Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 8:54 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Sat Jan 17, 2015 12:04 am 
Offline

Joined: Fri Jan 16, 2015 10:52 pm
Posts: 3
Hi,

for some weeks I have used my Yubikey Neo now to sign my mails.
a gpg2.exe --card-status showed the following today:

Code:
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03016531
Name of cardholder: Hanno Wagner
Language prefs ...: de
Sex ..............: männlich
URL of public key : http://blog.rince.de/download/4cf2d85a.txt
Login data .......: rince
Signature PIN ....: zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 42
Signature key ....: 069B C697 0BCB B079 D166  C0C4 3512 C2E2 3F4C 33A6
      created ....: 2014-12-19 17:07:11
Encryption key....: FDB9 2670 3AF8 A7B8 3352  18EB 6033 BEFC 5A92 775A
      created ....: 2014-12-19 17:07:40
Authentication key: F132 92A0 5884 5290 59CF  65F6 AEB2 C8E8 8651 4EAA
      created ....: 2014-12-19 17:07:57
General key info..: pub  2048R/3F4C33A6 2014-12-19 Hanno 'Rince' Wagner <wagner@rince.de>
sec#  3744R/4CF2D85A  erzeugt: 2014-12-19  verfällt: 2024-12-16
ssb>  2048R/3F4C33A6  erzeugt: 2014-12-19  verfällt: 2024-12-16
                      Kartennummer:0006 03016531
ssb>  2048R/5A92775A  erzeugt: 2014-12-19  verfällt: 2024-12-16
                      Kartennummer:0006 03016531
ssb>  2048R/86514EAA  erzeugt: 2014-12-19  verfällt: 2024-12-16
                      Kartennummer:0006 03016531


As you can see with the PIN retry counter, the normal PIN was at 0 - which means signing or decrypting wasn't possible anymore.
Luckily, I created the keys offline and used gpg2.exe keytocard to import the keys to the smartcard.

Since the PIN-retry count was at 0, I read in the forum that the best way would be to reset the Applet. So I checked the version - it is:
Code:
gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000]  01 00 08 90 00   


Version 1.0.8.9 which seems to be the latest released version.

Now, after the reset I just put some infos on the card (name, language, sex), so --card-status shows the following:
Code:
gpg2.exe --card-status
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03016531
Name of cardholder: Hanno Wagner
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]


So, this looks like a new key. The Retry-Counter is at 3 again and this seems to be legit.

When I made the reset, of course also the keys were lost - which was accepted. I wanted to re-imort the keys from my secring which was stored somewhere else.
And since I had backups, I also had a version where the subkeys were still on the secring and not (yet) linked to the card.

I followed the howto on http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ how to create these kind of keys. And it seemed to be fine:

Code:
gpg2.exe --list-secret-keys
--------------------
sec   3744R/4CF2D85A 2014-12-19 [expires: 2024-12-16]
uid                  Hanno 'Rince' Wagner <wagner@rince.de>
uid                  [jpeg image of size 5076]
uid                  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
uid                  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
uid                  Hanno 'Rince' Wagner <rince@linux.de>
ssb   2048R/3F4C33A6 2014-12-19
ssb   2048R/5A92775A 2014-12-19
ssb   2048R/86514EAA 2014-12-19


So, the secret keys are there and not (yet) linked to the card.

But when I try to put these keys onto the card gpg2 fails:
Code:
gpg2.exe --edit-key 0x4CF2D85A
gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  3744R/4CF2D85A  created: 2014-12-19  expires: 2024-12-16  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/3F4C33A6  created: 2014-12-19  expires: 2024-12-16  usage: S
sub  2048R/5A92775A  created: 2014-12-19  expires: 2024-12-16  usage: E
sub  2048R/86514EAA  created: 2014-12-19  expires: 2024-12-16  usage: A
[ultimate] (1). Hanno 'Rince' Wagner <wagner@rince.de>
[ultimate] (2)  [jpeg image of size 5076]
[ultimate] (3)  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
[ultimate] (4)  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
[ultimate] (5)  Hanno 'Rince' Wagner <rince@linux.de>

gpg> toggle

sec  3744R/4CF2D85A  created: 2014-12-19  expires: 2024-12-16
ssb  2048R/3F4C33A6  created: 2014-12-19  expires: never
ssb  2048R/5A92775A  created: 2014-12-19  expires: never
ssb  2048R/86514EAA  created: 2014-12-19  expires: never
(1)  Hanno 'Rince' Wagner <wagner@rince.de>
(2)  [jpeg image of size 5076]
(3)  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
(4)  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
(5)  Hanno 'Rince' Wagner <rince@linux.de>

gpg> key 1

sec  3744R/4CF2D85A  created: 2014-12-19  expires: 2024-12-16
ssb* 2048R/3F4C33A6  created: 2014-12-19  expires: never
ssb  2048R/5A92775A  created: 2014-12-19  expires: never
ssb  2048R/86514EAA  created: 2014-12-19  expires: never
(1)  Hanno 'Rince' Wagner <wagner@rince.de>
(2)  [jpeg image of size 5076]
(3)  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
(4)  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
(5)  Hanno 'Rince' Wagner <rince@linux.de>

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "Hanno 'Rince' Wagner <wagner@rince.de>"
2048-bit RSA key, ID 3F4C33A6, created 2014-12-19

gpg: error writing key to card: Not supported


As you can see, suddenly this key is not supposed to go to that card. But why? This is the same key as there was before I had to reset the OpenGPG-Applet.

Unfortunately, I can not see what _exactly_ the card doesn't accept.

Is there another way to put the secret key on the card so I can use it again for signing or decrypting files?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Jan 21, 2015 3:38 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

Key import is only supported with gpg 2.0.22 and later, this seems to be 2.0.17. When using a newer gpg make sure that all components (gpg-agent, scdaemon...) are the new version.

/klas


Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 22, 2015 7:18 pm 
Offline

Joined: Fri Jan 16, 2015 10:52 pm
Posts: 3
Yes, you seem to be right. I also tested this before in windows and it didn't work. But maybe this was another problem.

As soon as I resetted the key again and installed the secret key with the latest gpg version für debian-backports it worked fine - thanks for the hint!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 12 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group