gpgsm --gen-key with existing key from "ssh-add" fails
Open, Needs TriagePublic

Description

with a fresh GNUPGHOME, and gpg-agent acting as ssh-agent:

ssh-keygen -f ssh-key -N ''
ssh-add ssh-key
gpgsm --gen-key

then choose "existing key" and select the keygrip found in sshcontrol. The result is:

Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 0B4329C87AD80CDCCA1D04C9F0B4FE11378A6F74
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=Alice
    Name-Email: alice@example.biz

Proceed with creation? (y/N) y
Now creating self-signed certificate.  This may take a while ...
gpgsm: error setting the public key: Invalid S-expression
gpgsm: error creating certificate request: Invalid S-expression <KSBA>

note that the key created by ssh-key is 3072-bit RSA, not 1024.

Using nettle-bin's sexp-conv, i see:

2 dkg@alice:/tmp/cdtemp.6ckvQX$ sexp-conv < private-keys-v1.d/A61AD73FB26752B4DAB90F007E6F76467659A19B.key 
(protected-private-key (rsa (n |AL3C+/cNPCsJ+xKZXOG/u+f1eGM/VsMA7Gs7y1w/
                                ki3y7fXeVCgV8KXaVQq/4ylfR04aXj3gsrmSDHYX
                                KYBo69OoGx8tLhhi20ugMAc1qlRuMgmQZDjYGc8U
                                m4ftOpwKoyKolfPV+PayoXQF0G7aeTC9+kmXxLfv
                                ZD5DL8UWx/nFTly+5LctlQGshN1+1AZ6U9f4qdRi
                                by2RpiMa7gdVD1M41RVm+Q2KoMYCs4WMeFgV4+Kj
                                vxU32O8lLMQ+RpB6Z7Ra/756FeXyATrY7Q2hTGAd
                                9V9X+vxupsX5MROlg1OfsSRClHVpK1kjiauM+0Zl
                                oxXEBorRn+qZ51SrimXBaYlAri0zBw0HWg/cc1Xx
                                pbxWqPrWh5rRrC+wukDG1XiM5LZdWBrZJiT0nYxZ
                                hzczd9jgjj45XpvcrgK6uiXUWpYPpyjCRAVP/sW1
                                ZVcm4x8RyYjuvwjh/vKg4F7kludEctnyavQI0utY
                                62nwESLUuQhKgNvN23Th20iVXGMWOik1GQ==|)
                            (e |AQAB|)
                            (protected openpgp-s2k3-sha1-aes-cbc
                                       ((sha1 |aFmt6IeekIM=|
                                              "72943616") |cT9DP9U3fOSXE
                                                           elRUvQW1Q==|)
                                       |2BrkPE2deaC3tf+d5rwG2x8QGdilAh+Z
                                        WOoHa/KVlZhvBBIFCfA8g12DamARZTZd
                                        MYIKcjIMDNTlj3I/xJZayzWcm5XliA0O
                                        WqvZJnedJWvjanHLWIu4z5ik+T85fL7E
                                        24/4nrQhTaTFtYo27cgdFgvGxeXbZx9f
                                        VCAhF/Kf12NHDkVEI3qMRBFNd0ofGeTq
                                        4xMtnGd0OfbSG2V51iK0GaexmW4ySkyt
                                        LYpyfMK4Tx/AdwZQAUacJqSs1/ZkoB+R
                                        hTAhW/EsWjHCYeuESZYizUZSuTX9vsGq
                                        If/bVZctTkGQ8jG0qjSpDY9qc8Kjf1wH
                                        ejN1L3qAvXwhDk1bSY+M5XuZ3WgYJgM5
                                        1XL02xQnJl4Eq60lfO9wkRqZEe56PcF+
                                        N4jpNwHcNAHHp58aROm9hsl7u3txAAu2
                                        4d59iGbzkZZFC+3EkC8AxHvhpMCN2vnL
                                        BH/3+THthzcJp4MA8GI5sGsjunHDesT4
                                        LYifUnk99+5bFeCtnnPCNc9kTUDWR0lY
                                        uGYJlmT7frIN+B2EYfaLvlVDlEkoUkM3
                                        aNP8OyViQpQEoLqpTI73/pDMMqOgJWPv
                                        9OgdPk21Ns0/MrKbHxnvKV1Kt7YOZiRI
                                        e7eHjs5PKp2Dk2KxDggwh4B+49o1N+4q
                                        ne/pizT8xNv0kfHaqFj6kfGSA2xevBUK
                                        tLUFvrtenTLV/WtuiLiB56xdG2rDPrmO
                                        VPyzw9B1j2AV2DEfQI6co88rUHO8pLVK
                                        FFqy5nMFnekUrqLITwmSZFPYW24Cf9os
                                        mpeZS/NXfbWITXY+A57mD4l5HGxq3+fu
                                        E5yYNaYoBYkWHTiYDZjdDU5XzU+XoO9A
                                        nFPYrP505dI5aN9QkOdH8HUFp7Qc+6za
                                        j/2MwrULF1BwzT8Lk+Zi6tKE1/K7jH1G
                                        kF5mDjvIfdJktcZU6pLzfIhLHG/egvzy
                                        dzliIDdS72mvsv9l5bWwxqhRNehXn43D
                                        lbSo8mGl1J70EXlXOlXaXnbW8tthlV9c
                                        IXUR1LLHsY5tXuw2UU+aAzlHDxWWlO58
                                        3UPhPUR+ESZCJ3c7uG1MPsIcphAOUVp1
                                        AuqIwYEA77mBvHMjHO1nW+7AS+vyNMOK
                                        iYCnHFZbvDCWHW+8VotsHwSc/8amILBy
                                        AESAbZllfu6nNYNOf4ai2BScUZPu3jNx
                                        /AhWiEK5Vqgv6xWrEi6Xx7/eTR0HhzXE
                                        U0/s5yfl7Rh9ax+2xWz00VEo5l2xHASX
                                        WDGTuhjREufMCgVwccxlMWMVLHiabYi8
                                        rKCtWDJp6c/DgSbGNz6Jy1IL40LPqjaJ
                                        viMmbQKnhmycMyCm+rVcKacVL1a9bYnZ
                                        yqrOplQm4DThEGPSVXn36W+8uSfgosJI
                                        ENvoCme0XnpozjnK5fBI3l1mLFcSvBtp
                                        7RG57f5s/MPNb+5MvrgPSM5xEoeXgyfC|)
                            (protected-at "20200326T010201"))
                       (comment "test@host"))

