Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 6:17 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 11 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Mon Feb 24, 2014 4:37 pm 
Offline

Joined: Mon Feb 24, 2014 4:21 pm
Posts: 7
Hello to all.

I would like to send my old private key on my YubikeyNeo . I follow the README repository: https://github.com/Yubico/ykneo-openpgp . The installation went very well and I use the script " keyParser.py " which also works fine except a regular expression in " parsingFunctions.py " because I 'm french . (line 121) :
Code:
regexp = r " ^ \ s + Footprint key = (+). ? " keyid + + "$"

By executing this script , I have an commande line that appears to play . eg
Code:
./keyParser.py e 00XXXXXX 12345678
opensc-tool -s '00 ...........'

I execute opensc-tool result and the key is added to the yubikey in Signature, Encryption and Authentication modes.
I test with a file:
Code:
gpg -ae test.txt

which create me well an encrypted file . It is trying to uncrypt that is more complicated :
Code:
gpg -d test.txt.asc
gpg : parts of the secret key is not available
gpg : encrypted with RSA key 4096 bits , XXXX identifier created on 2014-02-24
      " xxx x <x@x> "
gpg : decryption fails public key : general error
gpg : decryption failed : secret key not available

Why Gpg can not find my key?

Code:
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [non positionné]
Language prefs ...: [non positionné]
Sex ..............: non indiqué
URL of public key : [non positionné]
Login data .......: [non positionné]
Signature PIN ....: forcé
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: XXXXXXXXXXX
Encryption key....: XXXXXXXXXX 
Authentication key: XXXXXXXXXXXX
General key info..: pub  4096R/XXX 2014-02-24 xxx <x@x>
sec>  4096R/XXX  créé : 2014-02-24  expire : jamais   
                      nº de carte : 0000 00000001
ssb#  4096R/XXX  créé : 2014-02-24  expire : jamais

Regards


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Feb 24, 2014 6:11 pm 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
This seems to suggest your RSA key had 4096 bit modulus, which is AFAIK not supported for Yubikey Neo, 2048 bit RSA is max:

Quote:
gpg : encrypted with RSA key 4096 bits


Later, in the gpg output it shows that the imported key is 2048 bit, according to the card (something got truncated somewhere?)

Quote:
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: XXXXXXXXXXX
Encryption key....: XXXXXXXXXX
Authentication key: XXXXXXXXXXXX
General key info..: pub 4096R/XXX 2014-02-24 xxx <x@x>


I also found out that the import doesn't work correctly if you created extra subkeys for your key (I had to revoke one signing subkey).

BTW I used different method, moving keys directly to card with "keytocard" command from "gpg --edit-key".


Top
 Profile  
Reply with quote  
PostPosted: Mon Feb 24, 2014 7:18 pm 
Offline

Joined: Mon Feb 24, 2014 4:21 pm
Posts: 7
I also tried with 2048 key and i have the same error. Tommorrow i try to reinitialise Yubikey with gpshell and upload 2048 key without sub key.
I'm not verry confident because i think i have already tried.

also keytocard (gpg --edit-key) dont work with me. i append log tomorow.


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 25, 2014 9:41 am 
Offline

Joined: Mon Feb 24, 2014 4:21 pm
Posts: 7
Here's what I did to reproduce my problem.
Code:
ja@x220:~/src/ykneo-openpgp$ gpshell gpinstall.txt
mode_211
enable_trace
establish_context
card_connect
select -AID a000000003000000
Command --> 00A4040008A000000003000000
Wrapped command --> 00A4040008A000000003000000
....
Response <-- 009000
card_disconnect
release_context


Code:
ja@x220:~/src/ykneo-openpgp$ gpg --card-status
gpg: detected reader `YubiKey Neo CCID 00 00'
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [non positionné]
Language prefs ...: [non positionné]
Sex ..............: non indiqué
URL of public key : [non positionné]
Login data .......: [non positionné]
Signature PIN ....: forcé
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]


