version 1.0.1

ChangeLog

@@ -1,3 +1,14 @@
+2012-08-03  Niibe Yutaka  <gniibe@fsij.org>
+
+	* Version 1.0.1.
+	* src/usb_desc.c (gnukStringSerial): Updated.
+	* src/main.c (ID_OFFSET): Fix.
+
+2012-08-02  Niibe Yutaka  <gniibe@fsij.org>
+
+	* test/gnuk.py (gnuk_token.get_string): New.
+	* test/features/991_version_string.feature: New.
+
 2012-07-21  Niibe Yutaka  <gniibe@fsij.org>
 
 	* Version 1.0.

NEWS

@@ -1,5 +1,14 @@
 Gnuk NEWS - User visible changes
 
+* Major changes in Gnuk 1.0.1
+
+  Released 2012-08-03, by NIIBE Yutaka
+
+** USB SerialNumber String
+In 1.0, it has a bug for USB SerialNumber String.  It has been fixed
+in 1.0.1.
+
+
 * Major changes in Gnuk 1.0
 
   Released 2012-07-21, by NIIBE Yutaka

README

@@ -1,7 +1,7 @@
 Gnuk - An Implementation of USB Cryptographic Token for GnuPG
 
-							    Version 1.0
-							     2012-07-21
+							  Version 1.0.1
+							     2012-08-03
 							   Niibe Yutaka
 				      Free Software Initiative of Japan
 
@@ -14,9 +14,9 @@ STM32F103 processor.
 
 I wish that Gnuk will be a developer's soother who uses GnuPG.  I have
 been nervous of storing secret key(s) on usual secondary storage.
-There is a solution with OpenPGP card, but it is not the choice for me
-to bring a card reader all the time.  With Gnuk, this issue will be
-solved by a USB token which is small enough.
+There is a solution with OpenPGP card, but it is not the choice for
+me, as card reader is not common device.  With Gnuk, this issue will
+be solved by a USB token.
 
 Please look at the graphics of "gnuk.svg" for the software name.  My
 son used to be with his NUK(R), always, everywhere.  Now, I am with a
@@ -35,7 +35,7 @@ A0: Good points of Gnuk are:
       Gnuk Token cheaper (see Q8-A8).
     * You can study Gnuk to modify and to enhance.  For example, you
       can implement your own authentication method with some sensor
-      such as acceleration sensor.
+      such as an acceleration sensor.
     * It is "of Free Software"; Gnuk is distributed under GPLv3+,
 	    "by Free Software"; Gnuk development requires only Free Software
 				(GNU Toolchain, Python, etc.), 
@@ -51,8 +51,8 @@ Q3: What's your recommendation for target board?
 A3: Orthodox choice is Olimex STM32-H103.
     If you have skill of electronics and like DIY, STM32 part of STM8S
     Discovery Kit might be the best choice.
-    Currently FST-01 (Flying Stone Tiny 01) is under development,
-    it will be the best choice, hopefully.
+    FST-01 (Flying Stone Tiny 01) will be soon available for sale,
+    and it will be the best choice, hopefully.
 
 Q4: What's version of GnuPG are you using?
 A4: In Debian GNU/Linux system, I use gnupg 1.4.11-3 and gnupg-agent
@@ -63,12 +63,13 @@ Q5: What's version of pcscd and libccid are you using?
 A5: In Debian GNU/Linux system, I use pcscd 1.5.5-4 and libccid 1.3.11-2,
     which is in squeeze.  Note that you need to edit /etc/libccid_Info.plist
     when using libccid (< 1.4.1).
+    Note that pcscd and libccid are optional, you can use Gnuk without them.
 
 Q6: What kinds of hardware is required for development?
-A6: You need a target board plus a JTAG debugger.  If you just want to
-    test Gnuk for target boards with DfuSe, JTAG debugger is not
-    the requirement.  Note that for real use, you need JTAG debugger
-    to enable flash ROM protection.
+A6: You need a target board plus a JTAG/SWD debugger.  If you just
+    want to test Gnuk for target boards with DfuSe, JTAG debugger is
+    not the requirement.  Note that for real use, you need JTAG/SWD
+    debugger to enable flash ROM protection.
 
 Q7: How much does it cost?
 A7: Olimex STM32-H103 plus ARM-USB-TINY-H cost 70 Euro or so.
@@ -107,17 +108,18 @@ Ab: That's because gnome-keyring-daemon interferes GnuPG.  Type:
     "GPG Password Agent" and "SSH Key Agent".
 
 Qc: Do you know a good SWD debugger to connect FST-01 or something?
-Ac: STLink v2 is cheap one.  We have a tool/stlinkv2.py as flash ROM
-writer program.
+Ac: ST-Link/V2 is cheap one.  We have a tool/stlinkv2.py as flash ROM
+    writer program.
 
 
 Release notes
 =============
 
-This is version 1.0 release of Gnuk, after a year and eleven months
-development.  While it is daily use for a year or so, some newly
-introduced features (including key generation and firmware upgrade)
-should be considered experimental.
+This is a minor release in version 1.0 series of Gnuk.
+
+While it is daily use for more than a year, some newly introduced
+features (including key generation and firmware upgrade) should be
+considered experimental.
 