Related Objects

dkg created this task.Mar 26 2020, 2:05 AM
werner closed this task as Wontfix.
werner claimed this task.
werner added a subscriber: werner.

Please use the mailing list for help on generating keys. I would also suggest to use GnuPG master for such experiments.

dkg added a comment.Mar 26 2020, 3:24 PM

OK, i've asked on gnupg-devel.

FWIW, I didn't do this "experiment", it was reported by a user on the #gnupg IRC channel on freenode, who appears to have been trying to use the documented interfaces to gpgsm and gpg-agent.

I'm disappointed by the "wontfix" tag here -- was there some step of the process described above that is a mistake somehow, or is counterindicated? If so, it would be great to document what that mistake is.

The problem was the comment field which was not expected in an rsa key. However ist makes sense to allow additional fields and thus I pushed a change to Libksba.

dkg reopened this task as Open.
dkg closed this task as Resolved.
dkg reopened this task as Open.Jun 11 2020, 1:29 AM

This appears to still be a problem, despite upgrading to libksba 1.4.0:

> 
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: F05AB68219B28C2E5CD7F7AE9782B0971ED593B4
    Key-Usage: sign, encrypt
    Serial: random
    Name-DN: CN=Alice
    Name-Email: alice@example.biz

Proceed with creation? (y/N) y
Now creating self-signed certificate.  This may take a while ...
gpgsm: error setting the public key: Invalid S-expression
gpgsm: error creating certificate request: Invalid S-expression <KSBA>
2 dkg@alice:/tmp/cdtemp.S6f1Da$  gpgsm --version
gpgsm (GnuPG) 2.2.20
libgcrypt 1.8.5
libksba 1.4.0-unknown
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /tmp/cdtemp.S6f1Da/g
Supported algorithms:
Cipher: 3DES, AES128, AES192, AES256, SERPENT128, SERPENT192, SERPENT256, SEED, CAMELLIA128, CAMELLIA192, CAMELLIA256
Pubkey: RSA, ECC
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224, WHIRLPOOL
0 dkg@alice:/tmp/cdtemp.S6f1Da$

If this gets fixed, it would be good to add it to the test suite to ensure that it stays fixed.