trezor-agent

No support for adding subkeys to NIST-521 GPG identities

Open aitorpazos opened this issue 8 years ago • 4 comments

I was trying to add a new subkey from my Ledger Nano S to an existing key with other subkeys and I'm getting an "AssertionError". This is the key structure:

pub   nistp521 [SC]
sub   nistp521 [E]
sub   rsa4096 [S]
sub   rsa4096 [E]

The error seems to be related to the key configuration, as it worked fine with a new key created using default values, adding a subkey to it and then adding the Ledger key. However, I don't know how I could fix it using my existing key.

This is the AssertionError trace:

Traceback (most recent call last):
  File "/usr/bin/ledger-gpg", line 11, in <module>
    sys.exit(gpg_tool())
  File "/usr/bin/ledger_agent.py", line 6, in <lambda>
    gpg_tool = lambda: libagent.gpg.main(DeviceType)
  File "/usr/lib/python3.6/site-packages/libagent/gpg/__init__.py", line 241, in main
    return args.func(device_type=device_type, args=args)
  File "/usr/lib/python3.6/site-packages/libagent/gpg/__init__.py", line 134, in run_init
    export_public_key(device_type, args))
  File "/usr/lib/python3.6/site-packages/libagent/gpg/__init__.py", line 56, in export_public_key
    signer_func=signer_func)
  File "/usr/lib/python3.6/site-packages/libagent/gpg/encode.py", line 55, in create_subkey
    packets = list(decode.parse_packets(io.BytesIO(primary_bytes)))
  File "/usr/lib/python3.6/site-packages/libagent/gpg/decode.py", line 253, in parse_packets
    p = packet_type(util.Reader(io.BytesIO(packet_data)))
  File "/usr/lib/python3.6/site-packages/libagent/gpg/decode.py", line 153, in _parse_pubkey
    assert oid in SUPPORTED_CURVES, util.hexlify(oid)
AssertionError: 2B81040023

aitorpazos avatar Nov 12 '17 21:11 aitorpazos
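The hex value in the assertion, 2B81040023, is the DER content encoding of the curve OID that the primary key's public-key packet carries (RFC 6637 stores the OID without its ASN.1 tag and length octet). Decoding it gives 1.3.132.0.35, which is NIST P-521. The following is an added example, not libagent's code: it decodes and encodes such OIDs, parses the ECC key-material layout (OID length, OID, point MPI) and rejects unsupported curves with a readable error instead of a bare AssertionError. The curve-name table is from the OpenPGP ECC registry; the "supported" set is an assumption taken from this thread (NIST-P256 and the two Curve25519 forms), and the sample key material is constructed with a dummy MPI in place of a real point.

```python
"""Decode the curve OID behind the AssertionError above (added example,
not libagent's own code). OpenPGP ECC public keys carry the curve OID as
DER content octets only, which is exactly the value the assertion prints."""

# Dotted OID -> curve name, per RFC 6637 / the OpenPGP ECC curve registry.
KNOWN_CURVES = {
    "1.2.840.10045.3.1.7": "nistp256",
    "1.3.132.0.34": "nistp384",
    "1.3.132.0.35": "nistp521",
    "1.3.6.1.4.1.11591.15.1": "ed25519",
    "1.3.6.1.4.1.3029.1.5.1": "cv25519",
}

# Assumption from this thread: NIST-P256 and Curve25519 (ed25519 for
# signing, cv25519 for encryption) are supported; P-521 is not.
SUPPORTED_CURVES = {"nistp256", "ed25519", "cv25519"}


class UnsupportedCurve(ValueError):
    """Raised instead of a bare AssertionError so the user sees the curve."""


def decode_oid(content: bytes) -> str:
    """DER OID content octets -> dotted string (base-128 arcs, MSB = continue)."""
    if not content:
        raise ValueError("empty OID")
    arcs = [content[0] // 40, content[0] % 40]
    value, pending = 0, False
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        pending = bool(byte & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID: last arc has continuation bit set")
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunks))
    return bytes(out)


def classify_curve(oid_hex: str):
    """Return (dotted_oid, curve_name_or_None, supported) for a hex OID."""
    dotted = decode_oid(bytes.fromhex(oid_hex))
    name = KNOWN_CURVES.get(dotted)
    return dotted, name, name in SUPPORTED_CURVES


def parse_ecc_key_material(data: bytes) -> dict:
    """Parse the algorithm-specific part of an ECDSA/ECDH OpenPGP public key:
    one-octet OID length, OID content octets, then the point as an MPI
    (two-octet bit count followed by the big-endian value)."""
    oid_len = data[0]
    oid = data[1:1 + oid_len]
    if len(oid) != oid_len:
        raise ValueError("truncated OID field")
    dotted = decode_oid(oid)
    name = KNOWN_CURVES.get(dotted)
    if name not in SUPPORTED_CURVES:
        raise UnsupportedCurve(f"curve {name or 'unknown'} ({dotted}, "
                               f"oid {oid.hex().upper()}) is not supported")
    pos = 1 + oid_len
    bits = int.from_bytes(data[pos:pos + 2], "big")
    nbytes = (bits + 7) // 8
    point = data[pos + 2:pos + 2 + nbytes]
    if len(point) != nbytes:
        raise ValueError("truncated point MPI")
    return {"curve": name, "oid": dotted, "point": point}


# Constructed inputs: the OID from the traceback, plus key-material fields
# with a dummy 11-bit MPI (0x0401) standing in for a real curve point.
TRACEBACK_OID_HEX = "2B81040023"
P521_MATERIAL = bytes([5]) + bytes.fromhex(TRACEBACK_OID_HEX) + bytes.fromhex("000B0401")
P256_MATERIAL = bytes([8]) + encode_oid("1.2.840.10045.3.1.7") + bytes.fromhex("000B0401")

if __name__ == "__main__":
    print(classify_curve(TRACEBACK_OID_HEX))
    print(parse_ecc_key_material(P256_MATERIAL))
    try:
        parse_ecc_key_material(P521_MATERIAL)
    except UnsupportedCurve as exc:
        print("refused:", exc)
```

Running it shows the traceback's OID resolving to ("1.3.132.0.35", "nistp521", False), the P-256 material parsing cleanly, and the P-521 material being refused with the curve name spelled out, which is the diagnostic the original assertion hides behind a hex string.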

Thanks for reporting this issue! I actually never tested it with NISTP521 keys... will reproduce locally and fix.

romanz avatar Nov 15 '17 06:11 romanz

This is indeed the issue - I need to add support for adding subkeys to NISTP521-based identities. Currently, the tool supports NIST-P256, Curve25519, RSA, DSA and ElGamal.

romanz avatar Nov 16 '17 18:11 romanz

AFAIK, no hardware wallet supports operations on the NIST-521 curve, so this tool will only support adding new (non-NIST-521) sub-keys to existing (NIST-521) ones.

romanz avatar Dec 08 '17 19:12 romanz

Currently, the tool supports NIST-P256, Curve25519, RSA, DSA and ElGamal.

My key is a nistp256 but I only see the following when trying to add a new subkey for signing:

image

@romanz in fact, how does one specify which curve to use? trezor-gpg init just uses nistp256 (or is it nist256p1? The output references both labels. Is there a difference?) by default. I'm thinking perhaps the available options differ depending on what curve was used to create the primary key. I'm using gpg 2.2.27 if it matters. Thanks.

doolio avatar Sep 03 '23 17:09 doolio