 Tested features are:
 

doc/conf.py

@@ -41,7 +41,7 @@ master_doc = 'index'
 
 # General information about the project.
 project = u'Gnuk Documentation'
-copyright = u'2012, Niibe Yutaka'
+copyright = u'2012, NIIBE Yutaka'
 
 # The version info for the project you're documenting, acts as replacement for
 # |version| and |release|, also used in various other places throughout the
@@ -184,7 +184,7 @@ latex_elements = {
 # (source start file, target name, title, author, documentclass [howto/manual]).
 latex_documents = [
   ('index', 'GnukDocumentation.tex', u'Gnuk Documentation Documentation',
-   u'Niibe Yutaka', 'manual'),
+   u'NIIBE Yutaka', 'manual'),
 ]
 
 # The name of an image file (relative to this directory) to place at the top of
@@ -214,7 +214,7 @@ latex_documents = [
 # (source start file, name, description, authors, manual section).
 man_pages = [
     ('index', 'gnukdocumentation', u'Gnuk Documentation Documentation',
-     [u'Niibe Yutaka'], 1)
+     [u'NIIBE Yutaka'], 1)
 ]
 
 # If true, show URL addresses after external links.
@@ -228,7 +228,7 @@ man_pages = [
 #  dir menu entry, description, category)
 texinfo_documents = [
   ('index', 'GnukDocumentation', u'Gnuk Documentation Documentation',
-   u'Niibe Yutaka', 'GnukDocumentation', 'One line description of project.',
+   u'NIIBE Yutaka', 'GnukDocumentation', 'One line description of project.',
    'Miscellaneous'),
 ]
 

doc/development.rst

@@ -5,7 +5,29 @@ Development Environment
 Hardware
 --------
 
-JTAG debugger or SWD debugger is required.
+For development, it is highly recommended to have JTAG debugger or SWD
+debugger.
+
+For boards with DFU (Device Firmware Upgrade) feature, such as DfuSe,
+it is possible to develop with that.  But it should be considered
+*experimental* environment, and it should not be used for usual
+purpose.  That's because it is basically impossible for DfuSe
+implementations to disable reading-out from flash ROM.  It means
+that your secret will be readily extracted by DfuSe.
+
+For JTAG debugger, Olimex JTAG-Tiny is good and supported well.  For
+SWD debugger, ST-Link/V2 would be good, and it is supported by
+the tool of tool/stlinkv2.py.
+
+
+OpenOCD
+-------
+
+For JTAG debugger or SWD debugger, we can use OpenOCD.
+
+Note that ST-Link/V2 is *not* supported by OpenOCD 0.5.0.  It will be
+supported by version 0.6 or later, as current development version
+supports it.
 
 
 GNU Toolchain

doc/generating-2048-RSA-key.rst

@@ -0,0 +1,228 @@
+============================
+Generating 2048-bit RSA keys
+============================
+
+This document describes how I generate 2048-bit RSA keys.
+
+.. BREAK
+
+Here is the log to generate signature key and encryption subkey.
+
+I invoke GnuPG with ``--gen-key`` option. ::
+
+  $ gpg --gen-key
+  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+
+and GnuPG asks kind of key.  Select ``RSA and RSA``. ::
+
+  Please select what kind of key you want:
+     (1) RSA and RSA (default)
+     (2) DSA and Elgamal
+     (3) DSA (sign only)
+     (4) RSA (sign only)
+  Your selection? 1
+  RSA keys may be between 1024 and 4096 bits long.
+
+and select 2048-bit (as Gnuk Token only suppurt this). ::
+
+  What keysize do you want? (2048) 
+  Requested keysize is 2048 bits
+
+and select expiration of the key. ::
+
+  Please specify how long the key should be valid.
+           0 = key does not expire
+        <n>  = key expires in n days
+        <n>w = key expires in n weeks
+        <n>m = key expires in n months
+        <n>y = key expires in n years
+  Key is valid for? (0) 0
+  Key does not expire at all
+
+Confirm key types, bitsize and expiration. ::
+
+  Is this correct? (y/N) y
+
+Then enter user ID. ::
+
+  You need a user ID to identify your key; the software constructs the user ID
+  from the Real Name, Comment and Email Address in this form:
+      "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
+  
+  Real name: Niibe Yutaka
+  Email address: gniibe@fsij.org
+  Comment: 
+  You selected this USER-ID:
+      "Niibe Yutaka <gniibe@fsij.org>"
+  
+  Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+
+and enter passphrase for this **key on PC**. ::
+
+  You need a Passphrase to protect your secret key.
+  <PASSWORD-KEY-ON-PC>
+
+Then, GnuPG generate keys.  It takes some time.  ::
+
+  We need to generate a lot of random bytes. It is a good idea to perform
+  some other action (type on the keyboard, move the mouse, utilize the
+  disks) during the prime generation; this gives the random number
+  generator a better chance to gain enough entropy.
+  ...+++++
+  +++++
+  We need to generate a lot of random bytes. It is a good idea to perform
+  some other action (type on the keyboard, move the mouse, utilize the
+  disks) during the prime generation; this gives the random number
+  generator a better chance to gain enough entropy.
+  ..+++++
+  
+  Not enough random bytes available.  Please do some other work to give
+  the OS a chance to collect more entropy! (Need 15 more bytes)
+  ...+++++
+  gpg: key 28C0CD7C marked as ultimately trusted
+  public and secret key created and signed.
+  
+  gpg: checking the trustdb
+  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+  gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
+  pub   2048R/28C0CD7C 2011-05-24
+        Key fingerprint = 0B4D C763 D57B ADBB 1870  A978 BDEE 4A35 28C0 CD7C
+  uid                  Niibe Yutaka <gniibe@fsij.org>
+  sub   2048R/F01E19B7 2011-05-24
+  $ 
+
+Done.
+
+Then, I create authentication subkey.  Authentication subkey is not that common, but very useful (say, for SSH authentication).  As it is not that common, we need ``--expert`` option for GnuPG. ::
+
+  $ gpg --expert --edit-key 28C0CD7C
+  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+  
+  Secret key is available.
+  
+  pub  2048R/28C0CD7C  created: 2011-05-24  expires: never       usage: SC  
+                       trust: ultimate      validity: ultimate
+  sub  2048R/F01E19B7  created: 2011-05-24  expires: never       usage: E   
+  [ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
+  
+  gpg> 
+
+Here, I enter ``addkey`` command.  Then, I enter the passphrase of **key on PC**, I specified above. ::
+
+  gpg> addkey
+  Key is protected.
+    
+  You need a passphrase to unlock the secret key for
+  user: "Niibe Yutaka <gniibe@fsij.org>"
+  2048-bit RSA key, ID 28C0CD7C, created 2011-05-24
+  <PASSWORD-KEY-ON-PC>
+  gpg: gpg-agent is not available in this session
+
+GnuPG askes kind of key.  I select ``RSA (set your own capabilities)``. ::
+
+  Please select what kind of key you want:
+     (3) DSA (sign only)
+     (4) RSA (sign only)
+     (5) Elgamal (encrypt only)
+     (6) RSA (encrypt only)
+     (7) DSA (set your own capabilities)
+     (8) RSA (set your own capabilities)
+  Your selection? 8
+
+And select ``Authenticate`` for the capabilities for this key.   Initially, it's ``Sign`` and  ``Encrypt``.  I need to deselect ``Sign`` and ``Encryp``, and select ``Authenticate``.  To do that, I enter ``s``, ``a``, and ``e``.  ::
+
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: Sign Encrypt 
+  
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+  
+  Your selection? s
+  
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: Encrypt 
+  
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+  
+  Your selection? a
+  
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: Encrypt Authenticate 
+
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+  
+  Your selection? e
+  
+  Possible actions for a RSA key: Sign Encrypt Authenticate 
+  Current allowed actions: Authenticate 
+
+     (S) Toggle the sign capability
+     (E) Toggle the encrypt capability
+     (A) Toggle the authenticate capability
+     (Q) Finished
+
+OK, I set the capability of ``Authenticate``.  I enter ``q`` to finish setting capabilities. ::
+
+  Your selection? q
+
+GnuPG asks bitsize and expiration, I enter 2048 for bitsize and no expiration.  Then, I confirm that I really create the key. ::
+
+  RSA keys may be between 1024 and 4096 bits long.
+  What keysize do you want? (2048) 
+  Requested keysize is 2048 bits
+  Please specify how long the key should be valid.
+           0 = key does not expire
+        <n>  = key expires in n days
+        <n>w = key expires in n weeks
+        <n>m = key expires in n months
+        <n>y = key expires in n years
+  Key is valid for? (0) 0
+  Key does not expire at all
+  Is this correct? (y/N) y
+  Really create? (y/N) y
+
+Then, GnuPG generate the key. ::
+
+  We need to generate a lot of random bytes. It is a good idea to perform
+  some other action (type on the keyboard, move the mouse, utilize the
+  disks) during the prime generation; this gives the random number
+  generator a better chance to gain enough entropy.
+  .......+++++
+  +++++
+
+  pub  2048R/28C0CD7C  created: 2011-05-24  expires: never       usage: SC  
+                       trust: ultimate      validity: ultimate
+  sub  2048R/F01E19B7  created: 2011-05-24  expires: never       usage: E   
+  sub  2048R/B8929606  created: 2011-05-24  expires: never       usage: A   
+  [ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
+
+  gpg> 
+
+I save the key. ::
+
+  gpg> save
+  $ 
+
+Now, we have three keys (one primary key for signature and certification, subkey for encryption, and another subkey for authentication).
+
+
+Publishing public key
+=====================
+
+I make a file for my public key by ``--export`` option of GnuPG. ::
+
+  $ gpg --armor --output gniibe.asc --export 4CA7BABE
+
+and put it at: http://www.gniibe.org/gniibe.asc

