
Errors during on-card key generation make keys unusable
Closed, Resolved, Public

Description

Release: GnuPG 1.4.0

Environment

AMD 2800+
FreeBSD 5.3.0 Release
Gemplus GCR415 smart card reader
G10.code OpenPGP Card

Description

Errors are occurring during the on-card key generation process. The resulting keys are not usable.

gpg: please wait while key is being generated ...
gpg: key generation completed (26 seconds)
gpg: signing failed: wrong secret key used
gpg: make_keysig_packet failed: wrong secret key used
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (20 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (14 seconds)
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: key 41ADB9DD marked as ultimately trusted
public and secret key created and signed.

How To Repeat

bash-2.05b$ gpg --card-edit
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information

gpg: detected reader `GemPC410 0 0'
Application ID ...: D2760001240101000001000000110000
Version ..........: 1.0
Manufacturer .....: PPC Card Systems
Serial number ....: 00000011
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Max. PIN lengths .: 254 254 254
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 6F61 422F F950 173D 46F2 17D4 51FF D2A7 B4D0 9EF9
Encryption key....: 24BA 7364 DE14 4C4D C911 BBA6 CBE9 1A7D 6E7E 49F9
Authentication key: 5E74 FC83 8A12 8111 78F9 6BB4 B9C8 7460 32A1 539C
General key info..: [none]

Command> admin
Admin commands are allowed

Command> generate
Make off-card backup of encryption key? (Y/n) n

gpg: NOTE: keys are already stored on the card!

Replace existing keys? (y/N) y
gpg: DBG: asking for PIN 'PIN'

PIN
Please specify how long the key should be valid.

   0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years

Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:

"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: ONCARD-NOBACKUP
Email address:
Comment:
You selected this USER-ID:

"ONCARD-NOBACKUP"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: existing key will be replaced
gpg: 3 Admin PIN attempts remaining before card is permanently locked
gpg: DBG: asking for PIN '|A|Admin PIN'

Admin PIN
gpg: please wait while key is being generated ...
gpg: key generation completed (26 seconds)
gpg: signing failed: wrong secret key used
gpg: make_keysig_packet failed: wrong secret key used
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (20 seconds)
gpg: signatures created so far: 0
gpg: signatures created so far: 0
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (14 seconds)
gpg: signatures created so far: 2
gpg: signatures created so far: 2
gpg: key 41ADB9DD marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/41ADB9DD 2005-01-09

Key fingerprint = 7815 7459 657E 29C6 B2DA  D89C C9C9 D516 41AD B9DD

uid ONCARD-NOBACKUP
sub 1024R/4D07C21C 2005-01-09
sub 1024R/504D2B68 2005-01-09

Command> toggle

Invalid command (try "help")

Command> help
quit quit this menu
admin show admin commands
help show this help
list list all available data
name change card holder's name
url change URL to retrieve key
fetch fetch the key specified in the card URL
login change the login name
lang change the language preferences
sex change card holder's sex
cafpr change a CA fingerprint
forcesig toggle the signature force PIN flag
generate generate new keys
passwd menu to change or unblock the PIN

Command> q
bash-2.05b$ gpg --edit-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
usage: gpg [options] --edit-key user-id [commands]
bash-2.05b$ gpg --edit-key ONCARD
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Secret key is available.

pub 1024R/41ADB9DD created: 2005-01-09 expires: never usage: CSEA

trust: ultimate      validity: ultimate

sub 1024R/4D07C21C created: 2005-01-09 expires: never usage: E
sub 1024R/504D2B68 created: 2005-01-09 expires: never usage: A
[ultimate] (1). ONCARD-NOBACKUP

Command> toggle

sec 1024R/41ADB9DD created: 2005-01-09 expires: never

card-no: 0001 000000F4

ssb 1024R/4D07C21C created: 2005-01-09 expires: never

card-no: 0001 000000F4

ssb 1024R/504D2B68 created: 2005-01-09 expires: never

card-no: 0001 000000F4

(1) ONCARD-NOBACKUP

Command> q
bash-2.05b$ gpg -e -r ONCARD-NOBACKUP test4.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: ONCARD-NOBACKUP: skipped: unusable public key
gpg: test4.txt: encryption failed: unusable public key
bash-2.05b$

Fix

Do not use on-card key gen (less secure?)
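In the transcript above, gpg ends with "public and secret key created and signed." even though the self-signature step reported an error, and the key only shows up as unusable at encryption time. The following is an added example, not part of the original report or of GnuPG: a log audit that classifies a captured key-generation transcript by its error lines instead of its final banner. The names `audit_keygen_log` and `KeygenAudit` are hypothetical, and the sample log is an excerpt constructed from the lines quoted in this report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the gpg 1.4.0 output quoted in this report.
SAMPLE_LOG = """\
gpg: please wait while key is being generated ...
gpg: key generation completed (26 seconds)
gpg: signing failed: wrong secret key used
gpg: make_keysig_packet failed: wrong secret key used
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (20 seconds)
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (14 seconds)
gpg: key 41ADB9DD marked as ultimately trusted
public and secret key created and signed.
gpg: ONCARD-NOBACKUP: skipped: unusable public key
"""

# Assumption: any gpg line containing one of these words signals a failed step.
FAILURE = re.compile(r"^gpg: (.*(?:failed|unusable|skipped).*)$")
GENERATED = re.compile(r"^gpg: key generation completed \((\d+) seconds\)$")
SUCCESS_BANNER = "public and secret key created and signed."

@dataclass
class KeygenAudit:
    generated: int = 0                            # one per key slot on the card
    failures: list = field(default_factory=list)  # (line number, message)
    banner_seen: bool = False

    @property
    def verdict(self):
        if self.failures and self.banner_seen:
            return "FAILED-DESPITE-SUCCESS-BANNER"
        if self.failures:
            return "FAILED"
        return "OK" if self.banner_seen else "INCOMPLETE"

def audit_keygen_log(text):
    """Classify a captured gpg key-generation transcript by its error lines."""
    audit = KeygenAudit()
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if GENERATED.match(line):
            audit.generated += 1
        elif (m := FAILURE.match(line)):
            audit.failures.append((number, m.group(1)))
        elif line == SUCCESS_BANNER:
            audit.banner_seen = True
    return audit
```
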

Event Timeline

This is a caching problem introduced on 2004-09-27. It has
now been fixed in the CVS.

Dany, can you confirm that it has been fixed in 1.4.1rc2?

BTW, we won't be able to fix all card related stuff in 1.4.1, we need to add a few new features in 1.4.2 anyway. For example to solve the cooperation problem between scdaemon using the card as well as gpg 1.4.x.

From: Dany Nativel <dany@natzo.com>
To: bugs@trithemius.gnupg.org
Cc: gnupg-hackers@gnupg.org, gnats-admin@trithemius.gnupg.org, wk@gnupg.org
Subject: Re: gnupg/399
Date: Thu, 10 Mar 2005 21:53:20 +0100

I thought that was linked to the pcsc driver. If you recall I also had
issues with the CCID one and you mentioned you may have a track to
solve the R-block error. Any code you want me to test?

Dany

wk@gnupg.org wrote:

Synopsis: Errors during on-card key generation make keys unusable

  • Comment added by werner on Mon, 07 Mar 2005 18:53:34 +0100 ****

Dany, can you confirm that it has been fixed in 1.4.1rc2?

BTW, we won't be able to fix all card related stuff in 1.4.1, we need to
add a few new features in 1.4.2 anyway. For example to solve the
cooperation problem between scdaemon using the card as well as gpg 1.4.x.


Those reader-related bugs are now fixed in 1.42rc1