Release: 1.4.0
Environment
Win2K and FreeBSD 5.3
SCM SCR331 CCID SmartCard reader (latest firmware) and Gemplus GRC415
OpenPGP SmartCard
Description
Assume that I have my primary signing key (RSA1024) as well as an encryption subkey (RSA1024) stored on an OpenPGP card (stub in my local keyring). If I just add an additional encryption subkey (RSA1024) to my local keyring, then encrypting a file with this new subkey leads to a "pass-free" encrypted file, where in fact no passphrase is required (but the file looks encrypted)!
How To Repeat
bash-2.05b$ gpg --gen-key
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details.
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: TESTNUMBER4
Email address:
Comment:
You selected this USER-ID:
"TESTNUMBER4"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
.+++++
+++++
gpg: key 3186D0DD marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 1024R/3186D0DD 2005-01-09
Key fingerprint = 8422 DA92 7A7F 6BAB 608F D3AF 6E35 E902 3186 D0DD
uid TESTNUMBER4
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a secondary key for this purpose.
bash-2.05b$ gpg --edit-key TESTNUMBER4
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Secret key is available.
pub 1024R/3186D0DD created: 2005-01-09 expires: never usage: CS
trust: ultimate validity: ultimate
[ultimate] (1). TESTNUMBER4
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "TESTNUMBER4"
1024-bit RSA key, ID 3186D0DD, created 2005-01-09
Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
+++++
+++++
pub 1024R/3186D0DD created: 2005-01-09 expires: never usage: CS
trust: ultimate validity: ultimate
sub 1024R/7FFB5067 created: 2005-01-09 expires: never usage: E
[ultimate] (1). TESTNUMBER4
Command> toggle
sec 1024R/3186D0DD created: 2005-01-09 expires: never
ssb 1024R/7FFB5067 created: 2005-01-09 expires: never
(1) TESTNUMBER4
Command> keytocard
Really move the primary key? (y/N) y
gpg: detected reader `GemPC410 0 0'
Signature key ....: 7815 7459 657E 29C6 B2DA D89C C9C9 D516 41AD B9DD
Encryption key....: 0D13 FC30 F6D4 127C 5E9C 481C 7B1E 9420 4D07 C21C
Authentication key: 7CBB 67EA 4845 9535 4F3A F188 61A6 A1A2 504D 2B68
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
You need a passphrase to unlock the secret key for
user: "TESTNUMBER4"
1024-bit RSA key, ID 3186D0DD, created 2005-01-09
gpg: 3 Admin PIN attempts remaining before card is permanently locked
gpg: DBG: asking for PIN '|A|Admin PIN'
Admin PIN
sec 1024R/3186D0DD created: 2005-01-09 expires: never
card-no: 0001 000000F4
ssb 1024R/7FFB5067 created: 2005-01-09 expires: never
(1) TESTNUMBER4
Command> key 1
sec 1024R/3186D0DD created: 2005-01-09 expires: never
card-no: 0001 000000F4
ssb* 1024R/7FFB5067 created: 2005-01-09 expires: never
(1) TESTNUMBER4
Command> keytocard
Signature key ....: 8422 DA92 7A7F 6BAB 608F D3AF 6E35 E902 3186 D0DD
Encryption key....: 0D13 FC30 F6D4 127C 5E9C 481C 7B1E 9420 4D07 C21C
Authentication key: 7CBB 67EA 4845 9535 4F3A F188 61A6 A1A2 504D 2B68
Please select where to store the key:
(2) Encryption key
Your selection? 2
gpg: WARNING: such a key has already been stored on the card!
Replace existing key? (y/N) y
You need a passphrase to unlock the secret key for
user: "[User ID not found]"
sec 1024R/3186D0DD created: 2005-01-09 expires: never
card-no: 0001 000000F4
ssb* 1024R/7FFB5067 created: 2005-01-09 expires: never
card-no: 0001 000000F4
(1) TESTNUMBER4
Command> q
Save changes? (y/N) y
bash-2.05b$ gpg -e -r TESTNUMBER4 test.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
bash-2.05b$ gpg -d test.txt.gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: detected reader `GemPC410 0 0'
gpg: DBG: asking for PIN 'PIN'
PIN
gpg: encrypted with 1024-bit RSA key, ID 7FFB5067, created 2005-01-09
"TESTNUMBER4"
a test
bash-2.05b$ gpg --edit-key TESTNUMBER4
gpg (GnuPG) 1.4.0; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Secret key is available.
pub 1024R/3186D0DD created: 2005-01-09 expires: never usage: CS
trust: ultimate validity: ultimate
sub 1024R/7FFB5067 created: 2005-01-09 expires: never usage: E
[ultimate] (1). TESTNUMBER4
Command> addkey
Key is protected.
Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
   0 = key does not expire
   <n> = key expires in n days
   <n>w = key expires in n weeks
   <n>m = key expires in n months
   <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++
.....+++++
gpg: detected reader `GemPC410 0 0'
gpg: signatures created so far: 0
gpg: DBG: asking for PIN 'PIN [sigs done: 0]'
PIN [sigs done: 0]
gpg: signatures created so far: 0
pub 1024R/3186D0DD created: 2005-01-09 expires: never usage: CS
trust: ultimate validity: ultimate
sub 1024R/7FFB5067 created: 2005-01-09 expires: never usage: E
sub 1024R/012BAB53 created: 2005-01-09 expires: never usage: E
[ultimate] (1). TESTNUMBER4
Command> q
Save changes? (y/N) y
bash-2.05b$ gpg -e -r 0x012BAB53 test.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
File `test.txt.gpg' exists. Overwrite? (y/N) y
bash-2.05b$ gpg -d test.txt.gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: encrypted with 1024-bit RSA key, ID 012BAB53, created 2005-01-09
"TESTNUMBER4"
a test
Fix
Unknown
Release Note
Fixed in CVS.
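
A defender-side check for the condition this report describes, as an added example that is not part of the original report or of GnuPG's code: it walks a binary secret-key export (for instance from `gpg --export-secret-keys`) and reports whether each secret key or subkey packet is a card stub, passphrase-protected, or stored in clear. The sample bytes and the `mpi`/`make_key` helpers are constructed for illustration, and that the added subkey was written with S2K usage octet 0 is an assumption drawn from the missing passphrase prompt.

```python
PUB_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # public MPIs: RSA, Elgamal, DSA

def packets(data):
    """Yield (tag, body) per OpenPGP packet (partial lengths not handled)."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if hdr & 0x40:                          # new-format header
            tag, n = hdr & 0x3F, data[i]; i += 1
            if 192 <= n < 224:                  # two-octet length
                n = ((n - 192) << 8) + data[i] + 192; i += 1
            elif n == 255:                      # five-octet length
                n = int.from_bytes(data[i:i + 4], "big"); i += 4
            elif n >= 224:
                raise ValueError("partial body length")
        else:                                   # old-format header
            tag, lt = (hdr >> 2) & 0x0F, hdr & 3
            if lt == 3:
                raise ValueError("indeterminate length")
            n = int.from_bytes(data[i:i + (1 << lt)], "big"); i += 1 << lt
        yield tag, data[i:i + n]; i += n

def protection(body):
    """Classify a v4 secret (sub)key packet by its S2K usage octet."""
    if body[0] != 4:
        raise ValueError("only v4 key packets handled")
    pos = 6                                     # version, created, algorithm
    for _ in range(PUB_MPIS[body[5]]):          # skip the public MPIs
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    usage = body[pos]
    if usage == 0:
        return "UNPROTECTED"                    # secret MPIs stored in clear
    if usage in (254, 255) and body[pos + 2] == 101 and body[pos + 4:pos + 7] == b"GNU":
        return {1: "no-secret stub", 2: "card stub"}.get(body[pos + 7], "gnu-ext")
    return "passphrase-protected"

def audit(keyring):
    """Return [(kind, protection)] for secret key (5) and subkey (7) packets."""
    return [({5: "sec", 7: "ssb"}[t], protection(b))
            for t, b in packets(keyring) if t in (5, 7)]

# Constructed sample mirroring the report: card primary and subkey, then a new subkey.
def mpi(v):
    return v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")
def make_key(tag, secret):                      # old-format header, 1-octet length
    body = b"\x04\x00\x00\x00\x01\x01" + mpi(0xC5) + mpi(0x11) + secret
    return bytes([0x80 | tag << 2, len(body)]) + body
CARD = b"\xff\x00\x65\x02GNU\x02\x04TEST"       # GNU S2K mode 1002, dummy serial
CLEAR = b"\x00" + mpi(0x1D) + b"\x00\x22"       # usage 0, toy secret MPI + checksum
SAMPLE = make_key(5, CARD) + b"\xb4\x0bTESTNUMBER4" + make_key(7, CARD) + make_key(7, CLEAR)
print(audit(SAMPLE))
```

Any `UNPROTECTED` entry next to card stubs is the state to flag; re-protecting that subkey with a passphrase or moving it to a card removes it.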