doc/gnome3-gpg-settings.rst

@@ -0,0 +1,30 @@
+==========================
+GnuPG settings for GNOME 3
+==========================
+
+In the article `GnuPG settings`_, I wrote how I disable GNOME-keyrings for SSH.
+
+It was for GNOME 2.  The old days was good, we just disabled GNOME-keyrings interference to SSH and customizing our desktop was easy for GNU and UNIX users.
+
+.. _GnuPG settings: gpg-settings
+
+
+GNOME keyrings in GNOME 3
+=========================
+
+It seems that it is more integrated into the desktop.  It is difficult to kill it.  It would be possible to kill it simply, but then, I can't use, say, wi-fi access (which needs to access "secrets") any more.
+
+We can't use GNOME configuration tool to disable interference by GNOME keyrings any more.  It seems that desktop should not have customization these days.
+
+
+GNOME-SESSION-PROPERTIES
+========================
+
+After struggling some ours, I figured out it is GNOME-SESSION-PROPERTIES to disable the interference.  Invoking::
+
+ $ gnome-session-properties
+
+and at the tab of "Startup Programs", I removed radio check buttons for "GPG Password Agent" and "SSH Key Agent".
+
+
+Now, I use gpg-agent for GnuPG Agent and SSH agent with Gnuk Token.

