Page MenuHome GnuPG
Create Task
Maniphest T4892

gpgsm --gen-key with existing key from "ssh-add" fails
Open, LowPublic
Actions

Description

with a fresh GNUPGHOME, and gpg-agent acting as ssh-agent:

ssh-keygen -f ssh-key -N ''
ssh-add ssh-key
gpgsm --gen-key

then choose "existing key" and select the keygrip found in sshcontrol. The result is:

Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 0B4329C87AD80CDCCA1D04C9F0B4FE11378A6F74
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=Alice
    Name-Email: alice@example.biz

Proceed with creation? (y/N) y
Now creating self-signed certificate.  This may take a while ...
gpgsm: error setting the public key: Invalid S-expression
gpgsm: error creating certificate request: Invalid S-expression <KSBA>

note that the key created by ssh-key is 3072-bit RSA, not 1024.

Using nettle-bin's sexp-conv, i see:

2 dkg@alice:/tmp/cdtemp.6ckvQX$ sexp-conv < private-keys-v1.d/A61AD73FB26752B4DAB90F007E6F76467659A19B.key 
(protected-private-key (rsa (n |AL3C+/cNPCsJ+xKZXOG/u+f1eGM/VsMA7Gs7y1w/
                                ki3y7fXeVCgV8KXaVQq/4ylfR04aXj3gsrmSDHYX
                                KYBo69OoGx8tLhhi20ugMAc1qlRuMgmQZDjYGc8U
                                m4ftOpwKoyKolfPV+PayoXQF0G7aeTC9+kmXxLfv
                                ZD5DL8UWx/nFTly+5LctlQGshN1+1AZ6U9f4qdRi
                                by2RpiMa7gdVD1M41RVm+Q2KoMYCs4WMeFgV4+Kj
                                vxU32O8lLMQ+RpB6Z7Ra/756FeXyATrY7Q2hTGAd
                                9V9X+vxupsX5MROlg1OfsSRClHVpK1kjiauM+0Zl
                                oxXEBorRn+qZ51SrimXBaYlAri0zBw0HWg/cc1Xx
                                pbxWqPrWh5rRrC+wukDG1XiM5LZdWBrZJiT0nYxZ
                                hzczd9jgjj45XpvcrgK6uiXUWpYPpyjCRAVP/sW1
                                ZVcm4x8RyYjuvwjh/vKg4F7kludEctnyavQI0utY
                                62nwESLUuQhKgNvN23Th20iVXGMWOik1GQ==|)
                            (e |AQAB|)
                            (protected openpgp-s2k3-sha1-aes-cbc
                                       ((sha1 |aFmt6IeekIM=|
                                              "72943616") |cT9DP9U3fOSXE
                                                           elRUvQW1Q==|)
                                       |2BrkPE2deaC3tf+d5rwG2x8QGdilAh+Z
                                        WOoHa/KVlZhvBBIFCfA8g12DamARZTZd
                                        MYIKcjIMDNTlj3I/xJZayzWcm5XliA0O
                                        WqvZJnedJWvjanHLWIu4z5ik+T85fL7E
                                        24/4nrQhTaTFtYo27cgdFgvGxeXbZx9f
                                        VCAhF/Kf12NHDkVEI3qMRBFNd0ofGeTq
                                        4xMtnGd0OfbSG2V51iK0GaexmW4ySkyt
                                        LYpyfMK4Tx/AdwZQAUacJqSs1/ZkoB+R
                                        hTAhW/EsWjHCYeuESZYizUZSuTX9vsGq
                                        If/bVZctTkGQ8jG0qjSpDY9qc8Kjf1wH
                                        ejN1L3qAvXwhDk1bSY+M5XuZ3WgYJgM5
                                        1XL02xQnJl4Eq60lfO9wkRqZEe56PcF+
                                        N4jpNwHcNAHHp58aROm9hsl7u3txAAu2
                                        4d59iGbzkZZFC+3EkC8AxHvhpMCN2vnL
                                        BH/3+THthzcJp4MA8GI5sGsjunHDesT4
                                        LYifUnk99+5bFeCtnnPCNc9kTUDWR0lY
                                        uGYJlmT7frIN+B2EYfaLvlVDlEkoUkM3
                                        aNP8OyViQpQEoLqpTI73/pDMMqOgJWPv
                                        9OgdPk21Ns0/MrKbHxnvKV1Kt7YOZiRI
                                        e7eHjs5PKp2Dk2KxDggwh4B+49o1N+4q
                                        ne/pizT8xNv0kfHaqFj6kfGSA2xevBUK
                                        tLUFvrtenTLV/WtuiLiB56xdG2rDPrmO
                                        VPyzw9B1j2AV2DEfQI6co88rUHO8pLVK
                                        FFqy5nMFnekUrqLITwmSZFPYW24Cf9os
                                        mpeZS/NXfbWITXY+A57mD4l5HGxq3+fu
                                        E5yYNaYoBYkWHTiYDZjdDU5XzU+XoO9A
                                        nFPYrP505dI5aN9QkOdH8HUFp7Qc+6za
                                        j/2MwrULF1BwzT8Lk+Zi6tKE1/K7jH1G
                                        kF5mDjvIfdJktcZU6pLzfIhLHG/egvzy
                                        dzliIDdS72mvsv9l5bWwxqhRNehXn43D
                                        lbSo8mGl1J70EXlXOlXaXnbW8tthlV9c
                                        IXUR1LLHsY5tXuw2UU+aAzlHDxWWlO58
                                        3UPhPUR+ESZCJ3c7uG1MPsIcphAOUVp1
                                        AuqIwYEA77mBvHMjHO1nW+7AS+vyNMOK
                                        iYCnHFZbvDCWHW+8VotsHwSc/8amILBy
                                        AESAbZllfu6nNYNOf4ai2BScUZPu3jNx
                                        /AhWiEK5Vqgv6xWrEi6Xx7/eTR0HhzXE
                                        U0/s5yfl7Rh9ax+2xWz00VEo5l2xHASX
                                        WDGTuhjREufMCgVwccxlMWMVLHiabYi8
                                        rKCtWDJp6c/DgSbGNz6Jy1IL40LPqjaJ
                                        viMmbQKnhmycMyCm+rVcKacVL1a9bYnZ
                                        yqrOplQm4DThEGPSVXn36W+8uSfgosJI
                                        ENvoCme0XnpozjnK5fBI3l1mLFcSvBtp
                                        7RG57f5s/MPNb+5MvrgPSM5xEoeXgyfC|)
                            (protected-at "20200326T010201"))
                       (comment "test@host"))

