dearsky/pico-openpgp
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 15 Wiki Activity

Can't move ed25519/cv25519 keys to card #20

New Issue
Closed
opened 2024-09-28 15:53:40 +08:00 by ViZiD · 6 comments
ViZiD commented 2024-09-28 15:53:40 +08:00 (Migrated from github.com)
Copy Link

I have keys

/run/user/1000/gnupg/pubring.kbx
\--------------------------------
sec   ed25519/0xC2122D51CCE4FFF2 2024-09-28 [C]
      Key fingerprint = 6E22 B107 949E 5077 F405  D6BE C212 2D51 CCE4 FFF2
uid                   [ultimate] Radik Islamov <mail@vizqq.cc>
ssb   ed25519/0xF1E22078CF825EC5 2024-09-28 [S] [expires: 2026-09-28]
ssb   cv25519/0xDDBBF4D7E5B00481 2024-09-28 [E] [expires: 2026-09-28]
ssb   ed25519/0x92042AAEE5DED137 2024-09-28 [A] [expires: 2026-09-28]

After trying move subkeys to card, card is no longer detected in gnupg...

gpg> key 2

sec  ed25519/0xC2122D51CCE4FFF2
     created: 2024-09-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
sub  ed25519/0xF1E22078CF825EC5
     created: 2024-09-28  expires: 2026-09-28  usage: S   
ssb* cv25519/0xDDBBF4D7E5B00481
     created: 2024-09-28  expires: 2026-09-28  usage: E   
ssb  ed25519/0x92042AAEE5DED137
     created: 2024-09-28  expires: 2026-09-28  usage: A   
[ultimate] (1). Radik Islamov <mail@vizqq.cc>

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2

sec  ed25519/0xC2122D51CCE4FFF2
     created: 2024-09-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
sub  ed25519/0xF1E22078CF825EC5
     created: 2024-09-28  expires: 2026-09-28  usage: S   
ssb* cv25519/0xDDBBF4D7E5B00481
     created: 2024-09-28  expires: 2026-09-28  usage: E   
ssb  ed25519/0x92042AAEE5DED137
     created: 2024-09-28  expires: 2026-09-28  usage: A   
[ultimate] (1). Radik Islamov <mail@vizqq.cc>

Note: the local copy of the secret key will only be deleted with "save".
gpg> save
gpg: update failed: Card error
pcsc_scan log after card broke Scanning present readers... Waiting for the first reader... found one Scanning present readers... 0: Yubico YubiKey OTP+FIDO+CCID [Pico Key CCID Interface] (DE6270431F522A2B) 00 00

Sat Sep 28 07:13:38 2024
Reader 0: Yubico YubiKey OTP+FIDO+CCID [Pico Key CCID Interface] (DE6270431F522A2B) 00 00
Event number: 0
Card state: Card inserted,
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C

ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
+ TS = 3B --> Direct Convention
+ T0 = DA, Y(1): 1101, K: 10 (historical bytes)
TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
TC(1) = FF --> Extra guard time: 255 (special value)
TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
TA(3) = FE --> IFSC: 254
TB(3) = 75 --> Block Waiting Integer: 7 - Character Waiting Integer: 5
TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
+ Historical bytes: 00 31 F5 73 C0 01 60 00 90 00
Category indicator byte: 00 (compact TLV data object)
Tag: 3, len: 1 (card service data byte)
Card service data byte: F5
- Application selection: by full DF name
- Application selection: by partial DF name
- BER-TLV data objects available in EF.DIR
- BER-TLV data objects available in EF.ATR
- EF.DIR and EF.ATR access services: by GET DATA command
- Card without MF
Tag: 7, len: 3 (card capabilities)
Selection methods: C0
- DF selection by full DF name
- DF selection by partial DF name
Data coding byte: 01
- Behaviour of write functions: one-time write
- Value 'FF' for the first byte of BER-TLV tag fields: invalid
- Data unit in quartets: 2
Command chaining, length fields and logical channels: 60
- Extended Lc and Le fields
- RFU (should not happen)
- Logical channel number assignment: No logical channel
- Maximum number of logical channels: 1
Mandatory status indicator (3 last bytes)
LCS (life card cycle): 00 (No information given)
SW: 9000 (Normal processing.)
+ TCK = 1C (correct checksum)

