mirror of
https://salsa.debian.org/gnuk-team/gnuk/gnuk.git
synced 2024-09-19 18:30:15 +00:00
Version 2.1.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
parent
6a1b199b52
commit
c7a98b7d13
@ -1,3 +1,10 @@
|
||||
2023-09-05 NIIBE Yutaka <gniibe@fsij.org>
|
||||
|
||||
* VERSION: 2.1.
|
||||
|
||||
* tool/gnuk_token.py (gnuk_token.cmd_external_authenticate): Don't
|
||||
use command chaining.
|
||||
|
||||
2023-09-05 NIIBE Yutaka <gniibe@fsij.org>
|
||||
|
||||
* chopstx: Update to Chopstx 2.5.
|
||||
|
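Review bot: The new 2023-09-05 entry does not account for NEWS and README, both of which this commit changes heavily; it lists only VERSION and tool/gnuk_token.py. Suggest adding a line such as "* NEWS, README: Update for 2.1." so the ChangeLog covers every file touched.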
36
NEWS
36
NEWS
@ -3,13 +3,41 @@ Gnuk NEWS - User visible changes
|
||||
|
||||
* Major changes in Gnuk 2.1
|
||||
|
||||
Released 2022-XX-XX, by NIIBE Yutaka
|
||||
Released 2023-09-05, by NIIBE Yutaka
|
||||
|
||||
** Removal of RSA support
|
||||
** Ed448 and X448 support.
|
||||
Ed448 and X448 support are added. This support is experimental.
|
||||
|
||||
** Replace AES implementation
|
||||
** Removal of RSA support.
|
||||
RSA support has been removed.
|
||||
|
||||
** Change of authentication for firmware upgrade
|
||||
** Removal of NIST P-256 support.
|
||||
NIST P-256 curve support has been removed.
|
||||
|
||||
** Removal of debug option at configure (--enable-debug).
|
||||
Debug option with CDC-ACM has been removed. Please have a JTAG/SWD
|
||||
debugger and use GDB.
|
||||
|
||||
** Removal of highly experimental pinpad support.
|
||||
Pinpad support has been removed.
|
||||
|
||||
** Removal of old test.
|
||||
We had old tests under "test/" directory which used python-nose. We
|
||||
switched to pytest and it's now under "tests/" directory.
|
||||
|
||||
** Replace AES implementation for encrypting secret keys on flash.
|
||||
Secret keys on flash is encrypted with AES-GCM-SIV. We now use
|
||||
AES-256 implementation of our own.
|
||||
|
||||
** Change of authentication for firmware upgrade.
|
||||
In Gnuk 1.2, we registered an RSA public key for firmware upgrade.
|
||||
The RSA key is used by Gnuk Token to do challenge-response
|
||||
authentication, so that only the secret key holder of RSA can do the
|
||||
firmware upgrade. In Gnuk 2, PIN authentication for Admin is used
|
||||
for firmware upgrade.
|
||||
|
||||
** Upgrade of Chopstx
|
||||
We use Chopstx 2.5. It uses picolibc (instead of newlib).
|
||||
|
||||
|
||||
* Major changes in Gnuk 1.2.19
|
||||
|
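Review bot: The "Change of authentication for firmware upgrade" item does not say what the switch to Admin PIN means for a token still on factory settings. README in this same commit states that the factory admin password is "12345678", so as written the upgrade path is guarded by a published default until the Admin PIN is changed. Suggest adding a sentence here telling users to change the Admin PIN before relying on the token. While the section is open, "Secret keys on flash is encrypted" in the AES item should read "are encrypted".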
114
README
114
README
@ -1,26 +1,21 @@
|
||||
Gnuk - An Implementation of USB Cryptographic Token for GnuPG
|
||||
|
||||
Version 2.1
|
||||
2022-0?-??
|
||||
2023-09-05
|
||||
Niibe Yutaka
|
||||
Free Software Initiative of Japan
|
||||
|
||||
Release Notes
|
||||
=============
|
||||
|
||||
This is the release of Gnuk, version 2.1, which has major incompatible
|
||||
changes to Gnuk 1.
|
||||
|
||||
Please update your documentation for Gnuk Token, so that the
|
||||
instruction of importing keys won't cause any confusion.
|
||||
This is the release of Gnuk, version 2.1, which has major clean up
|
||||
from Gnuk 1.2. Many (questionable) features have been removed.
|
||||
|
||||
It has supports of Ed25519 and X25519 (ECDH on Curve25519). It also
|
||||
has experimental support of ECDSA on secp256k1 and ECDH on secp256k1.
|
||||
has experimental support of Ed448 and X448.
|
||||
|
||||
It supports new KDF-DO feature. Please note that this is
|
||||
experimental. To use the feature, you need to use newer GnuPG (2.2.6
|
||||
or later). You need to prepare the KDF-DO on your token by the
|
||||
card-edit/kdf-setup command.
|
||||
It supports the KDF-DO feature. You need to prepare the KDF-DO on
|
||||
your token by the card-edit/kdf-setup command of GnuPG.
|
||||
|
||||
With FST-01SZ and GNU/Linux emulation, experimental ack button support
|
||||
is available for test.
|
||||
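Review bot: The Release Notes paragraph no longer warns about incompatibility: "major incompatible changes to Gnuk 1" becomes "major clean up", and the algorithm paragraph stops listing secp256k1 without any text saying it was dropped (the NEWS section names only RSA and NIST P-256). Suggest keeping an explicit sentence for users upgrading from Gnuk 1.2 that states which key types a 2.1 token no longer accepts. Also, "It has supports of Ed25519" in the context line reads better as "It supports Ed25519".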
@ -63,13 +58,10 @@ A0: Good points of Gnuk are:
|
||||
"for Free Software"; Gnuk supports GnuPG.
|
||||
|
||||
Q1: What kind of key algorithm is supported?
|
||||
A1: Gnuk version 1.0 only supports RSA-2048.
|
||||
Gnuk version 1.2.x supports 255-bit EdDSA, as well as RSA-4096.
|
||||
(Note that it takes long time to sign with RSA-4096.)
|
||||
A1: Gnuk version 2.1 supports Ed25519, Ed448, X25519 and X448.
|
||||
|
||||
Q2: How long does it take for digital signing?
|
||||
A2: It takes a second and a half or so for RSA-2048.
|
||||
It takes more than 8 seconds for RSA-4096.
|
||||
A2: It takes less than a second for ECC.
|
||||
|
||||
Q3: What's your recommendation for target board?
|
||||
A3: Orthodox choice is Olimex STM32-H103.
|
||||
@ -78,13 +70,11 @@ A3: Orthodox choice is Olimex STM32-H103.
|
||||
electronics, STM32 Nucleo F103 is the best choice for experiment.
|
||||
|
||||
Q4: What's version of GnuPG are you using?
|
||||
A4: In Debian GNU/Linux system, I use GnuPG modern 2.2.23.
|
||||
A4: In Debian GNU/Linux system, I use GnuPG modern 2.4.1.
|
||||
|
||||
Q5: What's version of pcscd and libccid are you using?
|
||||
A5: I don't use them, pcscd and libccid are optional, you can use Gnuk
|
||||
Token without them.
|
||||
I tested pcscd 1.5.5-4 and libccid 1.3.11-2 which were in Debian
|
||||
squeeze.
|
||||
|
||||
Q6: What kinds of hardware is required for development?
|
||||
A6: You need a target board plus a JTAG/SWD debugger. If you just
|
||||
@ -98,44 +88,6 @@ A7: Olimex STM32-H103 plus ARM-USB-TINY-H cost 70 Euro or so.
|
||||
Q8: How much does it cost for DIY version?
|
||||
A8: STM32 Nucleo F103 costs about $10 USD.
|
||||
|
||||
Q9: I got an error like "gpg: selecting openpgp failed: ec=6.108", what's up?
|
||||
A9: Older GnuPG's SCDaemon has problems for handling insertion/removal of
|
||||
card/reader. When your newly inserted token is not found by
|
||||
GnuPG, try killing scdaemon and let it to be invoked again. I do:
|
||||
|
||||
$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
|
||||
|
||||
and confirm scdaemon doesn't exist, then,
|
||||
|
||||
$ gpg-connect-agent learn /bye
|
||||
|
||||
Qa: With GNOME 2, I can't use Gnuk Token for SSH. How can we use it for SSH?
|
||||
Aa: You need to deactivate seahorse-agent and gnome-keyring, but use
|
||||
gpg-agant for the role of ssh-agent. For gnome-keyring please do:
|
||||
|
||||
$ gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
|
||||
|
||||
Qb: With GNOME 3.0, I can't use Gnuk Token at all. Why?
|
||||
Ab: That's because gnome-keyring-daemon interferes GnuPG. Type:
|
||||
|
||||
$ gnome-session-properties
|
||||
|
||||
and at the tab of "Startup Programs", disable check buttons for
|
||||
"GPG Password Agent" and "SSH Key Agent".
|
||||
|
||||
Qc: With GNOME 3.x (x >= 8?), I can't use Gnuk Token at all. Why?
|
||||
Ac: That's because gnome-keyring-daemon interferes GnuPG. Please
|
||||
disable the invocation of gnome-keyring-daemon. In Debian
|
||||
wheezy, it's in the files /etc/xdg/autostart/gnome-keyring-ssh.desktop
|
||||
and /etc/xdg/autostart/gnome-keyring-gpg.desktop.
|
||||
We have a line something like:
|
||||
|
||||
OnlyShowIn=GNOME;Unity;MATE;
|
||||
|
||||
Please edit this line to:
|
||||
|
||||
OnlyShowIn=
|
||||
|
||||
Qd: Do you know a good SWD debugger to connect FST-01 or something?
|
||||
Ad: ST-Link/V2 is cheap one. We have a tool/stlinkv2.py as flash ROM
|
||||
writer program. STM32 Nucleo F103 comes with the valiant of
|
||||
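Review bot: With Q9, Qa, Qb and Qc removed, the FAQ labels jump from Q8/A8 straight to Qd/Ad. Suggest relabelling the remaining entry, and any that follow it, so the numbering is contiguous, for example Q9/A9. In the Ad context line, "valiant" looks like a typo for "variant".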
@ -165,11 +117,9 @@ Gnuk is tested by test suite. Please see the "tests" directory.
|
||||
* PSO: Decipher
|
||||
* INTERNAL AUTHENTICATE
|
||||
* Changing value of password status bytes (0x00C4): forcesig
|
||||
* Verify with pin pad
|
||||
* Modify with pin pad
|
||||
* Card holder certificate (read)
|
||||
* Removal of keys
|
||||
* Key generation on device side for RSA-2048
|
||||
* Key generation on device side
|
||||
* Overriding key import
|
||||
|
||||
Original features of Gnuk, tested manually lightly:
|
||||
@ -200,7 +150,7 @@ script prepending 'bash' before './configure'.
|
||||
|
||||
Some tools are written in Python. If your Python is not installed as
|
||||
/usr/bin/python, please prepend 'python' or 'python3' for your command
|
||||
invocation. I use Python 3.8 and PyUSB 1.0.2.
|
||||
invocation. I use Python 3.11, PyUSB 1.2.2, CFFI 1.15.1.
|
||||
|
||||
|
||||
Source code
|
||||
@ -237,7 +187,7 @@ External source code
|
||||
|
||||
Gnuk is distributed with external source code.
|
||||
|
||||
* chopstx/ -- Chopstx 2.4
|
||||
* chopstx/ -- Chopstx 2.5
|
||||
|
||||
We use Chopstx as the kernel for Gnuk.
|
||||
|
||||
@ -307,10 +257,10 @@ You need GNU toolchain and newlib for 'arm-none-eabi' target.
|
||||
On Debian we can install the packages of gcc-arm-none-eabi
|
||||
and its friends. I'm using:
|
||||
|
||||
binutils-arm-none-eabi 2.37-7+15
|
||||
gcc-arm-none-eabi 15:10.3-2021.07-4
|
||||
libnewlib-arm-none-eabi 3.3.0-1
|
||||
gdb-multiarch 10.1-2
|
||||
binutils-arm-none-eabi 2.40-2+18+b1
|
||||
gcc-arm-none-eabi 15:12.2.rel1-1
|
||||
picolibc-arm-none-eabi 1.8-1
|
||||
gdb-multiarch 13.1-3
|
||||
|
||||
Or else, see https://launchpad.net/gcc-arm-embedded for preparation of
|
||||
GNU Toolchain for 'arm-none-eabi' target.
|
||||
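Review bot: The sentence shown in the hunk header, "You need GNU toolchain and newlib for 'arm-none-eabi' target.", is stale after this change, because the package list under it replaces libnewlib-arm-none-eabi with picolibc-arm-none-eabi. Suggest updating that sentence to name picolibc, matching the NEWS item that says Chopstx 2.5 uses picolibc instead of newlib.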
@ -427,15 +377,7 @@ In case of PyUSB tool, you need to stop pcscd.
|
||||
# systemctl stop pcscd
|
||||
|
||||
|
||||
(2) [Optional] Write fixed serial number
|
||||
|
||||
If you use fixed serial number in the file 'GNUK_SERIAL_NUMBER', you can do:
|
||||
|
||||
$ EMAIL=<YOUR-EMAIL-ADDRESS> ../tool/gnuk_put_binary_usb.py -s ../GNUK_SERIAL_NUMBER
|
||||
Writing serial number
|
||||
...
|
||||
|
||||
(3) [Optional] Write card holder certificate
|
||||
(2) [Optional] Write card holder certificate
|
||||
|
||||
If you have card holder certificate binary file, you can do:
|
||||
|
||||
@ -448,18 +390,6 @@ If you have card holder certificate binary file, you can do:
|
||||
How to run
|
||||
==========
|
||||
|
||||
Debug enabled
|
||||
-------------
|
||||
|
||||
If you compiled with --enable-debug option, Gnuk has two interfaces
|
||||
(one is CCID/ICCD device and another is virtual COM port). Open
|
||||
virtual COM port by:
|
||||
|
||||
$ cu -l /dev/ttyACM0
|
||||
|
||||
and you will see debug output of Gnuk.
|
||||
|
||||
|
||||
Testing Gnuk
|
||||
------------
|
||||
|
||||
@ -483,12 +413,12 @@ Login name, Sex, Languages, URL. To do so, GnuPG command is:
|
||||
Note that the factory setting of user password is "123456" and admin
|
||||
password is "12345678" as the specification.
|
||||
|
||||
It is recommended to create your keys on your computer, and import
|
||||
them to Gnuk Token. After you create your keys (they must be 2048-bit
|
||||
RSA), you can import them.
|
||||
It is recommended to create your keys on your host computer, and
|
||||
import them to Gnuk Token. After you create your keys (they must be
|
||||
supported ones by Gnuk Token), you can import them.
|
||||
|
||||
Gnuk supports key generation, but this feature is young and should be
|
||||
considered experimental.
|
||||
Gnuk supports key generation, but this feature should be considered
|
||||
experimental.
|
||||
|
||||
For detail, please see documentation under doc/. You can see the HTML
|
||||
version at: https://www.fsij.org/doc-gnuk/
|
||||
|
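Review bot: "they must be supported ones by Gnuk Token" in the key import paragraph does not tell the reader which keys qualify, where the old text gave a concrete requirement. Suggest naming the algorithms from A1, for example "they must be of a type Gnuk Token supports: Ed25519, Ed448, X25519 or X448".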
@ -1,7 +1,7 @@
|
||||
"""
|
||||
gnuk_token.py - a library for Gnuk Token
|
||||
|
||||
Copyright (C) 2011, 2012, 2013, 2015, 2017, 2018
|
||||
Copyright (C) 2011, 2012, 2013, 2015, 2017, 2018, 2023
|
||||
Free Software Initiative of Japan
|
||||
Author: NIIBE Yutaka <gniibe@fsij.org>
|
||||
|
||||
@ -469,7 +469,7 @@ class gnuk_token(object):
|
||||
return self.cmd_get_response(sw[1])
|
||||
|
||||
def cmd_external_authenticate(self):
|
||||
cmd_data = iso7816_compose(0x82, 0x00, 0x00, b"", cls=0x10)
|
||||
cmd_data = iso7816_compose(0x82, 0x00, 0x00, b"")
|
||||
sw = self.icc_send_cmd(cmd_data)
|
||||
if len(sw) != 2:
|
||||
raise ValueError(sw)
|
||||
|
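Review bot: cmd_external_authenticate has no docstring or comment explaining why EXTERNAL AUTHENTICATE (INS 0x82) goes out with an empty data field and without cls=0x10. Suggest a short comment stating that the command is sent as a single APDU with no command chaining (the ChangeLog's wording), so a later reader does not restore the class byte. The visible error path, "raise ValueError(sw)" when len(sw) != 2, passes the caller only the raw bytes; a message naming the command would make failures easier to trace.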