Mailing List Archive: GnuPG: users

OpenPGP Card "CHV* failed: general error"

 

 



gnupg at lists

Aug 9, 2011, 1:31 PM

Post #1 of 6 (327 views)
OpenPGP Card "CHV* failed: general error"

Hi,

My OpenPGP Card (v2) has been working fine for a couple of days now, but
it has stopped tonight.

Simply trying to sign some text gives the following error:

========================================================================
mike [at] Fuzzbut:~$ date|gpg --clearsign
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tue Aug 9 21:19:53 BST 2011
gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'
gpg: signatures created so far: 32

Please enter the PIN
[sigs done: 32]
gpg: verify CHV1 failed: general error
gpg: signing failed: general error
gpg: [stdin]: clearsign failed: general error
mike [at] Fuzzbut:~$
========================================================================

The output of "gpg --card-status" is:

========================================================================
mike [at] Fuzzbut:~$ gpg --card-status
gpg: detected reader `Lenovo Integrated Smart Card Reader 00 00'
Application ID ...: D276000124010200000500000D580000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000D58
Name of cardholder: Mike Cardwell
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Private DO 1 .....: [not set]
Private DO 2 .....: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 32
Signature key ....: 9845 7968 9D81 214F 1171 CDA2 9D26 2301 C1D1 E704
created ....: 2011-07-22 12:24:32
Encryption key....: 5ACB CDDD 3FE6 C24D 0FDB C157 FA37 2B88 0711 5CE9
created ....: 2011-07-22 12:25:33
Authentication key: DF22 F678 083E 1025 5750 A4A0 124D 48BF 4D72 5086
created ....: 2011-08-09 15:04:19
General key info..: pub 2048R/C1D1E704 2011-07-22 Mike Cardwell
<mike.cardwell [at] grepular>
sec# 4096R/0018461F created: 2010-11-02 expires: 2015-11-01
ssb 4096R/01DE408F created: 2010-11-02 expires: 2015-11-01
ssb> 2048R/C1D1E704 created: 2011-07-22 expires: 2012-07-21
card-no: 0005 00000D58
ssb> 2048R/07115CE9 created: 2011-07-22 expires: 2012-07-21
card-no: 0005 00000D58
mike [at] Fuzzbut:~$
========================================================================

If I try to run any admin commands like "passwd" after doing a gpg
--card-edit, I get the same sort of error, eg:

gpg: verify CHV2 failed: general error

The only thing that I can think I've changed is that I added an
authentication subkey earlier. Previously, I was just using encryption
and signing subkeys. I'm sure it worked for at least a little while
after that though...

Any ideas what it could be? Here is some more info which might be useful:

========================================================================
mike [at] Fuzzbut:~$ gpg --version|head -1
gpg (GnuPG) 1.4.11
mike [at] Fuzzbut:~$ gpg-agent --version|head -1
gpg-agent (GnuPG) 2.0.14
mike [at] Fuzzbut:~$ pcscd --version|head -1
pcsc-lite version 1.7.0.
mike [at] Fuzzbut:~$ ps auxwww|egrep -i 'pcsc|gpg|gnupg'
mike 2239 0.0 0.0 13128 1056 pts/0 S+ 21:26 0:00 egrep
--color=auto -i pcsc|gpg|gnupg
mike 4946 0.0 0.0 52072 1476 ? Sl 20:50 0:00 pcscd
mike 6038 0.0 0.0 12092 284 ? Ss 20:57 0:00
/usr/bin/ssh-agent /usr/bin/gpg-agent --daemon --sh
--write-env-file=/home/mike/.gnupg/gpg-agent-info-Fuzzbutt
/usr/bin/dbus-launch --exit-with-session gnome-session
--session=classic-gnome
mike 6039 0.0 0.0 18668 1220 ? Ss 20:57 0:00
/usr/bin/gpg-agent --daemon --sh
--write-env-file=/home/mike/.gnupg/gpg-agent-info-Fuzzbutt
/usr/bin/dbus-launch --exit-with-session gnome-session
--session=classic-gnome
mike [at] Fuzzbut:~$
========================================================================

--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


wk at gnupg

Aug 10, 2011, 12:49 AM

Post #2 of 6 (323 views)
Re: OpenPGP Card "CHV* failed: general error" [In reply to]

On Tue, 9 Aug 2011 22:31, gnupg [at] lists said:

> gpg: verify CHV1 failed: general error
> gpg: signing failed: general error
> gpg: [stdin]: clearsign failed: general error

I suggest that you use gpg2 and not gpg. You should also update GnuPG
to at least 2.0.17. 2.0.14 is quite problematic because it has a
regression which may lead to inaccessible keys created with that
version. However, I don't think that is the cause of the problem.

Let's debug it. Please put the lines

verbose
debug 2048
log-file /foo/scdaemon.log

into ~/.gnupg/scdaemon.conf and kill a running scdaemon. Then run your
signing command again. In the log file you should find output similar
to this:

scdaemon[17805]: DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0
scdaemon[17805]: DBG: raw apdu: 00 20 00 81 06 3x 3x 3x 3x 3x 3x

This is a command as sent to the card. The c=00 i=20 indicates the
verify command which fails for you. If it works the next line would be a

scdaemon[17805]: DBG: response: sw=9000 datalen=0

However your SW will be different. What is it?

In this example above I redacted the actual pin using an 'x'. You
should do the same if you want to mail the log snippet: Look at the raw
apdu:

00 20 00 81 06 3x 3x 3x 3x 3x 3x
!  !  !  !  !  !~~~~~~~~~~~~~~~~---- The PIN in hex format (redacted)
!  !  !  !  !---------------------- The length of the PIN
!  !  !  !------------------------- Parameter P2
!  !  !---------------------------- Parameter P1
!  !------------------------------- Instruction byte
!---------------------------------- Class byte

However, most important to see is the status word (sw) which is the
response of the card.


Salam-Shalom,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.




gnupg at lists

Aug 10, 2011, 2:23 AM

Post #3 of 6 (311 views)
Re: OpenPGP Card "CHV* failed: general error" [In reply to]

On 10/08/11 08:49, Werner Koch wrote:

> I suggest that you use gpg2 and not gpg.

I have now done this.

> Let's debug it. Please put the lines
>
> verbose
> debug 2048
> log-file /foo/scdaemon.log
>
> into ~/.gnupg/scdaemon.conf and kill a running scdaemon. Then run your
> signing command again. In the log file you should find output similar
> to this:
>
> scdaemon[17805]: DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0
> scdaemon[17805]: DBG: raw apdu: 00 20 00 81 06 3x 3x 3x 3x 3x 3x
>
> This is a command as sent to the card. The c=00 i=20 indicates the
> verify command which fails for you. If it works the next line would be a
>
> scdaemon[17805]: DBG: response: sw=9000 datalen=0
>
> However your SW will be different. What is it?

6581:

2011-08-10 10:16:02 scdaemon[5153] DBG: response: sw=6581 datalen=0

Regards,

--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F

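The VERIFY APDU that Werner annotates above and the status word Mike then reports can be decoded mechanically. The following Python is an added example, not code from GnuPG, scdaemon or anyone in the thread: it parses the `raw apdu:` and `response: sw=` lines of an scdaemon debug log, redacts the PIN bytes before the snippet is shared, and maps the status word to its ISO 7816-4 meaning. The sample log lines are constructed in the shape of the ones quoted in the thread (with a made-up PIN so the redaction has something to hide), and the meanings of the VERIFY P2 values and of status words other than 9000 come from the ISO 7816-4 and OpenPGP card specifications rather than from the page.

```python
import re
from typing import Dict, List

# Constructed scdaemon debug lines in the shape quoted in the thread. The PIN
# bytes 31..36 (ASCII "123456") are made up so the redaction has something to hide.
SAMPLE_LOG = """\
2011-08-10 10:16:02 scdaemon[5153] DBG: send apdu: c=00 i=20 p1=00 p2=81 lc=6 le=-1 em=0
2011-08-10 10:16:02 scdaemon[5153] DBG: raw apdu: 00 20 00 81 06 31 32 33 34 35 36
2011-08-10 10:16:02 scdaemon[5153] DBG: response: sw=6581 datalen=0
"""

# ISO 7816-4 status words that matter for VERIFY (standard values, not from the page).
STATUS_WORDS = {
    0x9000: "OK",
    0x6581: "memory failure (EEPROM write error)",
    0x6700: "wrong length",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked (retry counter is 0)",
    0x6A80: "incorrect data in command data field",
    0x6A86: "incorrect parameters P1-P2",
    0x6D00: "instruction not supported",
}

# P2 values of VERIFY (INS 0x20) on an OpenPGP card v2, per the card spec (assumption,
# not from the page). p2=81 is the one in the thread's log, i.e. the signing PIN.
VERIFY_P2 = {
    0x81: "PW1 for signing",
    0x82: "PW1 for decryption/authentication",
    0x83: "PW3 (admin PIN)",
}

RAW_RE = re.compile(r"raw apdu: ([0-9a-fA-F]{2}(?: [0-9a-fA-F]{2})*)")
SW_RE = re.compile(r"response: sw=([0-9a-fA-F]{4})")


def parse_apdu(raw: str) -> Dict[str, object]:
    """Split a space-separated hex APDU into CLA, INS, P1, P2, Lc and data."""
    b = bytes.fromhex(raw.replace(" ", ""))
    if len(b) < 4:
        raise ValueError("APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = b[:4]
    lc = b[4] if len(b) > 4 else 0
    data = b[5:5 + lc]
    if len(data) != lc:
        raise ValueError("Lc does not match the number of data bytes")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "lc": lc, "data": data}


def describe_apdu(apdu: Dict[str, object]) -> str:
    """Name the command; VERIFY also gets its PIN slot and PIN length."""
    if apdu["ins"] == 0x20:
        slot = VERIFY_P2.get(apdu["p2"], f"unknown P2 0x{apdu['p2']:02X}")
        return f"VERIFY {slot}, {apdu['lc']}-byte PIN"
    return f"INS 0x{apdu['ins']:02X} P1=0x{apdu['p1']:02X} P2=0x{apdu['p2']:02X}"


def redact_apdu(raw: str) -> str:
    """Keep CLA INS P1 P2 Lc, replace every data byte with 'xx'.

    The '3x' form used in the thread leaves the high nibble visible (enough to
    tell the PIN is made of ASCII digits); 'xx' hides even that before mailing.
    """
    tokens = raw.split()
    return " ".join(tokens[:5] + ["xx"] * len(tokens[5:]))


def explain_sw(sw: int) -> str:
    """Map a status word to its ISO 7816-4 meaning, including the 63Cx counter form."""
    if sw in STATUS_WORDS:
        return STATUS_WORDS[sw]
    if (sw & 0xFFF0) == 0x63C0:
        return f"verification failed, {sw & 0x0F} tries remaining"
    return "unknown status word"


def analyse_log(text: str) -> List[str]:
    """Turn raw-apdu and response lines into redacted, annotated exchange lines."""
    out: List[str] = []
    for line in text.splitlines():
        m = RAW_RE.search(line)
        if m:
            apdu = parse_apdu(m.group(1))
            out.append(f"-> {redact_apdu(m.group(1))}   [{describe_apdu(apdu)}]")
            continue
        m = SW_RE.search(line)
        if m:
            sw = int(m.group(1), 16)
            out.append(f"<- sw={sw:04X}   [{explain_sw(sw)}]")
    return out


if __name__ == "__main__":
    for line in analyse_log(SAMPLE_LOG):
        print(line)
```

Run against a real scdaemon.log produced with the `debug 2048` setting from the thread, the output is safe to paste into a mailing-list reply: the command line names the PIN slot and length without the PIN itself, and the response line says in words what the card's status word means.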


wk at gnupg

Aug 10, 2011, 3:38 AM

Post #4 of 6 (310 views)
Re: OpenPGP Card "CHV* failed: general error" [In reply to]

On Wed, 10 Aug 2011 11:23, gnupg [at] lists said:

> 2011-08-10 10:16:02 scdaemon[5153] DBG: response: sw=6581 datalen=0

Ooops,

SW_EEPROM_FAILURE = 0x6581,

it may be that you had no luck and got a faulty chip. Contact the
supplier for a replacement.

Or did you run a series of automated tests and the eeprom wore out?
EEPROMs usually allow only for something in the range of 10000 write
cycles. How many verify operations did you run on the card? A verify
needs to write to the eeprom to decrement the bad pin counter before the
verification and increment it later (so that you can't mount power
glitch attacks).


Shalom-Salam,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


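Werner's explanation of why every VERIFY costs EEPROM writes can be made concrete. The following Python is an added model, not code from the card, its vendor or GnuPG: it assumes a 10,000-write endurance for the retry-counter cell (the order of magnitude quoted above) and a retry counter of 3 as shown by `--card-status`, decrements the counter before comparing the PIN and restores it after a successful compare, and counts how many verifications that allows before the cell answers with a memory failure. The PIN values are constructed.

```python
import hmac
from dataclasses import dataclass

EEPROM_WRITE_BUDGET = 10_000   # endurance figure quoted in the thread (assumed, order of magnitude)
MAX_RETRIES = 3                # matches "PIN retry counter : 3" in the --card-status output


class MemoryFailure(Exception):
    """Stands in for the card answering sw=6581 once the counter cell is worn out."""


@dataclass
class PinSlot:
    """One PIN with its persistent retry counter (EEPROM) and volatile state (RAM)."""
    pin: str
    retry_counter: int = MAX_RETRIES
    eeprom_writes: int = 0       # number of times the counter cell has been rewritten
    verified: bool = False       # security status; lives in RAM and costs no writes

    def _write_counter(self, value: int) -> None:
        # Every change of the retry counter is a persistent write that wears the cell.
        if self.eeprom_writes >= EEPROM_WRITE_BUDGET:
            raise MemoryFailure("sw=6581: memory failure")
        self.retry_counter = value
        self.eeprom_writes += 1

    def verify(self, candidate: str, power_lost_after_compare: bool = False) -> bool:
        """VERIFY as described in the thread: decrement, compare, restore on success."""
        if self.retry_counter == 0:
            return False                                  # blocked; a real card answers sw=6983
        self._write_counter(self.retry_counter - 1)       # write 1: charge the attempt up front
        ok = hmac.compare_digest(candidate.encode(), self.pin.encode())
        if power_lost_after_compare:
            # The decrement is already persisted, so interrupting the card after the
            # compare still costs a try; that is the point of decrementing first.
            return False
        if ok:
            self._write_counter(self.retry_counter + 1)   # write 2: give the try back
            self.verified = True
        return ok

    def decrypt(self) -> bool:
        """Private-key use after a successful VERIFY runs in RAM: no counter write."""
        return self.verified


def writes_per_verify(pin: str, candidate: str) -> int:
    """How many EEPROM writes one VERIFY with the given candidate PIN costs."""
    slot = PinSlot(pin=pin)
    slot.verify(candidate)
    return slot.eeprom_writes


def verifies_until_wearout(pin: str = "123456") -> int:
    """Successful verifications a fresh slot survives before the cell fails."""
    slot = PinSlot(pin=pin)
    n = 0
    try:
        while True:
            slot.verify(pin)
            n += 1
    except MemoryFailure:
        return n


if __name__ == "__main__":
    print("writes for a correct PIN :", writes_per_verify("123456", "123456"))   # 2
    print("writes for a wrong PIN   :", writes_per_verify("123456", "000000"))   # 1
    print("verifies before sw=6581  :", verifies_until_wearout())                # 5000
```

Two writes per successful verification halves the nominal endurance, which is why a card whose signature PIN is "forced" (as in Mike's `--card-status` output, so every signature needs a fresh VERIFY) spends its counter cell faster than one that caches the verification; decryption after a verification, by contrast, touches only RAM in this model.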


gnupg at lists

Aug 10, 2011, 4:39 AM

Post #5 of 6 (315 views)
Re: OpenPGP Card "CHV* failed: general error" [In reply to]

On 10/08/11 11:38, Werner Koch wrote:

>> 2011-08-10 10:16:02 scdaemon[5153] DBG: response: sw=6581 datalen=0
>
> Ooops,
>
> SW_EEPROM_FAILURE = 0x6581,
>
> it may be that you had no luck and got a faulty chip. Contact the
> supplier for a replacement.
>
> Or did you run a series of automated tests and the eeprom wore out?
> EEPROMs usually allow only for something in the range of 10000 write
> cycles. How many verify operations did you run on the card? A verify
> needs to write to the eeprom to decrement the bad pin counter before the
> verification and increment it later (so that you can't mount power
> glitch attacks).

Damn. I didn't run any automated tests... What other operations can only
be performed a limited number of times with one of these cards? If I
were to PGP sign or decrypt 10,000 emails would that eventually kill the
card too?

--
Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F



wk at gnupg

Aug 10, 2011, 5:17 AM

Post #6 of 6 (313 views)
Re: OpenPGP Card "CHV* failed: general error" [In reply to]

On Wed, 10 Aug 2011 13:39, gnupg [at] lists said:

> Damn. I didn't run any automated tests... What other operations can only
> be performed a limited number of times with one of these cards? If I
> were to PGP sign or decrypt 10,000 emails would that eventually kill the
> card too?

Should not because those operations are all run in RAM. Maybe except
for signing which bumps the signature counter. To be sure, let me ask
the vendor...


Salam-Shalom,

Werner


--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.


