Resetting OpenPGP SmartCard

After my private key expired a few days ago, I extended its lifetime for another two years. Since I use an OpenPGP SmartCard to store the keys, I had to edit the card as well. After a few tries I gave up, because gpg kept telling me that keys already exist on the card and refused to replace them.

Now I found a hint on how to reset the card to factory defaults [1] [2]. It basically feeds gpg-connect-agent a few raw APDUs: the VERIFY commands (INS 20) deliberately present a wrong PIN to PW1 (P2 81, the user PIN) and to PW3 (P2 83, the admin PIN) until both retry counters are exhausted, and then TERMINATE DF (INS e6) followed by ACTIVATE FILE (INS 44) wipes and re-initialises the card application. Every key and data object on the card is lost by this, so only run it on a card whose keys you still have elsewhere:

$ cat <<EOF > reset.txt
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
EOF

$ gpg-connect-agent < reset.txt

After this you can go on and set the PIN and admin PIN again (for example with the passwd command of gpg --card-edit). The factory defaults are 123456 for the user PIN and 12345678 for the admin PIN.
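Before feeding a script like reset.txt to a real card it is worth decoding what the hex actually tells the card. The following is an added example, not code from the original post or from GnuPG: a small decoder for the "scd apdu" lines of a gpg-connect-agent script that names each instruction using the OpenPGP card specification's INS bytes, counts the wrong-PIN attempts per password reference, and checks that the script ends with TERMINATE DF and ACTIVATE FILE. The embedded script is the one from the post; the decoder only knows the three instructions the reset recipe uses.

```python
"""Decode the APDUs of an OpenPGP card reset script before sending them.

Added example, not code from the original post: it parses the `scd apdu`
lines of a gpg-connect-agent script such as reset.txt and explains each
command with the instruction codes from the OpenPGP card specification,
so you can confirm what the script does (exhaust both PIN retry counters,
then terminate and re-activate the card application) before feeding it
to a real card. Instructions other than the three used here are reported
as unknown.
"""

# ISO 7816-4 instruction (INS) bytes as used by the OpenPGP card application.
INS_NAMES = {0x20: "VERIFY", 0xE6: "TERMINATE DF", 0x44: "ACTIVATE FILE"}
# P2 of VERIFY selects the password: PW1 is the user PIN, PW3 the admin PIN.
PW_NAMES = {0x81: "PW1 (user PIN)", 0x83: "PW3 (admin PIN)"}
# Factory retry counter of the OpenPGP card for each PIN.
DEFAULT_RETRY_COUNTER = 3

# Sample input: the reset script from the post, embedded here verbatim.
RESET_SCRIPT = """\
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo card has been reset to factory defaults
"""


def parse_apdu(line: str) -> dict:
    """Split 'scd apdu CLA INS P1 P2 [Lc data...]' into its fields."""
    parts = line.split()
    if parts[:2] != ["scd", "apdu"]:
        raise ValueError(f"not an apdu line: {line!r}")
    raw = bytes(int(h, 16) for h in parts[2:])
    if len(raw) < 4:
        raise ValueError(f"APDU header too short: {line!r}")
    cla, ins, p1, p2 = raw[:4]
    data = b""
    if len(raw) > 4:
        lc = raw[4]  # Lc: number of data bytes that follow
        data = raw[5:5 + lc]
        if len(raw) != 5 + lc:
            raise ValueError(f"Lc={lc} does not match data length: {line!r}")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data}


def describe(apdu: dict) -> str:
    """Human-readable name of one parsed APDU."""
    name = INS_NAMES.get(apdu["ins"], f"unknown INS 0x{apdu['ins']:02x}")
    if apdu["ins"] == 0x20:
        pw = PW_NAMES.get(apdu["p2"], f"unknown password ref 0x{apdu['p2']:02x}")
        return f"{name} {pw} with {len(apdu['data'])} bytes {apdu['data'].hex()}"
    return name


def summarize(script: str) -> dict:
    """Count VERIFY attempts per PIN and check the script ends with e6 then 44."""
    attempts = {0x81: 0, 0x83: 0}
    ins_seq = []
    for line in script.splitlines():
        if not line.startswith("scd apdu"):
            continue  # /hex, scd serialno and /echo are not APDUs
        apdu = parse_apdu(line)
        ins_seq.append(apdu["ins"])
        if apdu["ins"] == 0x20 and apdu["p2"] in attempts:
            attempts[apdu["p2"]] += 1
    return {
        "pw1_attempts": attempts[0x81],
        "pw3_attempts": attempts[0x83],
        # Both retry counters must reach zero before the terminate step;
        # the recipe sends one attempt more than the factory counter.
        "pins_blocked": all(n >= DEFAULT_RETRY_COUNTER for n in attempts.values()),
        "terminates_then_activates": ins_seq[-2:] == [0xE6, 0x44],
    }


if __name__ == "__main__":
    for line in RESET_SCRIPT.splitlines():
        if line.startswith("scd apdu"):
            print(describe(parse_apdu(line)))
    print(summarize(RESET_SCRIPT))
```

Running it prints one line per APDU (eight VERIFY attempts, four per PIN, then TERMINATE DF and ACTIVATE FILE) and a summary showing that both PINs will be blocked before the card application is terminated. If a script you received from elsewhere decodes to anything other than that pattern, do not send it to the card.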

Adding SSH Key for Authentication

Within this update of keys I also wanted to replace the SSH authentication key. The procedure is described in [3]; in short, I created a 4096-bit RSA subkey with only the authenticate capability (gpg offers option 8, RSA with your own choice of capabilities, only in --expert mode):

$ gpg2 --expert --edit-key <YOURKEYIDHERE>

[...]

gpg> addkey

[...]

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S E A Q

gpg> save

After that, with gpg-agent acting as your SSH agent (enable-ssh-support in ~/.gnupg/gpg-agent.conf and SSH_AUTH_SOCK pointing at its socket, as described in [3]), you can read the public key part using ssh-add:

$ ssh-add -L
ssh-rsa [...] cardno:000800007FC1
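The comment at the end of that line (cardno:...) is how gpg-agent marks a key that lives on the card, and the base64 blob carries the RSA public key in the OpenSSH wire format. The following added example (not from the original post or from GnuPG/OpenSSH) parses such a line, decodes the blob (RFC 4253 string "ssh-rsa", then the mpints e and n) and checks that the exported key is a 4096-bit card key before you paste it into an authorized_keys file. The key line it works on is constructed from a dummy 4096-bit modulus so the check runs offline; the cardno value is the one from the post, not a real key.

```python
"""Check that the key exported by `ssh-add -L` is the card's 4096-bit RSA key.

Added example, not code from the original post. It builds and parses
OpenSSH public-key lines ("ssh-rsa <base64 blob> <comment>") using the
wire format from RFC 4251/4253 and reports the modulus size and comment.
"""
import base64
import struct


def _string(b: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint: two's-complement big-endian, so a leading zero byte is
    needed when the top bit would otherwise be read as a sign bit."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa' public-key line."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_string(blob: bytes, off: int):
    (length,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    return blob[off:off + length], off + length


def parse_rsa_pubkey_line(line: str) -> dict:
    """Decode an 'ssh-rsa' line into exponent, modulus size and comment."""
    keytype, b64, *comment = line.split(None, 2)
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if keytype != "ssh-rsa" or wire_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    n = int.from_bytes(n_bytes, "big")  # leading zero byte, if any, drops out
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "bits": n.bit_length(),
        "comment": comment[0] if comment else "",
    }


def is_card_key(info: dict, min_bits: int = 4096) -> bool:
    """True if gpg-agent tagged the key as card-resident and it is big enough."""
    return info["comment"].startswith("cardno:") and info["bits"] >= min_bits


# Constructed sample: a dummy 4096-bit modulus (top bit set, odd), not a
# real key, with the card serial comment from the post.
E = 65537
N = (1 << 4095) | 0x10001
SAMPLE_LINE = build_rsa_pubkey_line(E, N, "cardno:000800007FC1")

if __name__ == "__main__":
    info = parse_rsa_pubkey_line(SAMPLE_LINE)
    print(info["bits"], "bit key,", info["comment"], "card key:", is_card_key(info))
```

To check the real output, replace SAMPLE_LINE with a line copied from ssh-add -L. A key whose comment is not cardno:... was loaded from a file or from the agent's on-disk keys, not from the card, even if it is large enough.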

Selecting the Active Card Reader

Using a Gemalto Shell Token on my Dell laptop requires explicitly selecting the card reader, because otherwise ssh-agent would only query the laptop's internal card reader for an authentication key, which fails. According to [4] you can set the selected card reader with reader-port in ~/.gnupg/scdaemon.conf. In my case I just uncomment the needed reader and restart the agent. The file content is:

reader-port "Gemalto USB Shell Token V2 (776E5E22) 01 00"
#reader-port "Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00"

References

[1] https://lists.gnupg.org/pipermail/gnupg-users/2009-September/037414.html
[2] http://www.rainydayz.org/content/1233-openpgp-card
[3] https://incenp.org/notes/2014/gnupg-for-ssh-authentication.html
[4] http://www.gossamer-threads.com/lists/gnupg/users/51569