[BUG] Authentication fails with curve25519 subkey on security token #1272
Comments
@fmeum the exception is
Should I report this to OpenKeychain itself instead, then?
No, it's more likely that we regressed this on our end; once Fabian has had a chance to review, they'll let you know if OpenKeychain needs to be notified.
@MoritzMaxeiner The bug you are seeing has already been reported upstream as open-keychain/open-keychain#2538 and open-keychain/open-keychain#2589. I will try to fix it myself when I have time, but it is not a high priority as our new Keystore-backed SSH authentication serves more or less the same purpose (albeit it is slightly less convenient to set up as you need to add a new public key to your server).
@msfjarvis I felt like we needed a
@fmeum I see, thanks. FWIW: the key is shown as healthy and capable of signing (in contrast to open-keychain/open-keychain#2589).
Just to add to this, using a YubiKey is completely broken atm; to keep things secure and not store SSH private keys on my phone goes against the convention.
I don't know if this is related or not, but I feel like it might be.
Mine works fine when I attempt to decrypt
If I push, edit in terminal, and pull, I am able to open it again. I know the PIN is correct because the counter does not decrement, and I can use the same PIN with other entries and *nix
Traceback:
Some bugs with the same exception:
Unfortunately I am no guru so leafing through the packets does not reveal much about why this might be happening. Android-Password-Store packets:
GnuPG on Linux packets:
Relevant prefs from
The only change made was a newline removed from the end of the file, and the only visible differences in the packets to my untrained eyes are that I use compression on Linux, and the file has a name on Android. Otherwise they appear identical.
This is definitely an OpenKeychain bug, but their development has been too unreliable to rely on them for fixing these things. Forking introduces a rather large maintenance burden which I am not entirely confident that I want to take on, but sooner than later it might become a necessity. Increasing priority in the meantime.
Ultimately it seems their support for
It looks like there is a pull request for fixing this specific bug, I've generated a release build for people willing to test it (source for it is available at https://github.com/android-password-store/open-keychain). You'll need to uninstall the Play Store/F-Droid version of OpenKeychain before installing this one.
@DS6 Are you using a YubiKey 5 with firmware version 5.2.6 by any chance? This is not a bug in OpenKeychain, but rather a hardware bug in the YubiKey 5 series before firmware version 5.2.8 (not yet released). I informed Yubico about this issue in September 2020 (see https://bugs.chromium.org/p/chromium/issues/detail?id=1120933#c10), but they have not released a fix yet. Once a fixed firmware version is available, you should be able to get a replacement from Yubico. That said, the fix is simply to retry the OID lookup with the last byte stripped off if it fails the first time. I am running this locally and have had no issues with my YubiKey 5 NFC since.
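As an added illustration of the retry described in the comment above (this is not OpenKeychain's or APS's code), the following Python sketch resolves a curve from the OID bytes a token reports and, when the exact bytes are unknown, retries once with the trailing byte removed. The OID table comes from RFC 6637 and the OpenPGP ECC curve registry; the algorithm-attributes layout (algorithm ID byte followed by the OID) follows the OpenPGP card specification, and the sample token response is constructed, not captured from a real YubiKey.

```python
from typing import Optional, Tuple

# OpenPGP ECC curve OIDs as they appear in key material and in a card's
# algorithm-attributes DO: the DER OID value bytes (no 0x06 tag, no length).
# Values taken from RFC 6637 and the OpenPGP ECC curve registry.
CURVE_OIDS = {
    bytes.fromhex("2b06010401da470f01"):   "Ed25519",     # 1.3.6.1.4.1.11591.15.1
    bytes.fromhex("2b060104019755010501"): "Curve25519",  # 1.3.6.1.4.1.3029.1.5.1
    bytes.fromhex("2a8648ce3d030107"):     "NIST P-256",  # 1.2.840.10045.3.1.7
}

# OpenPGP public-key algorithm IDs that carry a curve OID (RFC 4880bis).
ECC_ALGORITHM_IDS = {18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def lookup_curve(oid: bytes) -> Optional[str]:
    """Exact lookup of a curve by its OID value bytes."""
    return CURVE_OIDS.get(bytes(oid))


def lookup_curve_with_retry(oid: bytes) -> Optional[str]:
    """Look the OID up as sent; if that fails, retry once with the trailing
    byte removed. This is the workaround the thread describes for tokens
    that report a curve OID with one surplus byte appended."""
    name = lookup_curve(oid)
    if name is None and len(oid) > 1:
        name = lookup_curve(oid[:-1])
    return name


def parse_algorithm_attributes(attrs: bytes) -> Tuple[str, Optional[str]]:
    """Split an algorithm-attributes value into (algorithm, curve). The first
    byte is the OpenPGP algorithm ID; the remaining bytes are the curve OID."""
    if not attrs:
        raise ValueError("empty algorithm attributes")
    alg = ECC_ALGORITHM_IDS.get(attrs[0])
    if alg is None:
        raise ValueError(f"not an ECC algorithm ID: {attrs[0]}")
    return alg, lookup_curve_with_retry(attrs[1:])


if __name__ == "__main__":
    # Constructed sample: an EdDSA slot whose OID carries one surplus byte.
    reported = bytes([22]) + bytes.fromhex("2b06010401da470f01") + b"\x00"
    print(parse_algorithm_attributes(reported))  # ('EdDSA', 'Ed25519')
```

Without the retry, the constructed sample above would resolve to no curve at all, which is the "unknown key" style failure the reporters see before the fix.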
Thank you, but both your linked APK, as well as building OpenKeychain myself from master branch and applying the linked fix to it, yield a different error:
That's weird... Can you also try out the development branch of APS? If it still fails, please try to get a logcat.
Not sure if this is the same bug, but today I created an EdDSA subkey for authentication in OpenKeychain, exported it to my ssh server, then tried to use it in PasswordStore, and authentication fails. No security token is necessary to trigger the bug. Authentication works when using an RSA 3072 bit subkey.
OpenKeychain v5.6 is out, can the people who've reported bugs here check if any of their problems are fixed?
Using:
I also get the unknown key format error mentioned here, logcat captured using Android Studio default settings here: So, the initial error relating to the yubikey's hardware bug is solved, but the other one remains. |
Thanks for the log, I'll take a look.
New APK with this PR included, source pushed to android-password-store/open-keychain, and the signature is the same as the APS binaries from Google Play and GitHub Releases. Should fix ED25519 support, please let me know here and drop a comment in the linked PR if it solves things for you.
Added the PR to my own build (I had already built open-keychain/open-keychain#2631 myself earlier), can confirm it works with YubiKey 5C NFC.
Works for me (also YubiKey 5C NFC). Thank you :)
Yep, everything is resolved with this series of patches. I finally feel that I can safely use my YubiKey on all my devices thanks to this setup solving it in Termux w/ OkcAgent for Thank you everyone for your hard work.
The fix for the YubiKey bug has landed upstream 🎉
Excellent. But open-keychain/open-keychain#2662 is still not merged, so I think I will be sticking to the fork for a while longer.
open-keychain/open-keychain#2662 has now been merged, so this issue can be closed as soon as a new release is published for OpenKeychain.
OpenKeychain v5.7 has been tagged.
Describe the bug
Trying to clone a remote repository with an OpenKeychain-provided curve25519 authentication subkey located on a security token falls back to password authentication due to a null object reference in the signing operation.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The pin prompt for the security token should have popped up.
Screenshots
Device information (please complete the following information):
Additional context
logcat.txt