我使用 創建了一組經典的身份驗證、簽名和加密子密鑰gpg,然後將它們移至智能卡 [ledger nano S] 中,這似乎工作正常,因為我可以看到這三個子密鑰:
$ gpg --card-status
Serial number ....: 00000000
Signature key ....: F34F 66B8 5D18 A8BC CDD4 C909 4705 D74B 9E2F EFFC
Encryption key....: AD71 E2C1 2E41 C870 3192 D997 78B9 F3F6 7D9B 47DC
Authentication key: D644 70D8 88AB BA93 F9F4 BFE0 2726 E1C4 E4DB E4C3
我是如何登陸那裡的
基本資訊:
$ gpg --version
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
產生加密、簽署和認證子金鑰:
$ gpg --expert --edit-key Plup*
gpg> addkey
type: ECC (sign only)
curve: cv25519
Please unlock the card
gpg> addkey
type: ECC (encrypt only)
curve: cv25519
gpg> addkey
type: ECC (set your own capabilities)
allowed actions: Authenticate
curve: cv25519
gpg> save
檢查子項:
$ gpg -K Plup*
sec> ed25519 2022-06-03 [SC]
394ED8F3BA05CF4E7866D54657EEBF4BCFF5BFCD
Card serial no. = 2C97 11BFF50F
uid [ultimate] Plup* <[email protected]>
ssb ed25519 2022-06-03 [S]
ssb cv25519 2022-06-03 [E]
ssb ed25519 2022-06-03 [A]
將子金鑰移至新的智慧卡插槽(/!\確保不覆蓋主金鑰):
$ gpg --card-status
Reader ...........: Ledger Nano S [Nano S] (0001) 00 00
Serial number ....: 7AC3CFF8
Signature key ....: [none]
$ gpg --edit-key Plup*
gpg> key 1
gpg> keytocard
Signature key
Passphrase:
Please entre the Admin PIN
Number: 2C97 7AC3CFF8
gpg> key 1
gpg> key 2
gpg> keytocard
Encryption key
Passphrase:
gpg> key 2
gpg> key 3
gpg> keytocard
Authentication key
Passphrase:
gpg> save
我現在遇到的問題
指紋與密鑰環所看到的相匹配,但由於某種我不明白的原因,加密密鑰存根未就位,並且私有子密鑰仍然存在於電腦密鑰環中。解密時它仍然要求輸入密碼而不是智慧卡 PIN:
```
$ gpg --with-keygrip --with-subkey-fingerprints -K Plup*
sec> ed25519 2022-06-03 [SC]
394ED8F3BA05CF4E7866D54657EEBF4BCFF5BFCD
Keygrip = 27D911732841CDB06B3CDFA100DDE95DF420B92E
Card serial no. = 2C97 11BFF50F
uid [ultimate] Plup* <[email protected]>
ssb> ed25519 2022-06-03 [S]
F34F66B85D18A8BCCDD4C9094705D74B9E2FEFFC
Card serial no. = 2C97 7AC3CFF8
Keygrip = AF76C5E4B1DA101E0F3AFEDDDED6276C4D011261
ssb cv25519 2022-06-03 [E]
AD71E2C12E41C8703192D99778B9F3F67D9B47DC
Keygrip = E6D65814CBE230A21001F36BD2BC232E6B7251ED
ssb> ed25519 2022-06-03 [A]
D64470D888ABBA93F9F4BFE02726E1C4E4DBE4C3
Card serial no. = 2C97 7AC3CFF8
Keygrip = 511C8CAAC3A7B8A2DAD4B3E6A512A7F160A02CD5
```
到目前為止我嘗試過的
我嘗試刪除私鑰,但無法強制存根自行建立:
ssb# cv25519/78B9F3F67D9B47DC created: 2022-06-03 expires: never在偵錯中啟動會顯示該密鑰的鍵柄錯誤(刪除後它會不斷創建相同的鍵柄):
2022-06-06 12:47:44 gpg-agent[12064] id: OPENPGP.2 (grip=C74F8FF13CB491D0C98497C6B77A49FCB156F7E5)
2022-06-06 12:47:44 gpg-agent[12064] DBG: chan_11 -> READKEY OPENPGP.2
2022-06-06 12:47:44 gpg-agent[12064] DBG: chan_11 <- [ 44 20 28 31 30 3a 70 75 62 6c 69 63 2d 6b 65 79 ...(91 byte(s) skipped) ]
2022-06-06 12:47:44 gpg-agent[12064] DBG: chan_11 <- OK
2022-06-06 12:47:44 gpg-agent[12064] id: OPENPGP.2 - shadow key created
已確認:
$ gpg-connect-agent 'keyinfo --list' /bye | grep D2760001240103032C977AC3CFF80000
S KEYINFO 705790B1A7609806F633BCCB212784031E42017E T D2760001240103032C977AC3CFF80000 OPENPGP.1 - - - - -
S KEYINFO AF76C5E4B1DA101E0F3AFEDDDED6276C4D011261 T D2760001240103032C977AC3CFF80000 OPENPGP.1 - - - - -
S KEYINFO C74F8FF13CB491D0C98497C6B77A49FCB156F7E5 T D2760001240103032C977AC3CFF80000 OPENPGP.2 - - - - -
S KEYINFO 511C8CAAC3A7B8A2DAD4B3E6A512A7F160A02CD5 T D2760001240103032C977AC3CFF80000 OPENPGP.3 - - - - -
- 我嘗試使用相同的曲線重新創建一個新的加密子密鑰,但其
keytocard行為仍然相同:它完成時沒有錯誤,但密鑰(下面的新手柄)沒有移動:
$ gpg-connect-agent 'keyinfo --list' /bye | grep 5CF6DF65EF080B01F774BCC7F8063814CE5DAEF6
S KEYINFO 5CF6DF65EF080B01F774BCC7F8063814CE5DAEF6 D - - - P - - -
答案1
好的,使用不同的曲線可以:
$ gpg -K plup*
sec> ed25519 2022-06-03 [SC]
394ED8F3BA05CF4E7866D54657EEBF4BCFF5BFCD
Card serial no. = 2C97 11BFF50F
uid [ultimate] Plup* <[email protected]>
ssb> ed25519 2022-06-03 [S]
ssb> ed25519 2022-06-03 [A]
ssb> nistp256 2022-06-06 [E]
我想我必須向信用卡提供者報告此事。