doc/gnuk-keytocard-noremoval.rst

@@ -0,0 +1,177 @@
+=============================================
+Key import from PC to Gnuk Token (no removal)
+=============================================
+
+This document describes how I put my **keys on PC** to the Token without removing keys from PC.
+
+The difference is just not-to-save changes after key imports.
+
+.. BREAK
+
+After personalization, I put my keys into the Token.
+
+Here is the log.
+
+I invoke GnuPG with my key (4ca7babe) and with ``--homedir`` option to specify the directory which contains my secret keys.  ::
+
+  $ gpg --homedir=/home/gniibe/tmp/gnuk-testing-dir --edit-key 4ca7babe 
+  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+  
+  Secret key is available.
+  
+  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
+                       trust: ultimate      validity: ultimate
+  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
+  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+
+
+Then, GnuPG enters its own command interaction mode.  The prompt is ``gpg>``.
+To enable ``keytocard`` command, I type ``toggle`` command.  ::
+
+  gpg> toggle
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+Firstly, I import my primary key into Gnuk Token.
+I type ``keytocard`` command, answer ``y`` to confirm keyimport,
+and type ``1`` to say it's signature key. ::
+
+  gpg> keytocard
+  Really move the primary key? (y/N) y
+  gpg: detected reader `FSIJ Gnuk (0.12-38FF6A06) 00 00'
+  Signature key ....: [none]
+  Encryption key....: [none]
+  Authentication key: [none]
+  
+  Please select where to store the key:
+     (1) Signature key
+     (3) Authentication key
+  Your selection? 1
+
+Then, GnuPG asks two passwords.  One is the passphrase of **keys on PC** and another is the password of **Gnuk Token**.  Note that the password of the token and the password of the keys on PC are different things, although they can be same.
+
+I enter these passwords. ::
+
+  You need a passphrase to unlock the secret key for
+  user: "NIIBE Yutaka <gniibe@fsij.org>"
+  2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
+  <PASSWORD-KEY-4CA7BABE>
+  gpg: writing new key
+  gpg: 3 Admin PIN attempts remaining before card is permanently locked
+  
+  Please enter the Admin PIN
+  Enter Admin PIN: <PASSWORD-GNUK>
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+The primary key is now on the Token and GnuPG says its card-no (F517 00000001) , where F517 is the vendor ID of FSIJ.
+
+Secondly, I import my subkey of encryption.  I select key number '1'. ::
+
+  gpg> key 1
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+You can see that the subkey is marked by '*'.
+I type ``keytocard`` command to import this subkey to Gnuk Token.  I select ``2`` as it's encryption key. ::
+
+  gpg> keytocard
+  Signature key ....: [none]
+  Encryption key....: [none]
+  Authentication key: [none]
+  
+  Please select where to store the key:
+     (2) Encryption key
+  Your selection? 2
+
+Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
+
+  You need a passphrase to unlock the secret key for
+  user: "NIIBE Yutaka <gniibe@fsij.org>"
+  2048-bit RSA key, ID 084239CF, created 2010-10-15
+  <PASSWORD-KEY-4CA7BABE>
+  gpg: writing new key
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+The sub key is now on the Token and GnuPG says its card-no for it.
+  
+I type ``key 1`` to deselect key number '1'. ::
+
+  gpg> key 1
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+Thirdly, I select sub key of suthentication which has key number '2'. ::
+
+  gpg> key 2
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+You can see that the subkey number '2' is marked by '*'.
+I type ``keytocard`` command to import this subkey to Gnuk Token.  I select ``3`` as it's authentication key. ::
+
+  gpg> keytocard
+  Signature key ....: [none]
+  Encryption key....: [none]
+  Authentication key: [none]
+  
+  Please select where to store the key:
+     (3) Authentication key
+  Your selection? 3
+
+Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
+
+  You need a passphrase to unlock the secret key for
+  user: "NIIBE Yutaka <gniibe@fsij.org>"
+  2048-bit RSA key, ID 5BB065DC, created 2010-10-22
+  <PASSWORD-KEY-4CA7BABE>
+  gpg: writing new key
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
+                       card-no: F517 00000001
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+The sub key is now on the Token and GnuPG says its card-no for it.
+
+Lastly, I quit GnuPG.  Note that I **don't** save changes. ::
+
+  gpg> quit
+  Save changes? (y/N) n
+  Quit without saving? (y/N) y
+  $ 
+
+All keys are imported to Gnuk Token now.

