Bug 411849 - RSA4096 option disabled in Kleopatra on newer smartcards
Status: RESOLVED FIXED
Product: kleopatra
Classification: Applications
Component: general
Version: 3.1.8
Platform: Other All
Priority: NOR
Severity: normal
Assignee: Andre Heinecke
Reported: 2019-09-12 11:17 UTC by Trevor B
Modified: 2019-09-12 12:38 UTC (History)
Description Trevor B 2019-09-12 11:17:42 UTC
SUMMARY

I used Kleopatra 3.1.10 installed as part of the Gpg4Win package on Windows 10.

When generating a new key on a smartcard, Kleopatra presents a drop-down box of available RSA key sizes.  The "4096" option is gated behind an incorrect version check, checking that the OpenPGP smartcard's version is exactly "2.1":

```
// Exact string match: true only for cards that report version "2.1".
mIs21 = version == QLatin1String("2.1");
```

```
    sizes.push_back(1024);
    sizes.push_back(2048);
    sizes.push_back(3072);
    // There is probably a better way to check for capabilities
    if (mIs21) {
        // never reached for 3.x cards such as a YubiKey 5 reporting "3.4"
        sizes.push_back(4096);
    }
```

This means the option doesn't show up on smartcards implementing later versions of the OpenPGP on ISO Smart Card spec, which is up to version 3.4.  This affects the latest YubiKey 5, which reports version 3.4.


STEPS TO REPRODUCE
1. Open Kleopatra
2. Insert YubiKey 5
3. Select 'Manage Smartcards' from menu
4. Click "Generate new Keys" button

OBSERVED RESULT

"4096" not listed as an option

EXPECTED RESULT

"4096" should be listed as an option

SOFTWARE/OS VERSIONS
Windows: Windows 10
macOS: untested
Linux/KDE Plasma:  untested

ADDITIONAL INFORMATION
Comment 1 Trevor B 2019-09-12 11:23:18 UTC
Whoops, I mean Kleopatra 3.1.8 as part of Gpg4win 3.1.10.
Comment 2 Andre Heinecke 2019-09-12 11:39:19 UTC
Yeah on it. Just a sec.
Comment 3 Andre Heinecke 2019-09-12 12:01:06 UTC
Git commit d989c281a64dca7cd9f6ce1081e05f6b4e73f6ab by Andre Heinecke.
Committed on 12/09/2019 at 11:59.
Pushed by aheinecke into branch 'master'.

Fix version check for pgp cards

The check for card version 2.1 should have been only
temporary. Now it is a bit better by refactoring the
code in gnupg-helper for engine versions a bit so that
it generally works with string versions.

This is probably the millionth implementation of version
parsing but it works for me.

M  +62   -10   src/utils/gnupg-helper.cpp
M  +5    -0    src/utils/gnupg-helper.h
M  +3    -1    src/view/pgpcardwidget.cpp

https://commits.kde.org/kleopatra/d989c281a64dca7cd9f6ce1081e05f6b4e73f6ab
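The bug in the description and the fix in the commit above both come down to comparing OpenPGP card version strings numerically rather than by exact match. The following is an added example written for this page, not Kleopatra's own code (the commit refactors gnupg-helper, whose API is not shown here): a plain C++ version parser and component-wise comparison, and the size list rebuilt on top of it. Function names, the "10.0" sample value and the size list are assumptions for illustration; the check remains a version heuristic, not a capability query.

```cpp
#include <algorithm>
#include <cstdlib>
#include <iostream>
#include <string>
#include <vector>

// Split a dotted version string such as "3.4" or "2.1" into numeric components.
// A non-numeric or empty component becomes 0: "3.4" -> {3, 4}, "2" -> {2}.
std::vector<int> parseVersion(const std::string &version)
{
    std::vector<int> parts;
    std::string current;
    for (char c : version) {
        if (c == '.') {
            parts.push_back(static_cast<int>(std::strtol(current.c_str(), nullptr, 10)));
            current.clear();
        } else {
            current += c;
        }
    }
    parts.push_back(static_cast<int>(std::strtol(current.c_str(), nullptr, 10)));
    return parts;
}

// Component-wise numeric comparison; missing trailing components count as 0,
// so "3" == "3.0". Returns <0, 0 or >0 like strcmp. This is what a plain
// string comparison gets wrong: lexicographically "10.0" < "2.1".
int compareVersions(const std::string &a, const std::string &b)
{
    const std::vector<int> va = parseVersion(a);
    const std::vector<int> vb = parseVersion(b);
    const size_t n = std::max(va.size(), vb.size());
    for (size_t i = 0; i < n; ++i) {
        const int x = i < va.size() ? va[i] : 0;
        const int y = i < vb.size() ? vb[i] : 0;
        if (x != y) {
            return x < y ? -1 : 1;
        }
    }
    return 0;
}

bool versionAtLeast(const std::string &actual, const std::string &minimum)
{
    return compareVersions(actual, minimum) >= 0;
}

// RSA sizes to offer for a card reporting the given OpenPGP card version.
// Replaces the exact-match "== 2.1" gate with "at least 2.1" (assumed threshold).
std::vector<int> availableRsaSizes(const std::string &cardVersion)
{
    std::vector<int> sizes{1024, 2048, 3072};
    if (versionAtLeast(cardVersion, "2.1")) {
        sizes.push_back(4096);
    }
    return sizes;
}

// Stand-alone demo: exact match vs. numeric vs. lexicographic comparison.
// "10.0" is a hypothetical value used only to show the lexicographic pitfall.
int main()
{
    const char *const versions[] = {"2.0", "2.1", "3.0", "3.4", "10.0"};
    for (const char *v : versions) {
        const std::string s(v);
        std::cout << s << ": exact-match 2.1 -> " << (s == "2.1")
                  << ", numeric >= 2.1 -> " << versionAtLeast(s, "2.1")
                  << ", lexicographic >= \"2.1\" -> " << (s >= "2.1")
                  << ", sizes offered -> " << availableRsaSizes(s).size() << '\n';
    }
    return 0;
}
```

The important property is that the comparison is numeric per component; a `QString`/`std::string` relational operator would silently mis-order a future two-digit major version.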
Comment 4 Andre Heinecke 2019-09-12 12:04:34 UTC
This was a classical case of a todo that lived too long.

The idea behind this was "I have to talk to Werner and Gniibe how we can detect the capabilities" and in the meantime I do this.

Then we talked about it. Did not reach a conclusion and the code was left.

Btw. As GnuPG master and stable now support generating OpenPGP pubkeys for S/MIME Smartcards I have to rework the card widgets a bit. In this process I'll also add some basic ECC support but that will also only check for the version >.<

I have not tested my commit fully. I only added temporary debug code like "Is 3.0 larger than 2.1" true. To check the basic functionality of the version parsing. The version parsing code is also old and just refactored now. So it should be fine.

Btw. Could you also send me a Yubikey for testing? I know Werner got some but it would help me, too, to have one for testing. I only have a 2.0 Test smartcard; all my others are in productive use. If yes please send a quick mail to aheinecke@gnupg.org asking for my address.
Comment 5 Trevor B 2019-09-12 12:33:51 UTC
Thanks for the super-fast fix!  I'll contact you via e-mail about getting keys.

There is a new DO in version 3.4 of the spec, called "Algorithm Information", which returns a table of supported algorithms.  That would be the most correct way to determine what is supported.  But I think it still needs to be plumbed through GPG, and most devices probably don't support it yet.
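To make the capability-based check from the comment above concrete, here is an added example that is not part of the bug report or of Kleopatra/GnuPG: a small parser for the Algorithm Information DO (tag FA) that answers "does the signature slot support RSA 4096?" from the card's own table instead of its version. The layout it assumes follows my reading of the OpenPGP card 3.4 specification: the DO value is a sequence of C1/C2/C3 TLVs (signature, decryption, authentication slot), each holding algorithm attributes; for RSA that is algorithm ID 0x01, modulus bits (2 bytes), exponent bits (2 bytes), import format (1 byte); for ECDH/ECDSA/EdDSA (0x12/0x13/0x16) it is the curve OID, optionally followed by 0xFF. The sample bytes are constructed, not captured from a card, and the function names are my own.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// One "Algorithm attributes" entry from the Algorithm Information DO.
struct AlgoEntry {
    uint8_t slot;               // 0xC1 signature, 0xC2 decryption, 0xC3 authentication
    uint8_t algo;               // 0x01 RSA, 0x12 ECDH, 0x13 ECDSA, 0x16 EdDSA
    unsigned rsaModulusBits;    // RSA only, otherwise 0
    unsigned rsaExponentBits;   // RSA only, otherwise 0
    std::vector<uint8_t> oid;   // ECC only: raw curve OID bytes
};

// Read a BER length at data[pos] and advance pos. Returns false when the
// length is truncated or uses a form that does not occur in this DO.
static bool readLength(const std::vector<uint8_t> &data, size_t &pos, size_t &len)
{
    if (pos >= data.size()) return false;
    const uint8_t b = data[pos++];
    if (b < 0x80) { len = b; return true; }
    if (b == 0x81) {
        if (pos >= data.size()) return false;
        len = data[pos++];
        return true;
    }
    if (b == 0x82) {
        if (pos + 1 >= data.size()) return false;
        len = (static_cast<size_t>(data[pos]) << 8) | data[pos + 1];
        pos += 2;
        return true;
    }
    return false;
}

// Parse the value of DO FA. An outer FA header, if present, is stripped.
// Parsing stops at the first malformed TLV and returns what was parsed so far,
// so a truncated or hostile response can never index past the buffer.
std::vector<AlgoEntry> parseAlgorithmInformation(const std::vector<uint8_t> &raw)
{
    std::vector<AlgoEntry> entries;
    size_t pos = 0;
    size_t end = raw.size();
    if (!raw.empty() && raw[0] == 0xFA) {
        pos = 1;
        size_t len = 0;
        if (!readLength(raw, pos, len) || pos + len > raw.size()) return entries;
        end = pos + len;
    }
    while (pos < end) {
        const uint8_t tag = raw[pos++];
        size_t len = 0;
        if (!readLength(raw, pos, len) || pos + len > end) break;
        const size_t valueStart = pos;
        pos += len;
        if ((tag != 0xC1 && tag != 0xC2 && tag != 0xC3) || len < 1) continue;  // skip unknown DOs
        AlgoEntry e{tag, raw[valueStart], 0, 0, {}};
        if (e.algo == 0x01) {
            if (len < 5) continue;  // RSA attributes are at least 5 bytes
            e.rsaModulusBits = static_cast<unsigned>((raw[valueStart + 1] << 8) | raw[valueStart + 2]);
            e.rsaExponentBits = static_cast<unsigned>((raw[valueStart + 3] << 8) | raw[valueStart + 4]);
        } else {
            size_t oidEnd = valueStart + len;
            if (len >= 2 && raw[oidEnd - 1] == 0xFF) --oidEnd;  // drop trailing import-format byte
            e.oid.assign(raw.begin() + static_cast<std::ptrdiff_t>(valueStart + 1),
                         raw.begin() + static_cast<std::ptrdiff_t>(oidEnd));
        }
        entries.push_back(e);
    }
    return entries;
}

// RSA modulus sizes the card advertises for one key slot, in table order.
std::vector<unsigned> rsaSizesForSlot(const std::vector<AlgoEntry> &entries, uint8_t slot)
{
    std::vector<unsigned> sizes;
    for (const AlgoEntry &e : entries)
        if (e.slot == slot && e.algo == 0x01) sizes.push_back(e.rsaModulusBits);
    return sizes;
}

bool slotSupportsRsa(const std::vector<AlgoEntry> &entries, uint8_t slot, unsigned bits)
{
    for (unsigned s : rsaSizesForSlot(entries, slot))
        if (s == bits) return true;
    return false;
}

// Constructed sample (not from a real card): RSA 2048/3072/4096 and ECDSA P-256
// for signing, RSA 2048/4096 and ECDH Curve25519 for decryption, RSA 2048 for auth.
const std::vector<uint8_t> kSampleAlgorithmInfo = {
    0xC1, 0x06, 0x01, 0x08, 0x00, 0x00, 0x20, 0x00,                              // RSA 2048, e 32 bits
    0xC1, 0x06, 0x01, 0x0C, 0x00, 0x00, 0x20, 0x00,                              // RSA 3072
    0xC1, 0x06, 0x01, 0x10, 0x00, 0x00, 0x20, 0x00,                              // RSA 4096
    0xC1, 0x09, 0x13, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07,            // ECDSA, OID 1.2.840.10045.3.1.7
    0xC2, 0x06, 0x01, 0x08, 0x00, 0x00, 0x20, 0x00,                              // RSA 2048
    0xC2, 0x06, 0x01, 0x10, 0x00, 0x00, 0x20, 0x00,                              // RSA 4096
    0xC2, 0x0C, 0x12, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x97, 0x55, 0x01, 0x05, 0x01, 0xFF, // ECDH, OID 1.3.6.1.4.1.3029.1.5.1
    0xC3, 0x06, 0x01, 0x08, 0x00, 0x00, 0x20, 0x00,                              // RSA 2048
};

int main()
{
    const std::vector<AlgoEntry> entries = parseAlgorithmInformation(kSampleAlgorithmInfo);
    for (const AlgoEntry &e : entries)
        std::cout << "slot 0x" << std::hex << int(e.slot) << " algo 0x" << int(e.algo) << std::dec
                  << " rsa " << e.rsaModulusBits << " oid bytes " << e.oid.size() << '\n';
    std::cout << "signature slot offers RSA 4096: " << slotSupportsRsa(entries, 0xC1, 4096) << '\n';
    return 0;
}
```

The GUI question from the thread ("can I offer Brainpool on this card?") becomes a lookup of the relevant slot's OID list in the same table, with no version string involved; cards that predate the DO simply return nothing, and the caller has to fall back to a version heuristic for those.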
Comment 6 Andre Heinecke 2019-09-12 12:38:16 UTC
Your bug report was great. Even a bit too detailed like "not tested on MacOS" and you pointed out a shameful piece of "quick hack". And you had the luck that I was working on Kleo today anyway.


Regarding the addition: If it is in the spec GnuPG will support it. I'll make sure of it because I really need something like that. E.g. we want to add Brainpool to GnuK but how could I determine in the GUI if I could offer that?!

It's even so bad in the card edit interface of GnuPG. It offers all the options but if you have a card that does not support it you get strange errors.