OpenGPG smart card, GnuPG and an ACS ACR30U reader. Part Two.

My OpenGPG card arrived, looking very much as it did on the website:

These cards are basically the same as the ones issued to FSFE members, but have a different design printed on them. As far as I can tell, they are produced by the same company that produces the FSFE ones, although the specification for the cards is an open one that anyone can implement. The card was shipped with a printed copy of the GnuPG Smartcard HOWTO:

The printed copy includes instructions like “download the latest version and apply this patch.” Given that underlined words on a sheet of paper are not clickable hyperlinks, this presents a problem for people trying to follow the instructions. Fortunately most people won’t have to worry about compiling their own verison of GnuPG as most modern distros should have a new enough version with the appropriate support.

So, I plugged my new card into the reader, and the card responded to the ATR command from opensc-tool. However, the basic test to check that GPG is talking to the card wouldn’t work: gpg --card-status just returned errors. More googling showed up posts on various mailing lists that showed that GnuPG and OpenCT didn’t work together. Some posts suggested this was due to the OpenCT API changing rapidly and suggested that it might be implemented in the future. I can’t tell whether this situation has changed since the posts were made, but it seemed safer to assume it hadn’t. So although I had the correct card, a supported card reader and some software to query the card, the application I want to actually use with the card wouldn’t work with the software I was using. So I turned my attention to PC/SC.

Whilst looking into PC/SC in more detail, I started to get how the various bits of smartcard software available interacted. PC/SC is a standard originally developed by Microsoft, but now maintained by an external group of interested parties. It defines a standard API for applications to communicate with smartcard readers. Any card reader supporting the PC/SC can be addressed by applications that support PC/SC. At least, that’s the theory. On Linux, PC/SC is implemented by the PCSCLite project, from the MUSCLE (Movement for the Use of SmartCards in a Linux Environment) project.

PCSCLite runs as a daemon process (pcscd) in the background. It detects USB readers as they are connected to the PC, but requires manual configuration in /etc/reader.conf for serial devices. (On Debian and Ubuntu systems, the /etc/reader.conf file is managed by the system using entries in /etc/reader.conf.d, but the principal is the same.) The daemon is contained in the pcscd package, and the userspace tools in the pcsc-tools package.

So, this was roughly the revelation point for me. PCSCLite and OpenCT are roughly equivalent pieces of software. They both provide drivers for smartcard readers and an API through which other applications can talk to the smartcards. Readers supported by one may not be supported by the other, although there seems to be quite a few that are supported by both. The principle difference seems to be that PCSCLite provides a PC/SC interface, whilst OpenCT is designed around a PKCS interface. (Some webpages seems to suggest that OpenCT can be made to provide a PC/SC interface for applications to use, however I couldn’t find any concrete documentation on this.) Another difference is that openct has the drivers for supported readers built into it, whereas pcscd requires an external driver to be loaded for each reader.

I couldn’t use GPG to communicate with my OpenGPG card through OpenCT, because GPG itself couldn’t “talk” to OpenCT. OpenSC, however, can talk to OpenCT. The GnuPG application itself supports OpenGPG cards directly, so doesn’t need an interpreter to talk to them, only the ability to address the card through the reader. GnuPG supports PC/SC, not OpenCT.

As mentioned earlier, OpenSC supports three different backends, including the project’s own backend, OpenCT and the wider-spread PC/SC. The third is CT-API, which seems to be popular in German projects, but hasn’t really featured in my investigations. OpenSC supports PKCS#15 cards (a Public Key Cryptography “standard”), including OpenGPG cards. This means that with a working PC/SC backend, I should be able to use opensc-tool to query the card, and applications written to use the OpenSC interface should be able to do the same.

With the pcscd and pcsc-tools packages installed, I just needed to ensure there was a driver for my card reader available to pcscd. Some poking around showed that there are relatively few drivers available in Debian and Ubuntu, most of which are in their own package. There are quite a few smartcard reader drivers available from the MUSCLE people, including the CCID driver, which seems to be a generic driver for quite a few smartcard readers. libccid doesn’t support the ACR30, but there is a driver for the ACR30 available for download from the manufacturer. I downloaded the USB version, although there is also one for serial devices and a driver for what are labelled as propriatory drivers.

The driver Linux driver as downloaded contains a README crediting David Corcoran from linuxnet.com as the author and pointing people to the LICENCE file for a copy of the licence. This is a method commonly used by people distributing software under the GPL although the LICENCE file is missing from the zip file. The headers of some of the files point to a COPYING file, also missing. None of them include references to the GPL as is usual with GPL software and recommended by the GNU project. This is possibly why the driver hasn’t been redistributed by distros. I’ve e-mailed David Corcoran to see if he can help clear it up.

Fortunately compiling and installing the driver was very simple. I already have a build environment installed on my PC (the build-essential package) so I unpacked the zip file, changed into the newly created directory containing the source code and ran make. I then copied the driver to the correct location (which differs from that in the Makefile), /usr/lib/pcsc/drivers. See the wiki page for more details on the compilation, such as they are.

In order to test the device, I stopped the running pcscd instance with an /etc/init.d/pcscd stop command. I then ran pcscd from a terminal using pcscd --apdu --foreground, which keeps the process active on the terminal and shows lots of debugging information. The output on the console (again, details on the wiki page) showed pcscd starting, the card reader being detected when it was connected and the card ATR being shown when the card was inserted. The ATR of the card matched the ATR of the OpenGPG card type listed in /usr/lib/pcsc/smartcard_list.txt. I was be able to unplug and replug the reader as often as I like, and remove and reinsert the card repeatedly. pcscd coped fine.

So, for the acid test. The command gpg --card-status is used to show basic details about an OpenGPG card and is a recommended way of testing whether GnuPG can talk to your OpenGPG smartcard. I ran it and the output matched the sample output in the HOWTO. Time to finally start doing some GPG stuff with this card!

To be continued…

Be Sociable, Share!
    Pin It

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    Comment Spam Protection by WP-SpamFree