openpgp-card-tools 0.0.4

CLI tools for OpenPGP cards
openpgp-card-tools-0.0.4 is not a library.

OpenPGP card tools

This crate contains two tools for inspecting, configuring and using OpenPGP cards: opgpcard and opgpcard-pin.

Install

One easy way to install this crate is via the "cargo" tool.

The following build dependencies are needed for current Debian:

# apt install rustc cargo clang pkg-config nettle-dev libpcsclite-dev

And for current Fedora:

# dnf install rustc cargo clang nettle-devel pcsc-lite-devel

Afterwards, you can install this crate by running:

$ cargo install openpgp-card-tools

Finally, add $HOME/.cargo/bin to your PATH to be able to run the installed binaries.

opgpcard

A tool to inspect, configure and use OpenPGP cards. All calls of this tool are non-interactive (this tool is designed to be easily usable from shell-scripts).

List and inspect cards

List idents of all currently connected cards:

$ opgpcard list

Print status information about a card. The card is implicitly selected. However, this only works if exactly one card is connected:

$ opgpcard status

Explicitly print the status information for a specific card:

$ opgpcard status -c ABCD:01234567

Add -v for more verbose card status (including the list of supported algorithms of the card, if the card returns that list):

$ opgpcard status -c ABCD:01234567 -v

Using a card for ssh auth

To use an OpenPGP card for ssh login, an authentication key needs to exist on the card.

To allow login, the ssh public key representation of the authentications key needs to be added to .ssh/authorized_keys on the remote machine. opgpcard ssh shows the ssh public key string for the authentication key on the card.

Import keys

Import private key onto a card. This works if at most one (sub)key per role ( sign, decrypt, auth) exists in key.priv:

$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> import key.priv

Import private key onto a card while explicitly selecting subkeys. Explicitly specified fingerprints are necessary if more than one subkey exists in key.priv for any role (note: spaces in fingerprints are ignored).

$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> import key.priv \
 --sig-fp "F290 DBBF 21DB 8634 3C96  157B 87BE 15B7 F548 D97C" \
 --dec-fp "3C6E 08F6 7613 8935 8B8D  7666 73C7 F1A9 EEDA C360" \
 --auth-fp "D6AA 48EF 39A2 6F26 C42D  5BCB AAD2 14D5 5332 C838"

When fingerprints are only specified for a subset of the roles, no keys will be imported for the other roles.

Generate Keys on the card

$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> generate -p <user-pin-file> -o <output-cert-file> 25519

Set card metadata

Set cardholder name:

$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> name "Bar<<Foo"

Set cardholder URL:

$ opgpcard admin -c ABCD:01234567 -P <admin-pin-file> url "https://keyurl.example"

Signing

For now, this tool only supports creating detached signatures, like this (if no input file is set, stdin is read):

$ opgpcard sign --detached -c ABCD:01234567 -p <user-pin-file> -s <cert-file> <input-file>

Decrypting

Decryption using a card (if no input file is set, stdin is read):

$ opgpcard decrypt -c ABCD:01234567 -p <user-pin-file> -r <cert-file> <input-file>

Factory reset

Factory reset:

$ opgpcard factory-reset -c ABCD:01234567

NOTE: you do not need a PIN to reset a card!

Using file-descriptors for PINs

When using a shell like bash , you can pass user and/or admin PINs via file-descriptors:

$ opgpcard sign --detached -c ABCD:01234567 -p /dev/fd/3 -s <cert-file> 3<<<123456

$ opgpcard admin -c ABCD:01234567 -P /dev/fd/3 generate -p /dev/fd/4 -o <output-cert-file> 25519 3<<<12345678 4<<<123456

Directly entering PINs on card readers with pinpad

If your OpenPGP card is inserted in a card reader with a pinpad, this tool offers you the option to use the pinpad to enter the user- or admin-PINs. To do this, you can omit the -p and/or '-P' parameters - then you will be prompted to enter the user or admin PINs where needed.

opgpcard-pin

An interactive tool to set the admin and user PINs, and to reset the user PIN on OpenPGP cards.

Set the user PIN (requires admin PIN):

opgpcard-pin -c ABCD:01234567 set-user-pin

Set new admin PIN (requires admin PIN):

opgpcard-pin -c ABCD:01234567 set-admin-pin

Reset user PIN after it has been blocked (requires admin PIN):

opgpcard-pin -c ABCD:01234567 reset-user-pin -a

Set resetting code (requires admin PIN):

opgpcard-pin -c ABCD:01234567 set-reset-code

Reset user PIN (requires resetting code):

opgpcard-pin -c ABCD:01234567 reset-user-pin

Directly entering PINs on card readers with pinpad

If your OpenPGP card is inserted in a card reader with a pinpad, this tool assumes you will want to enter all PINs via that pinpad. It will prompt you to enter PINs accordingly.