Possibly identified card (using /nix/store/qd5x13g2kqlaj3rf5d6rvpdnbym3x9s1-pcsc-tools-1.7.2/share/pcsc/smartcard_list.txt):
3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C
OpenPGP Card V3

I trying move RSA keys, it's work normal

I use waveshare rp2040 one, firmware version 2.2

I have keys ```bash /run/user/1000/gnupg/pubring.kbx \-------------------------------- sec ed25519/0xC2122D51CCE4FFF2 2024-09-28 [C] Key fingerprint = 6E22 B107 949E 5077 F405 D6BE C212 2D51 CCE4 FFF2 uid [ultimate] Radik Islamov <mail@vizqq.cc> ssb ed25519/0xF1E22078CF825EC5 2024-09-28 [S] [expires: 2026-09-28] ssb cv25519/0xDDBBF4D7E5B00481 2024-09-28 [E] [expires: 2026-09-28] ssb ed25519/0x92042AAEE5DED137 2024-09-28 [A] [expires: 2026-09-28] ``` After trying move subkeys to card, card is no longer detected in gnupg... ```bash gpg> key 2 sec ed25519/0xC2122D51CCE4FFF2 created: 2024-09-28 expires: never usage: C trust: ultimate validity: ultimate sub ed25519/0xF1E22078CF825EC5 created: 2024-09-28 expires: 2026-09-28 usage: S ssb* cv25519/0xDDBBF4D7E5B00481 created: 2024-09-28 expires: 2026-09-28 usage: E ssb ed25519/0x92042AAEE5DED137 created: 2024-09-28 expires: 2026-09-28 usage: A [ultimate] (1). Radik Islamov <mail@vizqq.cc> gpg> keytocard Please select where to store the key: (2) Encryption key Your selection? 2 sec ed25519/0xC2122D51CCE4FFF2 created: 2024-09-28 expires: never usage: C trust: ultimate validity: ultimate sub ed25519/0xF1E22078CF825EC5 created: 2024-09-28 expires: 2026-09-28 usage: S ssb* cv25519/0xDDBBF4D7E5B00481 created: 2024-09-28 expires: 2026-09-28 usage: E ssb ed25519/0x92042AAEE5DED137 created: 2024-09-28 expires: 2026-09-28 usage: A [ultimate] (1). Radik Islamov <mail@vizqq.cc> Note: the local copy of the secret key will only be deleted with "save". gpg> save gpg: update failed: Card error ``` <details> <summary>pcsc_scan log after card broke</summary> Scanning present readers... Waiting for the first reader... found one Scanning present readers... 0: Yubico YubiKey OTP+FIDO+CCID [Pico Key CCID Interface] (DE6270431F522A2B) 00 00 Sat Sep 28 07:13:38 2024 Reader 0: Yubico YubiKey OTP+FIDO+CCID [Pico Key CCID Interface] (DE6270431F522A2B) 00 00 Event number: 0 Card state: Card inserted, ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C \+ TS = 3B --> Direct Convention \+ T0 = DA, Y(1): 1101, K: 10 (historical bytes) TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s TC(1) = FF --> Extra guard time: 255 (special value) TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 \----- TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 \----- TA(3) = FE --> IFSC: 254 TB(3) = 75 --> Block Waiting Integer: 7 - Character Waiting Integer: 5 TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following \----- TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V \+ Historical bytes: 00 31 F5 73 C0 01 60 00 90 00 Category indicator byte: 00 (compact TLV data object) Tag: 3, len: 1 (card service data byte) Card service data byte: F5 \- Application selection: by full DF name \- Application selection: by partial DF name \- BER-TLV data objects available in EF.DIR \- BER-TLV data objects available in EF.ATR \- EF.DIR and EF.ATR access services: by GET DATA command \- Card without MF Tag: 7, len: 3 (card capabilities) Selection methods: C0 \- DF selection by full DF name \- DF selection by partial DF name Data coding byte: 01 \- Behaviour of write functions: one-time write \- Value 'FF' for the first byte of BER-TLV tag fields: invalid \- Data unit in quartets: 2 Command chaining, length fields and logical channels: 60 \- Extended Lc and Le fields \- RFU (should not happen) \- Logical channel number assignment: No logical channel \- Maximum number of logical channels: 1 Mandatory status indicator (3 last bytes) LCS (life card cycle): 00 (No information given) SW: 9000 (Normal processing.) \+ TCK = 1C (correct checksum) Possibly identified card (using /nix/store/qd5x13g2kqlaj3rf5d6rvpdnbym3x9s1-pcsc-tools-1.7.2/share/pcsc/smartcard_list.txt): 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 F5 73 C0 01 60 00 90 00 1C OpenPGP Card V3 </details> I trying move RSA keys, it's work normal I use waveshare rp2040 one, firmware version 2.2
polhenarejos commented 2024-09-28 16:30:16 +08:00 (Migrated from github.com)
Copy Link

