jderuiter / javacard-openpgpcard

Java Card implementation of the OpenPGP smart card
GNU General Public License v2.0

gpg --card-status doesn't recreate private key stubs #5

Open hexum opened 6 years ago

hexum commented 6 years ago

Hello!

I can't find a way to recreate private key stubs with a new keyring. Steps I do:

What am I doing wrong? Is it an applet bug or is it a gpg bug?

gpg version: 2.2.1
openpgpcard version: cada19e

Thanks for any clues.

mkesper commented 6 years ago

Did you install scdaemon? It didn't work for me without doing so.

hexum commented 6 years ago

I'm using Gentoo Linux. GnuPG is built with the smartcard USE flag and scdaemon is located in the /usr/libexec dir. gpg --card-status looks pretty fine and I can even change card parameters and load keys. So, yes, scdaemon is here and it works.

mkesper commented 6 years ago

And did you import the corresponding public key?

hexum commented 6 years ago

I sure did. One more interesting thing is that moving private keys with gpg --edit-key keytocard does not replace the key with a stub on save. It can be a very subtle card communication error.

mkesper commented 6 years ago

Sorry, no idea then. ¯\_(ツ)_/¯

hexum commented 6 years ago

Thank you anyway =) BTW, what OpenPGP card are you using?

mkesper commented 6 years ago

I use the OpenPGP card from Free Software Foundation Europe. It's a Zeitcontrol 2.0.

jderuiter commented 6 years ago

It's been a while since I wrote this code, so it could very well be that gpg changed in the meantime. Part of the functionality was written purely using the specs as not everything was supported by gpg at that time. I'll try to see if I can reproduce the problems you're experiencing.

hexum commented 6 years ago

Thank you very much! I would like to do the troubleshooting by myself, but I'm new to gpg. Could you point to the possible reasons for the observed behavior?

jderuiter commented 6 years ago

I'm not sure what could be causing this issue. If gpg --card-status shows the keys correctly, I don't immediately expect a problem with the applet though. Could you maybe provide the exact commands you used?

hexum commented 6 years ago

My command listing:

Init key in empty gpg homedir.

killall gpg-agent  # needed to change its homedir
mkdir gpg1
cd gpg1
gpg --full-generate-key --expert --homedir .
# Key type: (8) RSA (set your own capabilities)
# Current allowed actions: Certify
# Key size: 4096
# Never expire
# Real name: test1
# Email: test1@test.com
# Comment is empty
# Empty password for private key

Create subkeys

gpg --expert --homedir . --key-edit test1@test.com
gpg> addkey
# (4) RSA (sign only)
# Key size: 2048
# Never expire
# Empty password for private key

gpg> addkey
# (6) RSA (encrypt only)
# Key size: 2048
# Never expire
# Empty password for private key

gpg> addkey
# (8) RSA (set your own capabilities)
# Current allowed actions: Authenticate
# Key size: 2048
# Never expire
# Empty password for private key

Move keys to card

# Moving first key to card
gpg> key 1
gpg> keytocard
# (1) Signature key
gpg> key 1

# Moving second key to card
gpg> key 2
gpg> keytocard
# (2) Encryption key
gpg> key 2

# Moving third key to card
gpg> key 3
gpg> keytocard
# (3) Authentication key

gpg> save

The save command MUST replace the private keys with stubs (according to the gpg docs), but the original keys are still there.

gpg -K --homedir . --keyid-format long
gpg: WARNING: unsafe permissions on homedir '/home/hexum/gpg1'
/home/hexum/gpg1/pubring.kbx
----------------------------
sec   rsa4096/D10ADD549188F73D 2017-12-01 [C]
      2C6A86EDCD5A6D4DEACAE811D10ADD549188F73D
uid                 [ultimate] test1 <test1@test.com>
ssb   rsa2048/8BB1B3F8D9CE4084 2017-12-01 [S]
ssb   rsa2048/30EECD8D9B1E04A9 2017-12-01 [E]
ssb   rsa2048/BACEA2FE6231C7E0 2017-12-01 [A]

Moving to a new dir

mkdir ../gpg2
gpg --homedir . --armor --export > ../gpg2/pubkeys
cd ../gpg2
gpg --homedir . --import pubkeys
killall gpg-agent  # needed to change its homedir

Check card status

gpg --card-status --homedir .
gpg: WARNING: unsafe permissions on homedir '/home/hexum/gpg2'

Reader ...........: Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: B14E 2B10 367A D76B 48F2  2065 8BB1 B3F8 D9CE 4084
      created ....: 2017-12-01 20:23:39
Encryption key....: F73F 7195 8FA1 C65C EC25  D902 30EE CD8D 9B1E 04A9
      created ....: 2017-12-01 20:23:57
Authentication key: A3EC FAA1 0BDA 05F5 5BDF  B414 BACE A2FE 6231 C7E0
      created ....: 2017-12-01 20:24:28
General key info..: sub  rsa2048/8BB1B3F8D9CE4084 2017-12-01 test1 <test1@test.com>
sec#  rsa4096/D10ADD549188F73D  created: 2017-12-01  expires: never
ssb#  rsa2048/8BB1B3F8D9CE4084  created: 2017-12-01  expires: never
ssb#  rsa2048/30EECD8D9B1E04A9  created: 2017-12-01  expires: never
ssb#  rsa2048/BACEA2FE6231C7E0  created: 2017-12-01  expires: never

No private keys and none of their stubs are available.

gpg -K --homedir .
gpg: WARNING: unsafe permissions on homedir '/home/hexum/gpg2'
# no more lines here

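The check hexum is doing by eye above (does the keyring still hold on-disk private material, or only stubs pointing at the card?) can be mechanized from `gpg -K --with-colons` output, where field 15 of a sec/ssb record is the token serial for a card-held key, `#` for a bare stub, and empty when the private key is still on disk. This is an added example, not code from the issue or from the applet; the sample records are constructed in that colon format using the key IDs and application ID shown in the thread.

```shell
#!/bin/sh
# Classify each sec/ssb record from `gpg -K --with-colons` by where its
# private material lives. Usage: gpg -K --with-colons | classify_secret_keys
classify_secret_keys() {
    # prints "<keyid> <status>" per secret key record read on stdin
    awk -F: '$1 == "sec" || $1 == "ssb" {
        if ($15 == "")       status = "on-disk"          # private key on disk
        else if ($15 == "#") status = "stub"             # stub, no card serial
        else                 status = "on-card:" $15     # stub with card serial
        print $5, status
    }'
}

# Constructed sample (not real gpg output): certify key kept as a stub,
# signature subkey moved to the card, encryption subkey still on disk.
SAMPLE_COLONS='sec:u:4096:1:D10ADD549188F73D:1512159000:::u:::cSC:::#:::23::0:
fpr:::::::::2C6A86EDCD5A6D4DEACAE811D10ADD549188F73D:
uid:u::::1512159000::0000000000000000000000000000000000000000::test1 <test1@test.com>::::::::::0:
ssb:u:2048:1:8BB1B3F8D9CE4084:1512159000::::::s:::D2760001240102000000000000010000:::23:
ssb:u:2048:1:30EECD8D9B1E04A9:1512159000::::::e::::::23:'

# Returns 0 only when no secret key in the given colon output is still on
# disk, i.e. keytocard followed by save really replaced every moved key.
all_moved_to_card() {
    ! printf '%s\n' "$1" | classify_secret_keys | grep -q ' on-disk$'
}

printf '%s\n' "$SAMPLE_COLONS" | classify_secret_keys
```

Run against the gpg1 homedir from the thread, a healthy result after `save` shows every moved subkey as `on-card:<serial>`; any `on-disk` line means the private key is still in the keyring.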
jderuiter commented 6 years ago

It seems that when importing keys the public key was not imported properly. gpg tries to retrieve the public key on the 'save' command and if this fails does not create the stubs. This should be fixed in ce9d525. Could you check whether this also solves your issues?

hexum commented 6 years ago

Tried ce9d525. Problem is reproducible.

hexum commented 6 years ago

It's an applet bug. ykneo-openpgp works as expected, but I do not want to use it.

jderuiter commented 6 years ago

Are the private keys still not replaced by templates after the save command for you? Could you run the PC/SC daemon in the foreground with APDU logging (pcscd -f -a) and post the output here? This output will contain the private keys that are sent to the card, so please only post this for test keys.