alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Support for cards with EC keys #17

Closed sanmai closed 2 years ago

sanmai commented 5 years ago

I have an Estonian ID-card with an EC certificate. How hard would it be to get gnupg-pkcs11-scd working with EC keys?

$ pkcs15-tool --read-certificate 01 | openssl x509 -text | grep -A1 OID
                ASN1 OID: secp384r1
                NIST CURVE: P-384
$ pkcs11-tool -O 
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Isikutuvastus
  subject:    DN: C=EE, O=ESTEID (DIGI-ID E-RESIDENT), OU=authentication, CN=...
  ID:         01
Public Key Object; EC  EC_POINT 384 bits
  EC_POINT:   ...
  EC_PARAMS:  ....
  label:      Isikutuvastus
  ID:         01
  Usage:      encrypt, verify

There's a second slot also with OU=digital signature.

It seems like gnupg-pkcs11-scd is not aware of anything else but RSA, as per manual.

$ gnupg-pkcs11-scd --server
gnupg-pkcs11-scd[29335.1873246016]: accepting connection
gnupg-pkcs11-scd[29335]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[29335.1873246016]: processing connection
LEARN
gnupg-pkcs11-scd[29335]: chan_0 <- LEARN
gnupg-pkcs11-scd[29335]: chan_0 -> S SERIALNO D2760000000111
S SERIALNO D2760000000111
gnupg-pkcs11-scd[29335]: chan_0 -> S APPTYPE PKCS11
S APPTYPE PKCS11
gnupg-pkcs11-scd[29335]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>
ERR 41 Wrong public key algorithm <Unspecified source>
$ gnupg-pkcs11-scd --version
gnupg-pkcs11-scd 0.9.2
alonbl commented 5 years ago

Hi, correct. This requires good knowledge of gcrypt to know how to encode a public key into an sexp, and reverse engineering of how gnupg expects the public key to be transmitted. As I have no device with EC and little time, it is very difficult for me to support this right now. The key is the keyutil.c file, which handles the conversion of X.509 into a public key and the public key into gcrypt objects. Regards, Alon

sanmai commented 5 years ago

gcrypt wants to see a q-point for a public key, where I believe pkcs11-tool shows just that. So as I have a suitable card, and maybe I could find time, I could look into that thing myself. Would you be willing to review a PR if so?

On the other hand, pkcs11-tool had trouble signing things:

$ pkcs11-tool --login --slot 1 --sign
Logging in to "PIN2 (....".
Please enter User PIN: 
Using signature algorithm ECDSA

error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_LEN_RANGE (0x21)
Aborting.

This can be a real setback with a card I have. (But since I found https://github.com/OpenSC/OpenSC/issues/1428 I rather hope it won't.)

alonbl commented 5 years ago

On Wed, Apr 10, 2019 at 5:21 AM Alexey Kopytko notifications@github.com wrote:

gcrypt wants to see a q-point https://www.gnupg.org/(en)/documentation/manuals/gcrypt/ECC-key-parameters.html for a public key, where I believe pkcs11-tool shows just that. So as I have a suitable card, and maybe I could find time, I could look into that thing myself. Would you be willing to review a PR if so?

Sure! I would love it if you can help. As I wrote, first you need to take care of keyutil to support EC, which is the low-level work; then we can integrate it into the scd commands.

manonfgoo commented 4 years ago

Dear Alon,

I am having the same issues with a Yubikey Smartcard as soon as an ECCP384 or ECCP256 key is loaded onto the smartcard. IMHO gnupg-pkcs11-scd should have an option to ignore slots with key types it cannot handle.

Manon

alonbl commented 4 years ago

I agree. Patches are welcomed.

manonfgoo commented 4 years ago

Could you give me some hints where to look? Where to look for the certificate listing?


alonbl commented 4 years ago

You can look at this[1] and fix the entire flow to return GPG_ERR_WRONG_PUBKEY_ALGO for an unsupported algorithm (notice that the openssl logic already does that), then, in the caller, ignore the GPG_ERR_WRONG_PUBKEY_ALGO error.

[1] https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/gnupg-pkcs11-scd/keyutil.c#L221

type4ranjan commented 3 years ago

Hi @alonbl ,

I am also facing the same issue "Wrong public key algorithm" with EC keys on gpg 2.2.27. Is any patch available for this? Can you please add a patch to ignore this error?

Thanks in Advance! Ranjan

alonbl commented 3 years ago

Hi, looking at the code, it already returns GPG_ERR_WRONG_PUBKEY_ALGO when using openssl and the certificate is not RSA; I had not noticed that two years ago... So the agent is returning the right error, while the component which should ignore the error is gnupg. Can you please send a gpg debug log so we can confirm that the correct error is returned, so that you can contact the gnupg team to ignore these cases? BTW: I doubt they will. Does the problem inhibit you from using all the keys? Thanks, Alon


wiktor-k commented 3 years ago

Hi :wave:!

I'm writing a small proof-of-concept of a similar tool and recently added signing using ECDSA, and if you don't mind, I can share some findings that you may find useful:

The entire commit containing type conversions is at https://github.com/parallaxsecond/rust-cryptoki/commit/064b34a6a037681f62e4036c636ec44e20fa54b4 while my tool is at https://gitlab.com/wiktor/pkcs11-openpgp

As for sexps for interacting with GnuPG, Sequoia has some examples: https://gitlab.com/sequoia-pgp/sequoia/-/blob/main/ipc/tests/data/sexp/ecdsa-signature.sexp as well as for ECDH: https://gitlab.com/sequoia-pgp/sequoia/-/blob/main/ipc/src/sexp.rs#L294-305

manonfgoo commented 3 years ago


Dear Alon,

Your code stops in a "for" loop unless the error is GPG_ERR_NO_ERROR. Please have a look at my patch, which continues when either GPG_ERR_NO_ERROR or GPG_ERR_WRONG_PUBKEY_ALGO is found and stops on all other errors.

Kind regards, Manon
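The two pieces of work this thread describes, the keyutil-style conversion of a PKCS#11 EC public key (EC_PARAMS + EC_POINT) into the gcrypt S-expression that gnupg expects, and the LEARN loop that skips GPG_ERR_WRONG_PUBKEY_ALGO instead of aborting, sketched as an added C example. This is not code from gnupg-pkcs11-scd; the error values, function names and the sample token data are constructed for illustration, and only the P-256 and P-384 curves named in the thread are recognised.

```c
#include <stdio.h>
#include <string.h>

/* Error names from the thread; the values are constructed here, not libgcrypt's. */
enum { GPG_ERR_NO_ERROR = 0, GPG_ERR_WRONG_PUBKEY_ALGO = 1, GPG_ERR_BAD_DATA = 2 };
/* Map the DER curve OID carried in EC_PARAMS to gcrypt's curve name and field size. */
static const char *curve_name(const unsigned char *oid, size_t len, size_t *fb) {
    static const unsigned char p256[] = {0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07};
    static const unsigned char p384[] = {0x06,0x05,0x2b,0x81,0x04,0x00,0x22};
    if (len == sizeof p256 && !memcmp(oid, p256, len)) { *fb = 32; return "NIST P-256"; }
    if (len == sizeof p384 && !memcmp(oid, p384, len)) { *fb = 48; return "NIST P-384"; }
    return NULL;
}

/* EC_PARAMS + EC_POINT -> (public-key (ecc (curve "...") (q #04XY#))); unknown curve -> WRONG_PUBKEY_ALGO. */
int ec_pubkey_to_sexp(const unsigned char *params, size_t plen,
                      const unsigned char *pt, size_t ptlen, char *out, size_t outlen) {
    size_t fb; const char *name = curve_name(params, plen, &fb);
    if (!name) return GPG_ERR_WRONG_PUBKEY_ALGO;
    /* EC_POINT is a DER OCTET STRING (tag 0x04, short length) around the uncompressed 0x04 || X || Y. */
    if (ptlen < 3 || pt[0] != 0x04 || pt[1] != 1 + 2 * fb || ptlen != 2u + pt[1] || pt[2] != 0x04)
        return GPG_ERR_BAD_DATA;
    int n = snprintf(out, outlen, "(public-key (ecc (curve \"%s\") (q #", name);
    if (n < 0 || (size_t)n + 2 * pt[1] + 5 > outlen) return GPG_ERR_BAD_DATA;
    for (size_t i = 0; i < pt[1]; i++) sprintf(out + n + 2 * i, "%02X", pt[2 + i]);
    strcpy(out + n + 2 * pt[1], "#)))");
    return GPG_ERR_NO_ERROR;
}

struct token_obj { const unsigned char *params, *pt; size_t plen, ptlen; };
/* The thread's loop fix: skip key types that cannot be converted instead of aborting LEARN; abort on other errors. */
int learn_usable_keys(const struct token_obj *o, size_t count) {
    char sexp[600]; int usable = 0;
    for (size_t i = 0; i < count; i++) {
        int rc = ec_pubkey_to_sexp(o[i].params, o[i].plen, o[i].pt, o[i].ptlen, sexp, sizeof sexp);
        if (rc == GPG_ERR_WRONG_PUBKEY_ALGO) continue;  /* unsupported type: skip this object */
        if (rc != GPG_ERR_NO_ERROR) return -rc;         /* real failure: abort the LEARN */
        usable++;
    }
    return usable;  /* number of keys that were converted, or a negative error code */
}

/* Constructed sample token (dummy point bytes, not a real key): a P-384 object plus an unsupported P-521 one. */
int demo(void) {
    static const unsigned char oid384[] = {0x06,0x05,0x2b,0x81,0x04,0x00,0x22};
    static const unsigned char oid521[] = {0x06,0x05,0x2b,0x81,0x04,0x00,0x23};
    static const unsigned char pt[99] = {0x04, 0x61, 0x04, 0x01};  /* remaining bytes are zero */
    struct token_obj objs[] = {{oid384, pt, sizeof oid384, sizeof pt}, {oid521, pt, sizeof oid521, sizeof pt}};
    return learn_usable_keys(objs, 2);  /* 1: the P-384 key converts, the P-521 key is skipped */
}
```

A point whose DER length does not match the curve's field size is reported as a distinct error rather than skipped, so a malformed object still stops the loop the way Manon's patch stops on errors other than GPG_ERR_WRONG_PUBKEY_ALGO.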

alonbl commented 2 years ago

Should work with gnupg-pkcs11-scd-0.9.3

type4ranjan commented 2 years ago

Dear @alonbl, has EC key support been added to gnupg-pkcs11-scd-0.10.0?

type4ranjan commented 1 year ago

@alonbl Can you please confirm if EC Keys are supported for gnupg-pkcs11-scd-0.10.0?

alonbl commented 1 year ago

@alonbl Can you please confirm if EC Keys are supported for gnupg-pkcs11-scd-0.10.0?

I can confirm it does not support them. Patches are welcomed.

ulrichb commented 9 months ago

Although this issue is closed, EC keys are not yet supported in gnupg-pkcs11-scd. Correct?

alonbl commented 9 months ago

Correct.