Page MenuHome GnuPG
Create Task
Maniphest T5219

scd: Generating CSR for SigG NetKey card key fails
Open, NormalPublic
Actions

Description

Generating a CSR for the SigG signing key of a NetKey card fails.

How to reproduce:

  • Put the following key parameters into a file (e.g. keyparams.txt)
Key-Type:card:NKS-SIGG.4531
Key-Usage:sign
Name-DN:CN=Otto Example,O=Example,C=DE
Name-Email:otto@example.net
  • Run
$ gpgsm --debug=ipc --gen-key --armor --batch <keyparams.txt
gpgsm: reading options from '[cmdline]'
gpgsm: enabled debug flags: ipc
gpgsm: DBG: chan_3 <- OK Pleased to meet you, process 26541
gpgsm: DBG: connection to the gpg-agent established
gpgsm: DBG: chan_3 -> RESET
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION ttyname=/dev/pts/41
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION ttytype=xterm-256color
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION display=:0
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION xauthority=/run/user/1000/xauth_MBadcS
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION putenv=XMODIFIERS=@im=ibus
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION putenv=GTK_IM_MODULE=ibus
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION putenv=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION putenv=QT_IM_MODULE=ibus
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION lc-ctype=de_DE.UTF-8
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION lc-messages=de_DE.UTF-8
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> GETINFO version
gpgsm: DBG: chan_3 <- D 2.3.0-beta1490
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> OPTION allow-pinentry-notify
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> RESET
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> SCD READKEY NKS-SIGG.4531
gpgsm: DBG: chan_3 <- [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(293 byte(s) skipped) ]
gpgsm: DBG: chan_3 <- OK
gpgsm: about to sign the CSR for key: &A69B0D3796EE33E4426E5CE4B6BEEE5F1209FBA4
gpgsm: DBG: chan_3 -> SCD READKEY NKS-SIGG.4531
gpgsm: DBG: chan_3 <- [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(293 byte(s) skipped) ]
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> SCD SETDATA E7F363028723DA8994907485C8437B4E37CE5CAA28BADE4A84EAB8411E73560F
gpgsm: DBG: chan_3 <- OK
gpgsm: DBG: chan_3 -> SCD PKSIGN --hash=sha256 NKS-SIGG.4531
gpgsm: DBG: chan_3 <- INQUIRE PINENTRY_LAUNCHED 26564 qt 1.1.1-beta44 /dev/pts/41 xterm-256color :0 20600/1000/5 1000/100 0
gpgsm: DBG: chan_3 -> END
gpgsm: DBG: chan_3 <- ERR 100663383 Bad PIN <SCD>
gpgsm: signing failed: Bad PIN
gpgsm: error creating certificate request: Bad PIN <SCD>

One problem could be that do_sign (app-nks.c) is hard-coded to "use the Global PIN 1". I would expect that "SigG PIN 1" is required to sign something with the SigG key. But setting pwid to 0x81 in do_sign doesn't help. iso7816_compute_ds() still returns a Bad PIN error.

Here's the output of scdaemon (patched to use pwid 0x81):

2021-01-06 15:55:51 scdaemon[20518] DBG: chan_7 <- PKSIGN --hash=sha256 NKS-SIGG.4531
2021-01-06 15:55:51 scdaemon[20518] DBG: send apdu: c=00 i=22 p1=41 p2=B6 lc=6 le=-1 em=0
2021-01-06 15:55:51 scdaemon[20518] DBG:  raw apdu: 002241b606800102840184
2021-01-06 15:55:51 scdaemon[20518] DBG:  response: sw=9000  datalen=0
2021-01-06 15:55:51 scdaemon[20518] DBG:      dump: [all zero]
2021-01-06 15:55:51 scdaemon[20518] DBG:  raw apdu: 00200081
2021-01-06 15:55:51 scdaemon[20518] DBG:  response: sw=63C3  datalen=0
2021-01-06 15:55:51 scdaemon[20518] DBG: prompting for pinpad entry '||PIN%0A%0A\x1eNumber\x1f: 8949017330002661652%0AHold>
2021-01-06 15:55:51 scdaemon[20518] DBG: chan_7 -> [ 49 4e 51 55 49 52 45 20 50 4f 50 55 50 50 49 4e ...(62 byte(s) skippe>
2021-01-06 15:55:51 scdaemon[20518] DBG: chan_7 <- END
2021-01-06 15:55:59 scdaemon[20518] DBG: dismiss pinpad entry prompt
2021-01-06 15:55:59 scdaemon[20518] DBG: chan_7 -> INQUIRE DISMISSPINPADPROMPT
2021-01-06 15:55:59 scdaemon[20518] DBG: chan_7 <- END
2021-01-06 15:55:59 scdaemon[20518] DBG: send apdu: c=00 i=2A p1=9E p2=9A lc=51 le=256 em=0
2021-01-06 15:55:59 scdaemon[20518] DBG:  raw apdu: 002a9e9a333031300d060960864801650304020105000420e7f363028723da89 \
2021-01-06 15:55:59 scdaemon[20518] DBG:  94907485c8437b4e37ce5caa28bade4a84eab8411e73560f00
2021-01-06 15:56:00 scdaemon[20518] DBG:  response: sw=6982  datalen=0
2021-01-06 15:56:00 scdaemon[20518] operation sign result: Bad PIN
2021-01-06 15:56:00 scdaemon[20518] app_sign failed: Bad PIN
2021-01-06 15:56:00 scdaemon[20518] DBG: chan_7 -> ERR 100663383 Bad PIN <SCD>

Revisions and Commits

rG GnuPG
rG5cd25f4ca485 scd:nks: Support the Telesec ESIGN application.
rG07eaf006c276 scd:nks: Support the Telesec ESIGN application.

Related Objects
Search...

Event Timeline

ikloecker created this task.Jan 7 2021, 10:35 AM
ikloecker added a parent task: T5129: Kleopatra: Generate S/MIME CSR for NetKey card key.
ikloecker mentioned this in T5129: Kleopatra: Generate S/MIME CSR for NetKey card key.Jan 7 2021, 10:37 AM
werner added a subscriber: werner.Jan 7 2021, 12:04 PM

We need to switch to the SigG application. Shall I look at it?

ikloecker added a comment.Jan 7 2021, 4:11 PM

do_sign() calls find_fid_by_keyref() which does a switch_application(). So, I think the SigG application should already be active. But, yes, please have a look at it.

werner triaged this task as Low priority.Jan 11 2021, 8:35 PM

Lowered priority because in reality it is not possible to get a certificate for an arbitrary SigG key on the card. Only accredited CAs may issue certs and they want to keep full control over the key generation.

werner raised the priority of this task from Low to Normal.May 29 2022, 3:51 PM
werner added a project: gnupg (gpg23).

Related problem exists with the modern ESIGN application. I think I fixed that but the whole Telesec eIDAS QES case needs more work.

werner added a project: eIDAS.May 29 2022, 3:54 PM
werner added a commit: rG07eaf006c276: scd:nks: Support the Telesec ESIGN application..May 29 2022, 3:57 PM
werner mentioned this in T5947: Release GnuPG 2.3.7.Jul 26 2022, 7:40 PM
werner added a commit: rG5cd25f4ca485: scd:nks: Support the Telesec ESIGN application..Oct 20 2022, 12:23 PM
werner added a project: gnupg24.Dec 13 2022, 11:21 AM