doc/gnuk-keytocard.rst

@@ -0,0 +1,183 @@
+================================
+Key import from PC to Gnuk Token
+================================
+
+This document describes how I put my **keys on PC** to the Token, and remove keys from PC.
+
+Note that there is **no ways** to export keys from the Token, so please be careful.
+
+.. BREAK
+
+If you want to import same keys to multiple Tokens, please copy ``.gnupg`` directory before.  In my case, I do something like following:  ::
+
+  $ cp -a .gnupg tmp/gnuk-testing-dir
+
+See `another document`_ to import keys to the Token from copied directory.
+
+.. _another document: gnuk-keytocard-noremoval
+
+After personalization, I put my keys into the Token.
+
+Here is the log.
+
+I invoke GnuPG with my key (4ca7babe).  ::
+
+  $ gpg --edit-key 4ca7babe 
+  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+  
+  Secret key is available.
+  
+  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
+                       trust: ultimate      validity: ultimate
+  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
+  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+
+
+Then, GnuPG enters its own command interaction mode.  The prompt is ``gpg>``.
+To enable ``keytocard`` command, I type ``toggle`` command.  ::
+
+  gpg> toggle
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+Firstly, I import my primary key into Gnuk Token.
+I type ``keytocard`` command, answer ``y`` to confirm keyimport,
+and type ``1`` to say it's signature key. ::
+
+  gpg> keytocard
+  Really move the primary key? (y/N) y
+  gpg: detected reader `FSIJ Gnuk (0.12-38FF6A06) 00 00'
+  Signature key ....: [none]
+  Encryption key....: [none]
+  Authentication key: [none]
+  
+  Please select where to store the key:
+     (1) Signature key
+     (3) Authentication key
+  Your selection? 1
+
+Then, GnuPG asks two passwords.  One is the passphrase of **keys on PC** and another is the password of **Gnuk Token**.  Note that the password of the token and the password of the keys on PC are different things, although they can be same.
+
+I enter these passwords. ::
+
+  You need a passphrase to unlock the secret key for
+  user: "NIIBE Yutaka <gniibe@fsij.org>"
+  2048-bit RSA key, ID 4CA7BABE, created 2010-10-15
+  <PASSWORD-KEY-4CA7BABE>
+  gpg: writing new key
+  gpg: 3 Admin PIN attempts remaining before card is permanently locked
+  
+  Please enter the Admin PIN
+  Enter Admin PIN: <PASSWORD-GNUK>
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+The primary key is now on the Token and GnuPG says its card-no (F517 00000001) , where F517 is the vendor ID of FSIJ.
+
+Secondly, I import my subkey of encryption.  I select key number '1'. ::
+
+  gpg> key 1
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+You can see that the subkey is marked by '*'.
+I type ``keytocard`` command to import this subkey to Gnuk Token.  I select ``2`` as it's encryption key. ::
+
+  gpg> keytocard
+  Signature key ....: [none]
+  Encryption key....: [none]
+  Authentication key: [none]
+  
+  Please select where to store the key:
+     (2) Encryption key
+  Your selection? 2
+
+Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
+
+  You need a passphrase to unlock the secret key for
+  user: "NIIBE Yutaka <gniibe@fsij.org>"
+  2048-bit RSA key, ID 084239CF, created 2010-10-15
+  <PASSWORD-KEY-4CA7BABE>
+  gpg: writing new key
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+The sub key is now on the Token and GnuPG says its card-no for it.
+  
+I type ``key 1`` to deselect key number '1'. ::
+
+  gpg> key 1
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+Thirdly, I select sub key of suthentication which has key number '2'. ::
+
+  gpg> key 2
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+You can see that the subkey number '2' is marked by '*'.
+I type ``keytocard`` command to import this subkey to Gnuk Token.  I select ``3`` as it's authentication key. ::
+
+  gpg> keytocard
+  Signature key ....: [none]
+  Encryption key....: [none]
+  Authentication key: [none]
+  
+  Please select where to store the key:
+     (3) Authentication key
+  Your selection? 3
+
+Then, GnuPG asks the passphrase of **keys on PC** again.  I enter. ::
+
+  You need a passphrase to unlock the secret key for
+  user: "NIIBE Yutaka <gniibe@fsij.org>"
+  2048-bit RSA key, ID 5BB065DC, created 2010-10-22
+  <PASSWORD-KEY-4CA7BABE>
+  gpg: writing new key
+  
+  sec  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb  2048R/084239CF  created: 2010-10-15  expires: never     
+                       card-no: F517 00000001
+  ssb* 2048R/5BB065DC  created: 2010-10-22  expires: never     
+                       card-no: F517 00000001
+  (1)  NIIBE Yutaka <gniibe@fsij.org>
+
+The sub key is now on the Token and GnuPG says its card-no for it.
+
+Lastly, I save changes of **keys on PC** and quit GnuPG. ::
+
+  gpg> save
+  $ 
+
+All secret keys are imported to Gnuk Token now.  On PC, only references (card-no) to the Token remain.

doc/gnuk-personalization.rst

@@ -0,0 +1,118 @@
+=============================
+Personalization of Gnuk Token
+=============================
+
+
+Personalize your Gnuk Token
+===========================
+
+Invoke GnuPG with the option ``--card-edit``.  ::
+
+  $ gpg --card-edit
+  gpg: detected reader `FSIJ Gnuk (0.12-34006E06) 00 00'
+  Application ID ...: D276000124010200F517000000010000
+  Version ..........: 2.0
+  Manufacturer .....: FSIJ
+  Serial number ....: 00000001
+  Name of cardholder: [not set]
+  Language prefs ...: [not set]
+  Sex ..............: unspecified
+  URL of public key : [not set]
+  Login data .......: [not set]
+  Signature PIN ....: forced
+  Key attributes ...: 2048R 2048R 2048R
+  Max. PIN lengths .: 127 127 127
+  PIN retry counter : 3 3 3
+  Signature counter : 0
+  Signature key ....: [none]
+  Encryption key....: [none]
+  Authentication key: [none]
+  General key info..: [none]
+
+It shows the status of the card (as same as the output of ``gpg --card-status``).  It shows token's name and its USB serial string (0.12-34006E06) from PC/SC-lite.
+
+Then, GnuPG enters its own command interaction mode.  The prompt is ``gpg/card>``.
+
+Firstly, I change PIN of card user from factory setting (of "123456").  Note that, only changing PIN of user enables "admin less mode" of Gnuk.  Admin password will become same one of user's. ::
+
+  gpg/card> passwd
+  gpg: OpenPGP card no. D276000124010200F517000000010000 detected
+  
+  Please enter the PIN
+  Enter PIN: 123456
+             
+  New PIN
+  Enter New PIN: <PASSWORD-OF-GNUK>
+                 
+  New PIN
+  Repeat this PIN: <PASSWORD-OF-GNUK>
+  PIN changed.
+
+Secondly, enabling admin command, I put name of mine.  Note that I input user's PIN (which I set above) here, because it is "admin less mode". ::
+
+  gpg/card> admin
+  Admin commands are allowed
+  
+  gpg/card> name
+  Cardholder's surname: Niibe
+  Cardholder's given name: Yutaka
+  gpg: 3 Admin PIN attempts remaining before card is permanently locked
+  
+  Please enter the Admin PIN
+  Enter Admin PIN: <PASSWORD-OF-GNUK>
+
+Thirdly, I put some other informations, such as language, sex, login, and URL.  URL specifies the place where I put my public keys. ::
+
+  gpg/card> lang
+  Language preferences: ja
+  
+  gpg/card> sex
+  Sex ((M)ale, (F)emale or space): m
+  
+  gpg/card> url
+  URL to retrieve public key: http://www.gniibe.org/gniibe.asc
+  
+  gpg/card> login
+  Login data (account name): gniibe
+
+Since I don't force PIN input everytime, toggle it to non-force-pin-for-signature. ::
+
+  gpg/card> forcesig
+
+Lastly, I setup reset code.  This is optional. ::
+
+  gpg/card> passwd
+  gpg: OpenPGP card no. D276000124010200F517000000010000 detected
+  
+  1 - change PIN
+  2 - unblock PIN
+  3 - change Admin PIN
+  4 - set the Reset Code
+  Q - quit
+  
+  Your selection? 4
+  gpg: 3 Admin PIN attempts remaining before card is permanently locked
+  
+  Please enter the Admin PIN
+  Enter Admin PIN: <PASSWORD-OF-GNUK>
+  
+  New Reset Code
+  Enter New PIN: <RESETCODE-OF-GNUK>
+  
+  New Reset Code
+  Repeat this PIN: <RESETCODE-OF-GNUK>
+  Reset Code set.
+  
+  1 - change PIN
+  2 - unblock PIN
+  3 - change Admin PIN
+  4 - set the Reset Code
+  Q - quit
+  
+  Your selection? q
+
+Then, I quit. ::
+  
+  gpg/card> quit
+
+That's all.

