Yubico Forum
https://forum.yubico.com/

[S!] After resetting OpenGPG-Applet: Subkeys don't import
https://forum.yubico.com/viewtopic.php?f=26&t=1710

Author:  Rince [ Sat Jan 17, 2015 12:04 am ]
Post subject:  [S!] After resetting OpenGPG-Applet: Subkeys don't import

Hi,

For some weeks now I have used my Yubikey Neo to sign my mails.
A gpg2.exe --card-status showed the following today:

Code:
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03016531
Name of cardholder: Hanno Wagner
Language prefs ...: de
Sex ..............: männlich
URL of public key : http://blog.rince.de/download/4cf2d85a.txt
Login data .......: rince
Signature PIN ....: zwingend
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 42
Signature key ....: 069B C697 0BCB B079 D166  C0C4 3512 C2E2 3F4C 33A6
      created ....: 2014-12-19 17:07:11
Encryption key....: FDB9 2670 3AF8 A7B8 3352  18EB 6033 BEFC 5A92 775A
      created ....: 2014-12-19 17:07:40
Authentication key: F132 92A0 5884 5290 59CF  65F6 AEB2 C8E8 8651 4EAA
      created ....: 2014-12-19 17:07:57
General key info..: pub  2048R/3F4C33A6 2014-12-19 Hanno 'Rince' Wagner <wagner@rince.de>
sec#  3744R/4CF2D85A  erzeugt: 2014-12-19  verfällt: 2024-12-16
ssb>  2048R/3F4C33A6  erzeugt: 2014-12-19  verfällt: 2024-12-16
                      Kartennummer:0006 03016531
ssb>  2048R/5A92775A  erzeugt: 2014-12-19  verfällt: 2024-12-16
                      Kartennummer:0006 03016531
ssb>  2048R/86514EAA  erzeugt: 2014-12-19  verfällt: 2024-12-16
                      Kartennummer:0006 03016531


As you can see with the PIN retry counter, the normal PIN was at 0 - which means signing or decrypting wasn't possible anymore.
Luckily, I created the keys offline and used gpg2.exe keytocard to import the keys to the smartcard.

Since the PIN-retry count was at 0, I read in the forum that the best way would be to reset the Applet. So I checked the version - it is:
Code:
gpg-connect-agent --hex "scd apdu 00 f1 00 00" /bye
D[0000]  01 00 08 90 00   


Version 1.0.8.9 which seems to be the latest released version.

Now, after the reset I just put some infos on the card (name, language, sex), so --card-status shows the following:
Code:
gpg2.exe --card-status
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03016531
Name of cardholder: Hanno Wagner
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]


So, this looks like a new key. The Retry-Counter is at 3 again and this seems to be legit.

When I made the reset, of course the keys were lost as well - which was accepted. I wanted to re-import the keys from my secring, which was stored somewhere else.
And since I had backups, I also had a version where the subkeys were still on the secring and not (yet) linked to the card.

I followed the howto on http://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/ how to create these kind of keys. And it seemed to be fine:

Code:
gpg2.exe --list-secret-keys
--------------------
sec   3744R/4CF2D85A 2014-12-19 [expires: 2024-12-16]
uid                  Hanno 'Rince' Wagner <wagner@rince.de>
uid                  [jpeg image of size 5076]
uid                  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
uid                  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
uid                  Hanno 'Rince' Wagner <rince@linux.de>
ssb   2048R/3F4C33A6 2014-12-19
ssb   2048R/5A92775A 2014-12-19
ssb   2048R/86514EAA 2014-12-19


So, the secret keys are there and not (yet) linked to the card.

But when I try to put these keys onto the card gpg2 fails:
Code:
gpg2.exe --edit-key 0x4CF2D85A
gpg (GnuPG) 2.0.17; Copyright (C) 2011 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  3744R/4CF2D85A  created: 2014-12-19  expires: 2024-12-16  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/3F4C33A6  created: 2014-12-19  expires: 2024-12-16  usage: S
sub  2048R/5A92775A  created: 2014-12-19  expires: 2024-12-16  usage: E
sub  2048R/86514EAA  created: 2014-12-19  expires: 2024-12-16  usage: A
[ultimate] (1). Hanno 'Rince' Wagner <wagner@rince.de>
[ultimate] (2)  [jpeg image of size 5076]
[ultimate] (3)  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
[ultimate] (4)  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
[ultimate] (5)  Hanno 'Rince' Wagner <rince@linux.de>

gpg> toggle

sec  3744R/4CF2D85A  created: 2014-12-19  expires: 2024-12-16
ssb  2048R/3F4C33A6  created: 2014-12-19  expires: never
ssb  2048R/5A92775A  created: 2014-12-19  expires: never
ssb  2048R/86514EAA  created: 2014-12-19  expires: never
(1)  Hanno 'Rince' Wagner <wagner@rince.de>
(2)  [jpeg image of size 5076]
(3)  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
(4)  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
(5)  Hanno 'Rince' Wagner <rince@linux.de>

gpg> key 1

sec  3744R/4CF2D85A  created: 2014-12-19  expires: 2024-12-16
ssb* 2048R/3F4C33A6  created: 2014-12-19  expires: never
ssb  2048R/5A92775A  created: 2014-12-19  expires: never
ssb  2048R/86514EAA  created: 2014-12-19  expires: never
(1)  Hanno 'Rince' Wagner <wagner@rince.de>
(2)  [jpeg image of size 5076]
(3)  Hanno 'Rince' Wagner (FITUG-Mailadresse) <wagner@fitug.de>
(4)  Hanno 'Rince' Wagner (CCCS-Mailadresse) <rince@cccs.de>
(5)  Hanno 'Rince' Wagner <rince@linux.de>

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "Hanno 'Rince' Wagner <wagner@rince.de>"
2048-bit RSA key, ID 3F4C33A6, created 2014-12-19

gpg: error writing key to card: Not supported


As you can see, suddenly this key is not supposed to go to that card. But why? This is the same key as there was before I had to reset the OpenGPG-Applet.

Unfortunately, I can not see what _exactly_ the card doesn't accept.

Is there another way to put the secret key on the card so I can use it again for signing or decrypting files?

Author:  Klas [ Wed Jan 21, 2015 3:38 pm ]
Post subject:  Re: [BUG] After resetting OpenGPG-Applet: Subkeys don't impo

Hello,

Key import is only supported with gpg 2.0.22 and later, this seems to be 2.0.17. When using a newer gpg make sure that all components (gpg-agent, scdaemon...) are the new version.

/klas
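
The two checks this thread turns on, as an added example (not code from the thread or from Yubico): reading the PIN retry counters out of `--card-status` text, decoding the `scd apdu 00 f1 00 00` reply into an applet version plus ISO 7816 status word, and applying Klas's minimum-gpg-version rule before attempting `keytocard`. The sample input is constructed from the lines quoted above; the function names are my own.

```python
import re

# Constructed sample: the relevant lines of the locked card's --card-status output quoted above
CARD_STATUS_LOCKED = """\
Application ID ...: D2760001240102000006030165310000
Version ..........: 2.0
PIN retry counter : 0 3 3
Signature counter : 42
"""

# Constructed sample: the gpg-connect-agent --hex reply quoted above
APDU_RESPONSE = "D[0000]  01 00 08 90 00"

def parse_retry_counters(card_status):
    """Return (user PIN, reset code, admin PIN) retry counters from --card-status text."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)", card_status, re.M)
    if not m:
        raise ValueError("PIN retry counter line not found")
    return tuple(int(x) for x in m.groups())

def parse_applet_version(apdu_line):
    """Split the hex dump into (applet version, status word).
    The last two bytes are the ISO 7816 status word; 90 00 means success."""
    hexbytes = apdu_line.split(None, 1)[1].split()
    data, sw = hexbytes[:-2], "".join(hexbytes[-2:]).upper()
    if sw != "9000":
        raise ValueError(f"card returned status {sw}")
    return ".".join(str(int(b, 16)) for b in data), sw

def gpg_supports_keytocard(version, minimum=(2, 0, 22)):
    """Klas's rule from this thread: keytocard import needs gpg 2.0.22 or later."""
    return tuple(int(p) for p in version.split(".")) >= minimum

def check_card(card_status, apdu_line, gpg_version):
    """Collect the conditions this thread ran into as human-readable findings."""
    findings = []
    user_pin, _reset_code, admin_pin = parse_retry_counters(card_status)
    if user_pin == 0:
        findings.append("user PIN locked: no signing or decrypting until unblocked or reset")
    if admin_pin == 0:
        findings.append("admin PIN locked: only a full applet reset remains")
    version, _sw = parse_applet_version(apdu_line)
    findings.append(f"applet version {version}")
    if not gpg_supports_keytocard(gpg_version):
        findings.append(f"gpg {gpg_version} is too old for keytocard (need 2.0.22 or later)")
    return findings
```

Note that the reply decodes as applet version 1.0.8 followed by the status word 90 00, which is why the version should be read from the data bytes and not from the whole dump.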

Author:  Rince [ Thu Jan 22, 2015 7:18 pm ]
Post subject:  Re: [SOLVED] After resetting OpenGPG-Applet: Subkeys....

Yes, you seem to be right. I also tested this before in windows and it didn't work. But maybe this was another problem.

As soon as I reset the key again and installed the secret key with the latest gpg version for debian-backports it worked fine - thanks for the hint!
