Yubico Forum

All times are UTC + 1 hour
Posted: Tue Mar 14, 2017 5:40 am
i followed josefsson's instructions for setting up a neo with pgp subkeys on debian.

everything seemed to work perfectly. but i cannot seem to sign or encrypt on windows (usb) or debian (usb) or android (usb|nfc). debian seems to be the most descriptive of all:

Code:
lucas@calliope:~$ gpg --clearsign demo.txt
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID 00 00'
gpg: signatures created so far: 0

Please enter the PIN
[sigs done: 0]
gpg: apdu_send_simple(0) failed: unknown status error
gpg: signing failed: general error
gpg: demo.txt: clearsign failed: general error
lucas@calliope:~$


Code:
lucas@calliope:~$ gpg --card-status
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID 00 00'
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03642440
Name of cardholder: Jonathan Lucas Reddinger
Language prefs ...: en
Sex ..............: unspecified
URL of public key : https://www.lucasreddinger.com/pk.txt
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: pub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never     
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440


if i enter the wrong pin, it throws a different error, and decrements the respective counter:

Code:
lucas@calliope:~$ gpg --clearsign demo.txt
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID 00 00'
gpg: signatures created so far: 0

Please enter the PIN
[sigs done: 0]
gpg: verify CHV1 failed: general error
gpg: signing failed: general error
gpg: demo.txt: clearsign failed: general error
lucas@calliope:~$ gpg --card-status
gpg: detected reader `Yubico Yubikey NEO OTP+U2F+CCID 00 00'
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03642440
Name of cardholder: Jonathan Lucas Reddinger
Language prefs ...: na
Sex ..............: unspecified
URL of public key : https://www.lucasreddinger.com/pk.txt
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 2 3 3
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: pub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never     
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
lucas@calliope:~$


so i know the problem is not that i am entering the wrong pin.

are there complexity requirements on the pin that may not be met? my user pin is 6 digits, admin pin is 8 digits.

please help! many thanks.


Last edited by jlr on Mon Mar 27, 2017 7:51 am, edited 1 time in total.

Posted: Wed Mar 15, 2017 8:56 pm
windows logs this for scdaemon:

Code:
2017-03-15 12:55:51 scdaemon[6132] detected reader `Yubico Yubikey NEO OTP+U2F+CCID 0'
2017-03-15 12:55:51 scdaemon[6132] pcsc_control failed: invalid PC/SC error code (0x1)
2017-03-15 12:55:51 scdaemon[6132] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
2017-03-15 12:55:52 scdaemon[6132] updating slot 0 status: 0x0000->0x0007 (0->1)
2017-03-15 12:55:52 scdaemon[6132] triggering event e4 (000000E4) for client -1
2017-03-15 12:55:52 scdaemon[6132] signatures created so far: 0
2017-03-15 12:55:52 scdaemon[6132] DBG: asking for PIN '||Please enter the PIN%0A[sigs done: 0]'
2017-03-15 12:55:59 scdaemon[6132] apdu_send_simple(0) failed: unknown status error
2017-03-15 12:55:59 scdaemon[6132] app_sign failed: Card error


then some of the information is missing, including counters:

Code:
gpg/card> quit
PS C:\Users\lucas> gpg --card-status
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03642440
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: sub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
PS C:\Users\lucas>


so strange.


Posted: Fri Mar 17, 2017 10:49 pm
OK, i figured out that i can encrypt and decrypt. but i can't sign. signing throws the error. and once signing throws the error, i can't encrypt again until i pull the card, kill gpg2-agent, and reinsert the card.

anyone know why this may be happening?


Code:
PS C:\Users\lucas> gpg --card-status
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03642440
Name of cardholder: Jonathan Lucas Reddinger
Language prefs ...: en
Sex ..............: unspecified
URL of public key : https://www.lucasreddinger.com/pk.txt
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: sub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
PS C:\Users\lucas> gpg2 -r lucas -e .\demo.txt
File `.\\demo.txt.gpg' exists. Overwrite? (y/N) y
PS C:\Users\lucas> gpg2 -d .\demo.txt.gpg
gpg: encrypted with 2048-bit RSA key, ID 397F555D, created 2017-03-11
      "Jonathan Lucas Reddinger <jlr@lucasreddinger.com>"
 ¦d e m o   m e s s a g e !
PS C:\Users\lucas> gpg --card-status
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03642440
Name of cardholder: Jonathan Lucas Reddinger
Language prefs ...: en
Sex ..............: unspecified
URL of public key : https://www.lucasreddinger.com/pk.txt
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: sub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
PS C:\Users\lucas> gpg2 -d .\demo.txt.gpg
gpg: encrypted with 2048-bit RSA key, ID 397F555D, created 2017-03-11
      "Jonathan Lucas Reddinger <jlr@lucasreddinger.com>"
 ¦d e m o   m e s s a g e !
PS C:\Users\lucas> gpg --card-status
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03642440
Name of cardholder: Jonathan Lucas Reddinger
Language prefs ...: en
Sex ..............: unspecified
URL of public key : https://www.lucasreddinger.com/pk.txt
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: sub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
PS C:\Users\lucas> gpg2 -d .\demo.txt.gpg
gpg: encrypted with 2048-bit RSA key, ID 397F555D, created 2017-03-11
      "Jonathan Lucas Reddinger <jlr@lucasreddinger.com>"
 ¦d e m o   m e s s a g e !
PS C:\Users\lucas> gpg --card-status
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03642440
Name of cardholder: Jonathan Lucas Reddinger
Language prefs ...: en
Sex ..............: unspecified
URL of public key : https://www.lucasreddinger.com/pk.txt
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: sub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
PS C:\Users\lucas> gpg2 -s .\demo.txt
File `.\\demo.txt.gpg' exists. Overwrite? (y/N) y
gpg: signing failed: Card error
gpg: signing failed: Card error
PS C:\Users\lucas> gpg --card-status
Application ID ...: D2760001240102000006036424400000
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 03642440
Name of cardholder: Jonathan Lucas Reddinger
Language prefs ...: en
Sex ..............: unspecified
URL of public key : https://www.lucasreddinger.com/pk.txt
Login data .......: lucas
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
Signature key ....: 0250 918D 200B F39C 411A  B5CD 33B4 A2FC 1625 B552
      created ....: 2017-03-11 15:44:33
Encryption key....: 408E B966 E4D6 0D2C F68B  1215 5570 AEE7 397F 555D
      created ....: 2017-03-11 16:09:22
Authentication key: 73E3 E4B6 F0A4 353E 11A5  9BC5 13A6 16CA BA8A 2398
      created ....: 2017-03-11 16:09:58
General key info..: sub  2048R/1625B552 2017-03-11 Jonathan Lucas Reddinger <jlr@lucasreddinger.com>
sec#  4096R/4D445E28  created: 2017-03-11  expires: never
ssb>  2048R/1625B552  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/397F555D  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
ssb>  2048R/BA8A2398  created: 2017-03-11  expires: 2018-03-11
                      card-no: 0006 03642440
PS C:\Users\lucas> gpg2 -r lucas -e .\demo.txt
PS C:\Users\lucas> gpg2 -d .\demo.txt.gpg
gpg: encrypted with 2048-bit RSA key, ID 397F555D, created 2017-03-11
      "Jonathan Lucas Reddinger <jlr@lucasreddinger.com>"
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key


Posted: Thu Mar 23, 2017 2:14 am
One more note: specifying the specific subkey for signing does not solve the problem:

Code:
PS C:\Users\lucas> gpg --armor -su 1625b552 .\demo.txt
File `.\\demo.txt.asc' exists. Overwrite? (y/N) y
gpg: signing failed: Card error
gpg: signing failed: Card error


I contacted Yubico support today. Hopefully they'll be able to help. I hope I just overlooked something silly!

The encryption works all fine and dandy, which is cool. So I'm close to having this all working...

I'll leave you all alone until I can mark this topic as solved. Thanks for looking, and sorry for the updates.


Posted: Mon Mar 27, 2017 7:51 am
I got it to work, with the help of Yubico's Matthew.

I booted a kubuntu live OS, and installed the packages as listed by Simon (backports unnecessary).

I restored the secrets from my backup. I then moved the subkeys to the Neo, overwriting the old subkeys on the Neo.

That resolved all the issues.

Code:
kubuntu@kubuntu:~$ echo "secret demo message." | gpg -aser jlr@lucasreddinger.com
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
kubuntu@kubuntu:~$


:D
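
An added example, not part of the original posts: a small Python check that tells apart the three PIN-field states that appear in the `gpg --card-status` output in this thread (healthy, one wrong PIN, and the all-zero state after the failed signing). The function names, result labels and the default of 3 retries are assumptions, and the all-zero rule is a heuristic drawn from the outputs quoted above.

```python
import re

# Constructed samples: the PIN fields as they appear in the posts above.
HEALTHY = """\
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
"""
WRONG_PIN = HEALTHY.replace("3 3 3", "2 3 3")
AFTER_FAILED_SIGN = """\
Max. PIN lengths .: 0 0 0
PIN retry counter : 0 0 0
Signature counter : 0
"""

FIELD = re.compile(
    r"^(Max\. PIN lengths|PIN retry counter)\s*\.*\s*:\s*(.+)$", re.M)


def pin_fields(status_text):
    """Return {'max': (user, reset, admin), 'retries': (user, reset, admin)}."""
    out = {}
    for name, value in FIELD.findall(status_text):
        key = "max" if name.startswith("Max") else "retries"
        out[key] = tuple(int(n) for n in value.split())
    if set(out) != {"max", "retries"}:
        raise ValueError("PIN fields not found in card-status output")
    return out


def classify(status_text, default_retries=3):
    """Label the PIN state; default_retries is an assumed card setting."""
    f = pin_fields(status_text)
    user_retries = f["retries"][0]
    if not any(f["max"]):
        # Heuristic from the thread: all-zero maximum lengths appear only
        # after the card error, so the zero retry counters shown with them
        # are a failed status read, not a blocked PIN.
        return "status-unreadable"
    if user_retries == 0:
        return "user-pin-blocked"
    if user_retries < default_retries:
        return "wrong-pin-entered"
    return "ok"
```

A `status-unreadable` result corresponds to the state the poster cleared by pulling the card, killing the agent and reinserting the card.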

