ERR 41 Wrong public key algorithm <Unspecified source>

[pyllyukko]

Ehlo.

I'm getting the following error in my logs and my attempts to use my smart card fails:

gnupg-pkcs11-scd[3885]: chan_0 <- KEYINFO --list
gnupg-pkcs11-scd[3885]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>

I'm using libcryptoki.so provider as described here, so there are quite a lot of variables in this setup.

The error seems to happen with all the KEYINFO commands. My setup was working previously, but clearly some underlying component has updated down the road and now it's broken.

Any advice on where to look to get this sorted out? I'm happy to provide any additional information.

Versions

Software	Version
gpg	2.4.3
libgcrypt	1.10.3
gnupg-pkcs11-scd	3b84225

[alonbl]

Hello, Please test latest release and not a random point in time. Please provide debug log after you have done so. Thanks,

[pyllyukko]

Got it. You probably want the logs with debug-all & verbose. If it's ok, I'll send it via email.

[pyllyukko]

I've narrowed this down a bit. So something has changed between GnuPG versions 2.2 and 2.3 that makes this happen. With GnuPG version 2.2.42 everything works perfectly. I started to go back from version 2.3.0 and got as far as 2.3.0-beta1109 (3c4ab53) where this is already happening and was unable to compile earlier versions/commits.

Here are some log extracts from a decryption operation:

2.2.42 - smart card working

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:38 gpg-agent[26041] gpg-agent (GnuPG) 2.2.42 started

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:31:38 gpgsm[26038] encrypted to rsa3072 key ...

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047.1563801920]: Listening to socket '/tmp/gnupg-pkcs11-scd.1FaTNv/agent.S'
gnupg-pkcs11-scd[26047.1563801920]: accepting connection
gnupg-pkcs11-scd[26047]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26047.1563801920]: processing connection
gnupg-pkcs11-scd[26047]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26047]: chan_0 -> D /tmp/gnupg-pkcs11-scd.1FaTNv/agent.S
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- SERIALNO --demand=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
gnupg-pkcs11-scd[26047]: chan_0 -> S SERIALNO YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY 0
gnupg-pkcs11-scd[26047]: chan_0 -> OK

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:31:39 gpg-agent[26041] detected card with S/N YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26047]: chan_0 <- SETDATA ...
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- PKDECRYPT ...
gnupg-pkcs11-scd[26047]: chan_0 -> S PADDING 0
gnupg-pkcs11-scd[26047]: chan_0 -> [ xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx ...(2 byte(s) skipped) ]
gnupg-pkcs11-scd[26047]: chan_0 -> OK
gnupg-pkcs11-scd[26047]: chan_0 <- RESTART
gnupg-pkcs11-scd[26047]: chan_0 -> OK

2.3.0-beta1109 - smart card NOT working

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:38 gpg-agent[26925] gpg-agent (GnuPG) 2.3.0-beta1109 started

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:38 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] Note: non-critical certificate policy not allowed
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - issuer: '...'
2024-01-16 21:48:39 gpgsm[26923] DBG: recp 0 - serial: XXXXXXXX

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930.3407657280]: Listening to socket '/tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S'
gnupg-pkcs11-scd[26930.3407657280]: accepting connection
gnupg-pkcs11-scd[26930]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[26930.3407657280]: processing connection
gnupg-pkcs11-scd[26930]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[26930]: chan_0 -> D /tmp/gnupg-pkcs11-scd.Jyjbtk/agent.S
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- OPTION event-signal=12
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- SERIALNO --all
gnupg-pkcs11-scd[26930]: chan_0 -> S SERIALNO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 0
gnupg-pkcs11-scd[26930]: chan_0 -> OK
gnupg-pkcs11-scd[26930]: chan_0 <- KEYINFO XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
gnupg-pkcs11-scd[26930]: chan_0 -> ERR 41 Wrong public key algorithm <Unspecified source>

At this point GnuPG asks me to insert a smart card, even though it's already inserted.

==> /home/pyllyukko/.gnupg/gpg-agent.log <==
2024-01-16 21:48:58 gpg-agent[26925] smartcard decryption failed: Operation cancelled
2024-01-16 21:48:58 gpg-agent[26925] command 'PKDECRYPT' failed: Operation cancelled <Pinentry>

==> /home/pyllyukko/.gnupg/gpgsm.log <==
2024-01-16 21:48:58 gpgsm[26923] error decrypting session key: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] decrypting session key failed: Operation cancelled
2024-01-16 21:48:58 gpgsm[26923] message decryption failed: Operation cancelled <Pinentry>

==> /home/pyllyukko/.gnupg/gnupg-pkcs11-scd.log <==
gnupg-pkcs11-scd[26930]: chan_0 <- RESTART
gnupg-pkcs11-scd[26930]: chan_0 -> OK

[alonbl]

I would really appreciate if we can first confirm gpg is working before we go to gpgsm. But maybe this is a hint: non-critical certificate policy not allowed

[pyllyukko]

But maybe this is a hint: non-critical certificate policy not allowed

There is a commit in GnuPG which implies it's nothing critical:

commit 4f1b9e3abb337470e5e4809b3a7f2df33f5a63a4
Author: Werner Koch [email protected]
Date: Mon Dec 5 14:31:45 2022 +0100

gpgsm: Silence the "non-critical certificate policy not allowed".

* sm/certchain.c (check_cert_policy): Print non-critical policy
warning only in verbose mode.

[alonbl]

Please send me your certificate.

[saper]

without actual outputs from the smardcard and real KEYINFO values it will be not possible to troubleshoot this. GnuPG 2.4 is generally better with smartcards but maybe there is some edge case there.