Cryptoucan™ usage: Command-line setup

Written by Jiří Keresteš on 2 May 2019.

In this week’s post we’ll look at setting up your Cryptoucan™ using the gpg command-line utility.

Before reading further, make sure you have a recent version of GnuPG installed on your computer. If you are unsure, gpg --version tells you which version you are running.

nephirus@soridormi:~$ gpg --version
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
...

Let’s begin with the token status information. Your Cryptoucan™ has to be connected to the computer (obviously).

nephirus@soridormi:~$ gpg --card-status
Reader ...........: 1FC9:81E6:35084E45-00206005-1F29003A-13310000:0
Application ID ...: D27600012401030063AF7A2E30390000
Version ..........: 3.0
Manufacturer .....: Trustica
Serial number ....: 7A2E3039
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Now you probably want to fill in the user information and generate keys. To do that, run gpg --card-edit.

nephirus@soridormi:~$ gpg --card-edit
Reader ...........: 1FC9:81E6:35084E45-00206005-1F29003A-13310000:0
Application ID ...: D27600012401030063AF7A2E30390000
Version ..........: 3.0
Manufacturer .....: Trustica
Serial number ....: 7A2E3039
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card>

This interface lets you make changes to your token. Type help to display the quick help menu.

gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
fetch          fetch the key specified in the card URL
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code

Most command names are self-explanatory. Now enable admin mode with the admin command.

gpg/card> admin
Admin commands are allowed

gpg/card> help
quit           quit this menu
admin          show admin commands
help           show this help
list           list all available data
name           change card holder's name
url            change URL to retrieve key
fetch          fetch the key specified in the card URL
login          change the login name
lang           change the language preferences
sex            change card holder's sex
cafpr          change a CA fingerprint
forcesig       toggle the signature force PIN flag
generate       generate new keys
passwd         menu to change or unblock the PIN
verify         verify the PIN and list all data
unblock        unblock the PIN using a Reset Code
factory-reset  destroy all keys and data
kdf-setup      setup KDF for PIN authentication
key-attr       change the key attribute

A whole lot of new commands are now available. Changing user information is straightforward; gpg provides on-screen instructions.
Let’s generate keys. You’ll be asked to enter your PINs (both the user PIN and the Admin PIN) several times during this process.

gpg/card> generate

...

Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Fred Tangerine
Email address: fred.tangerine@trustica.cz
Comment:
You selected this USER-ID:
    "Fred Tangerine <fred.tangerine@trustica.cz>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

gpg: key 079D60770B45884A marked as ultimately trusted
gpg: revocation certificate stored as '/home/nephirus/.gnupg/openpgp-revocs.d/FBF3F67BBD86973458A4C85E079D60770B45884A.rev'
public and secret key created and signed.

As you can see, a revocation certificate has been generated automatically. Keys generated with generate are created on the token and cannot be exported from it, so if the token is ever lost or damaged this certificate is the only way to tell others that the key is no longer valid. Move it to safe offline storage, separate from the computer you use the token with.

Troubleshooting

OpenPGP card not available

nephirus@soridormi:~$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device

Try these steps:

  • Run gpgconf --kill scdaemon
  • Reconnect the USB cable.
  • Replace your USB cable.
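The setup steps above (checking that the token is seen, that all three key slots are populated, that no PIN retry counter has hit zero) and the scdaemon restart from this troubleshooting step can be combined into one script. The following is an added example, not code from the original post or from Trustica. It builds on the machine-readable output of gpg --card-status --with-colons; the record names (serial, fpr, pinretry) follow GnuPG's colon-format documentation, the two sample status texts are constructed to mirror the states shown in this post (fingerprints are placeholders), and the use of pgrep for the pcscd check is an assumption about the host.

```shell
#!/bin/sh
# Added example (not from the original post or from Trustica): script-level
# checks for an OpenPGP token such as the Cryptoucan(TM), built on the
# machine-readable output of `gpg --card-status --with-colons`. Record names
# (serial, fpr, pinretry, ...) follow GnuPG's colon-format documentation.

# Constructed sample: a fresh token as shown in the post (no keys, 3 retries).
SAMPLE_FRESH='version:0300:
vendor:0063:Trustica:
serial:7A2E3039:
forcepin:1:::
maxpinlen:127:127:127:
pinretry:3:3:3:
sigcount:0:::
fpr::::'

# Constructed sample: a token after `generate` whose user PIN is blocked
# (first retry counter at 0). Fingerprints are placeholders, not real keys.
SAMPLE_BLOCKED='serial:7A2E3039:
pinretry:0:3:3:
sigcount:5:::
fpr:SIGFPRPLACEHOLDER:ENCFPRPLACEHOLDER:AUTFPRPLACEHOLDER:'

# card_serial STATUS: print the token serial number from colon-format STATUS.
card_serial() {
    printf '%s\n' "$1" | awk -F: '$1 == "serial" { print $2; exit }'
}

# card_keys_present STATUS: succeed (exit 0) only if all three key slots
# (signature, encryption, authentication) carry a fingerprint.
card_keys_present() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "fpr" { if ($2 != "" && $3 != "" && $4 != "") ok = 1; exit }
        END { if (ok) exit 0; exit 1 }'
}

# card_pin_blocked STATUS: succeed (exit 0) if any PIN retry counter
# (user PIN, Reset Code, Admin PIN) has reached zero.
card_pin_blocked() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pinretry" { if ($2 == "0" || $3 == "0" || $4 == "0") b = 1; exit }
        END { if (b) exit 0; exit 1 }'
}

# check_token: query the real token. If scdaemon does not see it, apply the
# first troubleshooting step (restart scdaemon) and retry once. Also warn when
# pcscd is running, since the post recommends scdaemon's internal CCID driver.
check_token() {
    status=$(gpg --card-status --with-colons 2>/dev/null) || {
        gpgconf --kill scdaemon
        status=$(gpg --card-status --with-colons 2>/dev/null) || {
            echo "no OpenPGP token found (reconnect or replace the USB cable)" >&2
            return 2
        }
    }
    echo "token serial: $(card_serial "$status")"
    if card_keys_present "$status"; then
        echo "keys: all three slots populated"
    else
        echo "keys: missing, run 'gpg --card-edit', then admin, then generate"
    fi
    if card_pin_blocked "$status"; then
        echo "WARNING: a PIN retry counter is 0; unblock with the Reset Code or Admin PIN" >&2
    fi
    # Assumption: pgrep (procps) is available; the check is skipped otherwise.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x pcscd >/dev/null 2>&1; then
        echo "note: pcscd is running; the hardware keypad may not be used" >&2
    fi
}
```

Run check_token from a shell with the token plugged in; the parsing helpers can be exercised against the constructed samples without any hardware, which is how the script is meant to be tested before being trusted on a real token.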

Software pinentry pops up

Ensure that scdaemon uses its internal CCID driver. The PC/SC driver does not support the hardware keypad well, so PIN entry falls back to a software pinentry dialog instead of the token’s keypad.

  • Disable the PC/SC daemon (pcscd) so that scdaemon can access the token directly.
  • Windows: Verify that you are using the correct device driver. If you see the WUDF USB CCID driver in Device Manager, replace it with the WinUSB driver. You can use the Zadig tool for that.

That’s all for this week, see you next Thursday!