Compare commits

29 Commits

Author SHA1 Message Date
NIIBE Yutaka
f39380d3aa version 1.0.1 2012-08-03 11:20:13 +09:00
NIIBE Yutaka
0d36a58804 Add more doc 2012-08-03 11:15:26 +09:00
NIIBE Yutaka
eb0e913eee Add doc 2012-08-03 10:53:04 +09:00
NIIBE Yutaka
7575dda42a Add test for USB version string 2012-08-02 17:44:08 +09:00
NIIBE Yutaka
61ec9b7ed7 add doc 2012-08-02 17:11:42 +09:00
NIIBE Yutaka
b49390de7a add an entry in NEWS 2012-07-26 18:53:59 +09:00
NIIBE Yutaka
71eaffc0ee version 1.0 2012-07-21 09:36:25 +09:00
NIIBE Yutaka
5e9a35c881 doc 2012-07-21 09:27:08 +09:00
NIIBE Yutaka
df5b7f31a3 doc 2012-07-21 09:26:51 +09:00
NIIBE Yutaka
add6fa8b67 add document in Sphinx 2012-07-21 08:33:31 +09:00
NIIBE Yutaka
c488bed215 move old documents to doc/note 2012-07-21 08:32:53 +09:00
NIIBE Yutaka
63979416f6 fix tests for CERTDO 2012-07-20 16:00:41 +09:00
NIIBE Yutaka
92be182e8a update README for gcc-arm-embedded toolchain 2012-07-20 13:24:15 +09:00
NIIBE Yutaka
9ffa68355d update README for gcc-arm-embedded toolchain 2012-07-20 13:12:51 +09:00
NIIBE Yutaka
814f6b6329 update README 2012-07-20 13:04:39 +09:00
NIIBE Yutaka
1927f8a1ec update doc/ 2012-07-10 17:04:14 +09:00
NIIBE Yutaka
d3fb62b437 no keygen test cases 2012-07-10 17:03:50 +09:00
NIIBE Yutaka
5d3e6c2b29 initial PW1 123456 test cases 2012-07-10 14:16:53 +09:00
NIIBE Yutaka
8be278be17 not PW3 but PW1 2012-07-10 13:21:27 +09:00
NIIBE Yutaka
6de9c11329 test: fix signature counter 2012-07-10 10:36:15 +09:00
NIIBE Yutaka
63df97a2e0 Add tests 2012-07-10 08:55:48 +09:00
NIIBE Yutaka
144dd88a07 Bug fix for keygen 2012-07-10 08:51:38 +09:00
NIIBE Yutaka
e80c8f1e8e USB disconnect tool/stlinkv2.py 2012-07-10 08:50:32 +09:00
NIIBE Yutaka
99d7e8d396 reset is not needed as writ_prvkey does so 2012-07-09 15:16:56 +09:00
NIIBE Yutaka
f38f33dade bug fix for finish_gpio 2012-07-09 12:58:03 +09:00
NIIBE Yutaka
cbed6b49c7 LED off for -u 2012-07-09 10:19:01 +09:00
NIIBE Yutaka
51435e7dba return error sooner for decryption 2012-07-09 09:29:00 +09:00
NIIBE Yutaka
29b68186bf fix stlinkv2 for FST-01's LED 2012-07-09 09:27:38 +09:00
NIIBE Yutaka
a5fddc691d fix decryption test case 2012-07-09 09:26:10 +09:00
58 changed files with 2382 additions and 96 deletions

1
.gitignore vendored
@@ -14,3 +14,4 @@ src/*.inc
regnual/regnual.bin regnual/regnual.bin
regnual/regnual.hex regnual/regnual.hex
regnual/regnual.elf regnual/regnual.elf
doc/_build

@@ -1,3 +1,56 @@
2012-08-03 Niibe Yutaka <gniibe@fsij.org>
* Version 1.0.1.
* src/usb_desc.c (gnukStringSerial): Updated.
* src/main.c (ID_OFFSET): Fix.
2012-08-02 Niibe Yutaka <gniibe@fsij.org>
* test/gnuk.py (gnuk_token.get_string): New.
* test/features/991_version_string.feature: New.
2012-07-21 Niibe Yutaka <gniibe@fsij.org>
* Version 1.0.
* src/usb_desc.c (gnukStringSerial): Updated.
Documentation by Sphinx.
* doc/Makefile: New.
* doc/note: Old notes are moved here.
2012-07-20 Niibe Yutaka <gniibe@fsij.org>
* test/features/002_get_data_static.feature: Support CERTDO enabled
Gnuk for the test of extended capabilities.
* test/features/802_get_data_static.feature: Ditto.
* test/features/402_get_data_static.feature: Ditto.
2012-07-10 Niibe Yutaka <gniibe@fsij.org>
* test/features/*: Add test cases for PW1/PW3 of factory settings.
* test/features/202_keygen.feature: Add PSO signature test after
keygen.
* test/features/602_keygen.feature: Ditto.
Bug fix.
* src/openpgp-do.c (gpg_do_write_prvkey): Don't call ac_reset_*
here.
(proc_key_import): But call ac_reset_* here.
(gpg_do_keygen): Load private key for signing.
* tool/stlinkv2.py (stlinkv2.usb_disconnect): New.
2012-07-09 Niibe Yutaka <gniibe@fsij.org>
* src/openpgp.c (cmd_pso): For decryption, return error sooner for
invalid data.
* tool/stlinkv2.py (stlinkv2.setup_gpio): Fix GPIOB_CRL.
* test/rsa_keys.py (integer_to_bytes_256): Rename from
integer_to_bytes and it should be exactly 256-byte long.
2012-07-06 Niibe Yutaka <gniibe@fsij.org> 2012-07-06 Niibe Yutaka <gniibe@fsij.org>
* Version 0.21. * Version 0.21.
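
Review bot: The 2012-07-10 "Bug fix." entry moves the ac_reset_* call out of gpg_do_write_prvkey and into proc_key_import, but the (gpg_do_keygen) line only says "Load private key for signing" and does not say what happens to the authentication state on the keygen path. If gpg_do_keygen stores the new key through gpg_do_write_prvkey, the reset no longer happens there, so please state in the entry (or in a comment at the call site) whether leaving the verified PIN state in place after on-device key generation is intended. The 2012-08-03 line "src/main.c (ID_OFFSET): Fix." should also name what was wrong, since NEWS only refers to "a bug for USB SerialNumber String".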

16
NEWS
@@ -1,5 +1,21 @@
Gnuk NEWS - User visible changes Gnuk NEWS - User visible changes
* Major changes in Gnuk 1.0.1
Released 2012-08-03, by NIIBE Yutaka
** USB SerialNumber String
In 1.0, it has a bug for USB SerialNumber String. It has been fixed
in 1.0.1.
* Major changes in Gnuk 1.0
Released 2012-07-21, by NIIBE Yutaka
This is bug fixes only release.
* Major changes in Gnuk 0.21 * Major changes in Gnuk 0.21
Released 2012-07-06, by NIIBE Yutaka Released 2012-07-06, by NIIBE Yutaka
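
Review bot: The 1.0.1 entry under "USB SerialNumber String" says only that 1.0 "has a bug" and that it is fixed, without describing the symptom. NEWS is the user-visible change list, so say what the string looked like in 1.0 and whether a token flashed with 1.0 should be re-flashed. In the 1.0 entry, "This is bug fixes only release." reads better as "This is a bug-fix-only release."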

102
README
@@ -1,7 +1,7 @@
Gnuk - An Implementation of USB Cryptographic Token for GnuPG Gnuk - An Implementation of USB Cryptographic Token for GnuPG
Version 0.21 Version 1.0.1
2012-07-06 2012-08-03
Niibe Yutaka Niibe Yutaka
Free Software Initiative of Japan Free Software Initiative of Japan
@@ -14,9 +14,9 @@ STM32F103 processor.
I wish that Gnuk will be a developer's soother who uses GnuPG. I have I wish that Gnuk will be a developer's soother who uses GnuPG. I have
been nervous of storing secret key(s) on usual secondary storage. been nervous of storing secret key(s) on usual secondary storage.
There is a solution with OpenPGP card, but it is not the choice for me There is a solution with OpenPGP card, but it is not the choice for
to bring a card reader all the time. With Gnuk, this issue will be me, as card reader is not common device. With Gnuk, this issue will
solved by a USB token which is small enough. be solved by a USB token.
Please look at the graphics of "gnuk.svg" for the software name. My Please look at the graphics of "gnuk.svg" for the software name. My
son used to be with his NUK(R), always, everywhere. Now, I am with a son used to be with his NUK(R), always, everywhere. Now, I am with a
@@ -30,16 +30,12 @@ Q0: How Gnuk USB Token is superior than other solutions (OpenPGP
card 2.0, GPF Crypto Stick, etc.) ? card 2.0, GPF Crypto Stick, etc.) ?
http://www.g10code.de/p-card.html http://www.g10code.de/p-card.html
http://www.privacyfoundation.de/crypto_stick/ http://www.privacyfoundation.de/crypto_stick/
A0: IMRHO, not quite, since there is no ready-to-use out-of-box Gnuk A0: Good points of Gnuk are:
product yet. (It is welcome for me that some vendor will
manufacture Gnuk USB Token. Even I can help design of hardware,
if needed.)
Good points for Gnuk are:
* If you have skill of electronics and like DIY, you can build * If you have skill of electronics and like DIY, you can build
Gnuk Token cheaper (see Q8-A8). Gnuk Token cheaper (see Q8-A8).
* You can study Gnuk to modify and to enhance. For example, you * You can study Gnuk to modify and to enhance. For example, you
can implement your own authentication method with some sensor can implement your own authentication method with some sensor
such as acceleration sensor. such as an acceleration sensor.
* It is "of Free Software"; Gnuk is distributed under GPLv3+, * It is "of Free Software"; Gnuk is distributed under GPLv3+,
"by Free Software"; Gnuk development requires only Free Software "by Free Software"; Gnuk development requires only Free Software
(GNU Toolchain, Python, etc.), (GNU Toolchain, Python, etc.),
@@ -55,24 +51,25 @@ Q3: What's your recommendation for target board?
A3: Orthodox choice is Olimex STM32-H103. A3: Orthodox choice is Olimex STM32-H103.
If you have skill of electronics and like DIY, STM32 part of STM8S If you have skill of electronics and like DIY, STM32 part of STM8S
Discovery Kit might be the best choice. Discovery Kit might be the best choice.
Currently FST-01 (Flying Stone Tiny 01) is under development, FST-01 (Flying Stone Tiny 01) will be soon available for sale,
it will be the best choice, hopefully. and it will be the best choice, hopefully.
Q4: What's version of GnuPG are you using? Q4: What's version of GnuPG are you using?
A4: In Debian GNU/Linux system, I use gnupg 1.4.11-3 and gnupg-agent A4: In Debian GNU/Linux system, I use gnupg 1.4.11-3 and gnupg-agent
2.0.14-2 (in sid). With older versions, you can only sign with SHA1. 2.0.18-2. With older versions, you can only sign with SHA1.
See: http://www.fsij.org/gnuk/gnupg2-fixes-needed See: http://www.fsij.org/gnuk/gnupg2-fixes-needed
Q5: What's version of pcscd and libccid are you using? Q5: What's version of pcscd and libccid are you using?
A5: In Debian GNU/Linux system, I use pcscd 1.5.5-4 and libccid 1.3.11-2, A5: In Debian GNU/Linux system, I use pcscd 1.5.5-4 and libccid 1.3.11-2,
which is in squeeze. Note that you need to edit /etc/libccid_Info.plist which is in squeeze. Note that you need to edit /etc/libccid_Info.plist
when using libccid (< 1.4.1). when using libccid (< 1.4.1).
Note that pcscd and libccid are optional, you can use Gnuk without them.
Q6: What kinds of hardware is required for development? Q6: What kinds of hardware is required for development?
A6: You need a target board plus a JTAG debugger. If you just want to A6: You need a target board plus a JTAG/SWD debugger. If you just
test Gnuk for target boards with DfuSe, JTAG debugger is not want to test Gnuk for target boards with DfuSe, JTAG debugger is
the requirement. Note that for real use, you need JTAG debugger not the requirement. Note that for real use, you need JTAG/SWD
to enable flash ROM protection. debugger to enable flash ROM protection.
Q7: How much does it cost? Q7: How much does it cost?
A7: Olimex STM32-H103 plus ARM-USB-TINY-H cost 70 Euro or so. A7: Olimex STM32-H103 plus ARM-USB-TINY-H cost 70 Euro or so.
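
Review bot: In A6 the first and third sentences now say "JTAG/SWD debugger", but the middle sentence still reads "JTAG debugger is not the requirement", so the answer is inconsistent after this change. Suggest "a JTAG/SWD debugger is not required" there as well. The last sentence is the security-relevant one (a debugger is needed to enable flash ROM protection for real use), so the wording around it should be unambiguous. In A3, "will be soon available for sale, and it will be the best choice, hopefully" would read better as two sentences.
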
@@ -83,13 +80,18 @@ A8: STM8S Discovery Kit costs 750 JPY (< $10 USD) only. You can build
http://www.fsij.org/gnuk/jtag_dongle_ftdi2232 http://www.fsij.org/gnuk/jtag_dongle_ftdi2232
Q9: I got an error like "gpg: selecting openpgp failed: ec=6.108", what's up? Q9: I got an error like "gpg: selecting openpgp failed: ec=6.108", what's up?
A9: GnuPG's SCDaemon has problems for handling insertion/removal of A9: GnuPG's SCDaemon has problems for handling insertion/removal of
card/reader (problems are fixed in trunk). When your newly card/reader (problems are fixed in trunk, and backported to 2.0
inserted token is not found by GnuPG, try killing scdaemon and let branch, it will be 2.0.20). When your newly inserted token is not
it to be invoked again. I do: found by GnuPG, try killing scdaemon and let it to be invoked
$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye again. I do:
$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
and confirm scdaemon doesn't exist, then, and confirm scdaemon doesn't exist, then,
$ gpg-connect-agent learn /bye
$ gpg-connect-agent learn /bye
Qa: With GNOME 2, I can't use Gnuk Token for SSH. How can we use it for SSH? Qa: With GNOME 2, I can't use Gnuk Token for SSH. How can we use it for SSH?
Aa: You need to deactivate seahorse-agent and gnome-keyring, but use Aa: You need to deactivate seahorse-agent and gnome-keyring, but use
@@ -106,17 +108,18 @@ Ab: That's because gnome-keyring-daemon interferes GnuPG. Type:
"GPG Password Agent" and "SSH Key Agent". "GPG Password Agent" and "SSH Key Agent".
Qc: Do you know a good SWD debugger to connect FST-01 or something? Qc: Do you know a good SWD debugger to connect FST-01 or something?
Ac: STLink v2 is cheap one. We have a tool/stlinkv2.py as flash ROM Ac: ST-Link/V2 is cheap one. We have a tool/stlinkv2.py as flash ROM
writer. writer program.
Release notes Release notes
============= =============
This is another "version 1.0 release candidate" of Gnuk. In this This is a minor release in version 1.0 series of Gnuk.
release, a test suite is added. While it is daily use, some features
(including key generation and firmware upgrade) are still considered While it is daily use for more than a year, some newly introduced
experimental. features (including key generation and firmware upgrade) should be
considered experimental.
Tested features are: Tested features are:
@@ -133,13 +136,16 @@ Tested features are:
* Changing value of password status bytes (0x00C4): forcesig * Changing value of password status bytes (0x00C4): forcesig
* Verify with pin pad * Verify with pin pad
* Modify with pin pad * Modify with pin pad
* Card holder certificate * Card holder certificate (read)
* Removal of keys (Overriding key import is not supported, * Removal of keys
(Overriding key import is not supported,
but you can remove all keys to import again). but you can remove all keys to import again).
* Key generation on device side * Key generation on device side
Original feature of Gnuk, tested lightly: Original features of Gnuk, tested lightly:
* OpenPGP card serial number setup
* Card holder certificate (write by UPDATE BINARY)
* Upgrading with "EXTERNAL AUTHENTICATE" by reGNUal * Upgrading with "EXTERNAL AUTHENTICATE" by reGNUal
It is known not-working well: It is known not-working well:
@@ -148,11 +154,11 @@ It is known not-working well:
work well. Please make sure to disable DEBUG option if it work well. Please make sure to disable DEBUG option if it
doesn't work well. doesn't work well.
It is known that the combination libccid 1.4.1 (or newer) with libusb It is known that the combination of libccid 1.4.1 (or newer) with
1.0.8 (or older) has a problem. It is possible for USB communication libusb 1.0.8 (or older) has a minor problem. It is rare but it is
to be failed, because of a bug in libusb implementation. Use libusbx possible for USB communication to be failed, because of a bug in
1.0.9 or newer, or don't use PC/SC, but use internal CCID driver of libusb implementation. Use libusbx 1.0.9 or newer, or don't use
GnuPG. PC/SC, but use internal CCID driver of GnuPG.
Targets Targets
@@ -288,15 +294,16 @@ respect users' freedom for computing. Please ask FSIJ for the
license. license.
Otherwise, companies which want to distribute Gnuk devices, please use Otherwise, companies which want to distribute Gnuk devices, please use
your own USB vendor ID and product ID. Note that please replace your own USB vendor ID and product ID. Please replace "FSIJ" in the
"FSIJ" in the string gnukStringSerial (usb_desc.c) to yours, when you string gnukStringSerial (usb_desc.c) to yours, when you modify Gnuk.
modify Gnuk.
Host Requirements Host Requirements
================= =================
For GNU/Linux, libccid version >= 1.3.11 is recommended. For GNU/Linux, PC/SC service is an option, you can use GnuPG's
internal CCID driver instead. If you chose using PC/SC service,
libccid version >= 1.3.11 is recommended for GNU/Linux.
I think that it should not be requirment but the kernel version of my use is: I think that it should not be requirment but the kernel version of my use is:
Linux version 2.6.32-5-686 (Debian 2.6.32-18) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-2) ) #1 SMP Sat Jul 24 02:27:10 UTC 2010 Linux version 2.6.32-5-686 (Debian 2.6.32-18) (ben@decadent.org.uk) (gcc version 4.3.5 (Debian 4.3.5-2) ) #1 SMP Sat Jul 24 02:27:10 UTC 2010
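
Review bot: The new Host Requirements paragraph has a tense slip, "If you chose using PC/SC service", and says "For GNU/Linux" at its start and "for GNU/Linux" again at its end. Suggest "If you choose to use the PC/SC service, libccid version >= 1.3.11 is recommended." and dropping the trailing "for GNU/Linux". The unchanged line below still has "requirment"; it could be fixed in the same commit.
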
@@ -312,7 +319,7 @@ You need GNU toolchain and newlib for 'arm-none-eabi' target.
See http://github.com/esden/summon-arm-toolchain/ (which includes fix See http://github.com/esden/summon-arm-toolchain/ (which includes fix
of binutils-2.21.1) for preparation of GNU Toolchain for of binutils-2.21.1) for preparation of GNU Toolchain for
'arm-none-eabi' target. 'arm-none-eabi' target. This is for GCC 4.5.
# Note that we need to link correct C library (for string functions). # Note that we need to link correct C library (for string functions).
# For this purpose, Makefile.in contains following line: # For this purpose, Makefile.in contains following line:
@@ -328,6 +335,13 @@ of binutils-2.21.1) for preparation of GNU Toolchain for
# -mno-thumb-interwork option. This means that you should not # -mno-thumb-interwork option. This means that you should not
# link C library which contains ARM (not Thumb) code. # link C library which contains ARM (not Thumb) code.
Recently, there is "gcc-arm-embedded" project. See:
https://launchpad.net/gcc-arm-embedded/
It is based on GCC 4.6. For version 4.6-2012-q2-update, you'd
need "-O3 -Os" instead of "-O2" and it will be slightly better.
Change directory to `src': Change directory to `src':
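
Review bot: The added gcc-arm-embedded paragraph recommends "-O3 -Os" instead of "-O2", while the same paragraph in the new doc/development.rst in this comparison says "-O3 -s"; one of the two is a typo. With GCC the last -O option on the command line is the one that takes effect, so "-O3 -Os" amounts to -Os alone, whereas -s is an unrelated option that strips symbols. Please settle on the intended flags and use them in both files. "it will be slightly better" should also say better in what respect (code size or speed).
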
@@ -582,7 +596,7 @@ RSA), you can import them.
Gnuk supports key generation, but this feature is young and should be Gnuk supports key generation, but this feature is young and should be
considered experimental. considered experimental.
For detail, please see doc/DEMO and doc/DEMO-2. For detail, please see doc/note/DEMO and doc/note/DEMO-2.
Note that it make sense to preserve your keys on your computer so that Note that it make sense to preserve your keys on your computer so that
you can import the keys (again) to (possibly another) Gnuk Token. In you can import the keys (again) to (possibly another) Gnuk Token. In
@@ -644,7 +658,7 @@ linux/Documentation/usb/usbmon.txt
Firmware update Firmware update
=============== ===============
See doc/firmware-update. See doc/note/firmware-update.
Read-only Git Repository Read-only Git Repository

@@ -101,10 +101,9 @@
* PA5 - Alternate Push pull output (SPI1_SCK) * PA5 - Alternate Push pull output (SPI1_SCK)
* PA6 - Alternate Push pull output (SPI1_MISO) * PA6 - Alternate Push pull output (SPI1_MISO)
* PA7 - Alternate Push pull output (SPI1_MOSI) * PA7 - Alternate Push pull output (SPI1_MOSI)
* PA10 - Push pull output (USB 1:ON 0:OFF)
* PA11 - input with pull-up (USBDM) * PA11 - input with pull-up (USBDM)
* PA12 - input with pull-up (USBDP) * PA12 - input with pull-up (USBDP)
* Everything input with pull-up except:
* PA10 - Push pull output (USB 1:ON 0:OFF)
*/ */
#define VAL_GPIOACRL 0xBBB38888 /* PA7...PA0 */ #define VAL_GPIOACRL 0xBBB38888 /* PA7...PA0 */
#define VAL_GPIOACRH 0x88888388 /* PA15...PA8 */ #define VAL_GPIOACRH 0x88888388 /* PA15...PA8 */

153
doc/Makefile Normal file
@@ -0,0 +1,153 @@
# Makefile for Sphinx documentation
#
# You can set these variables from the command line.
SPHINXOPTS =
SPHINXBUILD = sphinx-build
PAPER = a4
BUILDDIR = _build
# Internal variables.
PAPEROPT_a4 = -D latex_paper_size=a4
PAPEROPT_letter = -D latex_paper_size=letter
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
# the i18n builder cannot share the environment and doctrees with the others
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
help:
@echo "Please use \`make <target>' where <target> is one of"
@echo " html to make standalone HTML files"
@echo " dirhtml to make HTML files named index.html in directories"
@echo " singlehtml to make a single large HTML file"
@echo " pickle to make pickle files"
@echo " json to make JSON files"
@echo " htmlhelp to make HTML files and a HTML help project"
@echo " qthelp to make HTML files and a qthelp project"
@echo " devhelp to make HTML files and a Devhelp project"
@echo " epub to make an epub"
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
@echo " latexpdf to make LaTeX files and run them through pdflatex"
@echo " text to make text files"
@echo " man to make manual pages"
@echo " texinfo to make Texinfo files"
@echo " info to make Texinfo files and run them through makeinfo"
@echo " gettext to make PO message catalogs"
@echo " changes to make an overview of all changed/added/deprecated items"
@echo " linkcheck to check all external links for integrity"
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
clean:
-rm -rf $(BUILDDIR)/*
html:
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
dirhtml:
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
@echo
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
singlehtml:
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
@echo
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
pickle:
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
@echo
@echo "Build finished; now you can process the pickle files."
json:
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
@echo
@echo "Build finished; now you can process the JSON files."
htmlhelp:
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
@echo
@echo "Build finished; now you can run HTML Help Workshop with the" \
".hhp project file in $(BUILDDIR)/htmlhelp."
qthelp:
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
@echo
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/GnukDocumentation.qhcp"
@echo "To view the help file:"
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/GnukDocumentation.qhc"
devhelp:
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
@echo
@echo "Build finished."
@echo "To view the help file:"
@echo "# mkdir -p $$HOME/.local/share/devhelp/GnukDocumentation"
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/GnukDocumentation"
@echo "# devhelp"
epub:
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
@echo
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
latex:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
@echo "Run \`make' in that directory to run these through (pdf)latex" \
"(use \`make latexpdf' here to do that automatically)."
latexpdf:
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
@echo "Running LaTeX files through pdflatex..."
$(MAKE) -C $(BUILDDIR)/latex all-pdf
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
text:
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
@echo
@echo "Build finished. The text files are in $(BUILDDIR)/text."
man:
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
@echo
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
texinfo:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
@echo "Run \`make' in that directory to run these through makeinfo" \
"(use \`make info' here to do that automatically)."
info:
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
@echo "Running Texinfo files through makeinfo..."
make -C $(BUILDDIR)/texinfo info
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
gettext:
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
@echo
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
changes:
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
@echo
@echo "The overview file is in $(BUILDDIR)/changes."
linkcheck:
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
@echo
@echo "Link check complete; look for any errors in the above output " \
"or in $(BUILDDIR)/linkcheck/output.txt."
doctest:
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
@echo "Testing of doctests in the sources finished, look at the " \
"results in $(BUILDDIR)/doctest/output.txt."

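Review bot: The .PHONY line near the top omits the texinfo and info targets that are defined further down, so a file or directory with either name in doc/ would stop that target from running. Add both to .PHONY. The info recipe also calls a bare "make -C $(BUILDDIR)/texinfo info" where latexpdf uses "$(MAKE) -C ..."; use $(MAKE) there too so flags and the jobserver are passed to the sub-make. In the qthelp recipe the inner double quotes around qcollectiongenerator end the shell string early, so they will not appear in the printed message; escape them or use single quotes.
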
246
doc/conf.py Normal file
@@ -0,0 +1,246 @@
# -*- coding: utf-8 -*-
#
# Gnuk Documentation documentation build configuration file, created by
# sphinx-quickstart on Wed Jul 4 15:29:05 2012.
#
# This file is execfile()d with the current directory set to its containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.
import sys, os
# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#sys.path.insert(0, os.path.abspath('.'))
# -- General configuration -----------------------------------------------------
# If your documentation needs a minimal Sphinx version, state it here.
#needs_sphinx = '1.0'
# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
extensions = ['sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.pngmath', 'sphinx.ext.mathjax', 'sphinx.ext.viewcode']
# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']
# The suffix of source filenames.
source_suffix = '.rst'
# The encoding of source files.
#source_encoding = 'utf-8-sig'
# The master toctree document.
master_doc = 'index'
# General information about the project.
project = u'Gnuk Documentation'
copyright = u'2012, NIIBE Yutaka'
# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
#
# The short X.Y version.
version = '1.0'
# The full version, including alpha/beta/rc tags.
release = '1.0'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#language = None
# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
#today = ''
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'
# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = ['_build']
# The reST default role (used for this markup: `text`) to use for all documents.
#default_role = None
# If true, '()' will be appended to :func: etc. cross-reference text.
#add_function_parentheses = True
# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#add_module_names = True
# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#show_authors = False
# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'
# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []
# -- Options for HTML output ---------------------------------------------------
# The theme to use for HTML and HTML Help pages. See the documentation for
# a list of builtin themes.
html_theme = 'default'
# Theme options are theme-specific and customize the look and feel of a theme
# further. For a list of options available for each theme, see the
# documentation.
#html_theme_options = {}
# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []
# The name for this set of Sphinx documents. If None, it defaults to
# "<project> v<release> documentation".
#html_title = None
# A shorter title for the navigation bar. Default is the same as html_title.
#html_short_title = None
# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
#html_logo = None
# The name of an image file (within the static path) to use as favicon of the
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#html_favicon = None
# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
#html_last_updated_fmt = '%b %d, %Y'
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#html_use_smartypants = True
# Custom sidebar templates, maps document names to template names.
#html_sidebars = {}
# Additional templates that should be rendered to pages, maps page names to
# template names.
#html_additional_pages = {}
# If false, no module index is generated.
#html_domain_indices = True
# If false, no index is generated.
#html_use_index = True
# If true, the index is split into individual pages for each letter.
#html_split_index = False
# If true, links to the reST sources are added to the pages.
#html_show_sourcelink = True
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#html_show_copyright = True
# If true, an OpenSearch description file will be output, and all pages will
# contain a <link> tag referring to it. The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''
# This is the file name suffix for HTML files (e.g. ".xhtml").
#html_file_suffix = None
# Output file base name for HTML help builder.
htmlhelp_basename = 'GnukDocumentationdoc'
# -- Options for LaTeX output --------------------------------------------------
latex_elements = {
# The paper size ('letterpaper' or 'a4paper').
#'papersize': 'letterpaper',
# The font size ('10pt', '11pt' or '12pt').
#'pointsize': '10pt',
# Additional stuff for the LaTeX preamble.
#'preamble': '',
}
# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
('index', 'GnukDocumentation.tex', u'Gnuk Documentation Documentation',
u'NIIBE Yutaka', 'manual'),
]
# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = None
# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#latex_use_parts = False
# If true, show page references after internal links.
#latex_show_pagerefs = False
# If true, show URL addresses after external links.
#latex_show_urls = False
# Documents to append as an appendix to all manuals.
#latex_appendices = []
# If false, no module index is generated.
#latex_domain_indices = True
# -- Options for manual page output --------------------------------------------
# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
('index', 'gnukdocumentation', u'Gnuk Documentation Documentation',
[u'NIIBE Yutaka'], 1)
]
# If true, show URL addresses after external links.
#man_show_urls = False
# -- Options for Texinfo output ------------------------------------------------
# Grouping the document tree into Texinfo files. List of tuples
# (source start file, target name, title, author,
# dir menu entry, description, category)
texinfo_documents = [
('index', 'GnukDocumentation', u'Gnuk Documentation Documentation',
u'NIIBE Yutaka', 'GnukDocumentation', 'One line description of project.',
'Miscellaneous'),
]
# Documents to append as an appendix to all manuals.
#texinfo_appendices = []
# If false, no module index is generated.
#texinfo_domain_indices = True
# How to display URL addresses: 'footnote', 'no', or 'inline'.
#texinfo_show_urls = 'footnote'
# Example configuration for intersphinx: refer to the Python standard library.
intersphinx_mapping = {'http://docs.python.org/': None}
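
Review bot: The extensions list enables both 'sphinx.ext.pngmath' and 'sphinx.ext.mathjax', which are alternative math renderers; keep only one of them. version and release are both '1.0' although this comparison ends at "version 1.0.1" and README is bumped to 1.0.1, so release should follow. project = u'Gnuk Documentation' produces the doubled title "Gnuk Documentation Documentation" in latex_documents, man_pages and texinfo_documents, and texinfo_documents still carries the quickstart placeholder 'One line description of project.'. intersphinx_mapping points at http://docs.python.org/, which makes the build fetch an inventory over plain HTTP; if the documentation does not cross-reference the Python standard library, drop 'sphinx.ext.intersphinx' and the mapping.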

82
doc/development.rst Normal file
@@ -0,0 +1,82 @@
Development Environment
=======================
Hardware
--------
For development, it is highly recommended to have JTAG debugger or SWD
debugger.
For boards with DFU (Device Firmware Upgrade) feature, such as DfuSe,
it is possible to develop with that. But it should be considered
*experimental* environment, and it should not be used for usual
purpose. That's because it is basically impossible for DfuSe
implementations to disable reading-out from flash ROM. It means
that your secret will be readily extracted by DfuSe.
For JTAG debugger, Olimex JTAG-Tiny is good and supported well. For
SWD debugger, ST-Link/V2 would be good, and it is supported by
the tool of tool/stlinkv2.py.
OpenOCD
-------
For JTAG debugger or SWD debugger, we can use OpenOCD.
Note that ST-Link/V2 is *not* supported by OpenOCD 0.5.0. It will be
supported by version 0.6 or later, as current development version
supports it.
GNU Toolchain
-------------
You need GNU toolchain and newlib for 'arm-none-eabi' target.
See http://github.com/esden/summon-arm-toolchain/ (which includes fix
of binutils-2.21.1) for preparation of GNU Toolchain for
'arm-none-eabi' target. This is for GCC 4.5.
Note that we need to link correct C library (for string functions).
For this purpose, our src/Makefile.in contains following line:
MCFLAGS= -mcpu=$(MCU) -mfix-cortex-m3-ldrd
This should not be needed (as -mcpu=cortex-m3 means
-mfix-cortex-m3-ldrd), but it is needed for the configuration of
patch-gcc-config-arm-t-arm-elf.diff in summon-arm-toolchain in practice.
In ChibiOS_2.0.8/os/ports/GCC/ARM/rules.mk, it specifies
-mno-thumb-interwork option. This means that you should not link C
library which contains ARM (not Thumb) code.
Recently, there is "gcc-arm-embedded" project. See:
https://launchpad.net/gcc-arm-embedded/
It is based on GCC 4.6. For version 4.6-2012-q2-update, you'd
need "-O3 -s" instead of "-O2" and it will be slightly better.
Building Gnuk
-------------
Change directory to ``src``:
$ cd gnuk-VERSION/src
Then, run ``configure``:
$ ./configure --vidpid=<VID:PID>
Here, you need to specify USB vendor ID and product ID. For FSIJ's,
it's: --vidpid=234b:0000 . Please read section 'USB vendor ID and
product ID' above.
Type:
$ make
Then, we will have "gnuk.elf".
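Review bot: In the Building Gnuk section, "Please read section 'USB vendor ID and product ID' above" points at a section that is not in this file, so the reference dangles. Link to where that section lives or carry the relevant text here. The DfuSe paragraph under Hardware is the most security-relevant statement in the file (flash read-out cannot be disabled, so the secret can be extracted); consider making it a warning admonition so it is not read as a passing remark.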


@@ -0,0 +1,228 @@
============================
Generating 2048-bit RSA keys
============================
This document describes how I generate 2048-bit RSA keys.
.. BREAK
Here is the log to generate signature key and encryption subkey.
I invoke GnuPG with ``--gen-key`` option. ::
$ gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
and GnuPG asks kind of key. Select ``RSA and RSA``. ::
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
and select 2048-bit (as Gnuk Token only suppurt this). ::
What keysize do you want? (2048)
Requested keysize is 2048 bits
and select expiration of the key. ::
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Confirm key types, bitsize and expiration. ::
Is this correct? (y/N) y
Then enter user ID. ::
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Niibe Yutaka
Email address: gniibe@fsij.org
Comment:
You selected this USER-ID:
"Niibe Yutaka <gniibe@fsij.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
and enter passphrase for this **key on PC**. ::
You need a Passphrase to protect your secret key.
<PASSWORD-KEY-ON-PC>
Then, GnuPG generate keys. It takes some time. ::
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 15 more bytes)
...+++++
gpg: key 28C0CD7C marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 2048R/28C0CD7C 2011-05-24
Key fingerprint = 0B4D C763 D57B ADBB 1870 A978 BDEE 4A35 28C0 CD7C
uid Niibe Yutaka <gniibe@fsij.org>
sub 2048R/F01E19B7 2011-05-24
$
Done.
Then, I create authentication subkey. Authentication subkey is not that common, but very useful (say, for SSH authentication). As it is not that common, we need ``--expert`` option for GnuPG. ::
$ gpg --expert --edit-key 28C0CD7C
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/28C0CD7C created: 2011-05-24 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/F01E19B7 created: 2011-05-24 expires: never usage: E
[ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
gpg>
Here, I enter ``addkey`` command. Then, I enter the passphrase of **key on PC**, I specified above. ::
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Niibe Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 28C0CD7C, created 2011-05-24
<PASSWORD-KEY-ON-PC>
gpg: gpg-agent is not available in this session
GnuPG askes kind of key. I select ``RSA (set your own capabilities)``. ::
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
And select ``Authenticate`` for the capabilities for this key. Initially, it's ``Sign`` and ``Encrypt``. I need to deselect ``Sign`` and ``Encryp``, and select ``Authenticate``. To do that, I enter ``s``, ``a``, and ``e``. ::
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? a
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
OK, I set the capability of ``Authenticate``. I enter ``q`` to finish setting capabilities. ::
Your selection? q
GnuPG asks bitsize and expiration, I enter 2048 for bitsize and no expiration. Then, I confirm that I really create the key. ::
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
Then, GnuPG generate the key. ::
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.......+++++
+++++
pub 2048R/28C0CD7C created: 2011-05-24 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/F01E19B7 created: 2011-05-24 expires: never usage: E
sub 2048R/B8929606 created: 2011-05-24 expires: never usage: A
[ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
gpg>
I save the key. ::
gpg> save
$
Now, we have three keys (one primary key for signature and certification, subkey for encryption, and another subkey for authentication).
Publishing public key
=====================
I make a file for my public key by ``--export`` option of GnuPG. ::
$ gpg --armor --output gniibe.asc --export 4CA7BABE
and put it at: http://www.gniibe.org/gniibe.asc
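Review bot: The Publishing public key section exports key 4CA7BABE, but the log above it generates key 28C0CD7C (with subkeys F01E19B7 and B8929606), so a reader following the document end to end is told to export a key the walkthrough never created. Either redo the export example with 28C0CD7C or say explicitly that 4CA7BABE is the author's existing key. Minor spelling in the narration: 'suppurt', 'askes', 'Encryp'.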


@@ -0,0 +1,30 @@
==========================
GnuPG settings for GNOME 3
==========================
In the article `GnuPG settings`_, I wrote how I disable GNOME-keyrings for SSH.
It was for GNOME 2. The old days was good, we just disabled GNOME-keyrings interference to SSH and customizing our desktop was easy for GNU and UNIX users.
.. _GnuPG settings: gpg-settings
GNOME keyrings in GNOME 3
=========================
It seems that it is more integrated into the desktop. It is difficult to kill it. It would be possible to kill it simply, but then, I can't use, say, wi-fi access (which needs to access "secrets") any more.
We can't use GNOME configuration tool to disable interference by GNOME keyrings any more. It seems that desktop should not have customization these days.
GNOME-SESSION-PROPERTIES
========================
After struggling some ours, I figured out it is GNOME-SESSION-PROPERTIES to disable the interference. Invoking::
$ gnome-session-properties
and at the tab of "Startup Programs", I removed radio check buttons for "GPG Password Agent" and "SSH Key Agent".
Now, I use gpg-agent for GnuPG Agent and SSH agent with Gnuk Token.
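Review bot: The target ".. _GnuPG settings: gpg-settings" is a bare relative URI, so in the HTML build it links to 'gpg-settings' rather than to the generated page; intro.rst in this same change uses :doc:`development`, and the same role would work here. In the GNOME-SESSION-PROPERTIES section, 'some ours' should be 'some hours', and 'removed radio check buttons' would be clearer as unchecking the two entries.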


@@ -0,0 +1,177 @@
=============================================
Key import from PC to Gnuk Token (no removal)
=============================================
This document describes how I put my **keys on PC** to the Token without removing keys from PC.
The difference is just not-to-save changes after key imports.
.. BREAK
After personalization, I put my keys into the Token.
Here is the log.
I invoke GnuPG with my key (4ca7babe) and with ``--homedir`` option to specify the directory which contains my secret keys. ::
$ gpg --homedir=/home/gniibe/tmp/gnuk-testing-dir --edit-key 4ca7babe
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/084239CF created: 2010-10-15 expires: never usage: E
sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A
[ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
Then, GnuPG enters its own command interaction mode. The prompt is ``gpg>``.
To enable ``keytocard`` command, I type ``toggle`` command. ::
gpg> toggle
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
ssb 2048R/084239CF created: 2010-10-15 expires: never
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
Firstly, I import my primary key into Gnuk Token.
I type ``keytocard`` command, answer ``y`` to confirm keyimport,
and type ``1`` to say it's signature key. ::
gpg> keytocard
Really move the primary key? (y/N) y
gpg: detected reader `FSIJ Gnuk (0.12-38FF6A06) 00 00'
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
Then, GnuPG asks two passwords. One is the passphrase of **keys on PC** and another is the password of **Gnuk Token**. Note that the password of the token and the password of the keys on PC are different things, although they can be same.
I enter these passwords. ::
You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
Enter Admin PIN: <PASSWORD-GNUK>
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
The primary key is now on the Token and GnuPG says its card-no (F517 00000001) , where F517 is the vendor ID of FSIJ.
Secondly, I import my subkey of encryption. I select key number '1'. ::
gpg> key 1
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/084239CF created: 2010-10-15 expires: never
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
You can see that the subkey is marked by '*'.
I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``2`` as it's encryption key. ::
gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(2) Encryption key
Your selection? 2
Then, GnuPG asks the passphrase of **keys on PC** again. I enter. ::
You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 084239CF, created 2010-10-15
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
The sub key is now on the Token and GnuPG says its card-no for it.
I type ``key 1`` to deselect key number '1'. ::
gpg> key 1
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
Thirdly, I select sub key of suthentication which has key number '2'. ::
gpg> key 2
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
You can see that the subkey number '2' is marked by '*'.
I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``3`` as it's authentication key. ::
gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(3) Authentication key
Your selection? 3
Then, GnuPG asks the passphrase of **keys on PC** again. I enter. ::
You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 5BB065DC, created 2010-10-22
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/5BB065DC created: 2010-10-22 expires: never
card-no: F517 00000001
(1) NIIBE Yutaka <gniibe@fsij.org>
The sub key is now on the Token and GnuPG says its card-no for it.
Lastly, I quit GnuPG. Note that I **don't** save changes. ::
gpg> quit
Save changes? (y/N) n
Quit without saving? (y/N) y
$
All keys are imported to Gnuk Token now.
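Review bot: The ending quits without saving, which leaves the full secret keys in /home/gniibe/tmp/gnuk-testing-dir, but the document never says what to do with that directory afterwards. Add a closing sentence stating that this homedir still holds the secret keys and should be deleted or moved offline once every Token has been loaded. In the narration, 'suthentication' should be 'authentication'.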

183
doc/gnuk-keytocard.rst Normal file

@@ -0,0 +1,183 @@
================================
Key import from PC to Gnuk Token
================================
This document describes how I put my **keys on PC** to the Token, and remove keys from PC.
Note that there is **no ways** to export keys from the Token, so please be careful.
.. BREAK
If you want to import same keys to multiple Tokens, please copy ``.gnupg`` directory before. In my case, I do something like following: ::
$ cp -a .gnupg tmp/gnuk-testing-dir
See `another document`_ to import keys to the Token from copied directory.
.. _another document: gnuk-keytocard-noremoval
After personalization, I put my keys into the Token.
Here is the log.
I invoke GnuPG with my key (4ca7babe). ::
$ gpg --edit-key 4ca7babe
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/084239CF created: 2010-10-15 expires: never usage: E
sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A
[ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
Then, GnuPG enters its own command interaction mode. The prompt is ``gpg>``.
To enable ``keytocard`` command, I type ``toggle`` command. ::
gpg> toggle
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
ssb 2048R/084239CF created: 2010-10-15 expires: never
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
Firstly, I import my primary key into Gnuk Token.
I type ``keytocard`` command, answer ``y`` to confirm keyimport,
and type ``1`` to say it's signature key. ::
gpg> keytocard
Really move the primary key? (y/N) y
gpg: detected reader `FSIJ Gnuk (0.12-38FF6A06) 00 00'
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(1) Signature key
(3) Authentication key
Your selection? 1
Then, GnuPG asks two passwords. One is the passphrase of **keys on PC** and another is the password of **Gnuk Token**. Note that the password of the token and the password of the keys on PC are different things, although they can be same.
I enter these passwords. ::
You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
Enter Admin PIN: <PASSWORD-GNUK>
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
The primary key is now on the Token and GnuPG says its card-no (F517 00000001) , where F517 is the vendor ID of FSIJ.
Secondly, I import my subkey of encryption. I select key number '1'. ::
gpg> key 1
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/084239CF created: 2010-10-15 expires: never
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
You can see that the subkey is marked by '*'.
I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``2`` as it's encryption key. ::
gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(2) Encryption key
Your selection? 2
Then, GnuPG asks the passphrase of **keys on PC** again. I enter. ::
You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 084239CF, created 2010-10-15
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
The sub key is now on the Token and GnuPG says its card-no for it.
I type ``key 1`` to deselect key number '1'. ::
gpg> key 1
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
Thirdly, I select sub key of suthentication which has key number '2'. ::
gpg> key 2
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/5BB065DC created: 2010-10-22 expires: never
(1) NIIBE Yutaka <gniibe@fsij.org>
You can see that the subkey number '2' is marked by '*'.
I type ``keytocard`` command to import this subkey to Gnuk Token. I select ``3`` as it's authentication key. ::
gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
Please select where to store the key:
(3) Authentication key
Your selection? 3
Then, GnuPG asks the passphrase of **keys on PC** again. I enter. ::
You need a passphrase to unlock the secret key for
user: "NIIBE Yutaka <gniibe@fsij.org>"
2048-bit RSA key, ID 5BB065DC, created 2010-10-22
<PASSWORD-KEY-4CA7BABE>
gpg: writing new key
sec 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb* 2048R/5BB065DC created: 2010-10-22 expires: never
card-no: F517 00000001
(1) NIIBE Yutaka <gniibe@fsij.org>
The sub key is now on the Token and GnuPG says its card-no for it.
Lastly, I save changes of **keys on PC** and quit GnuPG. ::
gpg> save
$
All secret keys are imported to Gnuk Token now. On PC, only references (card-no) to the Token remain.
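Review bot: From "gpg> toggle" through the third keytocard, this log and its narration duplicate gnuk-keytocard-noremoval.rst, including the 'suthentication' typo, so every later correction has to be made twice. Consider keeping the shared walkthrough in one file and letting the two documents differ only in the opening and the final save/quit step. The target ".. _another document: gnuk-keytocard-noremoval" is a bare relative URI and would be better written with the :doc: role. 'no ways' should be 'no way'.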


@@ -0,0 +1,118 @@
=============================
Personalization of Gnuk Token
=============================
Personalize your Gnuk Token
===========================
Invoke GnuPG with the option ``--card-edit``. ::
$ gpg --card-edit
gpg: detected reader `FSIJ Gnuk (0.12-34006E06) 00 00'
Application ID ...: D276000124010200F517000000010000
Version ..........: 2.0
Manufacturer .....: FSIJ
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
It shows the status of the card (as same as the output of ``gpg --card-status``). It shows token's name and its USB serial string (0.12-34006E06) from PC/SC-lite.
Then, GnuPG enters its own command interaction mode. The prompt is ``gpg/card>``.
Firstly, I change PIN of card user from factory setting (of "123456"). Note that, only changing PIN of user enables "admin less mode" of Gnuk. Admin password will become same one of user's. ::
gpg/card> passwd
gpg: OpenPGP card no. D276000124010200F517000000010000 detected
Please enter the PIN
Enter PIN: 123456
New PIN
Enter New PIN: <PASSWORD-OF-GNUK>
New PIN
Repeat this PIN: <PASSWORD-OF-GNUK>
PIN changed.
Secondly, enabling admin command, I put name of mine. Note that I input user's PIN (which I set above) here, because it is "admin less mode". ::
gpg/card> admin
Admin commands are allowed
gpg/card> name
Cardholder's surname: Niibe
Cardholder's given name: Yutaka
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
Enter Admin PIN: <PASSWORD-OF-GNUK>
Thirdly, I put some other informations, such as language, sex, login, and URL. URL specifies the place where I put my public keys. ::
gpg/card> lang
Language preferences: ja
gpg/card> sex
Sex ((M)ale, (F)emale or space): m
gpg/card> url
URL to retrieve public key: http://www.gniibe.org/gniibe.asc
gpg/card> login
Login data (account name): gniibe
Since I don't force PIN input everytime, toggle it to non-force-pin-for-signature. ::
gpg/card> forcesig
Lastly, I setup reset code. This is optional. ::
gpg/card> passwd
gpg: OpenPGP card no. D276000124010200F517000000010000 detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 4
gpg: 3 Admin PIN attempts remaining before card is permanently locked
Please enter the Admin PIN
Enter Admin PIN: <PASSWORD-OF-GNUK>
New Reset Code
Enter New PIN: <RESETCODE-OF-GNUK>
New Reset Code
Repeat this PIN: <RESETCODE-OF-GNUK>
Reset Code set.
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? q
Then, I quit. ::
gpg/card> quit
That's all.
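Review bot: The forcesig step moves the card away from 'Signature PIN ....: forced' with only "Since I don't force PIN input everytime" as explanation; say what that means in practice, namely that after one PIN entry the Token keeps signing without asking again, so the reader can decide whether to follow it. The admin-less mode remark ("Admin password will become same one of user's") should likewise spell out that a single PIN then protects both use and administration of the Token. The file opens with two near-identical headings, 'Personalization of Gnuk Token' and 'Personalize your Gnuk Token'; one is enough. 'informations' should be 'information'.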


@@ -0,0 +1,34 @@
===================================
Initial Configuration of Gnuk Token
===================================
Conditions
==========
I assume you are using GNU/Linux.
Preparation
===========
We need to kill ``scdaemon`` before configuring Gnuk Token. ::
$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
Serial Number (optional)
========================
In the file ``GNUK_SERIAL_NUMBER``, each line has email and 6-byte serial number.
The tool ``../tool/gnuk_put_binary.py`` examines environment variable of ``EMAIL``, and writes serial number to Gnuk Token. ::
$ ../tool/gnuk_put_binary.py -s ../GNUK_SERIAL_NUMBER
Writing serial number
Token: FSIJ Gnuk (0.12-38FF6A06) 00 00
ATR: 3B DA 11 FF 81 B1 FE 55 1F 03 00 31 84 73 80 01 40 00 90 00 24
The tool ``../tool/gnuk_put_binary.py`` is for PC/SC Lite. Use
``../tool/gnuk_put_binary_libusb.py`` instead, if you don't use
PC/SC Lite but use libusb directly.
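Review bot: The Serial Number section says the tool 'examines environment variable of EMAIL', but the example invocation never shows EMAIL being set, and the format of a GNUK_SERIAL_NUMBER line ('email and 6-byte serial number') is described without a sample. Add one sample line and show the variable in the command, so a reader can tell how the tool picks the serial number to write. The relative paths (../tool/, ../GNUK_SERIAL_NUMBER) also assume a working directory that the document does not name.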

41
doc/gpg-settings.rst Normal file

@@ -0,0 +1,41 @@
.. -*- coding: utf-8 -*-
==============
GnuPG settings
==============
Here is my GnuPG settings.
.gnupg/gpg.conf
===============
I create ``.gnupg/gpg.conf`` file with the following content. ::
use-agent
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
default-key 0x4ca7babe
Let gpg-agent manage SSH key
============================
I deactivate seahose-agent. Also, I deactivate gnome-keyring managing SSH key. ::
$ gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
Then, I create ``.gnupg/gpg-agent.conf`` file with the following content. ::
enable-ssh-support
References
==========
* `Creating a new GPG key`_
* `Use OpenPGP Keys for OpenSSH, how to use gpg with ssh`_
.. _Creating a new GPG key: http://keyring.debian.org/creating-key.html
.. _Use OpenPGP Keys for OpenSSH, how to use gpg with ssh: http://www.programmierecke.net/howto/gpg-ssh.html
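Review bot: In the gpg.conf listing, "default-key 0x4ca7babe" is the author's own key ID; a reader copying the block verbatim ends up with a default key they do not hold, so mark it as a value to replace. In the next section 'seahose-agent' should be 'seahorse-agent', and only the gnome-keyring half of that sentence comes with a command; say how seahorse-agent was deactivated as well.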

BIN
doc/images/gnuk-sticker.png Normal file

Binary file not shown.

Size: 21 KiB

37
doc/index.rst Normal file

@@ -0,0 +1,37 @@
.. Gnuk Documentation documentation master file, created by
sphinx-quickstart on Wed Jul 4 15:29:05 2012.
You can adapt this file completely to your liking, but it should at least
contain the root `toctree` directive.
Copyright (C) 2012 NIIBE Yutaka
Copyright (C) 2012 Free Software Initiative of Japan
This document is licensed under a CC-BY-SA 3.0 Unported License
Gnuk Documentation
==================
Contents:
.. toctree::
:maxdepth: 2
intro.rst
development.rst
stop-scdaemon.rst
udev-rules.rst
generating-2048-RSA-key.rst
gnuk-token-initial-configuration.rst
gnuk-personalization.rst
gnuk-keytocard.rst
gnuk-keytocard-noremoval.rst
using-gnuk-token-with-another-computer.rst
gpg-settings.rst
gnome3-gpg-settings.rst
Indices and tables
==================
* :ref:`genindex`
* :ref:`modindex`
* :ref:`search`
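Review bot: The :ref:`modindex` entry under Indices and tables is the sphinx-quickstart default for projects that document Python modules; none of the documents listed in the toctree do, so there will be no module index for it to point at. Drop that entry. The opening comment ('Gnuk Documentation documentation master file ... You can adapt this file completely to your liking') is also quickstart boilerplate and can go, keeping the copyright and license lines.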

69
doc/intro.rst Normal file

@@ -0,0 +1,69 @@
Introduction
============
What's Gnuk?
------------
Gnuk is an implementation of USB cryptographic token for GNU Privacy
Guard. Gnuk supports OpenPGP card protocol version 2, and it runs on
STM32F103 processor.
Cryptographic token and feature of Gnuk
---------------------------------------
Cryptographic token is a store of private keys and it computes cryptographic
functions on the device.
The idea is to separate important secrets to independent device,
from where nobody can extract them.
Development Environment
-----------------------
See :doc:`development` for development environment for Gnuk.
Gnuk is developed on the environment where there are only Free Software.
Target boards for running Gnuk
------------------------------
Hardware requirement for Gnuk is the micro controller STM32F103.
In version 1.0, Gnuk supports following boards.
* FST-01 (Flying Stone Tiny ZERO-ONE)
* Olimex STM32-H103
* CQ STARM
* STBee
* STBee Mini
* STM32 part of STM8S Discovery Kit
Host prerequisites for using Gnuk Token
---------------------------------------
* GNU Privacy Guard (GnuPG)
* libusb
* [Optional] PC/SC lite (pcscd, libccid)
* SSH: openssh
* Web: scute, firefox
Usages
------
* Sign with GnuPG
* Decrypt with GnuPG
* Use with OpenSSH
* Use with Firefox for X.509 client certificate authentication
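Review bot: 'from where nobody can extract them' is stated without qualification, yet development.rst in this same change says that on DfuSe boards reading out flash ROM cannot be disabled and 'your secret will be readily extracted'. Qualify the sentence in this section, or point to the Hardware section of :doc:`development`, so the introduction does not promise more than the listed boards deliver. 'where there are only Free Software' should read 'where there is only Free Software'.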


@@ -1,4 +1,4 @@
* Random Number Generator * [DONE] Random Number Generator
RNG is needed for Data Encryption Key to encrypt private key (P and Q). RNG is needed for Data Encryption Key to encrypt private key (P and Q).
It is important to collect enough entropy. Perhaps, it would It is important to collect enough entropy. Perhaps, it would
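Review bot: The heading becomes '[DONE] Random Number Generator' while the body kept beneath it still reads as an open concern ('It is important to collect enough entropy. Perhaps, it would'). Since this RNG produces the Data Encryption Key that protects P and Q, replace the tentative text with a sentence on how entropy is actually collected, or leave the item unmarked until that is written down.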


@@ -77,7 +77,8 @@ KEYPTR
<---encrypted----><--- plain ----> <---encrypted----><--- plain ---->
key_addr 4-byte key_addr 4-byte
additional_data_encrypted 16-byte initial_vector (random) 16-byte
checksum_encrypted 16-byte
dek_encrypted_by_keystring_pw1 16-byte dek_encrypted_by_keystring_pw1 16-byte
dek_encrypted_by_keystring_rc 16-byte dek_encrypted_by_keystring_rc 16-byte
dek_encrypted_by_keystring_pw3 16-byte dek_encrypted_by_keystring_pw3 16-byte
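Review bot: The new "initial_vector (random) 16-byte" field takes the place of additional_data_encrypted with no word on which cipher and mode consume it, or on whether it is regenerated each time the key is rewritten; a storage-format note should state both, since IV reuse matters for most modes. The "<---encrypted----><--- plain ---->" ruler above the field list should also be checked against the new layout, so it is clear which of the new fields are stored encrypted.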
@@ -85,6 +86,4 @@ dek_encrypted_by_keystring_pw3 16-byte
... decrypted to ... decrypted to
[ P ][ Q ] [ P ][ Q ]
check 4-byte checksum 16-byte
random 4-byte
magic[] 8-byte
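Review bot: After [ P ][ Q ], the check, random and magic[] entries give way to a single "checksum 16-byte", but the text does not say how that checksum is computed, what it covers, or how it relates to the checksum_encrypted field added to KEYPTR in the previous hunk. Document that, and note what, if anything, takes over the role of the removed random and magic[] fields.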

37
doc/stop-scdaemon.rst Normal file

@@ -0,0 +1,37 @@
===========================
Stopping/Resetting SCDAEMON
===========================
There is a daemon named ``scdaemon`` behind gpg-agent, which handles
communication to smartcard/token.
Ideally, we don't need to care about ``scdaemon``, and it should
everything automatically. But, there are some cases (because of
bugs), where we need to talk to the daemon directly, in practice.
How to communicate SCDAEMON
===========================
We have a utility to communicate with a running gpg-agent, that's
gpg-connect-agent. We can use it to communicate with scdaemon,
as it supports sub-command "SCD", exactly for this purpose.
Stopping SCDAEMON
=================
To stop SCDAEMON and let it exit, type::
$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
Then, you can confirm that there is no SCDAEMON any more by ``ps``
command.
Let GPG-AGENT/SCDAEMON learn
============================
To let gpg-agent/scdaemon learn, type::
$ gpg-connect-agent learn /bye
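Review bot: The last section gives "gpg-connect-agent learn /bye" without saying what 'learn' does or when a reader would need it, unlike the Stopping SCDAEMON section, which at least gives a way to confirm the result with ps. Add a sentence on the situation that calls for it. In the opening, 'it should everything automatically' is missing a verb ('should do everything'), and the KILLSCD command is repeated in gnuk-token-initial-configuration.rst, which could link here with the :doc: role instead.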

48
doc/udev-rules.rst Normal file

@@ -0,0 +1,48 @@
===============================================
Device Configuration for Gnuk Token with libusb
===============================================
In order to use Gnuk Token with libusb, configuration of device is
needed for permissions. Note that this is not needed for the case of
PC/SC Lite, as it has its own device configuration.
Patching 60-gnupg.rules
=======================
In case of Debian, there is a file /lib/udev/rules.d/60-gnupg.rules.
This would be the place we need to change::
--- /lib/udev/rules.d/60-gnupg.rules.orig 2012-06-24 21:51:26.000000000 +0900
+++ /lib/udev/rules.d/60-gnupg.rules 2012-07-13 17:18:55.149587687 +0900
@@ -10,4 +10,7 @@
ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Gnuk
+ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
LABEL="gnupg_rules_end"
Have a another configuration for reGNUal
========================================
For reGNUal (upgrade feature of Gnuk),
I also have a file /etc/udev/rules.d/92-gnuk.rules::
# For updating firmware, permission settings are needed.
SUBSYSTEMS=="usb", ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0000", \
ENV{ID_USB_INTERFACES}=="*:ff0000:*", GROUP="pcscd"
Configuration for ST-Link/V2
============================
This is for development, but I also have a file
/etc/udev/rules.d/10-stlink.rules::
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="3748", GROUP="tape", MODE="664", SYMLINK+="stlink"
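
Review bot: The "Patching 60-gnupg.rules" section has the reader edit /lib/udev/rules.d/60-gnupg.rules in place, and that file is shipped by the package, so the Gnuk line is lost on the next upgrade. The doc already uses /etc/udev/rules.d for 92-gnuk.rules and 10-stlink.rules, so suggest putting the Gnuk entry there as well (a file of the same name under /etc/udev/rules.d takes precedence over the one in /lib). It would also help to say why GROUP="pcscd" and GROUP="tape" were chosen, that the user must be a member of that group, and how to reload the rules afterwards. The heading "Have a another configuration" has a stray "a".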

@@ -0,0 +1,173 @@
======================================
Using Gnuk Token with another computer
======================================
This document describes how you can use Gnuk Token on another PC (which is not the one you generate your keys).
Note that the Token only brings your secret keys, while ``.gnupg`` directory contains keyrings and trustdb, too.
.. BREAK
Fetch the public key and connect it to the Token
================================================
Using the Token, we need to put the public key and the secret key reference (to the token) in ``.gnupg``.
To do that, invoke GnuPG with ``--card-edit`` option. ::
$ gpg --card-edit
gpg: detected reader `FSIJ Gnuk (0.12-37006A06) 00 00'
Application ID ...: D276000124010200F517000000010000
Version ..........: 2.0
Manufacturer .....: FSIJ
Serial number ....: 00000001
Name of cardholder: Yutaka Niibe
Language prefs ...: ja
Sex ..............: male
URL of public key : http://www.gniibe.org/gniibe.asc
Login data .......: gniibe
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 1241 24BD 3B48 62AF 7A0A 42F1 00B4 5EBD 4CA7 BABE
created ....: 2010-10-15 06:46:33
Encryption key....: 42E1 E805 4E6F 1F30 26F2 DC79 79A7 9093 0842 39CF
created ....: 2010-10-15 06:46:33
Authentication key: B4D9 7142 C42D 6802 F5F7 4E70 9C33 B6BA 5BB0 65DC
created ....: 2010-10-22 06:06:36
General key info..: [none]
gpg/card>
It says, there is no key info related to this token on your PC (``[none]``).
Fetch the public key from URL specified in the Token. ::
gpg/card> fetch
gpg: requesting key 4CA7BABE from http server www.gniibe.org
gpg: key 4CA7BABE: public key "NIIBE Yutaka <gniibe@fsij.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg/card>
Good. The public key is now in ``.gnupg``. We can examine by ``gpg --list-keys``.
However, the secret key reference (to the token) is not in ``.gnupg`` yet.
It will be generated when I do ``--card-status`` by GnuPG with correspoinding public key in ``.gnupg``, or just type return at the ``gpg/card>`` prompt. ::
gpg/card>
Application ID ...: D276000124010200F517000000010000
Version ..........: 2.0
Manufacturer .....: FSIJ
Serial number ....: 00000001
Name of cardholder: Yutaka Niibe
Language prefs ...: ja
Sex ..............: male
URL of public key : http://www.gniibe.org/gniibe.asc
Login data .......: gniibe
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 6
Signature key ....: 1241 24BD 3B48 62AF 7A0A 42F1 00B4 5EBD 4CA7 BABE
created ....: 2010-10-15 06:46:33
Encryption key....: 42E1 E805 4E6F 1F30 26F2 DC79 79A7 9093 0842 39CF
created ....: 2010-10-15 06:46:33
Authentication key: B4D9 7142 C42D 6802 F5F7 4E70 9C33 B6BA 5BB0 65DC
created ....: 2010-10-22 06:06:36
General key info..:
pub 2048R/4CA7BABE 2010-10-15 NIIBE Yutaka <gniibe@fsij.org>
sec> 2048R/4CA7BABE created: 2010-10-15 expires: never
card-no: F517 00000001
ssb> 2048R/084239CF created: 2010-10-15 expires: never
card-no: F517 00000001
ssb> 2048R/5BB065DC created: 2010-10-22 expires: never
card-no: F517 00000001
gpg/card>
OK, now I can use the Token on this computer.
Update trustdb for the key on Gnuk Token
========================================
Yes, I can use the Token by the public key and the secret key reference to the card. More, I need to update the trustdb.
To do that I do: ::
$ gpg --edit-key 4ca7babe
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC
trust: unknown validity: unknown
sub 2048R/084239CF created: 2010-10-15 expires: never usage: E
sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A
[ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
[ unknown] (2) NIIBE Yutaka <gniibe@debian.org>
gpg>
See, the key is ``unknown`` state. Add trust for that. ::
gpg> trust
pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC
trust: unknown validity: unknown
sub 2048R/084239CF created: 2010-10-15 expires: never usage: E
sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A
[ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
[ unknown] (2) NIIBE Yutaka <gniibe@debian.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC
trust: ultimate validity: unknown
sub 2048R/084239CF created: 2010-10-15 expires: never usage: E
sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A
[ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
[ unknown] (2) NIIBE Yutaka <gniibe@debian.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.
$
Next time I invoke GnuPG, it will be ``ultimate`` key. Let's see: ::
$ gpg --edit-key 4ca7babe
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 2048R/4CA7BABE created: 2010-10-15 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/084239CF created: 2010-10-15 expires: never usage: E
sub 2048R/5BB065DC created: 2010-10-22 expires: never usage: A
[ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
[ultimate] (2) NIIBE Yutaka <gniibe@debian.org>
gpg> quit
$
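
Review bot: The walkthrough goes from ``fetch`` (a plain http download from the URL stored on the token) to setting ultimate trust without any step that compares the imported key with the fingerprints the card reports. Suggest adding, before the trustdb section, a check that ``gpg --fingerprint 4CA7BABE`` prints the same value as the "Signature key" line in the ``--card-edit`` output, and saying that ``trust`` should only be set after that matches. Smaller points: "correspoinding" is misspelled, and the text switches between "you" and "I" for the person doing the steps.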

@@ -178,7 +178,7 @@ extern msg_t USBthread (void *arg);
#define LED_TIMEOUT_STOP MS2ST(200) #define LED_TIMEOUT_STOP MS2ST(200)
#define ID_OFFSET 22 #define ID_OFFSET 24
static void static void
device_initialize_once (void) device_initialize_once (void)
{ {
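
Review bot: ID_OFFSET goes from 22 to 24 as a bare number, and it appears to track the length of the version text in gnukStringSerial, which grows by one character in this same change set. Suggest a comment next to the define saying what it is an offset into, or deriving it from the string length, so the next version bump cannot leave the two out of step.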

@@ -793,11 +793,6 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
memcpy (pd->iv, iv, INITIAL_VECTOR_SIZE); memcpy (pd->iv, iv, INITIAL_VECTOR_SIZE);
memcpy (pd->checksum_encrypted, kdi.checksum, DATA_ENCRYPTION_KEY_SIZE); memcpy (pd->checksum_encrypted, kdi.checksum, DATA_ENCRYPTION_KEY_SIZE);
if (kk == GPG_KEY_FOR_SIGNING)
ac_reset_pso_cds ();
else
ac_reset_other ();
if (ks_pw1) if (ks_pw1)
{ {
ks_pw1_len = ks_pw1[0]; ks_pw1_len = ks_pw1[0];
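
Review bot: With the ac_reset_pso_cds () / ac_reset_other () calls removed from gpg_do_write_prvkey, writing a private key no longer clears the authentication state as a side effect, and the only replacement visible in this patch is the else ac_reset_other () branch added to gpg_do_keygen. Please confirm that every other caller of gpg_do_write_prvkey does its own reset, and add a comment at the top of the function stating that the reset is now the caller's responsibility.
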
@@ -805,12 +800,11 @@ gpg_do_write_prvkey (enum kind_of_key kk, const uint8_t *key_data, int key_len,
} }
else else
{ {
uint8_t ks123_pw1[KEYSTRING_SIZE_PW1]; uint8_t ks[KEYSTRING_MD_SIZE];
ks123_pw1[0] = strlen (OPENPGP_CARD_INITIAL_PW1); s2k (BY_USER, (const uint8_t *)OPENPGP_CARD_INITIAL_PW1,
s2k (BY_USER, (uint8_t *)OPENPGP_CARD_INITIAL_PW1, strlen (OPENPGP_CARD_INITIAL_PW1), ks);
strlen (OPENPGP_CARD_INITIAL_PW1), ks123_pw1+1); encrypt_dek (ks, pd->dek_encrypted_1);
encrypt_dek (ks123_pw1+1, pd->dek_encrypted_1);
} }
if (ks_rc) if (ks_rc)
@@ -1572,26 +1566,27 @@ gpg_do_keygen (uint8_t kk_byte)
if (kk == GPG_KEY_FOR_SIGNING) if (kk == GPG_KEY_FOR_SIGNING)
{ {
/* Authintication has been reset within gpg_do_write_prvkey. */
/* But GnuPG expects it's ready for signing. */
/* Thus, we call verify_pso_cds here. */
const uint8_t *ks_pw1 = gpg_do_read_simple (NR_DO_KEYSTRING_PW1); const uint8_t *ks_pw1 = gpg_do_read_simple (NR_DO_KEYSTRING_PW1);
const uint8_t *pw; uint8_t keystring[KEYSTRING_MD_SIZE];
int pw_len; const uint8_t *ks;
/* GnuPG expects it's ready for signing. */
/* Don't call ac_reset_pso_cds here, but load the private key */
if (ks_pw1) if (ks_pw1)
{ ks = ks_pw1+1;
pw = ks_pw1+1;
pw_len = ks_pw1[0];
}
else else
{ {
pw = (const uint8_t *)OPENPGP_CARD_INITIAL_PW1; const uint8_t * pw = (const uint8_t *)OPENPGP_CARD_INITIAL_PW1;
pw_len = strlen (OPENPGP_CARD_INITIAL_PW3);
s2k (BY_USER, pw, strlen (OPENPGP_CARD_INITIAL_PW1), keystring);
ks = keystring;
} }
verify_pso_cds (pw, pw_len); gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, ks);
} }
else
ac_reset_other ();
gpg_do_public_key (kk_byte); gpg_do_public_key (kk_byte);
} }
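
Review bot: In the signing-key branch of gpg_do_keygen, gpg_do_load_prvkey (GPG_KEY_FOR_SIGNING, BY_USER, ks) is called as a bare statement, so if the load can fail the function still continues to gpg_do_public_key and the host sees a successful keygen while the token is not ready to sign. Suggest checking the result and returning an error in that case. In the factory-default path the derived keystring sits in the stack buffer keystring and is not cleared after the load; wiping it would be tidier. Style: const uint8_t * pw has a stray space after the asterisk.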

@@ -776,10 +776,15 @@ cmd_pso (void)
/* Skip padding 0x00 */ /* Skip padding 0x00 */
len--; len--;
r = rsa_decrypt (apdu.cmd_apdu_data+1, res_APDU, len, if (len != KEY_CONTENT_LEN)
&kd[GPG_KEY_FOR_DECRYPTION]); GPG_CONDITION_NOT_SATISFIED ();
if (r < 0) else
GPG_ERROR (); {
r = rsa_decrypt (apdu.cmd_apdu_data+1, res_APDU, len,
&kd[GPG_KEY_FOR_DECRYPTION]);
if (r < 0)
GPG_ERROR ();
}
} }
else else
{ {
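
Review bot: The new check in cmd_pso refuses any cryptogram whose length, once the padding byte is skipped, is not exactly KEY_CONTENT_LEN, but nothing in the code says so, or why GPG_CONDITION_NOT_SATISFIED is the status for a wrong length while a failed rsa_decrypt reports GPG_ERROR. Suggest a one-line comment stating that the host must send a full-length, zero-padded value, since a big-endian encoding with leading zero bytes stripped is now rejected (the test helper in this change set had to move to a fixed 256-byte encoding for that reason).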

@@ -258,11 +258,11 @@ static const uint8_t gnukStringLangID[] = {
#include "usb-strings.c.inc" #include "usb-strings.c.inc"
const uint8_t gnukStringSerial[] = { const uint8_t gnukStringSerial[] = {
18*2+2, /* bLength */ 19*2+2, /* bLength */
USB_STRING_DESCRIPTOR_TYPE, /* bDescriptorType */ USB_STRING_DESCRIPTOR_TYPE, /* bDescriptorType */
/* FSIJ-0.19 */ /* FSIJ-1.0 */
'F', 0, 'S', 0, 'I', 0, 'J', 0, '-', 0, 'F', 0, 'S', 0, 'I', 0, 'J', 0, '-', 0,
'0', 0, '.', 0, '2', 0, '1', 0, /* Version number of Gnuk */ '1', 0, '.', 0, '0', 0, '.', 0, '1', 0, /* Version number of Gnuk */
'-', 0, '-', 0,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
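
Review bot: The comment above the characters now reads /* FSIJ-1.0 */ while the bytes below it spell 1.0.1; please make the comment match the string. bLength was also bumped by hand from 18*2+2 to 19*2+2 for the extra character, so a short comment breaking down the 19 (version text plus the 0xff placeholder that follows) would help whoever does the next version bump.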

@@ -8,7 +8,7 @@ Feature: command GET DATA
Scenario: data object extended capabilities Scenario: data object extended capabilities
When requesting extended capabilities: c0 When requesting extended capabilities: c0
Then you should get: \x30\x00\x00\x00\x00\x00\x00\xff\x01\x00 Then data should match: \x30\x00\x00\x00[\x00\x08]\x00\x00\xff\x01\x00
Scenario: data object algorithm attributes 1 Scenario: data object algorithm attributes 1
When requesting algorithm attributes 1: c1 When requesting algorithm attributes 1: c1

@@ -21,6 +21,13 @@ Feature: key generation
And put the second data to d0 And put the second data to d0
Then it should get success Then it should get success
Scenario: compute digital signature by OPENPGP.1 key (1)
Given a message "GnuPG assumes that PW1 keeps valid after keygen."
And a public key from token for OPENPGP.1
And let a token compute digital signature
And verify signature
Then it should get success
Scenario: verify PW1 (1) after keygen Scenario: verify PW1 (1) after keygen
Given cmd_verify with 1 and "another user pass phrase" Given cmd_verify with 1 and "another user pass phrase"
Then it should get success Then it should get success

View File

@@ -33,4 +33,4 @@ Feature: compute digital signature
Scenario: data object ds counter Scenario: data object ds counter
When requesting ds counter: 93 When requesting ds counter: 93
Then you should get: \x00\x00\x02 Then data should match: \x00\x00(\x02|\x03)
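
Review bot: The ds counter expectation is loosened from exactly \x00\x00\x02 to (\x02|\x03) without saying why either value is acceptable, and a test that accepts both can no longer catch a signature being counted twice or not at all. If the extra signature comes from the scenario added to the key generation feature, say so in a comment, or better, give each test flow its own exact expected value.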

@@ -8,7 +8,7 @@ Feature: command GET DATA
Scenario: data object extended capabilities Scenario: data object extended capabilities
When requesting extended capabilities: c0 When requesting extended capabilities: c0
Then you should get: \x30\x00\x00\x00\x00\x00\x00\xff\x01\x00 Then data should match: \x30\x00\x00\x00[\x00\x08]\x00\x00\xff\x01\x00
Scenario: data object algorithm attributes 1 Scenario: data object algorithm attributes 1
When requesting algorithm attributes 1: c1 When requesting algorithm attributes 1: c1

@@ -21,6 +21,13 @@ Feature: key generation
And put the second data to d0 And put the second data to d0
Then it should get success Then it should get success
Scenario: compute digital signature by OPENPGP.1 key (1)
Given a message "GnuPG assumes that PW1 keeps valid after keygen."
And a public key from token for OPENPGP.1
And let a token compute digital signature
And verify signature
Then it should get success
Scenario: verify PW1 (1) after keygen Scenario: verify PW1 (1) after keygen
Given cmd_verify with 1 and "another user pass phrase" Given cmd_verify with 1 and "another user pass phrase"
Then it should get success Then it should get success

@@ -33,4 +33,4 @@ Feature: compute digital signature
Scenario: data object ds counter Scenario: data object ds counter
When requesting ds counter: 93 When requesting ds counter: 93
Then you should get: \x00\x00\x02 Then data should match: \x00\x00(\x02|\x03)

@@ -0,0 +1,43 @@
Feature: key removal
In order to use a token
A token should have keys
Scenario: remove OPENPGP.1 key (sign)
When removing a key OPENPGP.1
Then it should get success
Scenario: remove OPENPGP.2 key (decrypt)
When removing a key OPENPGP.2
Then it should get success
Scenario: remove OPENPGP.3 key (authentication)
When removing a key OPENPGP.3
Then it should get success
Scenario: verify PW3 (admin-less mode)
Given cmd_verify with 3 and "12345678"
Then it should get success
Scenario: remove data object Finger print sig
Given cmd_put_data with c7 and ""
Then it should get success
Scenario: remove data object Finger print dec
Given cmd_put_data with c8 and ""
Then it should get success
Scenario: remove data object Finger print aut
Given cmd_put_data with c9 and ""
Then it should get success
Scenario: remove data object keygeneration data/time sig
Given cmd_put_data with ce and ""
Then it should get success
Scenario: remove data object keygeneration data/time dec
Given cmd_put_data with cf and ""
Then it should get success
Scenario: remove data object keygeneration data/time aut
Given cmd_put_data with d0 and ""
Then it should get success

@@ -0,0 +1,27 @@
Feature: removal of data objects
In order to use a token
A token should have personalized data
Scenario: remove data object Login
Given cmd_put_data with 5e and ""
Then it should get success
Scenario: remove data object Name
Given cmd_put_data with 5b and ""
Then it should get success
Scenario: remove data object Language preference
Given cmd_put_data with 5f2d and ""
Then it should get success
Scenario: remove data object Sex
Given cmd_put_data with 5f35 and ""
Then it should get success
Scenario: remove data object URL
Given cmd_put_data with 5f50 and ""
Then it should get success
Scenario: remove data object pw1 status bytes
Given cmd_put_data with c4 and "\x00"
Then it should get success

@@ -0,0 +1,7 @@
Feature: confirm factory setting pass phrase
In order to conform OpenPGP card 2.0 specification
A token should support pass phrase: PW1, PW3 and reset code
Scenario: verify PW3 (admin-less mode)
Given cmd_verify with 3 and "12345678"
Then it should get success

@@ -0,0 +1,79 @@
Feature: confirm empty token
In order to start tests
A token should be empty (no data, no keys)
Scenario: data object Login
When requesting login data: 5e
Then you should get NULL
Scenario: data object Name
When requesting name: 5b
Then you should get NULL
Scenario: data object Language preference
When requesting anguage preference: 5f2d
Then you should get NULL
Scenario: data object Sex
When requesting sex: 5f35
Then you should get NULL
Scenario: data object URL
When requesting URL: 5f50
Then you should get NULL
Scenario: data object ds counter
When requesting ds counter: 93
Then you should get: \x00\x00\x00
Scenario: data object pw1 status bytes
When requesting pw1 status bytes: c4
Then you should get: \x00\x7f\x7f\x7f\x03\x03\x03
Scenario: data object finger print 0
When requesting finger print: c5
Then you should get: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
Scenario: data object finger print 1
When requesting finger print: c7
Then you should get NULL
Scenario: data object finger print 2
When requesting finger print: c8
Then you should get NULL
Scenario: data object finger print 3
When requesting finger print: c9
Then you should get NULL
Scenario: data object CA finger print 0
When requesting finger print: c6
Then you should get: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
Scenario: data object CA finger print 1
When requesting finger print: ca
Then you should get NULL
Scenario: data object CA finger print 2
When requesting finger print: cb
Then you should get NULL
Scenario: data object CA finger print 3
When requesting finger print: cc
Then you should get NULL
Scenario: data object date/time of key pair 0
When requesting date/time of key pair: cd
Then you should get: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
Scenario: data object date/time of key pair 1
When requesting date/time of key pair: ce
Then you should get NULL
Scenario: data object date/time of key pair 2
When requesting date/time of key pair: cf
Then you should get NULL
Scenario: data object date/time of key pair 3
When requesting date/time of key pair: d0
Then you should get NULL
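
Review bot: The step "When requesting anguage preference: 5f2d" is missing the leading "l" of "language". The step pattern takes the name as free text, so the test still runs, but the typo ends up in the test report; the same misspelling appears in the personalize-read feature. The feature title "confirm empty token" is also reused by the pass phrase feature that follows, which makes the two hard to tell apart in output.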

@@ -0,0 +1,15 @@
Feature: confirm empty token
In order to start tests
A token should be empty (no pass phrase)
Scenario: verify PW1 factory setting (1)
Given cmd_verify with 1 and "123456"
Then it should get success
Scenario: verify PW1 factory setting (2)
Given cmd_verify with 2 and "123456"
Then it should get success
Scenario: verify PW3 factory setting
Given cmd_verify with 3 and "12345678"
Then it should get success

@@ -0,0 +1,27 @@
Feature: command GET DATA
In order to conform OpenPGP card 2.0 specification
A token should support all mandatory features of the specification
Scenario: data object historical bytes
When requesting historical bytes: 5f52
Then you should get: \x00\x31\x84\x73\x80\x01\x80\x00\x90\x00
Scenario: data object extended capabilities
When requesting extended capabilities: c0
Then data should match: \x30\x00\x00\x00[\x00\x08]\x00\x00\xff\x01\x00
Scenario: data object algorithm attributes 1
When requesting algorithm attributes 1: c1
Then you should get: \x01\x08\x00\x00\x20\x00
Scenario: data object algorithm attributes 2
When requesting algorithm attributes 2: c2
Then you should get: \x01\x08\x00\x00\x20\x00
Scenario: data object algorithm attributes 3
When requesting algorighm attributes 3: c3
Then you should get: \x01\x08\x00\x00\x20\x00
Scenario: data object AID
When requesting AID: 4f
Then data should match: \xd2\x76\x00\x01\x24\x01\x02\x00......\x00\x00
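
Review bot: In the AID scenario the six variable bytes are matched with "......", and in a regular expression a dot does not match a newline unless the matcher enables that, so a token whose manufacturer or serial bytes include 0x0a would fail this test for no real reason. Suggest making sure the "data should match" step compiles its pattern so that a dot matches any byte, and that it anchors the pattern at both ends. The step "requesting algorighm attributes 3" also has a typo.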

@@ -0,0 +1,15 @@
Feature: check pass phrase
In order to conform OpenPGP card 2.0 specification
A token should support pass phrase: PW1, PW3 and reset code
Scenario: verify PW1 (1)
Given cmd_verify with 1 and "123456"
Then it should get success
Scenario: verify PW1 (2)
Given cmd_verify with 2 and "123456"
Then it should get success
Scenario: verify PW3
Given cmd_verify with 3 and "12345678"
Then it should get success

@@ -0,0 +1,27 @@
Feature: personalize token write
In order to use a token
A token should be personalized with name, sex, url, etc.
Scenario: data object Login
Given cmd_put_data with 5e and "gpg_user"
Then it should get success
Scenario: data object Name
Given cmd_put_data with 5b and "GnuPG User"
Then it should get success
Scenario: data object Language preference
Given cmd_put_data with 5f2d and "ja"
Then it should get success
Scenario: data object Sex
Given cmd_put_data with 5f35 and "1"
Then it should get success
Scenario: data object URL
Given cmd_put_data with 5f50 and "http://www.fsij.org/gnuk/"
Then it should get success
Scenario: data object pw1 status bytes
Given cmd_put_data with c4 and "\x01"
Then it should get success

@@ -0,0 +1,27 @@
Feature: personalize token read
In order to use a token
A token should be personalized with name, sex, url, etc.
Scenario: data object Login
When requesting login data: 5e
Then you should get: gpg_user
Scenario: data object Name
When requesting name: 5b
Then you should get: GnuPG User
Scenario: data object Language preference
When requesting anguage preference: 5f2d
Then you should get: ja
Scenario: data object Sex
When requesting sex: 5f35
Then you should get: 1
Scenario: data object URL
When requesting URL: 5f50
Then you should get: http://www.fsij.org/gnuk/
Scenario: data object pw1 status bytes
When requesting pw1 status bytes: c4
Then you should get: \x01\x7f\x7f\x7f\x03\x03\x03

@@ -0,0 +1,56 @@
Feature: import keys to token
In order to use a token
A token should have keys
Scenario: importing OPENPGP.1 key (sign)
Given a RSA key pair 0
And importing it to the token as OPENPGP.1
Then it should get success
Scenario: importing OPENPGP.2 key (decrypt)
Given a RSA key pair 1
And importing it to the token as OPENPGP.2
Then it should get success
Scenario: importing OPENPGP.3 key (authentication)
Given a RSA key pair 2
And importing it to the token as OPENPGP.3
Then it should get success
Scenario: setup data object Finger print sig
Given a fingerprint of OPENPGP.1 key
And put the data to c7
Then it should get success
Scenario: setup data object Finger print dec
Given a fingerprint of OPENPGP.2 key
And put the data to c8
Then it should get success
Scenario: setup data object Finger print aut
Given a fingerprint of OPENPGP.3 key
And put the data to c9
Then it should get success
Scenario: setup data object keygeneration data/time sig
Given a timestamp of OPENPGP.1 key
And put the data to ce
Then it should get success
Scenario: setup data object keygeneration data/time dec
Given a timestamp of OPENPGP.2 key
And put the data to cf
Then it should get success
Scenario: setup data object keygeneration data/time aut
Given a timestamp of OPENPGP.3 key
And put the data to d0
Then it should get success
Scenario: verify PW1 (1) again
Given cmd_verify with 1 and "123456"
Then it should get success
Scenario: verify PW1 (2) again
Given cmd_verify with 2 and "123456"
Then it should get success

@@ -0,0 +1,31 @@
Feature: compute digital signature
In order to use a token
A token should compute digital signature properly
Scenario: compute digital signature by OPENPGP.1 key (1)
Given a message "This is a test message."
And let a token compute digital signature
And compute digital signature on host with RSA key pair 0
Then results should be same
Scenario: compute digital signature by OPENPGP.1 key (2)
Given a message "This is another test message.\nMultiple lines.\n"
And let a token compute digital signature
And compute digital signature on host with RSA key pair 0
Then results should be same
Scenario: compute digital signature by OPENPGP.3 key (1)
Given a message "This is a test message."
And let a token authenticate
And compute digital signature on host with RSA key pair 2
Then results should be same
Scenario: compute digital signature by OPENPGP.3 key (2)
Given a message "This is another test message.\nMultiple lines.\n"
And let a token authenticate
And compute digital signature on host with RSA key pair 2
Then results should be same
Scenario: data object ds counter
When requesting ds counter: 93
Then you should get: \x00\x00\x02

@@ -0,0 +1,16 @@
Feature: decryption
In order to use a token
A token should decrypt encrypted data
Scenario: decrypt by OPENPGP.2 key (1)
Given a plain text "This is a test message."
And encrypt it on host with RSA key pair 1
And let a token decrypt encrypted data
Then decrypted data should be same as a plain text
Scenario: decrypt by OPENPGP.2 key (2)
Given a plain text "RSA decryption is as easy as pie."
And encrypt it on host with RSA key pair 1
And let a token decrypt encrypted data
Then decrypted data should be same as a plain text

@@ -0,0 +1,48 @@
@keygen
Feature: key removal
In order to use a token
A token should have keys
Scenario: remove OPENPGP.1 key (sign)
When removing a key OPENPGP.1
Then it should get success
Scenario: remove OPENPGP.2 key (decrypt)
When removing a key OPENPGP.2
Then it should get success
Scenario: remove OPENPGP.3 key (authentication)
When removing a key OPENPGP.3
Then it should get success
Scenario: remove data object Finger print sig
Given cmd_put_data with c7 and ""
Then it should get success
Scenario: remove data object Finger print dec
Given cmd_put_data with c8 and ""
Then it should get success
Scenario: remove data object Finger print aut
Given cmd_put_data with c9 and ""
Then it should get success
Scenario: remove data object keygeneration data/time sig
Given cmd_put_data with ce and ""
Then it should get success
Scenario: remove data object keygeneration data/time dec
Given cmd_put_data with cf and ""
Then it should get success
Scenario: remove data object keygeneration data/time aut
Given cmd_put_data with d0 and ""
Then it should get success
Scenario: verify PW1
Given cmd_verify with 1 and "123456"
Then it should get success
Scenario: verify PW2
Given cmd_verify with 2 and "123456"
Then it should get success

@@ -0,0 +1,37 @@
@keygen
Feature: key generation
In order to use a token
A token should have keys
Scenario: generate OPENPGP.1 key (sign)
When generating a key of OPENPGP.1
And put the first data to c7
And put the second data to ce
Then it should get success
Scenario: generate OPENPGP.2 key (decrypt)
When generating a key of OPENPGP.2
And put the first data to c8
And put the second data to cf
Then it should get success
Scenario: generate OPENPGP.3 key (authentication)
When generating a key of OPENPGP.3
And put the first data to c9
And put the second data to d0
Then it should get success
Scenario: compute digital signature by OPENPGP.1 key
Given a message "GnuPG assumes that PW1 keeps valid after keygen."
And a public key from token for OPENPGP.1
And let a token compute digital signature
And verify signature
Then it should get success
Scenario: verify PW1 (1) after keygen
Given cmd_verify with 1 and "123456"
Then it should get success
Scenario: verify PW1 (2) after keygen
Given cmd_verify with 2 and "123456"
Then it should get success

@@ -0,0 +1,36 @@
@keygen
Feature: compute digital signature
In order to use a token
A token should compute digital signature properly
Scenario: compute digital signature by OPENPGP.1 key (1)
Given a message "This is a test message."
And a public key from token for OPENPGP.1
And let a token compute digital signature
And verify signature
Then it should get success
Scenario: compute digital signature by OPENPGP.1 key (2)
Given a message "This is another test message.\nMultiple lines.\n"
And a public key from token for OPENPGP.1
And let a token compute digital signature
And verify signature
Then it should get success
Scenario: compute digital signature by OPENPGP.3 key (1)
Given a message "This is a test message."
And a public key from token for OPENPGP.3
And let a token authenticate
And verify signature
Then it should get success
Scenario: compute digital signature by OPENPGP.3 key (2)
Given a message "This is another test message.\nMultiple lines.\n"
And a public key from token for OPENPGP.3
And let a token authenticate
And verify signature
Then it should get success
Scenario: data object ds counter
When requesting ds counter: 93
Then data should match: \x00\x00(\x02|\x03)

@@ -0,0 +1,19 @@
@keygen
Feature: decryption
In order to use a token
A token should decrypt encrypted data
Scenario: decrypt by OPENPGP.2 key (1)
Given a plain text "This is a test message."
And a public key from token for OPENPGP.2
And encrypt it on host
And let a token decrypt encrypted data
Then decrypted data should be same as a plain text
Scenario: decrypt by OPENPGP.2 key (2)
Given a plain text "RSA decryption is as easy as pie."
And a public key from token for OPENPGP.2
And encrypt it on host
And let a token decrypt encrypted data
Then decrypted data should be same as a plain text

@@ -0,0 +1,8 @@
@usb
Feature: examine USB version string
In order to work as Gnuk Token
A token should support version string
Scenario: USB version string
Given USB version string of the token
Then data should match: ([a-zA-Z0-9]*)-([.0-9]+)-[0-9A-F]+
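
Review bot: The version string pattern ([a-zA-Z0-9]*)-([.0-9]+)-[0-9A-F]+ lets the first group be empty and, unless the step anchors it, also passes when extra bytes surround the matched part, so a string that still carries unfilled placeholder bytes after the ID could be accepted. Suggest + instead of * for the first group and explicit anchors at both ends.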

@@ -108,6 +108,9 @@ def encrypt_on_host_public_key():
def decrypt(): def decrypt():
scc.result = ftc.token.cmd_pso_longdata(0x80, 0x86, scc.ciphertext) scc.result = ftc.token.cmd_pso_longdata(0x80, 0x86, scc.ciphertext)
@Given("USB version string of the token")
def usb_version_string():
scc.result = ftc.token.get_string(3)
@When("requesting (.+): ([0-9a-fA-F]+)") @When("requesting (.+): ([0-9a-fA-F]+)")
def get_data(name, tag_str): def get_data(name, tag_str):

@@ -77,6 +77,9 @@ class gnuk_token(object):
self.__timeout = 10000 self.__timeout = 10000
self.__seq = 0 self.__seq = 0
def get_string(self, num):
return self.__devhandle.getString(num, 512)
def increment_seq(self): def increment_seq(self):
self.__seq = (self.__seq + 1) & 0xff self.__seq = (self.__seq + 1) & 0xff
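
Review bot: get_string passes a fixed 512 as the length to getString and has no docstring, and the step that calls it passes a bare 3 as the descriptor index. Suggest naming both values (for example a constant for the serial string index) and documenting what the method returns, so the test reads without a trip to the USB descriptor table.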

@@ -125,24 +125,24 @@ def compute_signature(keyno, digestinfo):
sig = t2 + t * q sig = t2 + t * q
return sig return sig
def integer_to_bytes(i): def integer_to_bytes_256(i):
s = hex(i)[2:] s = hex(i)[2:]
s = s.rstrip('L') s = s.rstrip('L')
if len(s) & 1: if len(s) & 1:
s = '0' + s s = '0' + s
return unhexlify(s) return string.rjust(unhexlify(s), 256, '\x00')
def encrypt(keyno, plaintext): def encrypt(keyno, plaintext):
e = key[keyno][4] e = key[keyno][4]
n = key[keyno][7] n = key[keyno][7]
m = pkcs1_pad_for_crypt(plaintext) m = pkcs1_pad_for_crypt(plaintext)
return '\x00' + integer_to_bytes(pow(m, e, n)) return '\x00' + integer_to_bytes_256(pow(m, e, n))
def encrypt_with_pubkey(pubkey_info, plaintext): def encrypt_with_pubkey(pubkey_info, plaintext):
n = int(hexlify(pubkey_info[0]), 16) n = int(hexlify(pubkey_info[0]), 16)
e = int(hexlify(pubkey_info[1]), 16) e = int(hexlify(pubkey_info[1]), 16)
m = pkcs1_pad_for_crypt(plaintext) m = pkcs1_pad_for_crypt(plaintext)
return '\x00' + integer_to_bytes(pow(m, e, n)) return '\x00' + integer_to_bytes_256(pow(m, e, n))
def verify_signature(pubkey_info, digestinfo, sig): def verify_signature(pubkey_info, digestinfo, sig):
n = int(hexlify(pubkey_info[0]), 16) n = int(hexlify(pubkey_info[0]), 16)
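
Review bot: integer_to_bytes_256 calls string.rjust, but no import of the string module is visible in this hunk; please confirm the file imports it, otherwise encrypt and encrypt_with_pubkey fail with a NameError. The 256 is fixed in both the name and the body, which ties the helper to 2048-bit keys; taking the length as a parameter, or computing it from n, would keep it correct if the key size ever changes.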

@@ -216,27 +216,31 @@ class stlinkv2(object):
v = self.execute_get("\xf2\x22\x00", 4) v = self.execute_get("\xf2\x22\x00", 4)
return v[0] + (v[1]<<8) + (v[2]<<16) + (v[3]<<24) return v[0] + (v[1]<<8) + (v[2]<<16) + (v[3]<<24)
# For FST-01-00 and FST-01: LED on, USB off # For FST-01-00 and FST-01: LED on, USB connect
def setup_gpio(self): def setup_gpio(self):
apb2enr = self.read_memory_u32(0x40021018) apb2enr = self.read_memory_u32(0x40021018)
apb2enr = apb2enr | 4 | 8 | 0x1000 # Enable port A, port B, and SPI1 apb2enr = apb2enr | 4 | 8 | 0x1000 # Enable port A, port B, and SPI1
self.write_memory_u32(0x40021018, apb2enr) # RCC->APB2ENR self.write_memory_u32(0x40021018, apb2enr) # RCC->APB2ENR
self.write_memory_u32(0x4002100c, 4|8|0x1000) # RCC->APB2RSTR self.write_memory_u32(0x4002100c, 4|8|0x1000) # RCC->APB2RSTR
self.write_memory_u32(0x4002100c, 0) self.write_memory_u32(0x4002100c, 0)
self.write_memory_u32(GPIOA+0x0c, 0xfffffbff) # ODR self.write_memory_u32(GPIOA+0x0c, 0xffffffff) # ODR
self.write_memory_u32(GPIOA+0x04, 0x88888383) # CRH self.write_memory_u32(GPIOA+0x04, 0x88888383) # CRH
self.write_memory_u32(GPIOA+0x00, 0xBBB38888) # CRL self.write_memory_u32(GPIOA+0x00, 0xBBB38888) # CRL
self.write_memory_u32(GPIOB+0x0c, 0xffffffff) # ODR self.write_memory_u32(GPIOB+0x0c, 0xffffffff) # ODR
self.write_memory_u32(GPIOB+0x04, 0x88888883) # CRH self.write_memory_u32(GPIOB+0x04, 0x88888888) # CRH
self.write_memory_u32(GPIOB+0x00, 0x88888888) # CRL self.write_memory_u32(GPIOB+0x00, 0x88888883) # CRL
# For FST-01-00 and FST-01: LED off, USB off # For FST-01-00 and FST-01: LED on, USB disconnect
def usb_disconnect(self):
self.write_memory_u32(GPIOA+0x0c, 0xfffffbff) # ODR
# For FST-01-00 and FST-01: LED off, USB connect
def finish_gpio(self): def finish_gpio(self):
self.write_memory_u32(GPIOA+0x0c, 0xfffffeff) # ODR
self.write_memory_u32(GPIOB+0x0c, 0xfffffffe) # ODR
apb2enr = self.read_memory_u32(0x40021018) apb2enr = self.read_memory_u32(0x40021018)
apb2enr = apb2enr & ~(4 | 8 | 0x1000) apb2enr = apb2enr & ~(4 | 8 | 0x1000)
self.write_memory_u32(0x40021018, apb2enr) # RCC->APB2ENR self.write_memory_u32(0x40021018, apb2enr) # RCC->APB2ENR
self.write_memory_u32(GPIOA+0x0c, 0xfffffaff) # ODR
self.write_memory_u32(GPIOB+0x0c, 0xfffffffe) # ODR
def spi_flash_init(self): def spi_flash_init(self):
self.write_memory_u32(SPI1+0x00, 0x0004); # CR1 <= MSTR self.write_memory_u32(SPI1+0x00, 0x0004); # CR1 <= MSTR
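Review bot: `usb_disconnect` and `finish_gpio` write whole-register ODR constants (`0xfffffbff`, `0xfffffeff`) whose meaning can only be recovered by comparing the hex digits with the comments above each function. Name the USB and LED bits as constants and build the values from them, so that a comment such as "LED on, USB disconnect" and the value it describes cannot drift apart. On the new side `finish_gpio` also writes ODR before clearing the port clocks in APB2ENR; a one-line comment saying that this ordering is required would keep it from being moved back.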
@@ -562,6 +566,9 @@ def main(show_help, erase_only, no_protect, spi_flash_check,
if unlock: if unlock:
stl.reset_sys() stl.reset_sys()
stl.option_bytes_write(OPTION_BYTES_ADDR,RDP_KEY) stl.option_bytes_write(OPTION_BYTES_ADDR,RDP_KEY)
stl.usb_disconnect()
time.sleep(0.100)
stl.finish_gpio()
print "Flash ROM read protection disabled. Reset the board, now." print "Flash ROM read protection disabled. Reset the board, now."
return 0 return 0
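Review bot: the `time.sleep(0.100)` between `stl.usb_disconnect()` and `stl.finish_gpio()` in the unlock branch is an unexplained magic delay. Add a comment saying what the 100 ms waits for (presumably the host registering the disconnect before `finish_gpio` sets the pin back to "USB connect"), or turn it into a named constant.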
@@ -578,6 +585,8 @@ def main(show_help, erase_only, no_protect, spi_flash_check,
stl.flash_erase_all() stl.flash_erase_all()
if erase_only: if erase_only:
stl.usb_disconnect()
time.sleep(0.100)
stl.finish_gpio() stl.finish_gpio()
return 0 return 0
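Review bot: the `erase_only` branch repeats the same three-call sequence that the unlock branch adds (`usb_disconnect`, `time.sleep(0.100)`, `finish_gpio`). Fold it into a single method on `stlinkv2` so that the delay and the call order live in one place and the two exit paths cannot diverge.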
@@ -606,6 +615,7 @@ def main(show_help, erase_only, no_protect, spi_flash_check,
print "Flash ROM read protection enabled. Reset the board to enable protection." print "Flash ROM read protection enabled. Reset the board to enable protection."
if reset_after_successful_write: if reset_after_successful_write:
stl.usb_disconnect()
stl.reset_sys() stl.reset_sys()
stl.run() stl.run()
stl.exit_debug() stl.exit_debug()
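Review bot: in the `reset_after_successful_write` branch, `stl.usb_disconnect()` is followed directly by `stl.reset_sys()`, with no `time.sleep(0.100)` and no `finish_gpio()`, unlike the unlock and `erase_only` paths. If the reset makes the delay unnecessary, say so in a comment; otherwise add the same delay here so all three paths behave alike.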