Nitrokey Pro 2 cannot sign using SHA512

CodingCellist · August 9, 2020, 2:33pm

To whom it may concern,

I recently acquired a Nitrokey Pro 2 and set it up with GnuPG and subkeys. When testing to see if the signing subkey worked, I kept getting the error gpg: signing failed: Conditions of use not satisfied. I initially thought this was a problem with using ECC for the keys instead of RSA. However, I discovered that it was to do with my gpg.conf setup instead, which was set to use SHA512 as the preferred digest algorithm. Changing this to SHA384 or SHA256 fixed the problem and I was able to sign files. This is odd to me, as the Nitrokey Pro 2 factsheet states that SHA512 is supported by the device.

Using strace to investigate the problem, I confirmed that it was using SHA512 that was the root of the problem. In the included strace-files, you can see that the only thing that changes is the number used in SETHASH on line 9:

strace-sha512 breaks

execve("/usr/bin/gpg", ["gpg", "-s", "-u", "teh6@st-andrews.ac.uk", "--digest-algo", "SHA512", "test-s.txt"], <...> /* 37 vars */) = 0
<...>
write(4, "SIGKEY <...>"..., 47) = 47
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "SETKEYDESC Please+enter+the+pass"..., 247) = 247
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "SETHASH 10 <...>"..., 139) = 139
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "PKSIGN", 6)                   = 6
write(4, "\n", 1)                       = 1
read(4, "INQUIRE PINENTRY_LAUNCHED <...> g"..., 1002) = 70
write(4, "END", 3)                      = 3
write(4, "\n", 1)                       = 1
read(4, "ERR 100663427 Conditions of use "..., 1002) = 52
write(2, "gpg: signing failed: Conditions "..., 52) = 52
write(2, "\n", 1)                       = 1
<...>
write(2, "gpg: signing failed: Conditions "..., 52) = 52
write(2, "\n", 1)                       = 1
close(3)                                = 0
<...>
exit_group(2)                           = ?
+++ exited with 2 +++

strace-sha384 works

execve("/usr/bin/gpg", ["gpg", "-s", "-u", "teh6@st-andrews.ac.uk", "--digest-algo", "SHA384", "test-s.txt"], <...> /* 37 vars */) = 0
<...>
write(4, "SIGKEY <...>"..., 47) = 47
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "SETKEYDESC Please+enter+the+pass"..., 243) = 243
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "SETHASH 9 <...>"..., 106) = 106
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "PKSIGN", 6)                   = 6
write(4, "\n", 1)                       = 1
read(4, "INQUIRE PINENTRY_LAUNCHED <...> g"..., 1002) = 70
write(4, "END", 3)                      = 3
write(4, "\n", 1)                       = 1
read(4, "<...>"..., 1002) = 140
<...>
write(6, "<...>"..., 212) = 212
close(6)                                = 0
close(3)                                = 0
<...>
exit_group(0)                           = ?
+++ exited with 0 +++

strace-sha256 works

execve("/usr/bin/gpg", ["gpg", "-s", "-u", "teh6@st-andrews.ac.uk", "--digest-algo", "SHA256", "test-s.txt"], <...> /* 37 vars */) = 0
<...>
write(4, "SIGKEY <...>"..., 47) = 47
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "SETKEYDESC Please+enter+the+pass"..., 247) = 247
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "SETHASH 8 <...>"..., 74) = 74
write(4, "\n", 1)                       = 1
read(4, "OK\n", 1002)                   = 3
write(4, "PKSIGN", 6)                   = 6
write(4, "\n", 1)                       = 1
read(4, "INQUIRE PINENTRY_LAUNCHED <...> g"..., 1002) = 70
write(4, "END", 3)                      = 3
write(4, "\n", 1)                       = 1
read(4, "<...>"..., 1002) = 142
<...>
write(6, "<...>"..., 213) = 213
close(6)                                = 0
close(3)                                = 0
<...>
exit_group(0)                           = ?
+++ exited with 0 +++

Looking at the GnuPG source definitions, the numbers 8, 9, and 10 correspond to the algorithms SHA256, SHA384, and SHA512 respectively, and it is only SETHASH 10 that causes the error to occur.

typedef enum
  {
    DIGEST_ALGO_MD5         =  1,
    DIGEST_ALGO_SHA1        =  2,
    DIGEST_ALGO_RMD160      =  3,
    /* 4, 5, 6, and 7 are reserved. */
    DIGEST_ALGO_SHA256      =  8,
    DIGEST_ALGO_SHA384      =  9,
    DIGEST_ALGO_SHA512      = 10,
    DIGEST_ALGO_SHA224      = 11,
    DIGEST_ALGO_PRIVATE10   = 110
  }
digest_algo_t;

I am happy to help investigate this further if need be. It could also be that it is a problem with GnuPG rather than the Nitrokey Pro 2. However, I thought the best start would be to raise an issue here.

My setup is as follows:

OS: Linux 5.7.11
Nitrokey Pro 2 version: 3.3
GnuPG: 2.2.21
libgcrypt: 1.8.6
libnitrokey: 3.5

Let me know if you need any further details.

Yours faithfully,
Thomas E. Hansen

jan · August 10, 2020, 6:15am

Most likely an issue with GnuPG or any of its libraries. It would be awesome if you could report this issue at GnuPG’s mailing list or issue tracker.

szszszsz · August 10, 2020, 12:00pm

Hi @CodingCellist!

Thank you for much informative report!

I believe this is a GnuPG problem, as specification says that the sha512 is supported. See the specification:
- https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf, page 54
- https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf, page 56
If possible please set up scdaemon logging with copying this scdaemon.conf file to your ~/.gnupg/ directory, and changed path to /home/<your login>/.gnupg/scdaemon.log . When the issue occurs please attach the log. Do not use secret PINs since setting this, as all communication with smart card will be included there.

CodingCellist · August 10, 2020, 10:03pm

Hi both,

Thank you for getting back so quick. I have a couple of questions concerning how to proceed.
@szszszsz , I will set up the scdaemon stuff tomorrow and play around with it.

When you say “[d]o not use secret PINs since setting this”, is this only the smart-card unlocking and admin PINs or is it also the keys? I.e., am I okay to use my keys that are on the Nitrokey or do I have to change those as well?
Should I still open an issue on the GnuPG issue tracker, or should I wait until I have the scdaemon log?

All the best,
Thomas

szszszsz · August 11, 2020, 4:44pm

Hi!

Only Admin and User PINs, which are sent plaintext to the device. The private parts of the PGP keys are never released from the smart card, once they are written there. Potentially any custom Data Objects content (e.g. part of the disk encryption key) could be revealed due to how the GnuPG treats them (it shows it clear text on the smart card status screen).
I think that GnuPG team will ask for the scdaemon logs anyway, so this will not be a wasted effort unless they do know about the issue already. However search for sha512 shows nothing interesting.

szszszsz · August 11, 2020, 4:48pm

You can send the logs to support@nitrokey.com in case you would like to share them privately just in case.

CodingCellist · August 11, 2020, 9:02pm

Got the scdaemon config working. I made sure to reset the PINs to the card defaults first. The files can be found at this GitHub gist.

I also created a bug report on the GnuPG site here. I guess this is where most of the further debugging will be happening?

szszszsz · August 12, 2020, 8:39am

Great! Thank you for taking care of this!

Exactly. We will monitor this ticket as well just in case we could help somehow.

CodingCellist · August 13, 2020, 1:50pm

Turned out to be a GnuPG issue. It will be solved in GnuPG 2.2.22. Thanks for helping me provide the right details.