Version 1.2.0

This commit is contained in:
NIIBE Yutaka
2016-05-20 12:03:26 +09:00
parent 1e004bec78
commit f86f97cdbe
7 changed files with 60 additions and 58 deletions


@@ -1,3 +1,9 @@
2016-05-20 NIIBE Yutaka <gniibe@fsij.org>
* VERSION: 1.2.0.
* src/usb-ccid.c (ccid_thread): Fix timeout.
(icc_handle_timeout, icc_send_status): Tweak.
2016-05-19 Niibe Yutaka <gniibe@fsij.org> 2016-05-19 Niibe Yutaka <gniibe@fsij.org>
* src/usb_ctrl.c (usb_cb_ctrl_write_finish): Set bDeviceState. * src/usb_ctrl.c (usb_cb_ctrl_write_finish): Set bDeviceState.
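Review bot: The new entry "(icc_handle_timeout, icc_send_status): Tweak." does not say what changed. In this commit icc_send_status gains a led_blink (LED_SHOW_STATUS) call and icc_handle_timeout switches its led_blink argument from LED_SHOW_STATUS to LED_ONESHOT, so the entry should name those two changes. The author is also written "NIIBE Yutaka" in the new date line but "Niibe Yutaka" in the entries below it.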
@@ -9,9 +15,6 @@
* chopstx: Update to 0.11. * chopstx: Update to 0.11.
* src/gnuk.h (LED_START_COMMAND, LED_FINISH_COMMAND): Change the
values for a case both flags will be handled.
2016-05-18 Niibe Yutaka <gniibe@fsij.org> 2016-05-18 Niibe Yutaka <gniibe@fsij.org>
* src/gnuk.ld.in: Tweak thread size. * src/gnuk.ld.in: Tweak thread size.
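Review bot: The removed lines were the only ChangeLog mention of LED_START_COMMAND and LED_FINISH_COMMAND in src/gnuk.h, yet this commit exchanges the values 8 and 16 between those two defines and moves chopstx_usec_wait (LED_TIMEOUT_STOP) from one case to the other in main. Neither change is listed under the new 2016-05-20 entry; add entries for both so the log matches the code.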

NEWS

@@ -2,15 +2,18 @@ Gnuk NEWS - User visible changes
* Major changes in Gnuk 1.2.0 * Major changes in Gnuk 1.2.0
Released 2016-02-xx, by NIIBE Yutaka Released 2016-05-20, by NIIBE Yutaka
** Upgrade of Chopstx
We use Chopstx 0.11.
** Support authentication status reset by VERIFY command. ** Support authentication status reset by VERIFY command.
This feature is described in the OpenPGPcard specification V2.2 and This feature is described in the OpenPGPcard specification V2.2 and
V3.1, which allow user to reset authentication status. V3.1, which allow user to reset authentication status.
** S2K algorithm change to defeat "copycat" service of MCU. ** S2K algorithm tweak to defeat "copycat" service of MCU.
Even if the existence of some services copying MCU, your private key Even if the existence of some services copying MCU, your private key
will not be controled by others. will not be controled by others, in some cases.
** Bug fix for secp256k1 and NIST P-256. ** Bug fix for secp256k1 and NIST P-256.
Bugs in basic computation were fixed. Bugs in basic computation were fixed.
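Review bot: The qualifier "in some cases" added to the S2K item weakens a user-visible security claim without saying which cases are covered. State the condition under which a copied MCU still cannot use the private key, or point to where it is documented. While the sentence is being edited, "controled" should be "controlled" and "Even if the existence of some services copying MCU" needs a verb.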

README

@@ -1,28 +1,27 @@
Gnuk - An Implementation of USB Cryptographic Token for GnuPG Gnuk - An Implementation of USB Cryptographic Token for GnuPG
Version 1.1.9 Version 1.2.0
2015-09-18 2016-05-20
Niibe Yutaka Niibe Yutaka
Free Software Initiative of Japan Free Software Initiative of Japan
Warning Release Notes
======= =============
This is another experimental release of Gnuk, version 1.1.9, which has This is new release of Gnuk, version 1.2.0, which has major
incompatible changes to Gnuk 1.0.x. Specifically, it now supports incompatible changes to Gnuk 1.0.x. Specifically, it now supports
overriding key import, but importing keys (or generating keys) results overriding key import, but importing keys (or generating keys) results
password reset. Please update your documentation for Gnuk Token, so password reset. Please update your documentation for Gnuk Token, so
that the instruction of importing keys won't cause any confusion. It that the instruction of importing keys won't cause any confusion.
has supports of ECDSA (with NIST P256 and secp256k1), EdDSA, and ECDH
(with NIST P256, secp256k1, and Curve25519), but this ECC feature is
pretty much experimental, and it requires modern GnuPG with
development version of libgcrypt.
It also supports RSA-4096 experimentally, but users should know that It has supports of EdDSA, ECDSA (with NIST P256 and secp256k1), and
it takes more than 8 second to sign/decrypt. ECDH (with NIST P256, secp256k1, and X25519), but this ECC feature is
somehow experimental, and it requires modern GnuPG 2.1.x with
libgcrypt 1.7.0 or later.
You will not able to keep using Curve25519 keys, as the key format is It also supports RSA-4096, but users should know that it takes more
subject to change. than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails,
because the device doesn't have enough memory.
What's Gnuk? What's Gnuk?
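Review bot: The statement that importing or generating keys results in a password reset loses its "Warning" heading here and now sits under "Release Notes", although the text still calls it a major incompatible change to Gnuk 1.0.x. Keep that sentence visibly marked as a warning. The new RSA-4096 paragraph says the algorithm is supported and then that on-device key generation fails, so say explicitly that RSA-4096 keys have to be imported. "This is new release" and "It has supports of" also need grammar fixes.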
@@ -63,11 +62,12 @@ A0: Good points of Gnuk are:
Q1: What kind of key algorithm is supported? Q1: What kind of key algorithm is supported?
A1: Gnuk version 1.0 only supports RSA-2048. A1: Gnuk version 1.0 only supports RSA-2048.
Development version of Gnuk (1.1.x) supports 256-bit ECDSA and EdDSA, Gnuk version 1.2.x supports 256-bit EdDSA and ECDSA, as well as
as well as RSA 4096-bit. But it takes long time to sign with RSA-4096. RSA-4096. But it takes long time to sign with RSA-4096.
Q2: How long does it take for digital signing? Q2: How long does it take for digital signing?
A2: It takes a second and a half or so for RSA-2048. A2: It takes a second and a half or so for RSA-2048.
It takes more than 8 secondd for RSA-4096.
Q3: What's your recommendation for target board? Q3: What's your recommendation for target board?
A3: Orthodox choice is Olimex STM32-H103. A3: Orthodox choice is Olimex STM32-H103.
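Review bot: Typo in the added A2 line: "8 secondd" should be "8 seconds", matching "more than 8 seconds" in the Release Notes section of this same file.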
@@ -77,7 +77,7 @@ A3: Orthodox choice is Olimex STM32-H103.
choice for experiment. choice for experiment.
Q4: What's version of GnuPG are you using? Q4: What's version of GnuPG are you using?
A4: In Debian GNU/Linux system, I use GnuPG modern 2.1.x in A4: In Debian GNU/Linux system, I use GnuPG modern 2.1.12 in
experimental. experimental.
Q5: What's version of pcscd and libccid are you using? Q5: What's version of pcscd and libccid are you using?
@@ -139,22 +139,14 @@ Ac: That's because gnome-keyring-daemon interferes GnuPG. Please
Qd: Do you know a good SWD debugger to connect FST-01 or something? Qd: Do you know a good SWD debugger to connect FST-01 or something?
Ad: ST-Link/V2 is cheap one. We have a tool/stlinkv2.py as flash ROM Ad: ST-Link/V2 is cheap one. We have a tool/stlinkv2.py as flash ROM
writer program. STM32 Nucleo F103 comes with the valiant of writer program. STM32 Nucleo F103 comes with the valiant of
ST-Link/V2. ST-Link/V2. However, the firmware of ST-Link/V2 is proprietary.
Now, I develop BBG-SWD, SWD debugger by BeagleBone Green.
Release notes Tested features
============= ===============
This is ninth experimental release in version 1.1 series of Gnuk. Gnuk is tested by test suite. Please see the test directory.
While it is daily use by its developer, some newly introduced features
(including ECDSA/EdDSA/ECDH, key generation and firmware upgrade)
should be considered experimental. ECDSA/EdDSA/ECDH is really
experimental. Further, ECDH on Curve25519 is much experimental. You
won't be able to keep using the key, since the key format of GnuPG is
not defined and it's subject to change.
Tested features are:
* Personalization of the card * Personalization of the card
* Changing Login name, URL, Name, Sex, Language, etc. * Changing Login name, URL, Name, Sex, Language, etc.
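Review bot: The sentence "Gnuk is tested by test suite." replaces the paragraph that marked ECDSA/EdDSA/ECDH, key generation and firmware upgrade as experimental, but the Release Notes at the top of this README still call the ECC feature "somehow experimental". Say here which of the listed features the test directory covers so the two sections agree. In the Ad answer, "valiant of ST-Link/V2" (unchanged context) should read "variant".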
@@ -171,10 +163,10 @@ Tested features are:
* Modify with pin pad * Modify with pin pad
* Card holder certificate (read) * Card holder certificate (read)
* Removal of keys * Removal of keys
* Key generation on device side * Key generation on device side for RSA-2048
* Overriding key import * Overriding key import
Original features of Gnuk, tested lightly: Original features of Gnuk, tested manually lightly:
* OpenPGP card serial number setup * OpenPGP card serial number setup
* Card holder certificate (write by UPDATE BINARY) * Card holder certificate (write by UPDATE BINARY)
@@ -182,12 +174,12 @@ Original features of Gnuk, tested lightly:
It is known not-working well: It is known not-working well:
* It is known that the combination of libccid 1.4.1 (or newer) * It is known that the specific combination of libccid 1.4.1
with libusb 1.0.8 (or older) has a minor problem. It is (or newer) with libusb 1.0.8 (or older) had a minor problem.
rare but it is possible for USB communication to be failed, It is rare but it is possible for USB communication to be
because of a bug in libusb implementation. Use libusbx failed, because of a bug in libusb implementation. Use
1.0.9 or newer, or don't use PC/SC, but use internal CCID libusbx 1.0.9 or newer, or don't use PC/SC, but use internal
driver of GnuPG. CCID driver of GnuPG.
Targets Targets
@@ -256,7 +248,7 @@ External source code
Gnuk is distributed with external source code. Gnuk is distributed with external source code.
* chopstx/ -- Chopstx 0.10 * chopstx/ -- Chopstx 0.11
We use Chopstx as the kernel for Gnuk. We use Chopstx as the kernel for Gnuk.
@@ -369,9 +361,9 @@ You need GNU toolchain and newlib for 'arm-none-eabi' target.
On Debian we can install the packages of gcc-arm-none-eabi, On Debian we can install the packages of gcc-arm-none-eabi,
gdb-arm-none-eabi and its friends. I'm using: gdb-arm-none-eabi and its friends. I'm using:
binutils-arm-none-eabi 2.25-5+5+b1 binutils-arm-none-eabi 2.26-4+8
gcc-arm-none-eabi 15:4.9.3+svn227297-1 gcc-arm-none-eabi 15:4.9.3+svn231177-1
gdb-arm-none-eabi 7.7.1+dfsg-5+8 gdb-arm-none-eabi 7.10-1+9
libnewlib-arm-none-eabi 2.2.0+git20150830.5a3d536-1 libnewlib-arm-none-eabi 2.2.0+git20150830.5a3d536-1
Or else, see https://launchpad.net/gcc-arm-embedded for preparation of Or else, see https://launchpad.net/gcc-arm-embedded for preparation of
@@ -459,11 +451,13 @@ to access the contents. If you want to protect, killing DfuSe and
accessing by JTAG debugger is recommended. accessing by JTAG debugger is recommended.
How to configure (Optional) Configure serial number and X.509 certificate
================ ========================================================
You need python and pyscard (python-pyscard package in Debian) or This is completely optional.
PyUSB 0.4.3 (python-usb package in Debian).
For this procedure, you need python and pyscard (python-pyscard
package in Debian) or PyUSB 0.4.3 (python-usb package in Debian).
(1) [pyscard] Stop scdaemon (1) [pyscard] Stop scdaemon
[PyUSB] Stop the pcsc daemon. [PyUSB] Stop the pcsc daemon.
@@ -616,7 +610,7 @@ Your Contributions
================== ==================
FSIJ welcomes your contributions. Please assign your copyright FSIJ welcomes your contributions. Please assign your copyright
to FSIJ (if possible). to FSIJ (if possible), as I do.
Foot note Foot note


@@ -1 +1 @@
release/1.1.9 release/1.2.0


@@ -421,8 +421,8 @@ extern const uint8_t gnuk_string_serial[];
#define LED_ONESHOT 1 #define LED_ONESHOT 1
#define LED_TWOSHOTS 2 #define LED_TWOSHOTS 2
#define LED_SHOW_STATUS 4 #define LED_SHOW_STATUS 4
#define LED_FINISH_COMMAND 8 #define LED_START_COMMAND 8
#define LED_START_COMMAND 16 #define LED_FINISH_COMMAND 16
#define LED_FATAL 32 #define LED_FATAL 32
#define LED_GNUK_EXEC 64 #define LED_GNUK_EXEC 64
void led_blink (int spec); void led_blink (int spec);
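Review bot: Nothing next to LED_START_COMMAND and LED_FINISH_COMMAND says why their order matters, even though this hunk exchanges their values. The ChangeLog text that explained the values ("for a case both flags will be handled") is removed in this same commit, so add a short comment above these two defines stating the ordering requirement.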


@@ -259,9 +259,9 @@ main (int argc, char *argv[])
case LED_START_COMMAND: case LED_START_COMMAND:
set_led (1); set_led (1);
led_inverted = 1; led_inverted = 1;
chopstx_usec_wait (LED_TIMEOUT_STOP);
break; break;
case LED_FINISH_COMMAND: case LED_FINISH_COMMAND:
chopstx_usec_wait (LED_TIMEOUT_STOP);
led_inverted = 0; led_inverted = 0;
set_led (0); set_led (0);
break; break;
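Review bot: The chopstx_usec_wait (LED_TIMEOUT_STOP) call in the LED_FINISH_COMMAND case needs a comment stating the intent. It now runs ahead of led_inverted = 0 and set_led (0), so the LED stays on for LED_TIMEOUT_STOP after a command finishes, and the code in this switch does not process another LED event until the wait returns. The new ChangeLog entry does not mention this change either.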


@@ -847,6 +847,7 @@ icc_send_status (struct ccid *c)
c->epi->tx_done = 1; c->epi->tx_done = 1;
usb_lld_write (c->epi->ep_num, icc_reply, ICC_MSG_HEADER_SIZE); usb_lld_write (c->epi->ep_num, icc_reply, ICC_MSG_HEADER_SIZE);
led_blink (LED_SHOW_STATUS);
#ifdef DEBUG_MORE #ifdef DEBUG_MORE
DEBUG_INFO ("St\r\n"); DEBUG_INFO ("St\r\n");
#endif #endif
@@ -1333,7 +1334,7 @@ icc_handle_timeout (struct ccid *c)
break; break;
} }
led_blink (LED_SHOW_STATUS); led_blink (LED_ONESHOT);
return next_state; return next_state;
} }
@@ -1394,6 +1395,7 @@ ccid_thread (void *arg)
apdu_init (a); apdu_init (a);
ccid_init (c, epi, epo, a); ccid_init (c, epi, epo, a);
timeout = USB_ICC_TIMEOUT;
icc_prepare_receive (c); icc_prepare_receive (c);
while (1) while (1)
{ {
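Review bot: Initialise timeout where it is declared rather than with the added timeout = USB_ICC_TIMEOUT line between ccid_init and icc_prepare_receive, so the value cannot be read unset if code is later inserted before the while (1) loop. The ChangeLog line "(ccid_thread): Fix timeout." should also say what was wrong with the timeout.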