alonbl/gnupg-pkcs11-scd

safenet HSM card not found with gpg 2.2.9

Closed this issue · 15 comments

Hi,

Thanks for having the option to open issues.

We use a SafeNet HSM with gpg 2.0.22 for RPM signing. As part of the RHEL OS upgrade to RHEL 8, gpg also got upgraded to 2.2.9, and the new gpg version is unable to find the smartcard. We kindly request your valuable input to pinpoint the issue.

Hereby pasting the config files and attaching the debug log.

cat /etc/gnupg-pkcs11-scd.conf
# Log file.
log-file /var/log/scd.log

# Default is not verbose.
verbose

# Default is no debugging.
debug-all

providers safenet
provider-safenet-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so

openpgp-sign *************************************************
openpgp-encr *************************************************
openpgp-auth *************************************************


cat gpg-agent.conf
scdaemon-program /usr/bin/gnupg-pkcs11-scd-proxy
pinentry-program /home/ITUD/.gnupg/pinentry-file.home


[ITUD@eaasrt ~]$ gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.9)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Not found


Log file
scd.txt

Thanks, Alon, for your time. I couldn't locate any particular man page for GPG 2.2 integration.

Could you please pinpoint the changes or refer me to documents, if handy?

Thanks, Alon. I referred to this document: https://manpages.debian.org/testing/gnupg-pkcs11-scd/gnupg-pkcs11-scd.1.en.html
The first step fails with card not found:
[ITUD@eaasrt ~]$ gpg --card-status
gpg: WARNING: server 'scdaemon' is older than us (0.9.2 < 2.2.9)
gpg: Note: Outdated servers may lack important security fixes.
gpg: Note: Use the command "gpgconf --kill all" to restart them.
gpg: OpenPGP card not available: Not found
[ITUD@eaasrt ~]$

Please advise.

Attaching log and conf files.

[root@eaasrt ~]# cat /etc/gnupg-pkcs11-scd.conf
# Log file.
log-file /var/log/scd.log

# Default is not verbose.
verbose

# Default is no debugging.
debug-all

providers safenet
provider-safenet-library /usr/safenet/lunaclient/lib/libCryptoki2_64.so


[ITUD@eaasrt ~]$ cat .gnupg/gpg-agent.conf
scdaemon-program /usr/bin/gnupg-pkcs11-scd-proxy
pinentry-program /home/ITUD/.gnupg/pinentry-file.home
[ITUD@eaasrt ~]$


log
scd.txt

There are no slots with a token:

gnupg-pkcs11-scd[100709.2232595904]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=0

Please use opensc pkcs11-tool to list slots, you will probably see the same.

Yes, Alon, no available slots:
[ITUD@eaasrt ~]$ pkcs11-tool -L
Available slots:
No slots.
[ITUD@eaasrt ~]$ gpg --version
gpg (GnuPG) 2.2.9
libgcrypt 1.8.3


However, even with the working gpg, pkcs11-tool is not listing any slots:

[ITUD@eaasrt ~]$ pkcs11-tool -L
Available slots:
No slots.
[ITUD@eaasrt ~]$ gpg --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
[ITUD@eaasrt ~]$ gpg --card-status
Application ID ...: D2760001240111503131C2D4773A1111
Version ..........: 11.50
Manufacturer .....: unknown
Serial number ....: C2D4773A
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 1R 1R 1R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 4C23 3EE7 3837 A49F 0540 C67D 5CD1 F0B9 65D2 1C94
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
[ITUD@eaasrt ~]$ pkcs11-tool -L

Hi Alon,

We use the HSM card just for RPM signing; the HSM card contains a key and certificates. gpg 2.0 is able to fetch the key, whereas gpg 2.2 is unable to fetch the key from the same HSM.

gpg 2.0:

[ITUD@eaasrt ~]$ gpg-agent --server gpg-connect-agent
OK Pleased to meet you
SCD LEARN
S SERIALNO D2760001240111503131C2D4773A1111
S APPTYPE PKCS11
S KEY-FRIEDNLY 4C233EE73837A49F0540C67D5CD1F0B965D21C94 /CN=Dummy 1 on par1
S KEY-FPR 1 4C233EE73837A49F0540C67D5CD1F0B965D21C94
S CERTINFO 101 Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E2/543519014/par1/01
S KEYPAIRINFO 4C233EE73837A49F0540C67D5CD1F0B965D21C94 Safenet\x2C\x20Inc\x2E/LunaSA\x206\x2E2\x2E2/543519014/par1/01
OK

gpg 2.2:

[ITUD@eaasrt ~]$ gpg-agent --server gpg-connect-agent
OK Pleased to meet you
SCD LEARN
S SERIALNO
S APPTYPE PKCS11
OK

Not sure what we are missing here.

A server-client architecture is implemented for the HSM. On whichever machine needs to sign the RPM, the HSM client is installed and a trust link is made with the HSM server.

Machines with GPG 2.0 are able to sign RPMs properly, whereas machines with GPG 2.2 are unable to fetch the keys.

As per your guidance, I installed OpenSC on both machines (gpg 2.0 and gpg 2.2) and checked the slots; both machines reported no slot available. Since the properly working gpg 2.0 machine also output the same result, I got confused by the approach.

GPG 2.0 machine output:

[ITUD@eaasrt ~]$ pkcs11-tool -L
Available slots:
No slots.
[ITUD@eaasrt ~]$ gpg --version
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3

GPG 2.2 machine output:

[ITUD@eaasrt ~]$ pkcs11-tool -L
Available slots:
No slots.
[ITUD@eaasrt ~]$ gpg --version
gpg (GnuPG) 2.2.9
libgcrypt 1.8.3

Is our situation clear? Do you need any more info?

Thanks for your time and input.

This is the output of pkcs11-tool from the problematic machine:

[root@eaasrt ~]# pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -L
Available slots:
Slot 0 (0x0): LunaNet Slot
token label : par1
token manufacturer : Safenet, Inc.
token model : LunaSA 6.2.2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 0.0
firmware version : 6.10
serial num : 543519014
pin min/max : 7/255
Slot 1 (0x1): Luna UHD Slot
(empty)
Slot 2 (0x2): Luna UHD Slot
(empty)
Slot 3 (0x3): Luna UHD Slot
(empty)
Slot 4 (0x4): Luna G7 Slot
(empty)
Slot 5 (0x5): Luna G7 Slot
(empty)
Slot 6 (0x6): Luna G7 Slot
(empty)

I notice another behavior on the machine: the slot has output for the root user but not for the other (ITUD) user.

Does it explain something?

Other user (ITUD):

[ITUD@eaasrt ~]$ pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -L
Available slots:
Slot 0 (0x0): Luna UHD Slot
(empty)
Slot 1 (0x1): Luna UHD Slot
(empty)
Slot 2 (0x2): Luna UHD Slot
(empty)
Slot 3 (0x3): Luna G7 Slot
(empty)
Slot 4 (0x4): Luna G7 Slot
(empty)
Slot 5 (0x5): Luna G7 Slot
(empty)
[ITUD@eaasrt ~]$ exit
logout

Root user:

[root@eaasrt ~]# pkcs11-tool --module /usr/safenet/lunaclient/lib/libCryptoki2_64.so -L
Available slots:
Slot 0 (0x0): LunaNet Slot
token label : par1
token manufacturer : Safenet, Inc.
token model : LunaSA 6.2.2
token flags : login required, rng, token initialized, PIN initialized, other flags=0x20
hardware version : 0.0
firmware version : 6.10
serial num : 543519014
pin min/max : 7/255
Slot 1 (0x1): Luna UHD Slot
(empty)
Slot 2 (0x2): Luna UHD Slot
(empty)
Slot 3 (0x3): Luna UHD Slot
(empty)
Slot 4 (0x4): Luna G7 Slot
(empty)
Slot 5 (0x5): Luna G7 Slot
(empty)
Slot 6 (0x6): Luna G7 Slot
(empty)
[root@eaasrt ~]#
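Added example, not code from the issue or from the gnupg-pkcs11-scd project: a small POSIX sh diagnostic that separates the two failure layers the thread compares, the PKCS#11 module seeing no token for a given user (as with the ITUD user above) versus the token being visible but scdaemon learning no key pairs (as in the gpg 2.2 SCD LEARN reply). The embedded outputs are constructed to resemble the thread's, and treating a "token label" line and an "S KEYPAIRINFO" line as the markers of success is an assumption about those tools' output format.

```shell
#!/bin/sh
# Constructed samples (not captured data) shaped like `pkcs11-tool --module <lib> -L`
# output and like a gpg-connect-agent reply to `SCD LEARN`.
PKCS11_USER='Available slots:
Slot 0 (0x0): Luna UHD Slot
  (empty)
Slot 1 (0x1): Luna G7 Slot
  (empty)'

PKCS11_ROOT='Available slots:
Slot 0 (0x0): LunaNet Slot
  token label        : par1
  token manufacturer : Safenet, Inc.
Slot 1 (0x1): Luna UHD Slot
  (empty)'

LEARN_EMPTY='OK Pleased to meet you
S SERIALNO
S APPTYPE PKCS11
OK'

LEARN_OK='OK Pleased to meet you
S SERIALNO D2760001240111503131C2D4773A1111
S APPTYPE PKCS11
S KEYPAIRINFO 4C233EE73837A49F0540C67D5CD1F0B965D21C94 placeholder-id
OK'

# Slots that carry a token print a "token label" line; empty slots print "(empty)".
count_tokens() { printf '%s\n' "$1" | grep -c '^ *token label' || true; }

# scdaemon reports one "S KEYPAIRINFO" status line per key pair it learned.
count_keypairs() { printf '%s\n' "$1" | grep -c '^S KEYPAIRINFO ' || true; }

# diagnose PKCS11_OUTPUT LEARN_OUTPUT -> prints no-token | no-keys | ok
diagnose() {
  tokens=$(count_tokens "$1")
  pairs=$(count_keypairs "$2")
  if [ "$tokens" -eq 0 ]; then
    echo "no-token"   # module sees no token: HSM client config/permissions for this user
  elif [ "$pairs" -eq 0 ]; then
    echo "no-keys"    # token visible, but scdaemon learned nothing: scd config or PIN login
  else
    echo "ok"         # at least one key pair learned from a visible token
  fi
}

# On a live host, run as each user that signs (LIB = the provider-safenet-library path):
#   diagnose "$(pkcs11-tool --module "$LIB" -L)" "$(echo 'SCD LEARN' | gpg-connect-agent)"
```

Running it as root and as the signing user side by side shows whether the break is in the HSM client layer (different verdicts per user) or in the scdaemon layer (same token, no key pairs).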