Details

Version
2.2.20

Revisions and Commits

rK libksba
rK1e903fe558bd Allow optional elements in keyinfo objects.

Related Objects

Event Timeline

dkg created this task.Mar 26 2020, 2:05 AM
werner closed this task as Wontfix.Mar 26 2020, 10:27 AM
werner claimed this task.
werner removed projects: gnupg (gpg22), Bug Report.
werner added a subscriber: werner.

Please use the mailing list for help on generating keys. I would also suggest to use GnuPG master for such experiments.

dkg added a comment.Mar 26 2020, 3:24 PM

OK, i've asked on gnupg-devel.

FWIW, I didn't do this "experiment", it was reported by a user on the #gnupg IRC channel on freenode, who appears to have been trying to use the documented interfaces to gpgsm and gpg-agent.

I'm disappointed by the "wontfix" tag here -- was there some step of the process described above that is a mistake somehow, or is counterindicated? If so, it would be great to document what that mistake is.

werner added a comment.Mar 30 2020, 5:00 PM

The problem was the comment field which was not expected in an rsa key. However ist makes sense to allow additional fields and thus I pushed a change to Libksba.

werner added a commit: rK1e903fe558bd: Allow optional elements in keyinfo objects..Mar 30 2020, 5:32 PM
dkg reopened this task as Open.Mar 30 2020, 9:59 PM
dkg closed this task as Resolved.
dkg added a project: Bug Report.
werner mentioned this in T4943: Release LibKSBA 1.4.0.May 19 2020, 3:41 PM
dkg reopened this task as Open.Jun 11 2020, 1:29 AM

This appears to still be a problem, despite upgrading to libksba 1.4.0:

> 
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: F05AB68219B28C2E5CD7F7AE9782B0971ED593B4
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=Alice
    Name-Email: alice@example.biz

Proceed with creation? (y/N) y
Now creating self-signed certificate.  This may take a while ...
gpgsm: error setting the public key: Invalid S-expression
gpgsm: error creating certificate request: Invalid S-expression <KSBA>
2 dkg@alice:/tmp/cdtemp.S6f1Da$  gpgsm --version
gpgsm (GnuPG) 2.2.20
libgcrypt 1.8.5
libksba 1.4.0-unknown
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /tmp/cdtemp.S6f1Da/g
Supported algorithms:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL
0 dkg@alice:/tmp/cdtemp.S6f1Da$

If this gets fixed, it would be good to add it to the test suite to ensure that it stays fixed.

werner triaged this task as Normal priority.Jan 5 2021, 9:33 AM
werner added a project: gnupg (gpg22).
werner lowered the priority of this task from Normal to Low.Jun 25 2021, 11:26 AM

Needs to be tested with the current 2.2 version and a gcry_log_debugsxp should be added to the error output.

werner edited projects, added gnupg22; removed gnupg (gpg22).Dec 12 2022, 11:40 PM
werner edited projects, added gnupg24; removed gnupg22.Aug 23 2023, 8:44 AM

Needs to be checked again with stable. No backport to 2..2, though.