doc/gnuk-token-initial-configuration.rst

@@ -0,0 +1,34 @@
+===================================
+Initial Configuration of Gnuk Token
+===================================
+
+Conditions
+==========
+
+I assume you are using GNU/Linux.
+
+
+Preparation
+===========
+
+We need to kill ``scdaemon`` before configuring Gnuk Token. ::
+
+  $ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
+
+
+Serial Number (optional)
+========================
+
+In the file ``GNUK_SERIAL_NUMBER``, each line has email and 6-byte serial number.
+
+The tool ``../tool/gnuk_put_binary.py`` examines  environment variable of ``EMAIL``, and writes serial number to Gnuk Token. ::
+
+  $ ../tool/gnuk_put_binary.py -s ../GNUK_SERIAL_NUMBER 
+  Writing serial number
+  Token: FSIJ Gnuk (0.12-38FF6A06) 00 00
+  ATR: 3B DA 11 FF 81 B1 FE 55 1F 03 00 31 84 73 80 01 40 00 90 00 24
+
+
+The tool ``../tool/gnuk_put_binary.py`` is for PC/SC Lite.  Use
+``../tool/gnuk_put_binary_libusb.py`` instead, if you don't use
+PC/SC Lite but use libusb directly.

doc/gpg-settings.rst

@@ -0,0 +1,41 @@
+.. -*- coding: utf-8 -*-
+
+==============
+GnuPG settings
+==============
+
+Here is my GnuPG settings.
+
+.gnupg/gpg.conf
+===============
+
+I create ``.gnupg/gpg.conf`` file with the following content. ::
+
+  use-agent
+  personal-digest-preferences SHA256
+  cert-digest-algo SHA256
+  default-preference-list SHA512 SHA384 SHA256 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+  
+  default-key 0x4ca7babe
+
+
+Let gpg-agent manage SSH key
+============================
+
+I deactivate seahose-agent.  Also, I deactivate gnome-keyring managing SSH key. ::
+
+  $ gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
+
+Then, I create ``.gnupg/gpg-agent.conf`` file with the following content. ::
+
+  enable-ssh-support
+
+
+References
+==========
+
+* `Creating a new GPG key`_
+* `Use OpenPGP Keys for OpenSSH, how to use gpg with ssh`_
+
+.. _Creating a new GPG key: http://keyring.debian.org/creating-key.html
+.. _Use OpenPGP Keys for OpenSSH, how to use gpg with ssh: http://www.programmierecke.net/howto/gpg-ssh.html

doc/index.rst

@@ -2,6 +2,9 @@
    sphinx-quickstart on Wed Jul  4 15:29:05 2012.
    You can adapt this file completely to your liking, but it should at least
    contain the root `toctree` directive.
+   Copyright (C) 2012  NIIBE Yutaka
+   Copyright (C) 2012  Free Software Initiative of Japan
+   This document is licensed under a CC-BY-SA 3.0 Unported License
 
 Gnuk Documentation
 ==================
@@ -13,6 +16,16 @@ Contents:
 
    intro.rst
    development.rst
+   stop-scdaemon.rst
+   udev-rules.rst
+   generating-2048-RSA-key.rst
+   gnuk-token-initial-configuration.rst
+   gnuk-personalization.rst
+   gnuk-keytocard.rst
+   gnuk-keytocard-noremoval.rst
+   using-gnuk-token-with-another-computer.rst
+   gpg-settings.rst
+   gnome3-gpg-settings.rst
 
 
 Indices and tables

doc/intro.rst

@@ -13,17 +13,41 @@ STM32F103 processor.
 Cryptographic token and feature of Gnuk
 ---------------------------------------
 
-Cryptographic token is a store of private keys and it computes cryptographic functions on the device.
+Cryptographic token is a store of private keys and it computes cryptographic
+functions on the device.
+
+The idea is to separate important secrets to independent device, 
+from where nobody can extract them.
 
 
 Development Environment
 -----------------------
 
-See :doc:`development` for development environment for Gnuk.  It builds on Free Software.
+See :doc:`development` for development environment for Gnuk.
+Gnuk is developed on the environment where there are only Free Software.
 
