Page MenuHome GnuPG

addkey "set your own capabilities" silently sets Restricted Encryption capability
Testing, NormalPublic

Description

Description

Yesterday I tried to add a new signing subkey to my PGP key using gpg --expert --edit-key <fpr>:

$ gpg --expert --edit-key C7E8A6AD4181CFD2D382B1238C920482C5CDA5FB
Secret key is available.

sec  ed25519/0x8C920482C5CDA5FB
     created: 2022-04-01  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD98102F24C067CA5
     created: 2022-04-01  expired: 2023-04-01  usage: S
     card-no: 0006 04267031
ssb  rsa4096/0x6566AAFFA15425EE
     created: 2022-04-01  expires: never       usage: E
     card-no: 0006 04267031
ssb  rsa4096/0x753468F4BE25063B
     created: 2023-04-03  expired: 2024-04-02  usage: S
     card-no: 0006 04267031
[ultimate] (1). ...

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 8

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Do 03 Apr 2025 14:07:03 CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/0x8C920482C5CDA5FB
     created: 2022-04-01  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD98102F24C067CA5
     created: 2022-04-01  expired: 2023-04-01  usage: S
     card-no: 0006 04267031
ssb  rsa4096/0x6566AAFFA15425EE
     created: 2022-04-01  expires: never       usage: E
     card-no: 0006 04267031
ssb  rsa4096/0x753468F4BE25063B
     created: 2023-04-03  expired: 2024-04-02  usage: S
     card-no: 0006 04267031
ssb  rsa4096/0xF29354429642DC16
     created: 2024-04-03  expires: 2025-04-03  usage: SR
[ultimate] (1). ...

As you can see, I chose "RSA (set your own capabilities)" and then removed the encryption capability, so that according to gpg, the only remaining key usage flag was S. However, after completing the key generation, the output showed the key usage flags SR.

Compare that to the result when "RSA (sign only) is chosen; this time, only the S flag is set:

gpg> newkey

Invalid command  (try "help")

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Do 03 Apr 2025 14:14:06 CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/0x8C920482C5CDA5FB
     created: 2022-04-01  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xD98102F24C067CA5
     created: 2022-04-01  expired: 2023-04-01  usage: S
     card-no: 0006 04267031
ssb  rsa4096/0x6566AAFFA15425EE
     created: 2022-04-01  expires: never       usage: E
     card-no: 0006 04267031
ssb  rsa4096/0x753468F4BE25063B
     created: 2023-04-03  expired: 2024-04-02  usage: S
     card-no: 0006 04267031
ssb  rsa4096/0xC9E8EAB911C67BB8
     created: 2024-04-03  expires: 2025-04-03  usage: S
[ultimate] (1). ...

Expected Behavior

The "set your own capabilities" submenu should know about and display the R key usage flag, and provide a way to toggle it.

Actual Behavior

The "set your own capabilities" submenu does not appear to know about the R key usage flag at all, and silently sets it on newly created keys.

I have not checked what happens if other key types are chosen.

Environment

OS: Arch Linux x86_64
Kernel: Linux 6.6.23-1-lts
GnuPG Version: 2.4.5

Details

Version
2.4.5

Event Timeline

werner triaged this task as Normal priority.Apr 4 2024, 4:09 PM
werner added a project: gnupg24.

Pretty obvious. RENC is an allowed usage for an RSA key and thus set in the mask. I restricted this but allowed to set it anyway when using the "=sr" shortcut (here to set as signing and R-enc). Thanks for reporting.

werner changed the task status from Open to Testing.Apr 4 2024, 4:50 PM
werner moved this task from Backlog to QA on the gnupg24 board.
werner edited projects, added gnupg24 (2.4.6); removed gnupg24.