Code:
ja@x220:~/src/ykneo-openpgp$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Sélectionnez le type de clef désiré :
   (1) RSA et RSA (par défaut)
   (2) DSA et Elgamal
   (3) DSA (signature seule)
   (4) RSA (signature seule)
Quel est votre choix ? 1
les clefs RSA peuvent faire entre 1024 et 4096 bits de longueur.
Quelle taille de clef désirez-vous ? (2048)
La taille demandée est 2048 bits
Veuillez indiquer le temps pendant lequel cette clef devrait être valable.
         0 = la clef n'expire pas
      <n>  = la clef expire dans n jours
      <n>w = la clef expire dans n semaines
      <n>m = la clef expire dans n mois
      <n>y = la clef expire dans n ans
Pendant combien de temps la clef est-elle valable ? (0) 1
La clef expire le mer. 26 févr. 2014 09:22:26 CET
Est-ce correct ? (o/N) o

Une identité est nécessaire à la clef ; le programme la construit à partir
du nom réel, d'un commentaire et d'une adresse électronique de cette façon :
   « Heinrich Heine (le poète) <heinrichh@duesseldorf.de> »

Nom réel : My Name
Adresse électronique : mail@mail.com
Commentaire :
Vous avez sélectionné cette identité :
    « My Name <mail@mail.com> »

Faut-il modifier le (N)om, le (C)ommentaire, l'(A)dresse électronique
ou (O)ui/(Q)uitter ? o
Une phrase de passe est nécessaire pour protéger votre clef secrète.
....
gpg: vérification de la base de confiance
gpg: 3 marginale(s) nécessaire(s), 1 complète(s) nécessaire(s),
     modèle de confiance PGP
gpg: profondeur : 0  valables :   1  signées :   0
     confiance : 0 i., 0 n.d., 0 j., 0 m., 0 t., 1 u.
gpg: la prochaine vérification de la base de confiance aura lieu le 2014-02-26
pub   2048R/41EF8C31 2014-02-25 [expire : 2014-02-26]
 Empreinte de la clef = D3E4 FAB7 E2CC A306 7509  2B06 2FE9 B563 41EF 8C31
uid                  My Name <mail@mail.com>
sub   2048R/75FB60D7 2014-02-25 [expire : 2014-02-26]


Code:
ja@x220:~/src/ykneo-openpgp$ gpg --edit-key 41EF8C31
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/41EF8C31  created: 2014-02-25  expires: 2014-02-26  usage: SC 
                     trust: ultimate      validity: ultimate
sub  2048R/75FB60D7  created: 2014-02-25  expires: 2014-02-26  usage: E   
[ultimate] (1). My Name <mail@mail.com>

gpg> toggle

sec  2048R/41EF8C31  created: 2014-02-25  expires: 2014-02-26
ssb  2048R/75FB60D7  created: 2014-02-25  expires: never     
(1)  My Name <mail@mail.com>

gpg> keytocard
Really move the primary key? (y/N) y
gpg: detected reader `YubiKey Neo CCID 00 00'
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "My Name <mail@mail.com>"
2048-bit RSA key, ID 41EF8C31, created 2014-02-25

gpg: writing new key
gpg: error writing key to card: not supported


Ok, i use keyParser.py script

Code:
ja@x220:~/src/ykneo-openpgp/util$ ./keyParser.py a 41EF8C31 12345678
writing RSA key
pub   2048R/41EF8C31 2014-02-25 [expire : 2014-02-26]
 Empreinte de la clef = D3E4 FAB7 E2CC A306 7509  2B06 2FE9 B563 41EF 8C31
uid                  My Name <mail@mail.com>
sub   2048R/75FB60D7 2014-02-25 [expire : 2014-02-26]
 Empreinte de la clef = 536C 694F 5E46 B3A2 1ABD  64B7 6BB7 4D00 75FB 60D7


Code:
opensc-tool -s '00 A4 04 00 ....'


