gnupg-pkcs11-scd
ERR 41 Wrong public key algorithm <Unspecified source>
Ehlo.
I'm getting the following error in my logs and my attempts to use my smart card fail:
gnupg-pkcs11-scd[3885]: chan_0 <- KEYINFO --list
gnupg-pkcs11-scd[3885]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>
I'm using libcryptoki.so provider as described here, so there are quite a lot of variables in this setup.
The error seems to happen with all the KEYINFO commands. My setup was working previously, but clearly some underlying component has updated down the road and now it's broken.
Any advice on where to look to get this sorted out? I'm happy to provide any additional information.
Versions
Software | Version |
---|---|
gpg | 2.4.3 |
libgcrypt | 1.10.3 |
gnupg-pkcs11-scd | 3b84225 |
Hello, Please test latest release and not a random point in time. Please provide debug log after you have done so. Thanks,
Got it. You probably want the logs with debug-all & verbose. If it's ok, I'll send it via email.
I've narrowed this down a bit. So something has changed between GnuPG versions 2.2 and 2.3 that makes this happen. With GnuPG version 2.2.42 everything works perfectly. I started to go back from version 2.3.0 and got as far as 2.3.0-beta1109 (3c4ab53) where this is already happening and was unable to compile earlier versions/commits.
Here are some log extracts from a decryption operation:
2.2.42 - smart card working
==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:38 gpg-agent[26041] gpg-agent (GnuPG) 2.2.42 started
==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:31:38 gpgsm[26038] encrypted to rsa3072 key ...
==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047.1563801920]: Listening to socket '/tmp/gnupg-pkcs11-scd.1FaTNv/agent.S'
gnupg-pkcs11-scd[26047.1563801920]: accepting connection
gnupg-pkcs11-scd[26047]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26047.1563801920]: processing connection
gnupg-pkcs11-scd[26047]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26047]: chan_0 -> D /tmp/gnupg-pkcs11-scd.1FaTNv/agent.S
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- SERIALNO --demand=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
gnupg-pkcs11-scd[26047]: chan_0 -> S SERIALNO YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY 0
gnupg-pkcs11-scd[26047]: chan_0 -> OK
==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:39 gpg-agent[26041] detected card with S/N YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047]: chan_0 <- SETDATA ...
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- PKDECRYPT ...
gnupg-pkcs11-scd[26047]: chan_0 -> S PADDING 0
gnupg-pkcs11-scd[26047]: chan_0 -> [ xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ...(2 byte(s) skipped) ]
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- RESTART
gnupg-pkcs11-scd[26047]: chan_0 -> OK
2.3.0-beta1109 - smart card NOT working
==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:38 gpg-agent[26925] gpg-agent (GnuPG) 2.3.0-beta1109 started
==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:38 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - issuer: '...'
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - serial: XXXXXXXX
==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930.3407657280]: Listening to socket '/tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S'
gnupg-pkcs11-scd[26930.3407657280]: accepting connection
gnupg-pkcs11-scd[26930]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26930.3407657280]: processing connection
gnupg-pkcs11-scd[26930]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26930]: chan_0 -> D /tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- SERIALNO --all
gnupg-pkcs11-scd[26930]: chan_0 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- KEYINFO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gnupg-pkcs11-scd[26930]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>
At this point GnuPG asks me to insert a smart card, even though it's already inserted.
==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:58 gpg-agent[26925] smartcard decryption failed: Operation cancelled
2024-01-16 21:48:58 gpg-agent[26925] command 'PKDECRYPT' failed: Operation cancelled <Pinentry>
==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:58 gpgsm[26923] error decrypting session key: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] decrypting session key failed: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] message decryption failed: Operation cancelled <Pinentry>
==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930]: chan_0 <- RESTART
gnupg-pkcs11-scd[26930]: chan_0 -> OK
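A way to triage traces like the two above, as an added example that is not part of the original thread: it pairs each Assuan request in a gnupg-pkcs11-scd log with the status line that closes it, lists the requests answered with ERR, and reports which command verbs appear only in the failing run. The sample traces are constructed from the extracts above with shortened placeholders, and all function names are hypothetical.

```python
import re

# Assuan trace line as written by gnupg-pkcs11-scd: "<prog>[pid]: chan_N <- request"
LINE = re.compile(r"^\S+\[(\d+)(?:\.\d+)?\]: chan_(\d+) (<-|->) (.*)$")

def pair_exchanges(log_text):
    """Pair each Assuan request with the OK/ERR status line that closes it."""
    pending, exchanges = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # connection chatter and tail "==> file <==" headers
        pid, chan, direction, payload = m.groups()
        key = (pid, chan)
        if direction == "<-":
            pending[key] = payload
        elif key in pending and payload.split(" ", 1)[0] in ("OK", "ERR"):
            # D, S and hex-dump lines are intermediate data, not a final status
            exchanges.append((pending.pop(key), payload))
    return exchanges

def failed_commands(exchanges):
    """(verb, error code, description) for every request answered with ERR."""
    failures = []
    for request, status in exchanges:
        parts = status.split(" ", 2)
        if parts[0] == "ERR" and len(parts) > 1 and parts[1].isdigit():
            desc = parts[2] if len(parts) > 2 else ""
            failures.append((request.split(" ", 1)[0], int(parts[1]), desc))
    return failures

def verbs_only_in(failing, working):
    """Command verbs sent in the failing run but never in the working one."""
    seen = {req.split(" ", 1)[0] for req, _ in working}
    sent = dict.fromkeys(req.split(" ", 1)[0] for req, _ in failing)
    return [verb for verb in sent if verb not in seen]

def _trace(pid, lines):
    return "\n".join(f"gnupg-pkcs11-scd[{pid}]: chan_0 {l}" for l in lines)

# Constructed samples, shortened from the extracts above (placeholders, not real IDs)
WORKING = _trace(26047, ["-> OK PKCS#11 smart-card server for GnuPG ready",
    "<- SERIALNO --demand=YYYY", "-> S SERIALNO YYYY 0", "-> OK",
    "<- PKDECRYPT ...", "-> S PADDING 0", "-> OK", "<- RESTART", "-> OK"])
FAILING = _trace(26930, ["<- SERIALNO --all", "-> S SERIALNO XXXX 0", "-> OK",
    "<- KEYINFO XXXX", "-> ERR 41 Wrong public key algorithm <Unspecified source>",
    "<- RESTART", "-> OK"])

if __name__ == "__main__":
    print(failed_commands(pair_exchanges(FAILING)))
    print(verbs_only_in(pair_exchanges(FAILING), pair_exchanges(WORKING)))
```

On these samples the only failing request is KEYINFO, which is also the only verb absent from the working run.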
I would really appreciate if we can first confirm gpg is working before we go to gpgsm. But maybe this is a hint: non-critical certificate policy not allowed
But maybe this is a hint: non-critical certificate policy not allowed
There is a commit in GnuPG which implies it's nothing critical:
commit 4f1b9e3abb337470e5e4809b3a7f2df33f5a63a4
Author: Werner Koch [email protected]
Date: Mon Dec 5 14:31:45 2022 +0100

gpgsm: Silence the "non-critical certificate policy not allowed".

* sm/certchain.c (check_cert_policy): Print non-critical policy warning only in verbose mode.
Please send me your certificate.