Please provide steps to reproduce it, including the generation of ed25519 key in localhost.

Please provide steps to reproduce it, including the generation of ed25519 key in localhost.
👍 1
ViZiD commented 2024-09-28 17:48:16 +08:00 (Migrated from github.com)
Copy Link
export IDENTITY="johh locke <johh@locke.me>"
export EXPIRATION=2y

gpg --pinentry-mode=loopback --quick-generate-key "$IDENTITY" ed25519 cert never

export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }')

gpg --pinentry-mode=loopback --quick-add-key $KEYFP ed25519 sign $EXPIRATION
gpg --pinentry-mode=loopback --quick-add-key $KEYFP cv25519 encr $EXPIRATION
gpg --pinentry-mode=loopback --quick-add-key $KEYFP ed25519 auth $EXPIRATION

gpg --edit-key $KEYFP 

Secret key is available.

sec  ed25519/0x54C046F05B051A89
     created: 2024-09-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  ed25519/0xE7FA1A03722683A8
     created: 2024-09-28  expires: 2026-09-28  usage: S   
ssb  cv25519/0xFC452AADEE3DC41F
     created: 2024-09-28  expires: 2026-09-28  usage: E   
ssb  ed25519/0x4D7D7CDA4128AC7E
     created: 2024-09-28  expires: 2026-09-28  usage: A   
[ultimate] (1). johh locke <johh@locke.me>

gpg> key 1

sec  ed25519/0x54C046F05B051A89
     created: 2024-09-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb* ed25519/0xE7FA1A03722683A8
     created: 2024-09-28  expires: 2026-09-28  usage: S   
ssb  cv25519/0xFC452AADEE3DC41F
     created: 2024-09-28  expires: 2026-09-28  usage: E   
ssb  ed25519/0x4D7D7CDA4128AC7E
     created: 2024-09-28  expires: 2026-09-28  usage: A   
[ultimate] (1). johh locke <johh@locke.me>

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1


# move cv25519 key
gpg --edit-key $KEYFP 
Secret key is available.

sec  ed25519/0x54C046F05B051A89
     created: 2024-09-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
sub  ed25519/0xE7FA1A03722683A8
     created: 2024-09-28  expires: 2026-09-28  usage: S   
ssb  cv25519/0xFC452AADEE3DC41F
     created: 2024-09-28  expires: 2026-09-28  usage: E   
ssb  ed25519/0x4D7D7CDA4128AC7E
     created: 2024-09-28  expires: 2026-09-28  usage: A   
[ultimate] (1). johh locke <johh@locke.me>

gpg> key 2

sec  ed25519/0x54C046F05B051A89
     created: 2024-09-28  expires: never       usage: C   
     trust: ultimate      validity: ultimate
sub  ed25519/0xE7FA1A03722683A8
     created: 2024-09-28  expires: 2026-09-28  usage: S   
ssb* cv25519/0xFC452AADEE3DC41F
     created: 2024-09-28  expires: 2026-09-28  usage: E   
ssb  ed25519/0x4D7D7CDA4128AC7E
     created: 2024-09-28  expires: 2026-09-28  usage: A   
[ultimate] (1). johh locke <johh@locke.me>

gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
```bash export IDENTITY="johh locke <johh@locke.me>" export EXPIRATION=2y gpg --pinentry-mode=loopback --quick-generate-key "$IDENTITY" ed25519 cert never export KEYFP=$(gpg -k --with-colons "$IDENTITY" | awk -F: '/^fpr:/ { print $10; exit }') gpg --pinentry-mode=loopback --quick-add-key $KEYFP ed25519 sign $EXPIRATION gpg --pinentry-mode=loopback --quick-add-key $KEYFP cv25519 encr $EXPIRATION gpg --pinentry-mode=loopback --quick-add-key $KEYFP ed25519 auth $EXPIRATION gpg --edit-key $KEYFP Secret key is available. sec ed25519/0x54C046F05B051A89 created: 2024-09-28 expires: never usage: C trust: ultimate validity: ultimate ssb ed25519/0xE7FA1A03722683A8 created: 2024-09-28 expires: 2026-09-28 usage: S ssb cv25519/0xFC452AADEE3DC41F created: 2024-09-28 expires: 2026-09-28 usage: E ssb ed25519/0x4D7D7CDA4128AC7E created: 2024-09-28 expires: 2026-09-28 usage: A [ultimate] (1). johh locke <johh@locke.me> gpg> key 1 sec ed25519/0x54C046F05B051A89 created: 2024-09-28 expires: never usage: C trust: ultimate validity: ultimate ssb* ed25519/0xE7FA1A03722683A8 created: 2024-09-28 expires: 2026-09-28 usage: S ssb cv25519/0xFC452AADEE3DC41F created: 2024-09-28 expires: 2026-09-28 usage: E ssb ed25519/0x4D7D7CDA4128AC7E created: 2024-09-28 expires: 2026-09-28 usage: A [ultimate] (1). johh locke <johh@locke.me> gpg> keytocard Please select where to store the key: (1) Signature key (3) Authentication key Your selection? 1 # move cv25519 key gpg --edit-key $KEYFP Secret key is available. sec ed25519/0x54C046F05B051A89 created: 2024-09-28 expires: never usage: C trust: ultimate validity: ultimate sub ed25519/0xE7FA1A03722683A8 created: 2024-09-28 expires: 2026-09-28 usage: S ssb cv25519/0xFC452AADEE3DC41F created: 2024-09-28 expires: 2026-09-28 usage: E ssb ed25519/0x4D7D7CDA4128AC7E created: 2024-09-28 expires: 2026-09-28 usage: A [ultimate] (1). johh locke <johh@locke.me> gpg> key 2 sec ed25519/0x54C046F05B051A89 created: 2024-09-28 expires: never usage: C trust: ultimate validity: ultimate sub ed25519/0xE7FA1A03722683A8 created: 2024-09-28 expires: 2026-09-28 usage: S ssb* cv25519/0xFC452AADEE3DC41F created: 2024-09-28 expires: 2026-09-28 usage: E ssb ed25519/0x4D7D7CDA4128AC7E created: 2024-09-28 expires: 2026-09-28 usage: A [ultimate] (1). johh locke <johh@locke.me> gpg> keytocard Please select where to store the key: (2) Encryption key Your selection? 2 ```
polhenarejos commented 2024-09-30 23:02:38 +08:00 (Migrated from github.com)
Copy Link

Are you using the EdDSA branch?

Are you using the EdDSA branch?
ViZiD commented 2024-10-01 02:02:36 +08:00 (Migrated from github.com)
Copy Link

Are you using the EdDSA branch?

Hi, no, i use 2.2 version from release page

> Are you using the EdDSA branch? Hi, no, i use 2.2 version from release page
ViZiD commented 2024-10-04 22:35:15 +08:00 (Migrated from github.com)
Copy Link

Are you using the EdDSA branch?

I try eddsa branch, and it work ;-)

> Are you using the EdDSA branch? I try eddsa branch, and it work ;-)
polhenarejos commented 2025-01-15 17:52:08 +08:00 (Migrated from github.com)
Copy Link

No activity. Reopen if needed.

No activity. Reopen if needed.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
Something isn't working
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 enhancement
New feature or request
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 invalid
This doesn't seem right
 question
Further information is requested
 wontfix
This will not be worked on
No Label bug good first issue
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
dearsky
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dearsky/pico-openpgp#20
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?