javacard-openpgpcard
gpg --card-status doesn't recreate private key stubs
Hello!
I can't find a way to recreate private key stubs with a new keyring. Steps I do:
- creating new keyring
- creating certification key
- creating signing key
- creating encryption key
- creating authentication key
- moving keys to corresponding card slots with keytocard command
- creating new keyring by changing GNUPGHOME and importing public keys from previous one
- restarting gpg-agent
- invoking gpg --card-status
- all keys are on the card
- gpg -K shows nothing, only pub keys are available with gpg -k
What am I doing wrong? Is it an applet bug or is it a gpg bug?
gpg version: 2.2.1
openpgpcard version: cada19e
Thanks for any clues.
Did you install scdaemon? It didn't work for me without doing so.
I'm using Gentoo Linux.
GnuPG is built with the smartcard USE flag and scdaemon is located in the /usr/libexec dir.
gpg --card-status looks pretty fine and I even can change card parameters and load keys.
So, yes, scdaemon is here and it works.
And did you import the corresponding public key?
I sure did.
One more interesting thing is that moving private keys with gpg --edit-key keytocard does not replace the key with a stub on save.
It can be a very subtle card communication error.
Sorry, no idea then. ¯\_(ツ)_/¯
Thank you anyway =) BTW, what OpenPGP card are you using?
I use the OpenPGP card from Free Software Foundation Europe. It's a Zeitcontrol 2.0.
It's been a while since I wrote this code, so it could very well be that gpg changed in the meantime. Part of the functionality was written purely using the specs as not everything was supported by gpg at that time. I'll try to see if I can reproduce the problems you're experiencing.
Thank you very much! I would like to do the troubleshooting by myself, but I'm new to gpg. Could you point to the possible reasons for the observed behavior?
I'm not sure what could be causing this issue. If gpg --card-status shows the keys correctly, I don't immediately expect a problem with the applet though. Could you maybe provide the exact commands you used?
My command listing.
Init key in empty gpg homedir.
killall gpg-agent # needed to change its homedir
mkdir gpg1
cd gpg1
gpg --full-generate-key --expert --homedir .
# Key type: (8) RSA (set your own capabilities)
# Current allowed actions: Certify
# Key size: 4096
# Never expire
# Real name: test1
# Email: [email protected]
# Comment is empty
# Empty password for private key
Create subkeys
gpg --expert --homedir . --key-edit [email protected]
gpg> addkey
# (4) RSA (sign only)
# Key size: 2048
# Never expire
# Empty password for private key
gpg> addkey
# (6) RSA (encrypt only)
# Key size: 2048
# Never expire
# Empty password for private key
gpg> addkey
# (8) RSA (set your own capabilities)
# Current allowed actions: Authenticate
# Key size: 2048
# Never expire
# Empty password for private key
Move keys to card
# Moving first subkey (signature) to card
gpg> key 1
gpg> keytocard
# (1) Signature key
gpg> key 1 # deselect subkey 1
# Moving second subkey (encryption) to card
gpg> key 2
gpg> keytocard
# (2) Encryption key
gpg> key 2 # deselect subkey 2
# Moving third subkey (authentication) to card
gpg> key 3
gpg> keytocard
# (3) Authentication key
gpg> save
Save command MUST replace private keys with stubs (according to gpg docs). But original keys are still there.
gpg -K --homedir . --keyid-format long
gpg: WARNING: unsafe permissions on homedir '/home/hexum/gpg1'
/home/hexum/gpg1/pubring.kbx
----------------------------
sec rsa4096/D10ADD549188F73D 2017-12-01 [C]
2C6A86EDCD5A6D4DEACAE811D10ADD549188F73D
uid [ultimate] test1 <[email protected]>
ssb rsa2048/8BB1B3F8D9CE4084 2017-12-01 [S]
ssb rsa2048/30EECD8D9B1E04A9 2017-12-01 [E]
ssb rsa2048/BACEA2FE6231C7E0 2017-12-01 [A]
Moving to new dir
mkdir ../gpg2
gpg --homedir . --armor --export > ../gpg2/pubkeys
cd ../gpg2
gpg --homedir . --import pubkeys
killall gpg-agent # needed to change its homedir
Check card status
gpg --card-status --homedir .
gpg: WARNING: unsafe permissions on homedir '/home/hexum/gpg2'
Reader ...........: Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: B14E 2B10 367A D76B 48F2 2065 8BB1 B3F8 D9CE 4084
created ....: 2017-12-01 20:23:39
Encryption key....: F73F 7195 8FA1 C65C EC25 D902 30EE CD8D 9B1E 04A9
created ....: 2017-12-01 20:23:57
Authentication key: A3EC FAA1 0BDA 05F5 5BDF B414 BACE A2FE 6231 C7E0
created ....: 2017-12-01 20:24:28
General key info..: sub rsa2048/8BB1B3F8D9CE4084 2017-12-01 test1 <[email protected]>
sec# rsa4096/D10ADD549188F73D created: 2017-12-01 expires: never
ssb# rsa2048/8BB1B3F8D9CE4084 created: 2017-12-01 expires: never
ssb# rsa2048/30EECD8D9B1E04A9 created: 2017-12-01 expires: never
ssb# rsa2048/BACEA2FE6231C7E0 created: 2017-12-01 expires: never
No private keys and no stubs for them are available.
gpg -K --homedir .
gpg: WARNING: unsafe permissions on homedir '/home/hexum/gpg2'
# no more lines here
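A check I would script for this procedure, as an added example that is not part of the issue or of the javacard-openpgpcard project: instead of eyeballing `sec`/`ssb` versus `sec#`/`ssb>` in the human-readable listing, parse `gpg -K --with-colons` and report, for each secret key record, whether the secret part is local, a stub pointing at a card, or a stub with no secret at all. The field semantics are my reading of GnuPG's doc/DETAILS and are assumed here (field 5 key id, field 15 token serial number, `#` for a stub without secret key, empty for a local secret key); the sample listings are constructed to mirror the key ids and card AID shown in this thread.

```python
"""Check whether keytocard + save actually left card stubs behind.

Added example for the issue thread above; it is not code from GnuPG or
the javacard-openpgpcard project. It reads the machine-readable output
of `gpg -K --with-colons` and classifies every sec/ssb record. The field
semantics are taken from GnuPG's doc/DETAILS as I read it (assumed here):
field 5 is the key id, field 15 is the token serial number when the
secret key is a card stub, '#' when it is a stub with no secret key at
all, and empty when the secret key is held locally.
"""
import subprocess

CARD, STUB, LOCAL = "card", "stub-no-secret", "local"


def classify_record(line):
    """Return (type, keyid, location) for a sec/ssb record, else None."""
    fields = line.rstrip("\n").split(":")
    if fields[0] not in ("sec", "ssb"):
        return None
    keyid = fields[4]
    token = fields[14] if len(fields) > 14 else ""
    if token == "#":
        location = STUB
    elif token:
        location = CARD + ":" + token   # serial number of the token holding the key
    else:
        location = LOCAL
    return fields[0], keyid, location


def classify_listing(text):
    records = (classify_record(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def subkeys_not_on_card(text):
    """Key ids of subkeys whose secret part is not a card stub.

    Returns None when the listing has no secret keys at all, which is
    what the second homedir (gpg2) in the thread shows: neither keys nor
    stubs, so there is nothing to classify.
    """
    records = classify_listing(text)
    if not records:
        return None
    return [keyid for kind, keyid, loc in records
            if kind == "ssb" and not loc.startswith(CARD + ":")]


def list_secret_keys(homedir):
    """Run gpg against a homedir and return its colon-format secret listing."""
    out = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--with-colons", "-K"],
        capture_output=True, text=True, check=True)
    return out.stdout


# Constructed sample listings modelled on the key ids in the thread.
# gpg1 after `save` as the reporter observed it: every ssb still local.
SAMPLE_AFTER_SAVE_BUG = """\
sec:u:4096:1:D10ADD549188F73D:1512159000:::u:::cSC::::::23::0:
fpr:::::::::2C6A86EDCD5A6D4DEACAE811D10ADD549188F73D:
ssb:u:2048:1:8BB1B3F8D9CE4084:1512159819::::::s::::::23:
ssb:u:2048:1:30EECD8D9B1E04A9:1512159837::::::e::::::23:
ssb:u:2048:1:BACEA2FE6231C7E0:1512159868::::::a::::::23:
"""
# The state keytocard + save is documented to leave: ssb records that
# are stubs carrying the card's serial number (AID taken from the thread).
SAMPLE_EXPECTED = """\
sec:u:4096:1:D10ADD549188F73D:1512159000:::u:::cSC::::::23::0:
ssb:u:2048:1:8BB1B3F8D9CE4084:1512159819::::::s:::D2760001240102000000000000010000:::23:
ssb:u:2048:1:30EECD8D9B1E04A9:1512159837::::::e:::D2760001240102000000000000010000:::23:
ssb:u:2048:1:BACEA2FE6231C7E0:1512159868::::::a:::D2760001240102000000000000010000:::23:
"""

if __name__ == "__main__":
    for name, sample in (("buggy", SAMPLE_AFTER_SAVE_BUG), ("expected", SAMPLE_EXPECTED)):
        print(name, subkeys_not_on_card(sample))
```

Run against the first homedir with `subkeys_not_on_card(list_secret_keys("gpg1"))` right after `save`: an empty list means every subkey became a card stub, a list of key ids names the subkeys whose secret material is still on disk, and `None` reproduces the empty `gpg -K` of the second homedir.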
It seems that when importing keys the public key was not imported properly. gpg tries to retrieve the public key on the 'save' command and if this fails does not create the stubs. This should be fixed in ce9d525. Could you check whether this also solves your issues?
Tried ce9d525. Problem is reproducible.
It's an applet bug. ykneo-openpgp works as expected, but I do not want to use it.
Are the private keys still not replaced by templates after the save command for you? Could you run the PC/SC daemon in the foreground with APDU logging (pcscd -f -a) and post the output here? This output will contain the private keys that are sent to the card, so please only post this for test keys.