idem with option a s and e

Code:
ja@x220:~/src/ykneo-openpgp/util$ gpg --card-status
gpg: detected reader `YubiKey Neo CCID 00 00'
Application ID ...: D2760001240102000000000000010000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000001
Name of cardholder: [non positionné]
Language prefs ...: [non positionné]
Sex ..............: non indiqué
URL of public key : [non positionné]
Login data .......: [non positionné]
Signature PIN ....: forcé
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: D3E4 FAB7 E2CC A306 7509  2B06 2FE9 B563 41EF 8C31
Encryption key....: D3E4 FAB7 E2CC A306 7509  2B06 2FE9 B563 41EF 8C31
Authentication key: D3E4 FAB7 E2CC A306 7509  2B06 2FE9 B563 41EF 8C31
General key info..: pub  2048R/41EF8C31 2014-02-25 My Name <mail@mail.com>
sec   2048R/41EF8C31  créé : 2014-02-25  expire : 2014-02-26
ssb   2048R/75FB60D7  créé : 2014-02-25  expire : 2014-02-26



Code:
ja@x220:/tmp$ gpg -ea msg.txt
Vous n'avez pas indiqué d'identité (vous pouvez utiliser « -r »).

Destinataires actuels :

Entrez l'identité, en terminant par une ligne vide : mail@mail.com

Destinataires actuels :
2048R/75FB60D7 2014-02-25 "My Name <mail@mail.com>"


Code:
ja@x220:/tmp$ cat msg.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.12 (GNU/Linux)

hQEMA2u3TQB1+2DXAQf/ZgHDgq/jBaMsDKUvXEsCGHnKvQyDUk8ByUnUrSOLz7CC
WCvcYD37YA8ZdffNUpNOKqN9rMD8MwbGmu+HIxgvuY/T+HVXPi/xlUVa4t2rTqrj
uqWyS2xpx3o5SXraegwg+Ekd2sxMG6BqKVI6N/nbbslYzIndvucFXzdWfGtievq4
DhQ0P0qlnd9hFkSpKp2EX6Xy9Qex0tvvhEGgGDLJJ5xs4OZMLYahPrXFxTUXYGBt
GBgwXs6ssRKhWuUXtn0Gb9ZCqQcDVxJmmaXrgKcZbSQiKgEHVPF2k5ydDly6Xaeh
wFvgkbPVE8hqxHiB/oufHXzy4N55aabnLQcOPC+sc9JMAWGykNqAk8QDtZchBTgX
4kTfn1LGrYH/qIr3qk/f9MtQQoP/aL5xOTIJEoderlsmVGKSkgv7fCXn7vm+g3Nd
VG2Jfc3A2T8AOyGLfw==
=tVGY
-----END PGP MESSAGE-----


Code:
ja@x220:/tmp$ gpg -d msg.txt.asc
gpg: chiffré avec une clef RSA de 2048 bits, identifiant 75FB60D7, créée le 2014-02-25
      « My Name <mail@mail.com> »
hello gpg



ok

Code:
rm -rf /home/ja/.gnupg
(as if I was on a new computer)

Code:
ja@x220:/tmp$ gpg -d msg.txt.asc
gpg: directory `/home/ja/.gnupg' created
gpg: new configuration file `/home/ja/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/ja/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/ja/.gnupg/secring.gpg' created
gpg: keyring `/home/ja/.gnupg/pubring.gpg' created
gpg: encrypted with RSA key, ID 75FB60D7
gpg: decryption failed: secret key not available
ja@x220:/tmp$ gpg -d msg.txt.asc
gpg: encrypted with RSA key, ID 75FB60D7
gpg: decryption failed: secret key not available


why ? :) why I can not use the secret key that is on the key?


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 25, 2014 11:26 am 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
First of all, you can't just delete ~/.gnupg, even if you moved key to smartcard. The key that you just moved to Neo is still on your keyring as secret key, but has a special "S2K" flag. This flag tells GnuPG that the private key is not present in the keyring as a file, but it has instead to ask the smartcard.

If you list "gpg --list-secret-keys", there will be a new line showing that the key is on the card now:
Code:
Card serial no. = 0000 00000001


If you want to use the keycard on another computer, you have to export the key fully and import it on the new computer using the usual "gpg --import". This is the part that might have been very counter-intuitive. On the new computer, the key will also require Neo physically inserted to be usable. The key is really moved to the card - you can check with with "gpg --list-packets" that will show you low-level packet format of PGP file.

