
Kleopatra: Transfer key to OpenPGP card uses encryption slot when writing sign+auth key to authentication slot
Closed, Resolved. Public

Description

If the capabilities of a subkey indicate that it's suitable for multiple slots of an OpenPGP card, then Kleopatra asks which slot to use. In case of a sign+auth subkey, it offers the Signature key slot (OPENPGP.1) and the Authentication key slot (OPENPGP.3). The Encryption key slot (OPENPGP.2) is not offered.

Erroneously, Kleopatra then uses the (1-based) index of the selected slot (i.e. 2 if the Authentication key slot is chosen by the user in the above example) as the slot to write the key to. In the example, that would be the Encryption key slot OPENPGP.2. If the card slot already contains a key, then an attentive user will notice that Kleopatra asks whether the existing encryption key should be overwritten. Additionally, the note "It will no longer be possible to decrypt past communication encrypted for the existing key." should raise the alarm if one tries to copy an authentication key to a smart card. It's still a serious bug that could lead to the loss of an encryption key.
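The off-by-one described above, shown as an added illustration that is not Kleopatra's code: the slot table, the capability flags and the function names are assumptions made for this example. The buggy mapping uses the 1-based position in the offered list as the card slot number; the fixed mapping looks up the slot that was actually offered at that position, and a capability check refuses a target slot the subkey cannot serve before anything on the card is overwritten.

```cpp
#include <string>
#include <vector>

// Capabilities of an OpenPGP subkey (constructed flags for this example).
enum Capability : unsigned { Sign = 1, Encrypt = 2, Authenticate = 4 };

// The three key slots of an OpenPGP card and the capability each one serves.
struct CardSlot {
    int number;             // 1, 2, 3 -> OPENPGP.1, OPENPGP.2, OPENPGP.3
    std::string name;
    Capability capability;
};

static const std::vector<CardSlot> kCardSlots = {
    {1, "Signature key", Sign},
    {2, "Encryption key", Encrypt},
    {3, "Authentication key", Authenticate},
};

// Slots offered to the user: only those whose capability the subkey has.
// For a sign+auth subkey this yields OPENPGP.1 and OPENPGP.3, not OPENPGP.2.
std::vector<CardSlot> offeredSlots(unsigned subkeyCaps) {
    std::vector<CardSlot> out;
    for (const auto& s : kCardSlots)
        if (subkeyCaps & s.capability) out.push_back(s);
    return out;
}

// Buggy mapping: the 1-based position in the *offered* list is taken as the
// card slot number. Choosing the second offered entry (Authentication) gives 2,
// i.e. the encryption slot.
int buggyTargetSlot(const std::vector<CardSlot>& offered, int choice1Based) {
    (void)offered;          // the offered list is never consulted; that is the bug
    return choice1Based;
}

// Fixed mapping: resolve the position to the slot that was actually offered there.
int fixedTargetSlot(const std::vector<CardSlot>& offered, int choice1Based) {
    return offered.at(choice1Based - 1).number;
}

// Guard before overwriting a card slot: the target slot must serve a
// capability the subkey actually has, otherwise the transfer is refused.
bool slotMatchesSubkey(int slotNumber, unsigned subkeyCaps) {
    for (const auto& s : kCardSlots)
        if (s.number == slotNumber) return (subkeyCaps & s.capability) != 0;
    return false;
}
```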

Event Timeline

ikloecker triaged this task as High priority.
ikloecker created this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker changed the task status from Open to Testing. Nov 23 2022, 1:56 PM
ikloecker removed ikloecker as the assignee of this task.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

Fixed.

To test this you need a key with a subkey (including the primary key) that is marked for signing and authentication, but not for encryption. Open the Subkey dialog, insert an OpenPGP smart card, right-click this subkey and select Transfer to card. Select the Authentication slot when you are asked which card slot the key should be written to.

Expected result: When the key has been copied to the smart card, it is shown as the Authentication key of the smart card.

ebo claimed this task.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ebo added a subscriber: ebo.

works