
Trying to sign using SHA512 and a Nitrokey Pro 2 produces "Conditions of use not satisfied"
Closed, Resolved, Public

Description

Hello,

When trying to sign things using gpg with my Nitrokey Pro 2 smart-card and SHA512 as the digest algorithm, the error "signing failed: Conditions of use not satisfied" appears. I initially reported this to the Nitrokey forums (see external link) and @szszszsz-nitrokey said it might be a problem with GnuPG, hence this bug report.
I believe I have confirmed that everything else is working as expected (see the strace transcripts in the external link), that the problem is specific to using SHA512, and that the problem occurs despite the smart-card supporting SHA512.

As per the request in the external link, I took some logs using scdaemon. They can be found at this GitHub gist.

I am happy to help investigate this further if need be. As far as I could tell, this issue has not already been reported.

My setup is as follows:

  • OS: Linux 5.7.11
  • GnuPG: 2.2.21
  • libgcrypt: 1.8.6
  • libnitrokey: 3.5
  • Nitrokey Pro 2 version: 3.3

All the best,
Thomas


Event Timeline

CodingCellist removed Version.
CodingCellist set Version to 2.2.21.
werner added a project: gnupg (gpg22).
werner added a subscriber: werner.

You used --personal-digest-preferences to force the use of SHA-512, right?

Without that option the code would have selected SHA-384 as the matching hash algorithm for a brainpoolP384r1 curve. If you don't use a card, truncation will happen and you use SHA-512 truncated to 384 bits. A card, however, checks that the provided data matches the algorithm/curve and rejects the too long data.

The question is how we can solve this. I will consider ignoring the personal digest preferences and using the matching hash algorithm. After all, there is no security gain by using a truncated version.
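The behaviour werner describes, modelled as an added example (not GnuPG or Nitrokey code): ECDSA over a 384-bit curve only consumes the leftmost 384 bits of the digest, so software signing silently truncates SHA-512, while a card that insists the digest length match the curve rejects it. The card check and the before/after hash selection are assumptions reconstructed from the comment above, and the curve size is assumed to be byte-aligned.

```python
import hashlib
from typing import Optional

# brainpoolP384r1 has a 384-bit group order, so ECDSA over it uses at most
# the leftmost 384 bits of the digest (FIPS 186-4 truncation rule).
CURVE_BITS = 384

# Constructed lookup: the hash whose output size matches a curve size.
HASH_BY_BITS = {256: "sha256", 384: "sha384", 512: "sha512"}


def truncate_digest(digest: bytes, curve_bits: int) -> bytes:
    """Software signing path: keep only the leftmost curve_bits of the digest.

    A digest no longer than the curve is used as-is; a longer one (SHA-512 on
    a 384-bit curve) is cut down.  Assumes curve_bits is a multiple of 8;
    curves such as P-521 would need bit-level truncation instead.
    """
    if len(digest) * 8 <= curve_bits:
        return digest
    return digest[: curve_bits // 8]


def card_accepts(digest: bytes, curve_bits: int) -> bool:
    """Modelled smart-card check (assumption): the digest length must match
    the curve; anything else is refused, which gpg reports as
    'Conditions of use not satisfied'."""
    return len(digest) * 8 == curve_bits


def pick_hash(curve_bits: int, personal_pref: Optional[str], on_card: bool) -> str:
    """Hash selection as described in the thread.

    With no --personal-digest-preferences the matching algorithm is chosen.
    Pre-fix, a preference was honoured even for card keys (fatal on a card);
    the fix described above ignores it for card keys, since truncated
    SHA-512 gains nothing over SHA-384 anyway.
    """
    matching = HASH_BY_BITS[curve_bits]
    if personal_pref is None or on_card:
        return matching
    return personal_pref


def sign_input(message: bytes, algo: str, curve_bits: int, on_card: bool) -> Optional[bytes]:
    """Bytes that would actually be signed, or None if the card rejects them."""
    digest = hashlib.new(algo, message).digest()
    if on_card:
        return digest if card_accepts(digest, curve_bits) else None
    return truncate_digest(digest, curve_bits)
```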

werner claimed this task.

Fix will be in 2.2.22. Thanks for the report.

Awesome. Thank you for the explanation and for solving the issue.