-----
If the above did not help, here are few things you could try:

I am a bit worried about this part, it may indicate you have an old build of openpgpcard.cap after the "keytocard" command:
Quote:
gpg: error writing key to card: not supported

Where did you get the "openpgpcard.cap" file? The version that's for download from Yubico site may be the old one, without key import. I had to build the openpgpcard.cap myself from code in their git repo.

Does the OpenPGP applet work if you let it generate key according to the older manual (instead of importing existing key)?

You might also try to kill gpg-agent, and retry.

Here is an openpgpcard.cap I built from current github master, you might try that one, too. It's built from revision 3c11acaf6b93402f032d8ac91ed31f79eff96d7c (just one commit after 1.0.5 that only changes version number to 1.0.6).

SHA256 file checksum (the forum won't upload the file itself as attachment):
Code:
7a26fd239ac6ef8d70c70b999741bef870d80292ac130504da4e9caa1f7dc6cb  openpgpcard.cap


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 25, 2014 11:57 am 
Offline

Joined: Mon Feb 24, 2014 4:21 pm
Posts: 7
Thank you for your reply. Now I better understand the principle of private key on the key.

However, I can not use "keytocard". I had compiled from the git repo. In doubt I used your ".cap" but I have the same error.
I also tried killing gpg-agent


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 25, 2014 12:06 pm 
Offline

Joined: Mon Feb 24, 2014 4:21 pm
Posts: 7
ja@x220:~$ gpg2 --edit-key 4E99BDD5
gpg (GnuPG) 2.0.19; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

La clé secrète est disponible.

pub 2048R/4E99BDD5 créé: 2014-02-25 expire: jamais utilisation: SC
confiance: ultime validité: ultime
sub 2048R/8775108D créé: 2014-02-25 expire: jamais utilisation: E
[ ultime ] (1). myname <m@xxxx>

gpg> toggle

sec 2048R/4E99BDD5 créé: 2014-02-25 expire: jamais
ssb 2048R/8775108D créé: 2014-02-25 expire: jamais
(1) myname <m@j4.pe>

gpg> keytocard
Enlever réellement la clé principale ? (o/N) o
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Sélectionnez l'endroit où stocker la clé:
(1) Clé de signature
(3) Clé d'authentification
Votre choix ? 1

Vous avez besoin d'une phrase de passe pour déverrouiller la
clé secrète pour l'utilisateur: « myname <m@mail> »
clé de 2048 bits RSA, ID 4E99BDD5, créée le 2014-02-25

gpg: error writing key to card: Non pris en charge

gpg>


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 25, 2014 1:20 pm 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
And can you try again the keyParser.py script again with 2048 bit key? That seemed to work. Just don't delete the .gnupg dir :-)

I think I used hand-compiled gnupg 2.0.22 for the "keytocard" part to work, but if it worked with the keyParser.py for you, then that shouldn't matter. Here's the related issue from github.


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 25, 2014 3:14 pm 
Offline

Joined: Mon Feb 24, 2014 4:21 pm
Posts: 7
Thank you for your help

I could actually use keytocard with version 2.2 gpg.
So I then used "gpg - list-secret-keys" that adds me "Serial No. Card = 0000 00000001"

Code:
ja@x220:~$ gpg --list-secret-keys
/home/ja/.gnupg/secring.gpg
---------------------------
sec>  2048R/6AC871C1 2014-02-25 [expire : 2014-02-26]
 Nº de série de carte = 0000 00000001
uid                 name <m@mail>
ssb   2048R/74F58795 2014-02-25


But, the Yubikey is never asked me when I want to decrypt. I was just wondering the pass of the secret key. I have a paramettre to add to the key?


Top
 Profile  
Reply with quote  
PostPosted: Tue Feb 25, 2014 6:03 pm 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
Tools like gpg-agent cache the passphrase for some time, I think 10 minutes is default. You can force purge it by sending SIGHUP to gpg-agent, like "killall -SIGHUP gpg-agent".

The way to change the password is via "gpg --card-edit", the select "passwd" command. The OpenPGP applet has hardcoded minimum of 6 chars for password length and 8 chars for admin password.

(Maybe someone from staff should add some of the stuff from here into FAQ, especially the part about using the Neo Openpgp on multiple computers.)


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 11 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 13 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group