scute / firefox: cannot connect to GPG agent

Fabian Peter Hammerle fabian.hammerle at gmail.com
Mon Jun 5 19:04:55 CEST 2017


> Could you perform your tests again with Scute debugging turned on?

Scute log when launching Firefox with Yubikey unplugged:

> scute debug init: flags=0xff
> scute: scute_agent_initialize: Establishing connection to gpg-agent

After plugging in the Yubikey:

> scute: scute_agent_get_cert: got certificate from card with length 259
> scute: asn1_get_element: wrong element in lookup path
> scute: scute_attr_prv: rejecting certificate: could not get subject: General error
> scute: scute_agent_get_cert: got certificate from card with length 259
> scute: asn1_get_element: wrong element in lookup path
> scute: scute_attr_prv: rejecting certificate: could not get subject: General error
[repeating rapidly]

Due to scute 'rejecting certificate' I just removed my current
certificate for the auth subkey from gpgsm and created / imported a new
self-signed certificate:

$ gpgsm --gen-key
> [...]
> Please select what kind of key you want:
>    (1) RSA
>    (2) Existing key
>    (3) Existing key from card
> Your selection? 3
> Serial number of the card: D27600[...]
> Available keys:
>    (1) C2E04B00B3F087DB143B4BB6411813BA220ED4BA OPENPGP.1
>    (2) FDB0E6A955AA1194D369A942B8EF10E6C66E0BB4 OPENPGP.2
>    (3) 22BD35D43F4D748110C935CC6B8D13575306F89B OPENPGP.3
> Your selection? 3
> [...]
> Create self-signed certificate? (y/N) y
> These parameters are used:
>     Key-Type: card:OPENPGP.3
>     Key-Length: 1024
>     Key-Usage: sign
>     Serial: random
>     Name-DN: CN=scute test,C=AT
> 
> Proceed with creation? (y/N) y
> Now creating self-signed certificate.  This may take a while ...
> gpgsm: about to sign the certificate for key: &22BD35D43F4D748110C935CC6B8D13575306F89B
> gpgsm: certificate created
> Ready.
> -----BEGIN CERTIFICATE-----
> [...]

I am not sure why gpgsm wrote
>     Key-Length: 1024
although the actual key length is 4096:

$ gpg --list-secret-keys --with-keygrip | grep -B 1 22BD35D43F4D748110C935CC6B8D13575306F89B
> ssb>  rsa4096 2016-12-25 [A]
>       Keygrip = 22BD35D43F4D748110C935CC6B8D13575306F89B

However, the newly created certificate seems to be valid:

$ gpgsm --list-secret-keys --with-keygrip --with-validation 'scute test' 
> [...]
>        Issuer: /CN=scute test/C=AT
>       Subject: /CN=scute test/C=AT
>      validity: 2017-06-05 16:40:48 through 2063-04-05 17:00:00
>      key type: 4096 bit RSA
>     key usage: digitalSignature nonRepudiation
>  chain length: unlimited
>   fingerprint: 0E:1F:DC:B0:43:FD:1B:93:70:76:C0:2A:B1:22:8E:3A:B0:8B:D4:52
>       keygrip: 22BD35D43F4D748110C935CC6B8D13575306F89B
>      card s/n: D276000[...]
>   [certificate is good]

Anyway, Scute still logs the same error message:

> scute: scute_agent_get_cert: got certificate from card with length 259
> scute: asn1_get_element: wrong element in lookup path
> scute: scute_attr_prv: rejecting certificate: could not get subject: General error

More information about the Gnupg-users mailing list
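
Added example, not part of the original post and not Scute's code: a minimal Python walk of the DER path a parser follows to reach a certificate's subject, reporting the step at which the expected element is missing. The names `read_tlv`, `find_subject`, `tlv` and `sample_cert` are hypothetical, and the sample certificate is a constructed skeleton.

```python
# Added example: walk DER down to the subject field. Not Scute's asn1_get_element.
def read_tlv(buf, pos, end):
    """Parse one DER element inside buf[pos:end]; return (tag, value_start, value_end)."""
    if pos + 2 > end:
        raise ValueError(f"truncated header at offset {pos}")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first                        # short form: the byte is the length
    if first >= 0x80:                     # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError(f"bad length field before offset {pos}")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise ValueError(f"value at offset {pos} overruns its container")
    return tag, pos, pos + length

# TBSCertificate fields up to subject (RFC 5280): (name, tag, optional)
TBS_PATH = [("version", 0xA0, True), ("serialNumber", 0x02, False),
            ("signature", 0x30, False), ("issuer", 0x30, False),
            ("validity", 0x30, False), ("subject", 0x30, False)]

def find_subject(der):
    """Return the subject Name's DER bytes, or raise ValueError naming the failing step."""
    pos, end = 0, len(der)
    for name in ("Certificate", "tbsCertificate"):    # two nested SEQUENCEs
        tag, pos, end = read_tlv(der, pos, end)
        if tag != 0x30:
            raise ValueError(f"{name}: expected SEQUENCE (0x30), got 0x{tag:02x}")
    for name, want, optional in TBS_PATH:
        tag, _, vend = read_tlv(der, pos, end)
        if tag != want and optional:
            continue                      # optional field absent: same element, next step
        if tag != want:
            raise ValueError(f"{name}: expected tag 0x{want:02x}, got 0x{tag:02x}")
        if name == "subject":
            return der[pos:vend]
        pos = vend

def tlv(tag, value=b""):
    return bytes([tag, len(value)]) + value   # short-form lengths only (sample < 128 bytes)

def sample_cert():
    """Constructed skeleton (fields after subject omitted, dummy signature)."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"scute test"))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name
              + tlv(0x30, tlv(0x17, b"170605164048Z") * 2) + name)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00"))
```

To apply it to a real certificate, pass the DER bytes (for instance the base64-decoded body of a PEM block) to `find_subject`. A certificate for a 4096-bit RSA key is necessarily longer than 259 bytes, since the modulus alone occupies 512 bytes.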