usr/local/sbin/pcscd
      $ ps ax | grep pcscd
      31669 pts/53   Sl     0:00 /home/phablet/myRoot/usr/local/sbin/pcscd
      

      To restart pcscd after a device reboot we put the above line into
      a small script ~phablet/pcscd.sh; this script allows starting and stopping the daemon:

      $ ./pcscd.sh 
      [sudo] password for phablet: 
      started pcscd pid 9187
      
      $ ./pcscd.sh 
      killing pcscd pid 9187
      

      Its logic is simple:

      $ cat ./pcscd.sh 
      #!/bin/sh
        
      # if pcscd is running, we only kill it, else we start it
      #
      test -f /run/pcscd/pcscd.pid &&  {
          echo killing pcscd pid `cat /run/pcscd/pcscd.pid`
          sudo kill `cat /run/pcscd/pcscd.pid`
          rm -f /run/pcscd/pcscd.pid
          exit 0
      }
      sudo /home/phablet/myRoot/usr/local/sbin/pcscd --auto-exit
      test -f /run/pcscd/pcscd.pid && echo started pcscd pid `cat /run/pcscd/pcscd.pid`
      

      We can now run gpg --card-status to see if it finds the card when it is attached:

      $ ./gpg.sh --card-status
      Reader ...........: Identiv uTrust 3512 SAM slot Token [CCID Interface] (55511514602745) 00 00
      Application ID ...: D27600012401020100050000532B0000
      Version ..........: 2.1
      Manufacturer .....: ZeitControl
      Serial number ....: 0000532B
      Name of cardholder: Matthias Apitz
      Language prefs ...: en
      Sex ..............: unspecified
      URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
      Login data .......: [not set]
      Signature PIN ....: not forced
      Key attributes ...: rsa4096 rsa4096 rsa4096
      Max. PIN lengths .: 32 32 32
      PIN retry counter : 3 0 3
      Signature counter : 457
      Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
            created ....: 2017-05-14 18:20:07
      Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
            created ....: 2017-05-14 18:20:07
      Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
            created ....: 2017-05-14 18:20:07
      General key info..: [none]
      

      We rename ~/.gnupg (to save the *.conf files) and copy over from my
      real netbook the ~/.password-store and the key material for the GnuPG card:

      phablet@ubuntu-phablet:~$ mv .gnupg .gnupg-localkey
      phablet@ubuntu-phablet:~$ mv .password-store .password-store-localkey
      phablet@ubuntu-phablet:~$ mkdir .password-store
      phablet@ubuntu-phablet:~$ chmod 0700 .password-store
      

      From the host:

      $ scp -rp .gnupg-ccid     phablet@10.42.0.1:.
      $ scp -rp .password-store phablet@10.42.0.1:.
      
      phablet@ubuntu-phablet:~$ mv .gnupg-ccid .gnupg
      phablet@ubuntu-phablet:~$ cp -p .gnupg-localkey/*.conf .gnupg
      

      Let's see if ./pass.sh can unlock the card (via the gpg-agent) and decipher the
      encrypted information:

      $ ./pass.sh cards/cuba
      
                                ┌─────────────────────────────────────────────┐
                                │ Please insert the card with serial number:  │
                                │                                             │
                                │ 0005 0000532B                               │
                                │                                             │
                                │      <OK>                       <Cancel>    │
                                └─────────────────────────────────────────────┘
      
                                ┌──────────────────────────────────────────────┐
                                │ Please unlock the card                       │
                                │                                              │
                                │ Number: 0005 0000532B                        │
                                │ Holder: Matthias Apitz                       │
                                │                                              │
                                │ PIN ________________________________________ │
                                │                                              │
                                │      <OK>                        <Cancel>    │
                                └──────────────────────────────────────────────┘
      
      4711
      $
      

      On the 2nd run it no longer needs the PIN:

      $ ./pass.sh askubuntu.com/guru@unixarea.de
      4711
      

      i.e. all is fine! The OpenPGP card remains unlocked until power-off, i.e.
      until the card is withdrawn.
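A hardened variant of the pcscd.sh toggle shown above, added here as an example (it is not the post author's script): it keeps the same start/stop behaviour but, before killing anything, verifies through /proc/<pid>/comm that the pid recorded in /run/pcscd/pcscd.pid still belongs to a pcscd process, so a stale pid file left by a crash or unclean shutdown cannot make the script kill an unrelated process that reused the pid. The binary and pid file paths are the ones from the post; PROC_ROOT is a hypothetical override so the check can be exercised against a fake /proc tree.

```shell
#!/bin/sh
# Hardened variant of the pcscd.sh toggle from the post (added example, not the
# author's script): pid file present -> stop pcscd, else start it. Added check:
# the pid from the pid file is trusted only when /proc/<pid>/comm says the process
# really is pcscd, so a stale pid file (crash, unclean shutdown) cannot make the
# script kill an unrelated process that later reused the same pid.
PCSCD_BIN=${PCSCD_BIN:-/home/phablet/myRoot/usr/local/sbin/pcscd}  # binary path from the post
PIDFILE=${PIDFILE:-/run/pcscd/pcscd.pid}                           # pid file from the post
PROC_ROOT=${PROC_ROOT:-/proc}   # hypothetical override so the check can run against a fake tree

# pcscd_live_pid PIDFILE PROC_ROOT
# Prints the pid and returns 0 only if PIDFILE holds a plain positive integer and
# PROC_ROOT/<pid>/comm names a pcscd process; returns 1 for missing, malformed or stale files.
pcscd_live_pid() {
    _pidfile=$1; _proc=$2
    [ -f "$_pidfile" ] || return 1
    _pid=$(head -n 1 "$_pidfile" | tr -d '[:space:]')
    case $_pid in
        ''|*[!0-9]*) return 1 ;;                             # empty or not purely numeric
    esac
    [ -r "$_proc/$_pid/comm" ] || return 1                    # no such process any more
    [ "$(cat "$_proc/$_pid/comm")" = "pcscd" ] || return 1    # pid reused by something else
    printf '%s\n' "$_pid"
}

# Stop a verified-live pcscd; otherwise discard any stale pid file and start one.
pcscd_toggle() {
    if _live=$(pcscd_live_pid "$PIDFILE" "$PROC_ROOT"); then
        echo "killing pcscd pid $_live"
        sudo kill "$_live"
        return 0
    fi
    if [ -f "$PIDFILE" ]; then
        echo "removing stale pid file $PIDFILE"
        sudo rm -f "$PIDFILE"
    fi
    sudo "$PCSCD_BIN" --auto-exit
    if _live=$(pcscd_live_pid "$PIDFILE" "$PROC_ROOT"); then
        echo "started pcscd pid $_live"
    else
        echo "pcscd did not come up (no valid pid file)" >&2
        return 1
    fi
}

# Act only when invoked as ./pcscd.sh --toggle; sourcing the file just defines the functions.
if [ "${1:-}" = "--toggle" ]; then
    pcscd_toggle
fi
```

Note that a process can rename its own comm entry, so this guards against stale pid files, not against a hostile local process; the pid file directory under /run is still root-owned as in the original setup.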
