
Decryption with ECC smartcard keys broken
Closed, Resolved (Public)

Description

Decryption with smartcard keys is currently failing (tested: notepad, encrypt/decrypt workflow).

I created a new key on the smartcard (tested: brainpoolP256r1, nist256) and also ensured that this is not related to stale smartcard/key data (tested: generation with no backup, restarted all gpg related processes) or other artifacts (tested: new clean gnupghome dir).

To reproduce e.g. in notepad:

  1. Generate a key on smartcard (e.g. with default settings)
  2. Encrypt some text in the notepad (encrypt for & sign with new key)
  3. Decrypt again

audit log:

gpg: verschlüsselt mit brainpoolP256r1 Schlüssel, ID E2C4E1CFE5027094, erzeugt 2025-06-30
      "sc"
gpg: Entschlüsselung mit Public-Key-Verfahren fehlgeschlagen: Ungültige Daten
gpg: Entschlüsselung fehlgeschlagen: Ungültige Daten

debugview output:

[8936] org.kde.pim.kleopatra: GpgME::DecryptionResult(
[8936]  error:                GpgME::Error(67108943 (Ungültige Daten))
[8936]  fileName:             <null>
[8936]  unsupportedAlgorithm: <null>
[8936]  isWrongKeyUsage:      0
[8936]  isDeVs:               0
[8936]  isBetaCompliance:     0
[8936]  legacyCipherNoMDC:    0
[8936]  symkeyAlgo:           ?.?
[8936]  recipients:
[8936] GpgME::DecryptionResult::Recipient(
[8936]  keyID:              6F16E23204466286
[8936]  shortKeyID:         04466286
[8936]  publicKeyAlgorithm: ECDH
[8936]  status:             GpgME::Error(117440529 (Kein geheimer Schlüssel)))
[8936] )
[8936] GpgME::VerificationResult(
[8936]  error:      GpgME::Error(67108943 (Ungültige Daten))
[8936]  fileName:
[8936]  signatures:
[8936] )

gpgme log (decryption started 14:21:55)

Details

Version
gpg4win-5.0.0-beta336 @ win10

Event Timeline

timegrid created this object with edit policy "Contributor (Project)".

I can't reproduce. Please check whether this works if you use gpg directly; it's a bit unlikely that this is kleopatra-specific, since kleopatra doesn't really care whether the key is on a smartcard or not.

gpgsm log

That's just for S/MIME, not openpgp

You're right, it also errors on gpg directly:

C:\Users\g10\Desktop\tmp\scdecrypt>gpg --encrypt --sign --recipient sc --sign-with sc test.txt
C:\Users\g10\Desktop\tmp\scdecrypt>gpg --decrypt test.txt.gpg
gpg: verschlüsselt mit brainpoolP256r1 Schlüssel, ID FA2BF0F52BE05D89, erzeugt 2025-07-01
      "sc"
gpg: Entschlüsselung mit Public-Key-Verfahren fehlgeschlagen: Ungültige Daten
gpg: Entschlüsselung fehlgeschlagen: Ungültige Daten

version

C:\Users\g10\Desktop\tmp\scdecrypt>gpg --version
gpg (GnuPG) 2.5.8
libgcrypt 1.11.1
Copyright (C) 2025 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: C:\Users\g10\AppData\Roaming\gnupg
Unterstützte Verfahren:
Öff. Schlüssel: RSA, Kyber, ELG, DSA, ECDH, ECDSA, EDDSA
Verschlü.: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
           CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Komprimierung: nicht komprimiert, ZIP, ZLIB, BZIP2

secret keys

[keyboxd]
---------
sec   rsa3072 2023-03-08 [SC]
      11A9C6D06717C4E284960BA906E28F5FB5297489
uid        [vollständig] Edward Tester <Edward.Tester@demo.gnupg.com>
ssb   rsa3072 2023-03-08 [E]
      756613A147108F13282B8B7B037BFD4B2C571A9E

sec   ed25519 2023-05-09 [SC] [verfallen: 2023-05-10]
      1AF2E0899B2741E58487ACC132F17CC07C6B182F
uid        [ verfallen ] Ali-abgelaufen

sec   rsa3072 2023-03-08 [SC] [verfallen: 2023-03-09]
      1B7724C95351B75394303415C2577F23F8E93418
uid        [ verfallen ] Xena-expired

sec   ed25519 2023-03-08 [SC]
      5563BF178A9ADB8AF41F9DDA08F8682320DEDDB9
uid        [vollständig] Conny-cv25519
ssb   cv25519 2023-03-08 [E]
      C5C08C2A043D628C5A30EC69EFB23BB2F1DA0599

sec   ed25519 2023-03-09 [SC] [widerrufen: 2023-03-13]
      5D73251BA326024602696FD87CA8B3C25843D5D3
      Grund für Widerruf: Kein Grund angegeben
         Widerruf-Bemerkung: Testgrund
uid        [ widerrufen] Ron-revoked

sec   brainpoolP256r1 2025-06-28 [SC] [verfällt: 2028-06-28]
      64687A787374DE2BD77EF6BC82D01B98E9AEDE58
uid        [ ultimativ ] soon expires
ssb   brainpoolP256r1 2025-06-28 [E] [verfällt: 2028-06-28]
      A8E14BF41EF3607A09BAB2AB11A5FE186C620257

sec   rsa3072 2023-03-08 [SC]
      98111E67AE06F2BEFD2BDE10C5D6C919005F36A4
uid        [ ultimativ ] Ted Tester <Ted.Tester@demo.gnupg.com>
ssb   rsa3072 2023-03-08 [E]
      CC5274CB8072E9778DADD15BCD573B2B0736643A

sec   ed448 2025-06-28 [SC] [verfällt: 2028-06-28]
      A474EEE9493BCC406EC144176DE2F2D0081ECB984E14D1491FE0F99E0252604F
uid        [ ultimativ ] v5 key
uid        [vollständig] v5 uid
ssb   cv448 2025-06-28 [E] [verfällt: 2028-06-28]
      7964E5E34D6AD3F70A7CA006D9225EB8FECD3EF4F35538C701A8E2BE1600752B

sec   rsa2048 2023-03-08 [SC]
      A6F76A4C451F0319AEB3B2FEDD4A11F368DAF68F
uid        [vollständig] Rita-RSA2048
ssb   rsa2048 2023-03-08 [E]
      BB5E9C0603A9D1743F4EA951BA9A98374E6575EF

sec   rsa4096 2023-07-24 [SC]
      B2247C8918F42958722AB17651F15155D5EB6F1E
uid        [vollständig] Rena-RSA4096
ssb   rsa4096 2023-07-24 [E]
      13FE109D705B1BA07DD1B7589A04B8E7237CCB62

sec   dsa2048 2023-03-08 [SC]
      C00AE5DF1A9033B0BA112C32F6AA692505C0227E
uid        [vollständig] Dan-DSA2048
ssb   elg2048 2023-03-08 [E]
      890D6B4C74AFD7AE54EE57ECAB8057F7EBCE6B9A

sec>  brainpoolP256r1 2025-07-01 [SC] [verfällt: 2028-07-01]
      CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129
      Kartenseriennr. = 0005 00009D59
uid        [ ultimativ ] sc
ssb>  brainpoolP256r1 2025-07-01 [A] [verfällt: 2028-07-01]
      AAE624062270EA70ABF7A0461DD570FC663FBF6A
      Kartenseriennr. = 0005 00009D59
ssb>  brainpoolP256r1 2025-07-01 [E] [verfällt: 2028-07-01]
      E0DBE7209AE340947C7C00A6FA2BF0F52BE05D89
      Kartenseriennr. = 0005 00009D59

sec   brainpoolP256r1 2025-06-30 [SC] [verfällt: 2028-06-30]
      E412A9C3F6CDE8D50BF7166CCC8086B9FEAE19D0
uid        [ ultimativ ] ky768_bp256
ssb   ky768_bp256 2025-06-30 [E] [verfällt: 2028-06-30]
      48C0EEB570315B183D9D7E786E2970BE6C0C184073FFEA0E23CB58BD7AB7FB31

sec   brainpoolP384r1 2023-03-08 [SC]
      F8D51DE0EE16E9B57009B8DE458612006D8E6F0D
uid        [vollständig] Berta Boss <Berta.Boss@demo.gnupg.com>
ssb   brainpoolP384r1 2023-03-08 [E]
      46ED5D7758C1BD71C27AF928FFA2FCCB2EC589F8

sec   ed25519 2023-03-08 [SC]
      FADC4675146CFAF3D86F137E1D3C5E6E3DB3C71D
uid        [vollständig] Udo-UID
uid        [ ultimativ ] Udo-Nutzerkennung
ssb   cv25519 2023-03-08 [E]
      1D14E3C986AF431ED3034C70E736A70AFD0F1520
TobiasFella renamed this task from Kleopatra: Decryption with smartcard keys broken to Decryption with smartcard keys broken. Jul 2 2025, 12:40 PM
TobiasFella removed a project: kleopatra.

Please always add -v to commands like "gpg --decrypt test.txt.gpg". To decide whether this is smartcard or gpg-agent related, I need to see a log file from gpg-agent and scdaemon. The latter is more important. I would suggest "debug ipc,app,cardio"

commands with -v

C:\Users\g10\Desktop\tmp\scdecrypt>gpg -K CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129
sec>  brainpoolP256r1 2025-07-01 [SC] [verfällt: 2028-07-01]
      CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129
      Kartenseriennr. = 0005 00009D59
uid        [ ultimativ ] sc
ssb>  brainpoolP256r1 2025-07-01 [A] [verfällt: 2028-07-01]
      AAE624062270EA70ABF7A0461DD570FC663FBF6A
      Kartenseriennr. = 0005 00009D59
ssb>  brainpoolP256r1 2025-07-01 [E] [verfällt: 2028-07-01]
      E0DBE7209AE340947C7C00A6FA2BF0F52BE05D89
      Kartenseriennr. = 0005 00009D59

C:\Users\g10\Desktop\tmp\scdecrypt>gpg -v --encrypt --sign --recipient CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129 --sign-with CD6B0ACDAAC5EB090B99AE8C1BA7A5FD943C1129 test.txt
gpg: enabled compatibility flags:
gpg: der Unterschlüssel FA2BF0F52BE05D89 wird anstelle des Hauptschlüssels 1BA7A5FD943C1129 verwendet
gpg: verwende Vertrauensmodell pgp
gpg: Dieser Schlüssel gehört uns (da wir nämlich den geheimen Schlüssel dazu haben)
gpg: Schreiben nach 'test.txt.gpg'
gpg: ECDH/AES256.OCB verschlüsselt für: "FA2BF0F52BE05D89 sc"
gpg: pinentry launched (7444 qt 1.3.1 - - - - 0/0 -)
gpg: ECDSA/SHA256 Signatur von: "1BA7A5FD943C1129 sc"

C:\Users\g10\Desktop\tmp\scdecrypt>gpg -v --decrypt test.txt.gpg
gpg: enabled compatibility flags:
gpg: Öffentlicher Schlüssel ist FA2BF0F52BE05D89
gpg: Kein aktiver keyboxd - `C:\\Program Files\\Gpg4win\\..\\GnuPG\\bin\\keyboxd.exe' wird gestartet
gpg: Warte bis der Keyboxd bereit ist ... (8s)
gpg: Verbindung zum Keyboxd aufgebaut
gpg: der Unterschlüssel FA2BF0F52BE05D89 wird anstelle des Hauptschlüssels 1BA7A5FD943C1129 verwendet
gpg: verschlüsselt mit brainpoolP256r1 Schlüssel, ID FA2BF0F52BE05D89, erzeugt 2025-07-01
      "sc"
gpg: Kein aktiver gpg-agent - `C:\\Program Files\\Gpg4win\\..\\GnuPG\\bin\\gpg-agent.exe' wird gestartet
gpg: Warte bis der gpg-agent bereit ist ... (8s)
gpg: Verbindung zum gpg-agent aufgebaut
gpg: pinentry launched (1264 qt 1.3.1 - - - - 0/0 -)
gpg: Hinweis: Signaturschlüssel 32F17CC07C6B182F ist am 2023-05-10 10:00:00 verfallen
gpg: Hinweis: Signaturschlüssel C2577F23F8E93418 ist am 2023-03-09 11:00:00 verfallen
gpg: Entschlüsselung mit Public-Key-Verfahren fehlgeschlagen: Ungültige Daten
gpg: Entschlüsselung fehlgeschlagen: Ungültige Daten

scdaemon log (debug ipc,app,cardio)

I have not tested this extensively but it seems to me after some fast checks that the pivotal point here is the usage of a brainpool key on a smart card for the decryption.

It is not relevant that the key was created on a card (I copied one to card). And decryption with an RSA key on a smart card works.
(Btw: decryption (or the time till the error message) is notably much slower than usual in all cases, whether with key on card or on disk.)

The issue remains with gpg 2.5.9 from Gpg4win-5.0.0-beta345.
Here is a gpg-agent log for the failed decryption:

ebo renamed this task from Decryption with smartcard keys broken to Decryption with ECC smartcard keys broken. Jul 16 2025, 10:27 AM
werner triaged this task as High priority.
werner added a project: gnupg26.

Here is a patch.

diff --git a/agent/divert-scd.c b/agent/divert-scd.c
index 1e5de4671..bb42dd3b4 100644
--- a/agent/divert-scd.c
+++ b/agent/divert-scd.c
@@ -517,6 +517,9 @@ agent_card_ecc_kem (ctrl_t ctrl, const unsigned char *ecc_ct,
 
   if (len == ecc_point_len)
     memcpy (ecc_ecdh, ecdh, len);
+  else if ((len - 1) * 2 == ecc_point_len - 1 && ecdh[0] == 0x02)
+    /* It's x-coordinate-only (compressed) point representation.  */
+    memcpy (ecc_ecdh, ecdh, len);
   else if (len == ecc_point_len + 1 && ecdh[0] == 0x40) /* The prefix */
     memcpy (ecc_ecdh, ecdh + 1, len - 1);
   else
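Review bot: the new branch only matches a leading 0x02, which is the SEC1 compressed-point prefix (SEC1 also uses 0x03 for odd y), whereas the flag byte convention this function otherwise relies on is the OpenPGP one (0x40 in the branch below, and 0x41 for "only X coordinate follows" per the spec table quoted later in this task), so a 33-byte value starting with 0x41 still falls through to the error path. Suggest matching 0x41 and stripping the flag, as the 0x40 branch does with `memcpy (ecc_ecdh, ecdh + 1, len - 1);`, rather than copying the prefix byte into ecc_ecdh, so the caller receives the bare x-coordinate in both cases; the comment should also say "x-only" rather than "compressed", since no y parity is carried. Since the patch is marked "Not tested yet", a decrypt with the brainpoolP256r1 card key from the report should confirm the branch is actually taken.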

Not tested yet.

werner changed the task status from Open to Testing. Jul 17 2025, 9:12 AM
werner moved this task from Backlog to WIP on the gnupg26 board.
werner moved this task from Backlog to WIP on the gpd5x board.
gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Jul 28, 8:00 AM

The card returned these 32 bytes:

1883ba0d1cacda6f357ad9caa062ebd7b3a07291a7788565caf38973bf414286

agent_card_pkdecrypt however returned 33 bytes:

411883ba0d1cacda6f357ad9caa062ebd7b3a07291a7788565caf38973bf414286

Thus the indicator byte is 0x41. The specs (librepgp, rfc4880bis) say:

This specification introduces the new flag byte 0x40 to indicate the
point compression format.  The value has been chosen so that the high
bit is not cleared and thus to avoid accidental sign extension.  Two
other values might also be interesting for other ECC specifications:

  Flag  Description
  ----  -----------
  0x04  Standard flag for uncompressed format
  0x40  Native point format of the curve follows
  0x41  Only X coordinate follows.
  0x42  Only Y coordinate follows.

Commit rG6bbd97d6c771b2e2c7cfcff6d5a823f0fb44d443 introduced the 0x41. That is because for ecdh we only need the x-coordinate.
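An added example, not GnuPG code, of the normalisation the agent needs for the flag forms in the table above: it accepts the raw x-coordinate the card returned, the 0x41 x-only form agent_card_pkdecrypt produced, and the other OpenPGP flag bytes, and fails closed on anything else. The function names, the field-size parameter n, and treating 0x40 as flag plus n bytes (mirroring the 0x40 branch in divert-scd.c) are assumptions; the coordinates in the self-check are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (not GnuPG's): reduce the ECDH shared point a card
   returns to the bare x-coordinate, which is all ECDH key derivation needs.
   N is the field size in bytes (32 for brainpoolP256r1 and nistp256).
   Accepted: raw x, 0x04 (uncompressed X||Y), 0x40 (native point, assumed
   to carry N bytes after the flag) and 0x41 (only X follows).  Returns N
   on success, 0 otherwise, so a caller fails closed on a size mismatch. */
size_t
ecdh_extract_x (const uint8_t *in, size_t len, size_t n, uint8_t *out)
{
  if (!in || !out || n == 0)
    return 0;
  if (len == n)                                   /* raw x, no flag byte */
    { memcpy (out, in, n); return n; }
  if (len == 1 + 2 * n && in[0] == 0x04)          /* 0x04: X || Y */
    { memcpy (out, in + 1, n); return n; }
  if (len == 1 + n && (in[0] == 0x40 || in[0] == 0x41))  /* native / x-only */
    { memcpy (out, in + 1, n); return n; }
  return 0;  /* 0x42 (Y only), SEC1 0x02/0x03 or a wrong length: reject */
}

/* Self-check with constructed 32-byte coordinates; returns 1 if every
   case behaves as documented above, 0 otherwise. */
int
ecdh_extract_x_selftest (void)
{
  uint8_t x[32], y[32], buf[65], out[32];
  size_t i;
  for (i = 0; i < 32; i++) { x[i] = (uint8_t) i; y[i] = (uint8_t) (0xA0 + i); }

  /* 33 bytes with 0x41 prefix, the shape agent_card_pkdecrypt returned. */
  buf[0] = 0x41; memcpy (buf + 1, x, 32);
  if (ecdh_extract_x (buf, 33, 32, out) != 32 || memcmp (out, x, 32)) return 0;
  /* Raw 32 bytes, the shape the card itself returned. */
  if (ecdh_extract_x (x, 32, 32, out) != 32 || memcmp (out, x, 32)) return 0;
  /* 65 bytes, 0x04 || X || Y: only X is kept. */
  buf[0] = 0x04; memcpy (buf + 1, x, 32); memcpy (buf + 33, y, 32);
  if (ecdh_extract_x (buf, 65, 32, out) != 32 || memcmp (out, x, 32)) return 0;
  /* 0x42 (Y only) and a SEC1 0x02 prefix are not usable here: rejected. */
  buf[0] = 0x42;
  if (ecdh_extract_x (buf, 33, 32, out) != 0) return 0;
  buf[0] = 0x02;
  if (ecdh_extract_x (buf, 33, 32, out) != 0) return 0;
  return 1;
}
```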

Tested with Gpg4win-5.0.0-beta357 (GnuPG 2.5.11):

Works now with the same testkey + smartcard I used before.

ebo moved this task from QA to Done on the gnupg26 board.
gniibe mentioned this in Unknown Object (Maniphest Task). Mon, Aug 4, 8:02 AM