 
-Prerequisites
--------------
+Target boards for running Gnuk
+------------------------------
+
+Hardware requirement for Gnuk is the micro controller STM32F103.
+In version 1.0, Gnuk supports following boards.
+
+* FST-01 (Flying Stone Tiny ZERO-ONE)
+
+* Olimex STM32-H103
+
+* CQ STARM
+
+* STBee
+
+* STBee Mini
+
+* STM32 part of STM8S Discovery Kit
+
+
+Host prerequisites for using Gnuk Token
+---------------------------------------
 
 * GNU Privacy Guard (GnuPG)
 
@@ -36,8 +60,8 @@ Prerequisites
 * Web: scute, firefox
 
 
-Usage
------
+Usages
+------
 
 * Sign with GnuPG
 * Decrypt with GnuPG

doc/stop-scdaemon.rst

@@ -0,0 +1,37 @@
+===========================
+Stopping/Resetting SCDAEMON
+===========================
+
+There is a daemon named ``scdaemon`` behind gpg-agent, which handles
+communication to smartcard/token.
+
+Ideally, we don't need to care about ``scdaemon``, and it should
+everything automatically.  But, there are some cases (because of
+bugs), where we need to talk to the daemon directly, in practice.
+
+
+How to communicate SCDAEMON
+===========================
+
+We have a utility to communicate with a running gpg-agent, that's
+gpg-connect-agent.  We can use it to communicate with scdaemon,
+as it supports sub-command "SCD", exactly for this purpose. 
+
+
+Stopping SCDAEMON
+=================
+
+To stop SCDAEMON and let it exit, type::
+
+	$ gpg-connect-agent "SCD KILLSCD" "SCD BYE" /bye
+
+Then, you can confirm that there is no SCDAEMON any more by ``ps``
+command.
+
+
+Let GPG-AGENT/SCDAEMON learn
+============================
+
+To let gpg-agent/scdaemon learn, type::
+
+	$ gpg-connect-agent learn /bye

doc/udev-rules.rst

@@ -0,0 +1,48 @@
+===============================================
+Device Configuration for Gnuk Token with libusb
+===============================================
+
+In order to use Gnuk Token with libusb, configuration of device is
+needed for permissions.  Note that this is not needed for the case of
+PC/SC Lite, as it has its own device configuration.
+
+
+Patching 60-gnupg.rules
+=======================
+
+In case of Debian, there is a file /lib/udev/rules.d/60-gnupg.rules.
+This would be the place we need to change::
+
+    --- /lib/udev/rules.d/60-gnupg.rules.orig	2012-06-24 21:51:26.000000000 +0900
+    +++ /lib/udev/rules.d/60-gnupg.rules	2012-07-13 17:18:55.149587687 +0900
+    @@ -10,4 +10,7 @@
+     ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+     ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+     
+    +# Gnuk
+    +ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+    +
+     LABEL="gnupg_rules_end"
+
+
+
+Have a another configuration for reGNUal
+========================================
+
+For reGNUal (upgrade feature of Gnuk),
+I also have a file /etc/udev/rules.d/92-gnuk.rules::
+
+   # For updating firmware, permission settings are needed.
+   
+   SUBSYSTEMS=="usb", ATTRS{idVendor}=="234b", ATTRS{idProduct}=="0000", \
+       ENV{ID_USB_INTERFACES}=="*:ff0000:*", GROUP="pcscd"
+
+
+Configuration for ST-Link/V2
+============================
+
+This is for development, but I also have a file
+/etc/udev/rules.d/10-stlink.rules::
+
+    ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="3748", GROUP="tape", MODE="664", SYMLINK+="stlink"
+

