7 files changed, 60 insertions, 58 deletions
@@ -1,3 +1,9 @@
+2016-05-20 NIIBE Yutaka <firstname.lastname@example.org>
+ * VERSION: 1.2.0.
+ * src/usb-ccid.c (ccid_thread): Fix timeout.
+ (icc_handle_timeout, icc_send_status): Tweak.
2016-05-19 Niibe Yutaka <email@example.com>
* src/usb_ctrl.c (usb_cb_ctrl_write_finish): Set bDeviceState.
@@ -9,9 +15,6 @@
* chopstx: Update to 0.11.
- * src/gnuk.h (LED_START_COMMAND, LED_FINISH_COMMAND): Change the
- values for a case both flags will be handled.
2016-05-18 Niibe Yutaka <firstname.lastname@example.org>
* src/gnuk.ld.in: Tweak thread size.
@@ -2,15 +2,18 @@ Gnuk NEWS - User visible changes
* Major changes in Gnuk 1.2.0
- Released 2016-02-xx, by NIIBE Yutaka
+ Released 2016-05-20, by NIIBE Yutaka
+** Upgrade of Chopstx
+We use Chopstx 0.11.
** Support authentication status reset by VERIFY command.
This feature is described in the OpenPGPcard specification V2.2 and
V3.1, which allow user to reset authentication status.
-** S2K algorithm change to defeat "copycat" service of MCU.
+** S2K algorithm tweak to defeat "copycat" service of MCU.
Even if the existence of some services copying MCU, your private key
-will not be controled by others.
+will not be controled by others, in some cases.
** Bug fix for secp256k1 and NIST P-256.
Bugs in basic computation were fixed.
@@ -1,28 +1,27 @@
Gnuk - An Implementation of USB Cryptographic Token for GnuPG
- Version 1.1.9
+ Version 1.2.0
Free Software Initiative of Japan
-This is another experimental release of Gnuk, version 1.1.9, which has
+This is new release of Gnuk, version 1.2.0, which has major
incompatible changes to Gnuk 1.0.x. Specifically, it now supports
overriding key import, but importing keys (or generating keys) results
password reset. Please update your documentation for Gnuk Token, so
-that the instruction of importing keys won't cause any confusion. It
-has supports of ECDSA (with NIST P256 and secp256k1), EdDSA, and ECDH
-(with NIST P256, secp256k1, and Curve25519), but this ECC feature is
-pretty much experimental, and it requires modern GnuPG with
-development version of libgcrypt.
+that the instruction of importing keys won't cause any confusion.
-It also supports RSA-4096 experimentally, but users should know that
-it takes more than 8 second to sign/decrypt.
+It has supports of EdDSA, ECDSA (with NIST P256 and secp256k1), and
+ECDH (with NIST P256, secp256k1, and X25519), but this ECC feature is
+somehow experimental, and it requires modern GnuPG 2.1.x with
+libgcrypt 1.7.0 or later.
-You will not able to keep using Curve25519 keys, as the key format is
-subject to change.
+It also supports RSA-4096, but users should know that it takes more
+than 8 seconds to sign/decrypt. Key generation of RSA-4096 just fails,
+because the device doesn't have enough memory.
@@ -63,11 +62,12 @@ A0: Good points of Gnuk are:
Q1: What kind of key algorithm is supported?
A1: Gnuk version 1.0 only supports RSA-2048.
- Development version of Gnuk (1.1.x) supports 256-bit ECDSA and EdDSA,
- as well as RSA 4096-bit. But it takes long time to sign with RSA-4096.
+ Gnuk version 1.2.x supports 256-bit EdDSA and ECDSA, as well as
+ RSA-4096. But it takes long time to sign with RSA-4096.
Q2: How long does it take for digital signing?
A2: It takes a second and a half or so for RSA-2048.
+ It takes more than 8 secondd for RSA-4096.
Q3: What's your recommendation for target board?
A3: Orthodox choice is Olimex STM32-H103.
@@ -77,7 +77,7 @@ A3: Orthodox choice is Olimex STM32-H103.
choice for experiment.
Q4: What's version of GnuPG are you using?
-A4: In Debian GNU/Linux system, I use GnuPG modern 2.1.x in
+A4: In Debian GNU/Linux system, I use GnuPG modern 2.1.12 in
Q5: What's version of pcscd and libccid are you using?
@@ -139,22 +139,14 @@ Ac: That's because gnome-keyring-daemon interferes GnuPG. Please
Qd: Do you know a good SWD debugger to connect FST-01 or something?
Ad: ST-Link/V2 is cheap one. We have a tool/stlinkv2.py as flash ROM
writer program. STM32 Nucleo F103 comes with the valiant of
+ ST-Link/V2. However, the firmware of ST-Link/V2 is proprietary.
+ Now, I develop BBG-SWD, SWD debugger by BeagleBone Green.
-This is ninth experimental release in version 1.1 series of Gnuk.
