
gpgsm --gen-key with existing key from "ssh-add" fails
This was originally reported over on https://dev.gnupg.org/T4892, but it
was requested to move it to the mailing list, so i'm repeating it here.

This was reported by a user on the #gnupg IRC channel on freenode.

With a fresh GNUPGHOME, and gpg-agent acting as ssh-agent:

ssh-keygen -f ssh-key -N ''
ssh-add ssh-key
gpgsm --gen-key

then choose "existing key" and select the keygrip found in sshcontrol. The result is:

Create self-signed certificate? (y/N) y
These parameters are used:
Key-Type: RSA
Key-Length: 1024
Key-Grip: 0B4329C87AD80CDCCA1D04C9F0B4FE11378A6F74
Key-Usage: sign, encrypt
Serial: random
Name-DN: CN=Alice
Name-Email: alice@example.biz

Proceed with creation? (y/N) y
Now creating self-signed certificate. This may take a while ...
gpgsm: error setting the public key: Invalid S-expression
gpgsm: error creating certificate request: Invalid S-expression <KSBA>

note that the key created by ssh-key is 3072-bit RSA, not 1024.

Using nettle-bin's sexp-conv, i see:

2 dkg@alice:/tmp/cdtemp.6ckvQX$ sexp-conv < private-keys-v1.d/A61AD73FB26752B4DAB90F007E6F76467659A19B.key
(protected-private-key (rsa (n |AL3C+/cNPCsJ+xKZXOG/u+f1eGM/VsMA7Gs7y1w/
ki3y7fXeVCgV8KXaVQq/4ylfR04aXj3gsrmSDHYX
KYBo69OoGx8tLhhi20ugMAc1qlRuMgmQZDjYGc8U
m4ftOpwKoyKolfPV+PayoXQF0G7aeTC9+kmXxLfv
ZD5DL8UWx/nFTly+5LctlQGshN1+1AZ6U9f4qdRi
by2RpiMa7gdVD1M41RVm+Q2KoMYCs4WMeFgV4+Kj
vxU32O8lLMQ+RpB6Z7Ra/756FeXyATrY7Q2hTGAd
9V9X+vxupsX5MROlg1OfsSRClHVpK1kjiauM+0Zl
oxXEBorRn+qZ51SrimXBaYlAri0zBw0HWg/cc1Xx
pbxWqPrWh5rRrC+wukDG1XiM5LZdWBrZJiT0nYxZ
hzczd9jgjj45XpvcrgK6uiXUWpYPpyjCRAVP/sW1
ZVcm4x8RyYjuvwjh/vKg4F7kludEctnyavQI0utY
62nwESLUuQhKgNvN23Th20iVXGMWOik1GQ==|)
(e |AQAB|)
(protected openpgp-s2k3-sha1-aes-cbc
((sha1 |aFmt6IeekIM=|
"72943616") |cT9DP9U3fOSXE
elRUvQW1Q==|)
|2BrkPE2deaC3tf+d5rwG2x8QGdilAh+Z
WOoHa/KVlZhvBBIFCfA8g12DamARZTZd
MYIKcjIMDNTlj3I/xJZayzWcm5XliA0O
WqvZJnedJWvjanHLWIu4z5ik+T85fL7E
24/4nrQhTaTFtYo27cgdFgvGxeXbZx9f
VCAhF/Kf12NHDkVEI3qMRBFNd0ofGeTq
4xMtnGd0OfbSG2V51iK0GaexmW4ySkyt
LYpyfMK4Tx/AdwZQAUacJqSs1/ZkoB+R
hTAhW/EsWjHCYeuESZYizUZSuTX9vsGq
If/bVZctTkGQ8jG0qjSpDY9qc8Kjf1wH
ejN1L3qAvXwhDk1bSY+M5XuZ3WgYJgM5
1XL02xQnJl4Eq60lfO9wkRqZEe56PcF+
N4jpNwHcNAHHp58aROm9hsl7u3txAAu2
4d59iGbzkZZFC+3EkC8AxHvhpMCN2vnL
BH/3+THthzcJp4MA8GI5sGsjunHDesT4
LYifUnk99+5bFeCtnnPCNc9kTUDWR0lY
uGYJlmT7frIN+B2EYfaLvlVDlEkoUkM3
aNP8OyViQpQEoLqpTI73/pDMMqOgJWPv
9OgdPk21Ns0/MrKbHxnvKV1Kt7YOZiRI
e7eHjs5PKp2Dk2KxDggwh4B+49o1N+4q
ne/pizT8xNv0kfHaqFj6kfGSA2xevBUK
tLUFvrtenTLV/WtuiLiB56xdG2rDPrmO
VPyzw9B1j2AV2DEfQI6co88rUHO8pLVK
FFqy5nMFnekUrqLITwmSZFPYW24Cf9os
mpeZS/NXfbWITXY+A57mD4l5HGxq3+fu
E5yYNaYoBYkWHTiYDZjdDU5XzU+XoO9A
nFPYrP505dI5aN9QkOdH8HUFp7Qc+6za
j/2MwrULF1BwzT8Lk+Zi6tKE1/K7jH1G
kF5mDjvIfdJktcZU6pLzfIhLHG/egvzy
dzliIDdS72mvsv9l5bWwxqhRNehXn43D
lbSo8mGl1J70EXlXOlXaXnbW8tthlV9c
IXUR1LLHsY5tXuw2UU+aAzlHDxWWlO58
3UPhPUR+ESZCJ3c7uG1MPsIcphAOUVp1
AuqIwYEA77mBvHMjHO1nW+7AS+vyNMOK
iYCnHFZbvDCWHW+8VotsHwSc/8amILBy
AESAbZllfu6nNYNOf4ai2BScUZPu3jNx
/AhWiEK5Vqgv6xWrEi6Xx7/eTR0HhzXE
U0/s5yfl7Rh9ax+2xWz00VEo5l2xHASX
WDGTuhjREufMCgVwccxlMWMVLHiabYi8
rKCtWDJp6c/DgSbGNz6Jy1IL40LPqjaJ
viMmbQKnhmycMyCm+rVcKacVL1a9bYnZ
yqrOplQm4DThEGPSVXn36W+8uSfgosJI
ENvoCme0XnpozjnK5fBI3l1mLFcSvBtp
7RG57f5s/MPNb+5MvrgPSM5xEoeXgyfC|)
(protected-at "20200326T010201"))
(comment "test@host"))


Any suggestions on what is going wrong here?

--dkg
Re: gpgsm --gen-key with existing key from "ssh-add" fails
On Thu 2020-03-26 09:54:02 -0400, Daniel Kahn Gillmor via Gnupg-devel wrote:
> This was originally reported over on https://dev.gnupg.org/T4892

Over there, Werner wrote:

> I would also suggest to use GnuPG master

The original reporter (in Cc) has now tried the same process with GnuPG
master, and reports that they see the same misbehavior on GnuPG master.

What is the next step for debugging this? It seems clearly buggy to me
(on both STABLE-BRANCH-2-2 and master).

--dkg
Re: gpgsm --gen-key with existing key from "ssh-add" fails
On Thu, 26 Mar 2020 09:54, Daniel Kahn Gillmor said:

> Now creating self-signed certificate. This may take a while ...
> gpgsm: error setting the public key: Invalid S-expression
> gpgsm: error creating certificate request: Invalid S-expression <KSBA>
>
> note that the key created by ssh-key is 3072-bit RSA, not 1024.

> Using nettle-bin's sexp-conv, i see:

Better don't use Nettle's tool because it encodes in ("|....|") but GnuPG
only implements hex encoding ("#...#"). Binary output would thus
be easier to analyze, or put

enable-extended-key-format

into gpg-agent.conf and change the passphrase so that the file gets
rewritten. I fear that single stepping is the best way to track this
down.


BTW, that option is anyway the default in 2.3 because it allows adding
meta data with an editor, like

Label: My key on the green painted yubikey.
Key: ....

The Label for example is shown by the pinentry.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Re: gpgsm --gen-key with existing key from "ssh-add" fails
On Sun 2020-03-29 18:16:03 +0200, Werner Koch wrote:
> Better don't use Nettle's tool because it encodes in ("|....|") but GnuPG
> only implements hex encoding ("#...#"). Binary output would thus
> be easier to analyze, or put
>
> enable-extended-key-format

if gpg can't read base64-encoded s-expressions, nettle's sexp-conv can
also use hex encoding instead with "-s hex", fwiw.

Anyway, I can't imagine that the format used by nettle-sexp is the issue
here, but to avoid confusion, i've repeated the experiment using
enable-extended-key-format (see the postscript here for examples).

The point of the bug report has to do with gpgsm, and it failing to
generate an X.509 certificate as expected, though. The initial report
includes enough to reproduce the bug. Have you been unable to reproduce
it?

export GNUPGHOME=$(mktemp -d)
export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
echo enable-extended-key-format > $GNUPGHOME/gpg-agent.conf
gpgconf --start gpg-agent
ssh-keygen -f test.key -N ''
ssh-add test.key
grip=$(ls $GNUPGHOME/private-keys-v1.d | cut -f1 -d.)
gpgsm --gen-key

(in gpgsm, select "existing key" and put in the generated keygrip)

I started trying to write up a --batch generation script to make a
fully-automated reproducer for this bug report, but i ran into a
different bug (https://dev.gnupg.org/T4895) so i gave up.

Regards,

--dkg

PS here is the extended-key format, and an OpenSSH private key that was
added via ssh-add:

Key: (private-key (rsa (n #009DFE0B31B096178536EB8EB18C81899D54B65C5D21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#)(e #010001#)(d
#7CB3D802106F67812E281F28E4CE19E0A4CC8B7AB6BCF19CFE62C99AAD6DDB326865
B65116A3039449837DE78DE7B4AFDA3BA8ED24D0210A13E445737DC2CE246B2E0FEEA7
73191645461D30546B8689A6160207DFF9740ADB67DADDA2F9D155C0527E1614BFC0F2
3A9CF0F5E52E842D1BA9C19405A0C3959322F621BE71AD3CB1057CCDE2322F8F7FBA7C
2845C55423048310144E9A6ACA27705E8E2A2D846F27BE57033A66F771876F565F2618
7B55E52484490BA44620B14BFF629E1FE7F7B0060F820CBC2F200CF370A9CE830F108B
B81C66D30515DACA0C1E774109A89E32E041EA699D07A7A8FB5AD02D4CE26AFB095108
85937D87E7FFD7867BE48E049654F84D224CEC9DE0D5A86C4A5DF0B4343AA8416CD138
6DE929F8D7C0C46D126472ED867AB15B348017C98BFF6B351116FC643EC182AF156E12
5EC3E4D9DC8D6D61F52A4861603254F786B7BF0947C13A9D4F77C116B98651FDEE7524
D976E4C4735EEAD6F8F6A8BEF01006FC668BA3D3EE03F43996BCDD21278A18F0C27A81
#)(p #00C2EA695EDDD0D35DB9EA10B91D0085A2E8B5F3636612A3212291B90285D988
E757C9ACFBAC40E05A9ED9917F846DB13A0A9D4A2507FEBEA984BF8EC51D1E09F6F085
78EA998684C5787DE290779323CBB1AC8BACC8FC17D60C3A7C563B3949560E99C59CD5
2DE7C2CE35733AAC6B7C14BA8BABFD5FCB75FAB50C1296050D1F113A67BFBBF658E3BC
BC1AA3A7BEBB053E701A8E43EE851D4C954475374C57B29F0B4F673D3BB598AA9FAEAB
F3BE9E88DF66C4D173249A2191B4743A97D028F16F#)(q
#00CF815E64E21EE6592B71026AD827100ABB0BEA07E01D42EBF6214E24523AFF5F6D
2D9D602A4B7517C57760F9065996333E69BAF66441BCC1FC2A50ED3BA50CAE2CEBE78F
12269A99A4EE86290E96B1D5D6856278DDB0D29BED811DB19FDC55744D67C0B476E213
35DA7EC8F370E868F0441BA185FD4D66964A5F7576A2576E5AC697A76C82BB9A95FA95
DF9D2C6AB850953B0B96CDCBD5828504EA7589BBAB0C2330DF1029D9AD1ECB18B36F05
E7A24E3C41C65D55F88A9905A48A412233474D#)(u
#00B6159877B4D68ACEE41836ABCE62C34CE2B56FF2080FCF0646FB53A55B6E23B38E
F70BB54C2B394DA1A68A32FD44F04C2E69DBAEBAEC46D1F41E1CA0811B770CF94D8943
9B8EC36946F22100D494C02F161ED155B6D7F0516D9978C90DF6AB0B6AA334BE6B4DF5
5FEC50B5F5A71BAEE5726040E55E9D2533D37638FDCEB49B673B184B0CE1FDED29AB6D
C20FC3EF72F9DC57C938CBACC2E59E61113D6259AF246B198484CA931667FA1176EE0C
E39A83BB9099FD86C0D8AFE0F0D0A882022059#))(comment "dkg@alice"))


i had used ssh-add on this key:

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
Re: gpgsm --gen-key with existing key from "ssh-add" fails
Hi,

I found the problem:

(public-key
(rsa
(n #00B1[...]#)
(e #010001#)
)
(comment ./test.key)
)

This is passed to Libksba but Libksba does not grok the comment part and
bails out on this. I pushed a change to Libksba

commit 1e903fe558bd6583c5447fbebe2ef019229dbfdc
Allow optional elements in keyinfo objects.

We are planning a new libksba release anyway, which has a bunch of
smaller fixes collected since the last release in 2016.

Thanks for identifying this bug.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
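The two format details the thread turns on are the extended key format Werner sketches ("Label:" and "Key:" lines in the agent's key file) and the public-key S-expression that gpgsm handed to Libksba with a trailing (comment ...) element that the library's keyinfo parser rejected. The following is an added example, not code from GnuPG or Libksba: a small Python parser for advanced-format S-expressions (#hex# as GnuPG writes it, |base64| as sexp-conv writes it, quoted and bare tokens), a reader for the "Name: value" key file, and a keyinfo extractor that can be run either strictly (any element after the algorithm list is an error, the pre-fix behaviour) or leniently (optional elements are skipped, the behaviour the fix describes). It also reports the modulus size, which is how one would check a "Key-Length" shown by gpgsm against the key actually stored. The sample key file is constructed with a toy 64-bit modulus; the continuation and comment rules for the key file are assumptions about the format, not taken from the thread.

```python
import base64
import re
from typing import Dict, List, Union

SExp = Union[bytes, List["SExp"]]

# Constructed sample in the extended key format sketched in the thread
# ("Label:" and "Key:" lines).  The modulus is a toy 64-bit value, not a real
# key.  The rules that an indented line continues the previous value and that
# a line starting with '#' is a comment are assumptions about the format.
SAMPLE_KEYFILE = """# constructed sample, not a real key
Label: My key on the green painted yubikey.
Key: (public-key (rsa (n #00C2EA695EDDD0D35D#)
  (e #010001#)) (comment "test@host"))
"""

# Advanced S-expression tokens as seen in the thread: parentheses, #hex#
# (what GnuPG emits), |base64| (what sexp-conv emits), "quoted" and bare atoms.
_TOKEN = re.compile(
    r'\s+|(?P<open>\()|(?P<close>\))'
    r'|#(?P<hex>[0-9A-Fa-f\s]*)#'
    r'|\|(?P<b64>[A-Za-z0-9+/=\s]*)\|'
    r'|"(?P<str>[^"]*)"'
    r'|(?P<bare>[^\s()#|"]+)'
)


def parse_sexp(text: str) -> SExp:
    """Parse one advanced-format S-expression into nested lists of bytes atoms."""
    stack: List[List[SExp]] = [[]]
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"bad token at offset {pos}")
        pos = m.end()
        if m.group("open"):
            stack.append([])
        elif m.group("close"):
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            done = stack.pop()
            stack[-1].append(done)
        elif m.group("hex") is not None:
            stack[-1].append(bytes.fromhex(re.sub(r"\s", "", m.group("hex"))))
        elif m.group("b64") is not None:
            stack[-1].append(base64.b64decode(re.sub(r"\s", "", m.group("b64"))))
        elif m.group("str") is not None:
            stack[-1].append(m.group("str").encode())
        elif m.group("bare") is not None:
            stack[-1].append(m.group("bare").encode())
        # plain whitespace: nothing to append
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    if len(stack[0]) != 1:
        raise ValueError("expected exactly one top-level expression")
    return stack[0][0]


def parse_extended_key_file(text: str) -> Dict[str, str]:
    """Split 'Name: value' lines into a dict.  Indented lines continue the
    previous value; '#' lines and blank lines are skipped (assumed rules)."""
    fields: Dict[str, str] = {}
    last = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last is not None:
            fields[last] += " " + line.strip()
        elif not line.strip() or line.startswith("#"):
            continue
        else:
            name, _, value = line.partition(":")
            last = name.strip()
            fields[last] = value.strip()
    return fields


def rsa_keyinfo(sexp: SExp, allow_extra: bool = True) -> Dict[str, int]:
    """Pull n and e out of (public-key (rsa (n ...) (e ...)) ...).

    allow_extra=False rejects any element after the algorithm list, such as
    the (comment ...) the thread identifies as the trigger for "Invalid
    S-expression".  allow_extra=True skips optional elements, as the fix does.
    """
    if not isinstance(sexp, list) or len(sexp) < 2 or sexp[0] != b"public-key":
        raise ValueError("not a public-key S-expression")
    if len(sexp) > 2 and not allow_extra:
        raise ValueError("Invalid S-expression: unexpected element after key material")
    algo = sexp[1]
    if not isinstance(algo, list) or not algo or algo[0] != b"rsa":
        raise ValueError("only RSA is handled here")
    params: Dict[str, int] = {}
    for item in algo[1:]:
        if (isinstance(item, list) and len(item) == 2
                and isinstance(item[0], bytes) and isinstance(item[1], bytes)):
            params[item[0].decode()] = int.from_bytes(item[1], "big")
    if "n" not in params or "e" not in params:
        raise ValueError("missing RSA parameter")
    return {"n": params["n"], "e": params["e"], "bits": params["n"].bit_length()}


def describe_keyfile(text: str, allow_extra: bool = True) -> Dict[str, object]:
    """Label, modulus size and public exponent of the key in an extended key file."""
    fields = parse_extended_key_file(text)
    info = rsa_keyinfo(parse_sexp(fields["Key"]), allow_extra)
    return {"label": fields.get("Label", ""), "bits": info["bits"], "e": info["e"]}


if __name__ == "__main__":
    print(describe_keyfile(SAMPLE_KEYFILE))
    try:
        describe_keyfile(SAMPLE_KEYFILE, allow_extra=False)
    except ValueError as err:
        print("strict parser:", err)
```

Running the block prints the label and a 64-bit modulus for the lenient parser and the "Invalid S-expression" style rejection for the strict one; pointing describe_keyfile at a real extended-format file from private-keys-v1.d (after the passphrase change Werner describes, so the file is rewritten in that format) gives the stored key size to compare against what gpgsm reports.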