doc/using-gnuk-token-with-another-computer.rst

@@ -0,0 +1,173 @@
+======================================
+Using Gnuk Token with another computer
+======================================
+
+This document describes how you can use Gnuk Token on another PC (which is not the one you generate your keys).
+
+Note that the Token only brings your secret keys, while ``.gnupg`` directory contains keyrings and trustdb, too.
+
+.. BREAK
+
+Fetch the public key and connect it to the Token
+================================================
+
+Using the Token, we need to put the public key and the secret key reference (to the token) in ``.gnupg``.
+
+To do that, invoke GnuPG with ``--card-edit`` option. ::
+
+  $ gpg --card-edit
+  gpg: detected reader `FSIJ Gnuk (0.12-37006A06) 00 00'
+  Application ID ...: D276000124010200F517000000010000
+  Version ..........: 2.0
+  Manufacturer .....: FSIJ
+  Serial number ....: 00000001
+  Name of cardholder: Yutaka Niibe
+  Language prefs ...: ja
+  Sex ..............: male
+  URL of public key : http://www.gniibe.org/gniibe.asc
+  Login data .......: gniibe
+  Signature PIN ....: not forced
+  Key attributes ...: 2048R 2048R 2048R
+  Max. PIN lengths .: 127 127 127
+  PIN retry counter : 3 3 3
+  Signature counter : 6
+  Signature key ....: 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
+        created ....: 2010-10-15 06:46:33
+  Encryption key....: 42E1 E805 4E6F 1F30 26F2  DC79 79A7 9093 0842 39CF
+        created ....: 2010-10-15 06:46:33
+  Authentication key: B4D9 7142 C42D 6802 F5F7  4E70 9C33 B6BA 5BB0 65DC
+        created ....: 2010-10-22 06:06:36
+  General key info..: [none]
+  
+  gpg/card> 
+
+It says, there is no key info related to this token on your PC (``[none]``).
+
+Fetch the public key from URL specified in the Token. ::
+
+  gpg/card> fetch
+  gpg: requesting key 4CA7BABE from http server www.gniibe.org
+  gpg: key 4CA7BABE: public key "NIIBE Yutaka <gniibe@fsij.org>" imported
+  gpg: no ultimately trusted keys found
+  gpg: Total number processed: 1
+  gpg:               imported: 1  (RSA: 1)
+  
+  gpg/card> 
+
+Good.  The public key is now in ``.gnupg``.  We can examine by ``gpg --list-keys``.
+
+However, the secret key reference (to the token) is not in ``.gnupg`` yet.
+
+It will be generated when I do ``--card-status`` by GnuPG with correspoinding public key in ``.gnupg``, or just type return at the ``gpg/card>`` prompt. ::
+
+  gpg/card> 
+  
+  Application ID ...: D276000124010200F517000000010000
+  Version ..........: 2.0
+  Manufacturer .....: FSIJ
+  Serial number ....: 00000001
+  Name of cardholder: Yutaka Niibe
+  Language prefs ...: ja
+  Sex ..............: male
+  URL of public key : http://www.gniibe.org/gniibe.asc
+  Login data .......: gniibe
+  Signature PIN ....: not forced
+  Key attributes ...: 2048R 2048R 2048R
+  Max. PIN lengths .: 127 127 127
+  PIN retry counter : 3 3 3
+  Signature counter : 6
+  Signature key ....: 1241 24BD 3B48 62AF 7A0A  42F1 00B4 5EBD 4CA7 BABE
+        created ....: 2010-10-15 06:46:33
+  Encryption key....: 42E1 E805 4E6F 1F30 26F2  DC79 79A7 9093 0842 39CF
+        created ....: 2010-10-15 06:46:33
+  Authentication key: B4D9 7142 C42D 6802 F5F7  4E70 9C33 B6BA 5BB0 65DC
+        created ....: 2010-10-22 06:06:36
+  General key info..: 
+  pub  2048R/4CA7BABE 2010-10-15 NIIBE Yutaka <gniibe@fsij.org>
+  sec>  2048R/4CA7BABE  created: 2010-10-15  expires: never     
+                        card-no: F517 00000001
+  ssb>  2048R/084239CF  created: 2010-10-15  expires: never     
+                        card-no: F517 00000001
+  ssb>  2048R/5BB065DC  created: 2010-10-22  expires: never     
+                        card-no: F517 00000001
+  
+  gpg/card> 
+
+OK, now I can use the Token on this computer.
+
+
+Update trustdb for the key on Gnuk Token
+========================================
+
+Yes, I can use the Token by the public key and the secret key reference to the card.  More, I need to update the trustdb.
+
+To do that I do: ::
+
+  $ gpg --edit-key 4ca7babe
+  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+  
+  Secret key is available.
+  
+  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
+                       trust: unknown       validity: unknown
+  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
+  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
+  
+  gpg> 
+
+See, the key is ``unknown`` state.  Add trust for that. ::
+
+  gpg> trust
+  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
+                       trust: unknown       validity: unknown
+  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
+  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
+  
+  Please decide how far you trust this user to correctly verify other users' keys
+  (by looking at passports, checking fingerprints from different sources, etc.)
+
+    1 = I don't know or won't say
+    2 = I do NOT trust
+    3 = I trust marginally
+    4 = I trust fully
+    5 = I trust ultimately
+    m = back to the main menu
+  
+  Your decision? 5
+  Do you really want to set this key to ultimate trust? (y/N) y
+  
+  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
+                       trust: ultimate      validity: unknown
+  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
+  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  [ unknown] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ unknown] (2)  NIIBE Yutaka <gniibe@debian.org>
+  Please note that the shown key validity is not necessarily correct
+  unless you restart the program.
+  
+  $ 
+
+Next time I invoke GnuPG, it will be ``ultimate`` key.  Let's see: ::
+
+  $ gpg --edit-key 4ca7babe
+  gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
+  This is free software: you are free to change and redistribute it.
+  There is NO WARRANTY, to the extent permitted by law.
+  
+  Secret key is available.
+  
+  pub  2048R/4CA7BABE  created: 2010-10-15  expires: never       usage: SC  
+                       trust: ultimate      validity: ultimate
+  sub  2048R/084239CF  created: 2010-10-15  expires: never       usage: E   
+  sub  2048R/5BB065DC  created: 2010-10-22  expires: never       usage: A   
+  [ultimate] (1). NIIBE Yutaka <gniibe@fsij.org>
+  [ultimate] (2)  NIIBE Yutaka <gniibe@debian.org>
+  
+  gpg> quit
+  $ 

src/main.c

@@ -178,7 +178,7 @@ extern msg_t USBthread (void *arg);
 #define LED_TIMEOUT_STOP	MS2ST(200)
 
 
-#define ID_OFFSET 22
+#define ID_OFFSET 24
 static void
 device_initialize_once (void)
 {

src/usb_desc.c

@@ -258,11 +258,11 @@ static const uint8_t gnukStringLangID[] = {
 #include "usb-strings.c.inc"
 
 const uint8_t gnukStringSerial[] = {
-  17*2+2,			/* bLength */
+  19*2+2,			/* bLength */
   USB_STRING_DESCRIPTOR_TYPE,	/* bDescriptorType */
   /* FSIJ-1.0 */
   'F', 0, 'S', 0, 'I', 0, 'J', 0, '-', 0,
-  '1', 0, '.', 0, '0', 0, /* Version number of Gnuk */
+  '1', 0, '.', 0, '0', 0, '.', 0, '1', 0, /* Version number of Gnuk */
   '-', 0,
   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
   0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,

test/features/991_version_string.feature

@@ -0,0 +1,8 @@
+@usb
+Feature: examine USB version string
+  In order to work as Gnuk Token
+  A token should support version string
+
+  Scenario: USB version string
+     Given USB version string of the token
+     Then data should match: ([a-zA-Z0-9]*)-([.0-9]+)-[0-9A-F]+

test/features/steps.py

@@ -108,6 +108,9 @@ def encrypt_on_host_public_key():
 def decrypt():
     scc.result = ftc.token.cmd_pso_longdata(0x80, 0x86, scc.ciphertext)
 
+@Given("USB version string of the token")
+def usb_version_string():
+    scc.result = ftc.token.get_string(3)
 
 @When("requesting (.+): ([0-9a-fA-F]+)")
 def get_data(name, tag_str):

test/gnuk.py

@@ -77,6 +77,9 @@ class gnuk_token(object):
         self.__timeout = 10000
         self.__seq = 0
 
+    def get_string(self, num):
+        return self.__devhandle.getString(num, 512)
+
     def increment_seq(self):
         self.__seq = (self.__seq + 1) & 0xff