openpgp-card

No description

Find a file

Heiko c205917759 Add LICENSE		2022-05-25 15:29:33 +00:00
.reuse	Move example keys/data to openpgp-card-sequoia	2021-10-29 22:38:01 +02:00
card-functionality	Move virtual card CI test configs to card-functionality/ci/ (where configurations for tests on hardware cards already were).	2022-05-19 18:02:37 +02:00
guide	Document that opgpcard needs pcscd; troubleshooting cards being locked by scdaemon.	2022-04-27 13:11:40 +02:00
LICENSES	Initial commit	2021-06-30 22:29:23 +02:00
openpgp-card	Bump versions:	2022-05-24 16:20:59 +02:00
openpgp-card-examples	Don't depend on specific versions	2022-03-30 04:01:39 +02:00
openpgp-card-sequoia	Bump versions:	2022-05-24 16:20:59 +02:00
pcsc	Bump version to 0.2.1 (logging changes only)	2022-03-22 16:56:59 +01:00
scdc	Upgrade to newer tokio and sequoia-ipc versions, bump crate version to 0.2.1.	2022-03-22 16:49:39 +01:00
tools	Add comment about verifying the admin PIN before attempting a PIN-change (and a link to a yubico developer blog article detailing a potential pitfall of not doing that check)	2022-05-24 18:33:46 +02:00
.gitignore	Rename card-functionality example config, and add config/*toml to .gitignore, to adjust to the new option of individual config files per card.	2021-12-26 11:49:51 +01:00
.gitlab-ci.yml	Move virtual card CI test configs to card-functionality/ci/ (where configurations for tests on hardware cards already were).	2022-05-19 18:02:37 +02:00
Cargo.toml	Rename openpgp-card-apps into openpgp-card-examples	2021-10-29 22:38:01 +02:00
deny.toml	Run cargo deny in CI linting stage	2022-03-22 16:49:39 +01:00
LICENSE	Add LICENSE	2022-05-25 15:29:33 +00:00
README.md	Adjust documentation: functionality of opgpcard-pin has been folded into opgpcard.	2022-05-13 19:14:07 +02:00

README.md

This project implements client software for the OpenPGP card standard, in Rust.

Architecture

This project consists of the following library crates:

openpgp-card, which offers a relatively low level OpenPGP card client API. It is PGP implementation agnostic.
openpgp-card-pcsc, a backend to communicate with smartcards via pcsc.
openpgp-card-scdc, a backend to communicate with smartcards via an scdaemon instance.
openpgp-card-sequoia, a higher level API for conveniently using openpgp-card with Sequoia PGP.

This is how the libraries relate to each other (and to applications):

graph BT
    OP["openpgp-card-pcsc <br/> (pcsclite backend)"] --> OC
    OS["openpgp-card-scdc <br/> (scdaemon backend)"] --> OC["openpgp-card <br/> (low level API)"]
    OC --> OCS["openpgp-card-sequoia <br/> (high level Sequoia PGP-based API)"]
    OC -.-> U1[Applications based on low level API]
    OCS -.-> U2[Sequoia PGP-based applications]

classDef userApp fill:#f8f8f8,stroke-dasharray: 5 5;
class U1,U2 userApp;

Additionally, there are the following non-library crates that are built on top of the libraries described above:

openpgp-card-tools, a CLI tool to inspect, manage and use OpenPGP cards, aimed at end users.
openpgp-card-tests, a test-suite that runs OpenPGP card operations on smartcards.
openpgp-card-examples, small example applications that demonstrate how you can use these libraries in your own projects to access OpenPGP card functionality.

The openpgp-card crate

Implements the functionality described in the OpenPGP card specification, offering an API at roughly the level of abstraction of that specification, using Rust data structures. (However, this crate may work around some minor quirks of specific card models, in order to offer clients a somewhat uniform view)

This crate and its API do not depend or rely on any particular OpenPGP implementation.

Backends

Typically, openpgp-card will be used with the openpgp-card-pcsc backend, which uses the standard pcsclite library to communicate with cards.

However, alternative backends can be used and may be useful.
The experimental, alternative openpgp-card-scdc backend uses scdaemon from the GnuPG project as a low-level transport layer to interact with OpenPGP cards.

Backends implement:

functionality to find and connect to a card (these operations may vary significantly between different backends),
transaction management (where applicable), by implementing the CardBackend trait, and
simple communication primitives, by implementing the CardTransaction trait, to send individual APDU commands and receive responses.

All higher level and/or OpenPGP card-specific logic (including command chaining) is handled in the openpgp-card layer.

The openpgp-card-sequoia crate

Offers a higher level interface, based around Sequoia PGP datastructures.

Most client projects will probably want to use only this crate, and ignore the lower level crates as implementation details.

Testing

The subcrate openpgp-card-tests (in the directory card-functionality) contains the beginnings of a framework that tests the openpgp-card library against OpenPGP cards.

However, OpenPGP cards are, usually, physical devices that you plug into your computer, e.g. as USB sticks, or Smart cards (this is, of course, the usual point of these cards: they are independent devices, which are only loosely coupled with your regular computing environment. However, for automated testing, such as CI, this can be a complication.)

There are at least two approaches for running tests against software-based OpenPGP cards:

Virtual JavaCards

It's possible to run simulated JavaCard applets on a host computer, and make those available via the PCSC lite framework.

To simplify testing against such simulated cards, the https://gitlab.com/hkos/openpgp-card-images repository provides Container images for the "SmartPGP" and "YubiKey NEO" OpenPGP card implementations.

These images are used to run card-functionality tests on gitlab's CI. See the GitLab CI config hkos/openpgp-card:.gitlab-ci.yml and the Dockerfiles and run script: hkos/openpgp-card:card-functionality/docker/.

Emulated Gnuk

Gnuk is a free implementation of the OpenPGP card spec by Gniibe, see: http://www.fsij.org/doc-gnuk/.

Gnuk normally runs on STM32-based hardware tokens. However, it's also possible to compile the Gnuk code to run on your host machine. This is useful for testing purposes.

Emulated Gnuk is connected to the system via http://usbip.sourceforge.net/. This means that to use an emulated Gnuk, you need to have both root privileges and be able to load a kernel module (so running an emulated Gnuk is not currently possible in GitLab CI).

See the README of the card-functionality project for more information on this.

Acknowledgements

This project is based on the OpenPGP card spec, version 3.4.1.

Other helpful resources included:

The free Gnuk OpenPGP card implementation by gniibe.
The Rust/Sequoia-based OpenPGP card client code in kushaldas' project johnnycanencrypt.
The scdaemon client implementation by the GnuPG project.
The open-keychain project, which implements an OpenPGP card client for Java/Android.
The Rust/Sequoia-based OpenPGP card client code by Robin Krahl.