
Cannot add subkeys to key stored on card
Closed, Resolved (Public)

Description

Trying to reproduce T3187 I noticed that I cannot add a subkey to a key with the primary key residing on the card:

sec  rsa2048/3E56B63B8CC487F8
     created: 2017-07-17  expires: 2018-07-17  usage: C   
     card-no: 0006 04250529
     trust: ultimate      validity: ultimate
[ultimate] (1). cert on card <cert-on-card@example.org>

gpg> addkey
Secret parts of primary key are stored on-card.
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Tue 17 Jul 2018 12:15:19 PM CEST
Is this correct? (y/N) y
Really create? (y/N) y
gpg: Key generation failed: Not implemented

gpg>

The log reveals:

5 - 12:15:11 gpg-agent[2621]: DBG: chan_10 <- HAVEKEY F143C29C748EB826478472CC24115DE57D42EAA8
5 - 12:15:11 gpg-agent[2621]: DBG: chan_10 -> OK
5 - 12:15:11 gpg-agent[2621]: DBG: chan_10 <- KEYINFO F143C29C748EB826478472CC24115DE57D42EAA8
5 - 12:15:11 gpg-agent[2621]: DBG: chan_10 -> S KEYINFO F143C29C748EB826478472CC24115DE57D42EAA8 T D2760001240102010006042505290000 OPENPGP.1 - - - - -
5 - 12:15:11 gpg-agent[2621]: DBG: chan_10 -> OK
5 - 12:15:13 gpg-agent[2621]: DBG: chan_10 <- KEYINFO F143C29C748EB826478472CC24115DE57D42EAA8
5 - 12:15:13 gpg-agent[2621]: DBG: chan_10 -> S KEYINFO F143C29C748EB826478472CC24115DE57D42EAA8 T D2760001240102010006042505290000 OPENPGP.1 - - - - -
5 - 12:15:13 gpg-agent[2621]: DBG: chan_10 -> OK
5 - 12:15:20 gpg-agent[2621]: DBG: chan_10 <- SETKEYDESC Please+enter+the+passphrase+to+unlock+the+OpenPGP+secret+key:%0A%22cert+on+card+<cert-on-card@example.org>%22%0A2048-bit+RSA+key,+ID+3E56B63B8CC487F8,%0Acreated+2017-07-17.%0A
5 - 12:15:20 gpg-agent[2621]: DBG: chan_10 -> OK
5 - 12:15:20 gpg-agent[2621]: DBG: chan_10 <- PASSWD  --verify F143C29C748EB826478472CC24115DE57D42EAA8
5 - 12:15:20 gpg-agent[2621]: changing a smartcard PIN is not yet supported
5 - 12:15:20 gpg-agent[2621]: command 'PASSWD' failed: Not implemented
5 - 12:15:20 gpg-agent[2621]: DBG: chan_10 -> ERR 67108933 Not implemented <GPG Agent>

Event Timeline

Hello.
I am having the same problem with my Yubikey v4.

I am able to run all other operations with my Yubikey, such as signing keys, creating revocation certificates, and authenticating using gpg-agent and ssh.
The only thing I am not able to do is to create subkeys with my primary key on the Yubikey.

$ gpg2 --version
gpg (GnuPG) 2.2.1
libgcrypt 1.7.8
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/frey/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
werner raised the priority of this task from Wishlist to High.
werner removed projects: gpgagent, scd.
werner added a subscriber: werner.

This comment in the gpg code is relevant for the bug:

/* Verify the passphrase now so that we get a cache item for the
 * primary key passphrase.  The agent also returns a passphrase
 * nonce, which we can use to set the passphrase for the subkey to
 * that of the primary key.  */

We do a "PASSWD --verify" request to the agent to achieve this. However, PASSWD can't be used for smartcards, and thus the key generation fails. That is obviously wrong, and the solution is to take the error response as an indication that the key is on a smartcard and we need to skip that caching.

Well, we could of course also add code to gpg-agent to verify the card key, but the fix I just pushed fixes the problem more easily. If we ever want to implement PASSWD --verify for card keys (which has a couple of side effects) this patch won't be in the way.

Will go into 2.2.2.
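As an added illustration (this is not GnuPG's own code and not part of the task discussion), the following Python mocks the gpg-agent side of the exchange shown in the log above and the client-side handling described in the previous comment: HAVEKEY, KEYINFO, SETKEYDESC and then PASSWD --verify, which the 2.2.1 agent rejects for a card key. The MockAgent class, the second (disk) keygrip and its dash-filled KEYINFO fields are constructed for the example; the error-code layout follows libgpg-error (source 4 is gpg-agent, code 69 is Not implemented, which is how the logged 67108933 decodes), and the KEYINFO storage type 'T' is read as "stored on a token" as the log implies.

```python
from urllib.parse import unquote

# libgpg-error packs the error source into bits 24..30 and the code into
# bits 0..15; "ERR 67108933" in the log is source 4 (gpg-agent), code 69.
GPG_ERR_SOURCE_SHIFT = 24
GPG_ERR_SOURCE_MASK = 127
GPG_ERR_CODE_MASK = (1 << 16) - 1
GPG_ERR_SOURCE_GPGAGENT = 4
GPG_ERR_NO_SECKEY = 17
GPG_ERR_NOT_IMPLEMENTED = 69


def make_gpg_error(source, code):
    return (source << GPG_ERR_SOURCE_SHIFT) | code


def split_gpg_error(err):
    """Return (source, code) for a numeric libgpg-error value."""
    return (err >> GPG_ERR_SOURCE_SHIFT) & GPG_ERR_SOURCE_MASK, err & GPG_ERR_CODE_MASK


def assuan_escape(text):
    """Percent-plus escaping as seen in the SETKEYDESC line of the log:
    space becomes '+', while '%', '+', '"' and control characters become %XX."""
    out = []
    for ch in text:
        if ch == " ":
            out.append("+")
        elif ch in '%+"' or ord(ch) < 0x20:
            out.append("%%%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def assuan_unescape(text):
    return unquote(text.replace("+", " "))


class KeyGenFailed(Exception):
    pass


class MockAgent:
    """Constructed stand-in for gpg-agent 2.2.1 covering only the commands in
    the log. KEYINFO type 'T' means the key lives on a token (card), 'D' a
    key file on disk. The disk keygrip is made up for the example."""

    def __init__(self):
        self.keys = {
            "F143C29C748EB826478472CC24115DE57D42EAA8":
                ("T", "D2760001240102010006042505290000", "OPENPGP.1"),
            "0123456789ABCDEF0123456789ABCDEF01234567": ("D", "-", "-"),
        }
        self.cached = set()       # keygrips whose passphrase is now cached
        self.transcript = []      # "<- request" / "-> reply" lines, like the log

    def request(self, line):
        self.transcript.append("<- " + line)
        replies = self._handle(line)
        self.transcript.extend("-> " + r for r in replies)
        return replies

    def _err(self, code, msg):
        return "ERR %d %s <GPG Agent>" % (make_gpg_error(GPG_ERR_SOURCE_GPGAGENT, code), msg)

    def _handle(self, line):
        cmd, _, args = line.partition(" ")
        if cmd == "HAVEKEY":
            return ["OK"] if args in self.keys else [self._err(GPG_ERR_NO_SECKEY, "No secret key")]
        if cmd == "KEYINFO":
            ktype, serial, idstr = self.keys[args]
            return ["S KEYINFO %s %s %s %s - - - - -" % (args, ktype, serial, idstr), "OK"]
        if cmd == "SETKEYDESC":
            self.last_desc = assuan_unescape(args)
            return ["OK"]
        if cmd == "PASSWD":
            grip = args.split()[-1]
            if self.keys[grip][0] == "T":
                # 2.2.1 agent: "changing a smartcard PIN is not yet supported"
                return [self._err(GPG_ERR_NOT_IMPLEMENTED, "Not implemented")]
            self.cached.add(grip)
            return ["OK"]
        raise ValueError("mock does not implement " + cmd)


def prepare_primary_for_addkey(agent, grip, desc, fixed=True):
    """Mirror what gpg does before generating a subkey: confirm the agent has
    the primary key, ask where it lives, then try to get its passphrase cached
    with PASSWD --verify. fixed=False reproduces 2.2.1, where the agent's error
    aborts key generation; fixed=True treats Not-implemented on a card key as
    'nothing to cache' and carries on, as described in the comment above."""
    if agent.request("HAVEKEY " + grip)[-1] != "OK":
        raise KeyGenFailed("Key generation failed: No secret key")
    status = [l for l in agent.request("KEYINFO " + grip) if l.startswith("S KEYINFO ")]
    on_card = status[0].split()[3] == "T"
    agent.request("SETKEYDESC " + assuan_escape(desc))
    reply = agent.request("PASSWD --verify " + grip)[-1]
    if reply == "OK":
        return {"on_card": on_card, "passphrase_cached": True}
    _, code = split_gpg_error(int(reply.split()[1]))
    if fixed and on_card and code == GPG_ERR_NOT_IMPLEMENTED:
        # The card guards the key with its PIN; there is no agent-side
        # passphrase to cache, so skip that step and let key generation go on.
        return {"on_card": True, "passphrase_cached": False}
    raise KeyGenFailed("Key generation failed: " + reply.split(" ", 2)[2].split(" <")[0])
```

With fixed=False the mock reproduces the "Key generation failed: Not implemented" outcome from the description, and its transcript contains the same KEYINFO and ERR lines as the log; with fixed=True the card key is reported as on_card with no cached passphrase, while a disk key still goes through the normal PASSWD --verify caching path.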

Verified that the fix works, I can create subkeys now.