OpenPGP card and signing

Daniel Hess daniel-gnupg-users at rio-grande.ping.de
Wed Mar 15 18:10:28 CET 2006


Hello,

as my last mail did not get through, here is a new one (maybe the
list-moderators could drop the old one).

On Tue, Mar 14, 2006 at 11:42:52PM +0100, Michael Bienia wrote:
> On 2006-03-14 08:23:58 +0100, Remco Post wrote:
> > Michael Bienia wrote:
> > > does signing with the OpenPGP card only work with SHA1 as digest-algo?
> > > 
> > > With SHA1 and RIPEMD160 gpg asks for the PIN but only SHA1 generates a
> > > working signature. Trying RIPEMD160 I get:
> > > | gpg: checking created signature failed: bad signature
> > > | gpg: signing failed: bad signature
> > > | gpg: signing failed: bad signature
> > > 
> > 
> > From the basiccard website I read that it only supports sha-1, so this
> > might be true. I noticed the same just recently.

The "OpenPGP Card 1.1" specification mentions that ripemd as digest
(page 35).

> A friend who uses his OpenPGP card with enigmail under windows can
> successfully create a RIPEMD160 signature.
> I could also create one if I use gpg with pcscd.

I could do even without pcscd.

> Can someone explain me, why it works if I use gpg with pcscd and not if
> I use gpg alone?

What Michael has not mentioned was, that he (as well as i) do use
gpg-agent.

Using the agent enables openssh to use the key for public-key auth.

When using the --use-agent switch (with gpg), the agent will communicate
to the openpgp card using scdaemon.

To sign a message gpg will send an PKSIGN command along with the Data to
sign (e.g. the fingerprint of an message). What is missing is the
information about which digest (e.g. sha1 or ripemd160) has been used to
create the fingerprint that should be signed by scdaemon. In
scd/command.c PKSIGN gets mapped to the function cmd_pksig which sets
sha1 as digest when calling app_sign. As this information gets part of
the pgp block which contains the signed data a sha1 signature with the
ripemd160 hash is created. This obviously ends in a bad signature.

Altering the call to app_sign by replacing GCRY_MD_SHA1 with
GCRY_MD_RMD160 enables gpg to create valid ripemd160 signatures, but
also make it impossible to create sha1 signatures.

Maybe gpg and gpg-agent could get altered to pass the digest along with
the call to PKSIGN?

This would be a real improvement :)

Hope that one of the gnupg developers can say something about this.

TIA

Daniel



More information about the Gnupg-users mailing list