-While it is daily use by its developer, some newly introduced features
-(including ECDSA/EdDSA/ECDH, key generation and firmware upgrade)
-should be considered experimental. ECDSA/EdDSA/ECDH is really
-experimental. Further, ECDH on Curve25519 is much experimental. You
-won't be able to keep using the key, since the key format of GnuPG is
-not defined and it's subject to change.
-Tested features are:
+Gnuk is tested by test suite. Please see the test directory.
* Personalization of the card
* Changing Login name, URL, Name, Sex, Language, etc.
@@ -171,10 +163,10 @@ Tested features are:
* Modify with pin pad
* Card holder certificate (read)
* Removal of keys
- * Key generation on device side
+ * Key generation on device side for RSA-2048
* Overriding key import
-Original features of Gnuk, tested lightly:
+Original features of Gnuk, tested manually lightly:
* OpenPGP card serial number setup
* Card holder certificate (write by UPDATE BINARY)
@@ -182,12 +174,12 @@ Original features of Gnuk, tested lightly:
It is known not-working well:
- * It is known that the combination of libccid 1.4.1 (or newer)
- with libusb 1.0.8 (or older) has a minor problem. It is
- rare but it is possible for USB communication to be failed,
- because of a bug in libusb implementation. Use libusbx
- 1.0.9 or newer, or don't use PC/SC, but use internal CCID
- driver of GnuPG.
+ * It is known that the specific combination of libccid 1.4.1
+ (or newer) with libusb 1.0.8 (or older) had a minor problem.
+ It is rare but it is possible for USB communication to be
+ failed, because of a bug in libusb implementation. Use
+ libusbx 1.0.9 or newer, or don't use PC/SC, but use internal
+ CCID driver of GnuPG.
@@ -256,7 +248,7 @@ External source code
Gnuk is distributed with external source code.
-* chopstx/ -- Chopstx 0.10
+* chopstx/ -- Chopstx 0.11
We use Chopstx as the kernel for Gnuk.
@@ -369,9 +361,9 @@ You need GNU toolchain and newlib for 'arm-none-eabi' target.
On Debian we can install the packages of gcc-arm-none-eabi,
gdb-arm-none-eabi and its friends. I'm using:
- binutils-arm-none-eabi 2.25-5+5+b1
- gcc-arm-none-eabi 15:4.9.3+svn227297-1
- gdb-arm-none-eabi 7.7.1+dfsg-5+8
+ binutils-arm-none-eabi 2.26-4+8
+ gcc-arm-none-eabi 15:4.9.3+svn231177-1
+ gdb-arm-none-eabi 7.10-1+9
Or else, see https://launchpad.net/gcc-arm-embedded for preparation of
@@ -459,11 +451,13 @@ to access the contents. If you want to protect, killing DfuSe and
accessing by JTAG debugger is recommended.
-How to configure
+(Optional) Configure serial number and X.509 certificate
+This is completely optional.
-You need python and pyscard (python-pyscard package in Debian) or
-PyUSB 0.4.3 (python-usb package in Debian).
+For this procedure, you need python and pyscard (python-pyscard
+package in Debian) or PyUSB 0.4.3 (python-usb package in Debian).
(1) [pyscard] Stop scdaemon
[PyUSB] Stop the pcsc daemon.
@@ -616,7 +610,7 @@ Your Contributions
FSIJ welcomes your contributions. Please assign your copyright
-to FSIJ (if possible).
+to FSIJ (if possible), as I do.
@@ -1 +1 @@
@@ -421,8 +421,8 @@ extern const uint8_t gnuk_string_serial;
#define LED_ONESHOT 1
#define LED_TWOSHOTS 2
#define LED_SHOW_STATUS 4
-#define LED_FINISH_COMMAND 8
-#define LED_START_COMMAND 16
+#define LED_START_COMMAND 8
+#define LED_FINISH_COMMAND 16
#define LED_FATAL 32
#define LED_GNUK_EXEC 64
void led_blink (int spec);
@@ -259,9 +259,9 @@ main (int argc, char *argv)
led_inverted = 1;
+ chopstx_usec_wait (LED_TIMEOUT_STOP);
- chopstx_usec_wait (LED_TIMEOUT_STOP);
led_inverted = 0;
diff --git a/src/usb-ccid.c b/src/usb-ccid.c
index 16e2849..1dc2562 100644
@@ -847,6 +847,7 @@ icc_send_status (struct ccid *c)
c->epi->tx_done = 1;
usb_lld_write (c->epi->ep_num, icc_reply, ICC_MSG_HEADER_SIZE);
+ led_blink (LED_SHOW_STATUS);
@@ -1333,7 +1334,7 @@ icc_handle_timeout (struct ccid *c)
- led_blink (LED_SHOW_STATUS);
+ led_blink (LED_ONESHOT);
@@ -1394,6 +1395,7 @@ ccid_thread (void *arg)
ccid_init (c, epi, epo, a);
+ timeout = USB_ICC_TIMEOUT;