
Cardman 4000 with GnuPG October 23, 2007

Posted by Florian in Cryptography, kernel concepts, Linux, Source, World.

I just received my FSFE Fellowship Smartcard and it took me a while to find out how GnuPG and the Omnikey Cardman 4000 PCMCIA smartcard reader can play together. It looks like there are quite a few more of these cheap devices around… so let's write down some lines about how to make it work. The procedure was tested on Ubuntu Gutsy but should work on any more or less up-to-date Debian-based system.

You need an up to date kernel 2.6 with the cardman4000_cs driver. Make sure not to have the reader in the PCMCIA slot during boot or suspend – this caused some oopses here.

PC/SC-Lite, which GnuPG uses, does not know how to handle the CM4000 directly, but you can use OpenCT as a driver for PC/SC-Lite. So first get root and install the necessary software packages:

apt-get install pcscd pcsc-tools openct

In /etc/openct.conf you need to activate the cm4000 driver. Uncomment the cm4000 lines so that they read:

reader cm4000 {
    driver = cm4000;
    device = pcmcia:/dev/cmm0;
};

After this, edit the PC/SC-Lite configuration file /etc/reader.conf.d/openct and activate the OpenCT driver:

FRIENDLYNAME "OpenCT"
DEVICENAME /dev/cmm0
LIBPATH /usr/lib/openct-ifd.so
CHANNELID 0

Start both services:

/etc/init.d/openct start
/etc/init.d/pcscd start

If you insert the reader and a smartcard, pcsc_scan should list a reader and card like this:

fuchs@gibson:~$ pcsc_scan
PC/SC device scanner
V 1.4.9 (c) 2001-2006, Ludovic Rousseau
Compiled with PC/SC lite version: 1.4.2
Scanning present readers
0: OpenCT 00 00


Tue Oct 23 16:35:02 2007
Reader 0: OpenCT 00 00
Card state: Card inserted,
ATR: 3B FA 13 00 FF 81 31 80 45...

Now make it usable as user:

We create a group scard and add the users that should be able to use the card to it.
# addgroup scard
# addgroup <username> scard

Now create a set of udev rules to create the device node with the correct owner and permission settings:

Edit /etc/udev/rules.d/99-gnupg.rules to read:
SUBSYSTEM=="cardman_4000", ACTION=="add", GROUP="scard", MODE="0660"
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="04e6", SYSFS{idProduct}=="e003", GROUP="scard", MODE="0660"
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="04e6", SYSFS{idProduct}=="5115", GROUP="scard", MODE="0660"

This should cover the permissions for USB CCID readers as well.

If you insert the reader again you should get a device like this:

crw-rw---- 1 root scard 252, 0 2007-10-23 15:43 /dev/cmm0

Finally, log out your user and log in again to make the group changes become active, then check if it works. gpg should print out some card information like this:

fuchs@gibson:~$ gpg --card-status
gpg: detected reader `OpenCT 00 00'
Application ID ...: D276000124010101000100000D0E0000
Version ..........: 1.1
Manufacturer .....: PPC Card Systems
Serial number ....: 00000D0E
Name of cardholder: Florian Boor
...

If this doesn’t work, configure gpg not to use gpg-agent; I have read some reports that this might cause trouble in combination with smartcards. This whole text was written from memory, I might have missed some important step – bug reports and additions are very welcome.
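
If gpg --card-status fails for a normal user, the device node permissions and the session's group list are the first things to verify. The following sh functions are an added example, not part of the original post; they assume GNU stat and the /dev/cmm0 node and scard group used above.

```shell
#!/bin/sh
# Added example: verify the reader node matches what the udev rule should produce.
# Assumes GNU stat (coreutils); /dev/cmm0 and "scard" are the names from this post.

# check_reader_node NODE GROUP
# Returns 0 if NODE belongs to GROUP, grants the group read+write and grants
# nothing to "other"; 1 on a permission problem; 2 if NODE does not exist.
check_reader_node() {
    node=$1
    want_group=$2
    if [ ! -e "$node" ]; then
        echo "MISSING: $node (reader inserted? driver loaded?)"
        return 2
    fi
    mode=$(stat -c '%a' "$node")      # octal mode, e.g. 660
    group=$(stat -c '%G' "$node")     # owning group name
    group_bits=$(( (0$mode >> 3) & 7 ))
    other_bits=$(( 0$mode & 7 ))
    rc=0
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $node group is $group, expected $want_group"; rc=1
    fi
    if [ $(( group_bits & 6 )) -ne 6 ]; then
        echo "FAIL: $node mode $mode lacks group read/write"; rc=1
    fi
    if [ "$other_bits" -ne 0 ]; then
        echo "FAIL: $node mode $mode is accessible to every local user"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $node mode $mode group $group"
    return "$rc"
}

# session_has_group GROUP: succeeds if the *current session* carries GROUP.
# "id -nG" without a user name reports the running process, so it still shows
# the old group list until the user has logged out and in again.
session_has_group() {
    for g in $(id -nG 2>/dev/null); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Run the checks only where the reader node exists.
if [ -e /dev/cmm0 ]; then
    check_reader_node /dev/cmm0 scard
    session_has_group scard || echo "FAIL: session not in scard; log in again"
fi
```
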

Enjoy!

References:

[1] FSFE Cardreader Howto: http://www.fsfe.org/en/card/howto/card_reader_howto_udev

[2] OpenCT Wiki: http://www.opensc-project.org/openct/wiki/cardman


Comments»

1. Alessandro Bottoni - December 19, 2007

Hi Florian,
how did you compile the driver? I just downloaded it from http://svn.gnumonks.org/trunk/omnikey_cardman/new/kernel/ and I tried to compile it on Kubuntu 7.10 but it does not work. It looks like the compiler is unable to find a header (maybe cm4000.h). I tried to fix it but… It still does not work.

Any suggestion?

BTW: This driver was expected to be included in the Linux kernel since rel 2.6.15, wasn’t it? Is it still required to get and compile it as a separate kernel module?

2. pepe - October 23, 2008

Hello,

I followed your steps and successfully read my new OpenPGP card with gpg --card-status.
But whenever I want to write something to the card, e.g. my name using gpg --card-edit, I get an error. It says ‘permission denied’. I don't get it. I did everything as root so file permissions shouldn't be the problem.
Do you have any idea what the problem might be? I'm running suse11.0 32bit.

thank you

3. pepe - October 23, 2008

OK, I found the solution: I needed to create a ~/.gnupg/scdaemon.conf file and add the line
allow-admin
That did it for me.

