
card serials change and keys without certificates are not shown during learn? #68

Open
inorton-entrust opened this issue Nov 16, 2024 · 2 comments

Comments

@inorton-entrust

Hi, I'm using an nCipher HSM as my pkcs11 device. I have my key available and can do normal pkcs11 signing with it, but this key isn't appearing during the LEARN command.

When I originally got the key into gpg on another system the application ID value (and card serial) shown by doing "gpg --card-status" showed different values.

Application ID ...: D27600012401115031312CF4EEE61111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: 2CF4EEE6

Now, with a different computer, the same command reports:

Application ID ...: D2760001240111503131476E4A811111
Application type .: OpenPGP
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: 476E4A81

This now means that the agent prompts me to insert a card with the "2CF4EEE6" serial.

If however I hex edit the gpg shadow file to set the new value, my token is loaded and signs correctly.

Where are we getting this application ID string from? Is it possible to override it, or to generate it in a way that is consistent with only data on a token?

@inorton-entrust inorton-entrust changed the title keys without certificates are not shown during learn? card serials change and keys without certificates are not shown during learn? Nov 16, 2024

inorton-entrust commented Nov 16, 2024

I see now! The hex string "application id" is a serialised string made up by pkcs11-helper out of:

```c
	{ /* Must be after assert */
		/* CK_TOKEN_INFO fields that pkcs11-helper concatenates into the serialized token id */
		sources[0] = token_id->manufacturerID;
		sources[1] = token_id->model;
		sources[2] = token_id->serialNumber;
		sources[3] = token_id->label;
		sources[4] = NULL;
	}
```

In my case I have several HSMs and each HSM has a different serial; my pkcs11 token can be loaded on any one of these devices.
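As an added worked example, not code from this issue or from gnupg-pkcs11-scd: it parses the two application IDs printed in the first post with the OpenPGP AID layout to show that only the 4-byte serial field differs, then serializes constructed token fields the way the quoted pkcs11-helper snippet lists them to show why including the HSM's serialNumber changes the derived serial while a token-only derivation stays stable. The hash used to turn the serialized id into a serial is an assumption about how such a value might be derived, not the project's actual method; the token field values are constructed.

```python
import hashlib

# Application IDs exactly as "gpg --card-status" printed them in this issue
AID_OLD = "D27600012401115031312CF4EEE61111"
AID_NEW = "D2760001240111503131476E4A811111"


def parse_openpgp_aid(aid_hex: str) -> dict:
    """Split a 16-byte OpenPGP application ID into its fields
    (RID+app 6 bytes, version 2, manufacturer 2, serial 4, RFU 2)."""
    b = bytes.fromhex(aid_hex)
    if len(b) != 16 or b[:6] != bytes.fromhex("D27600012401"):
        raise ValueError("not an OpenPGP application ID")
    return {
        "version": f"{b[6]:02X}.{b[7]:02X}",        # "11.50" on the page
        "manufacturer": b[8:10].hex().upper(),
        "serial": b[10:14].hex().upper(),
        "rfu": b[14:16].hex().upper(),
    }


def changed_fields(aid_a: str, aid_b: str) -> list:
    """Names of the AID fields that differ between two cards/tokens."""
    a, b = parse_openpgp_aid(aid_a), parse_openpgp_aid(aid_b)
    return [k for k in a if a[k] != b[k]]


def serialize_token_id(manufacturer_id, model, serial_number, label) -> str:
    """Join the four CK_TOKEN_INFO fields listed in the quoted pkcs11-helper
    snippet. The real library escapes and joins them; '/' is an approximation."""
    return "/".join((manufacturer_id, model, serial_number, label))


def derive_card_serial(serialized: str) -> str:
    """ASSUMPTION: the 4-byte card serial is a hash of the serialized token id.
    gnupg-pkcs11-scd's actual derivation may differ; what matters is that any
    changed input field changes the output."""
    return hashlib.sha256(serialized.encode()).digest()[:4].hex().upper()


def serial_on_hsm(hsm_serial: str, token_only: bool = False) -> str:
    """Constructed token (same key material, same label) loaded on an HSM whose
    CK_TOKEN_INFO.serialNumber is hsm_serial. With token_only=True the device
    serial is left out, so only fields that travel with the token are hashed."""
    fields = ["nCipher Corp", "nShield", hsm_serial, "signing-token"]  # constructed
    if token_only:
        fields[2] = ""
    return derive_card_serial(serialize_token_id(*fields))
```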

@inorton-entrust

I've also noticed that gnupg-pkcs11-scd only searches the first token it finds; that is useful to know.
