
openpgp-card's Issues

GnuPG 2.0.22 Importing RSA keys

First of all, many thanks for sharing such a nice project.

Using GnuPG 2.0.22, loading keys to the card completes with success (card status also shows that the keys are loaded and returns correct fingerprints), but later, when trying to perform an encryption or signing operation, a file-not-found status is returned (6A82) ... this error code is thrown when the RSA private key is not initialized...

APDU command chaining buffer buggy?

Hi,

First of all, thx for sharing this project. I am trying to understand the logic behind the management of APDU command chaining in your applet. It seems to me that sometimes the chain is reinitialized when it should not be. I include below a message I sent on the gnupg-users mailing list, but I am more and more convinced that the problem I am spotting lies in the management of APDU chaining in your applet.

Basically, what I am able to reproduce is that in two consecutive decryption attempts of the same file (gpg -d), the second always fails unless some other commands are inserted in between the two attempts (like gpg --card-edit would produce) ... in the logs of scdaemon, it turns out that the decryption attempt produces a chain of 2 APDUs (1 long, 1 very short). In the case of the second decryption attempt, the applet throws ISO7816.SW_WRONG_LENGTH before reading the remaining second APDU of the chain, hence the second APDU is not even sent to the applet of the JC.

Below is a more precise description of the problem.

Thx in advance for any hint on how to correct the problem.

DomLW


Hi,

I am trying to setup a JavaCard (Gemalto IDCore 10 rev C) with
an OpenPGP applet. My goal is to obtain an equivalent of the
regular OpenPGP Smartcard (from ZeitControl) which I own as
well and which works perfectly (so far).

1/ I tried the Java Card OpenPGP Card (from joeridr) but it was
impossible to either set up new PINs or verify the default
one on that applet. Fortunately, uninstalling and reinstalling
the applet reinitialized both PIN retry counters to 3 ...
At first I was afraid of bricking my JC.

Btw, the YubiKey NEO OpenPGP applet is nearly the same as
the joeridr one ... it doesn't even install on the JC.

2/ Then I tried the FluffyPGPApplet (from FluffyKaon) and with
that one, I could set up new PINs and even check them ... gpg2
basically worked, but then I began to try the cryptographic
functions of the card and a strange behavior appeared.

Indeed, the first decryption after a PIN check (either on the
JC hardware or simulated by card-edit verify) works, whereas
subsequent decryption attempts fail.

Here is a sequence of commands that reproduce the problem.
Notice that scdaemon logs are attached below.

It seems to me that the APDU sequences sent on subsequent
decryption attempts are of the wrong length ...

Can anyone give me some hints as to what is going on?

Thx very much in advance,

DomLW


JavaCard with Fluffy OpenPGP Applet inserted.

Then I run gpg -d twice.

First attempt: I am asked for the PIN (CHV1) and decryption is a success.

$ gpg2 -d examples.desktop.asc > /dev/null
gpg: encrypted with 2048-bit RSA key, ID 04F53C66, created 2015-04-09
"DomLW (test) [email protected]"

Second attempt: I am NOT asked for the PIN and decryption ends in a failure,
probably because a too-short APDU command is sent to the card (see the logs of scdaemon).

$ gpg2 -d examples.desktop.asc > /dev/null
gpg: encrypted with 2048-bit RSA key, ID 04F53C66, created 2015-04-09
"DomLW (test) [email protected]"
gpg: public key decryption failed: Invalid value
gpg: decryption failed: No secret key

Then I run gpg --card-edit (verify) and after that another decrypt.

First, card-edit and verify the PIN; I am NOT asked for the PIN.

$ gpg2 --card-edit

Application ID ...: D2760001240102000000000000000000
Version ..........: 2.0
Manufacturer .....: test card
Serial number ....: 00000000
Name of cardholder: Dominique Larchey-Wendling
Language prefs ...: fr
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 3
Signature key ....: 3CB0 9186 9FD6 2670 085A FA64 62FE A0E4 ED4D B6AB
created ....: 2015-04-09 09:49:26
Encryption key....: C2B7 66F5 08A4 E8F5 C2B2 40C6 2F46 B077 04F5 3C66
created ....: 2015-04-09 10:03:07
Authentication key: 0C69 4EE0 EB99 336D 75E9 C130 490C 3508 30DA 9738
created ....: 2015-04-09 09:49:26
General key info..: [none]

gpg/card> verify

...

gpg/card> q

Now I try another decrypt.

This third decrypt does NOT ask for the PIN and succeeds.

$ gpg2 -d examples.desktop.asc > /dev/null
gpg: encrypted with 2048-bit RSA key, ID 04F53C66, created 2015-04-09
"DomLW (test) [email protected]"


The logs of scdaemon (2048) during the previous sequence of commands
are accessible at https://gist.github.com/DmxLarchey/62abeaf53040b8c19cbb
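To make the chaining mechanism discussed in this issue concrete, here is an added Python model (not the applet's code and not part of the issue) of how a card-side buffer should reassemble a chained PSO:DECIPHER command: the buffer is kept while CLA bit 0x10 is set and reset only when the chain completes or is interrupted, so two back-to-back decryptions both succeed. The 255 + 2 byte split, the status words 6700 and 6883, and the stand-in ciphertext are assumptions taken from ISO 7816-4 and the log description above, not values from the applet.

```python
# ISO 7816-4 command chaining as an OpenPGP applet sees it for a PSO:DECIPHER
# payload longer than one short APDU: while CLA bit 0x10 is set the part is
# buffered and 9000 returned; the part with the bit clear completes the chain.
SW_OK, SW_WRONG_LENGTH = 0x9000, 0x6700          # 6700 = ISO7816.SW_WRONG_LENGTH
SW_LAST_COMMAND_EXPECTED = 0x6883                 # last command of the chain expected
CLA_CHAIN = 0x10

class ChainBuffer:
    """Model of the card-side buffer; reset only when a chain completes or is aborted."""
    def __init__(self):
        self.reset()

    def reset(self):
        self.buf, self.header = bytearray(), None   # header = (INS, P1, P2)

    def feed(self, apdu: bytes):
        """Process one command APDU; return (SW, payload), payload None until complete."""
        if len(apdu) < 4:
            return SW_WRONG_LENGTH, None
        cla, ins, p1, p2 = apdu[:4]
        body, data = apdu[4:], b""
        if len(body) > 1:                       # case 3/4: Lc then command data
            data = body[1:1 + body[0]]
            if len(data) != body[0]:            # Lc disagrees with bytes received
                return SW_WRONG_LENGTH, None
        if self.header not in (None, (ins, p1, p2)):
            self.reset()                        # another command interrupted the chain
            return SW_LAST_COMMAND_EXPECTED, None
        self.buf += data
        self.header = (ins, p1, p2)
        if cla & CLA_CHAIN:
            return SW_OK, None                  # more parts follow: keep the buffer
        payload = bytes(self.buf)
        self.reset()                            # chain complete: now it is safe to reset
        return SW_OK, payload

def decipher_chain(ciphertext: bytes):
    """PSO:DECIPHER (INS 2A, P1P2 80 86) split as the scdaemon log describes:
    one 255-byte part with the chaining bit set, then a short final part (assumed)."""
    head, tail = ciphertext[:255], ciphertext[255:]
    return [bytes([CLA_CHAIN, 0x2A, 0x80, 0x86, len(head)]) + head,
            bytes([0x00, 0x2A, 0x80, 0x86, len(tail)]) + tail]

def decrypt_twice(card: ChainBuffer, ciphertext: bytes):
    """Two back-to-back decryptions of the same file; both should reassemble."""
    return [[card.feed(a) for a in decipher_chain(ciphertext)][-1] for _ in range(2)]

# Constructed stand-in for a 2048-bit RSA ciphertext: padding indicator 00 + 256 bytes.
CONSTRUCTED_CIPHERTEXT = bytes([0x00]) + bytes(range(256))
```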
