Private data objects

NIIBE Yutaka gniibe at
Mon Mar 4 01:01:52 CET 2019

Daniel Manrique <dmanriq at> wrote:
> One thing that I've noted is that Gnuk doesn't seem to implement the
> private data objects (DO1-4) from the OpenPGP card specification. In my
> case that's what currently prevents me from fully adopting Gnuk instead of
> still relying on a smartcard.
> My question is: are there plans to implement the private data objects? How
> difficult would it be to do it?

Please note that Gnuk doesn't implement all (possible) features of the
OpenPGP card specification.  Keeping out some feature(s) makes sense.
Keeping the implementation stupid and simpler is also important.

Well, for example, I somehow regret adding support for the ACK button
feature (though I don't have any idea of removing that).  I did that
because the feature was added in the V3 specification, and I was not sure
if it was useful.  After six months of experience, my own judgement is
that it's not that useful for my use case.

Back to the specific feature, let me explain about DO1-4 and certificate
object(s).  I don't support those objects for three reasons:
there is no good definition of how those can be used and be useful,
implementing those objects interferes with lower-level communication, and
there may not be enough room to keep those objects in flash memory.

Certificate object support is now a compile-time option.  Until the V2
specification, it is a single object.  In the V3 specification, it is
enhanced to three objects.  Gnuk can support one, but writing the object
is supported in an incompatible way while reading is compatible.

If you want to support DO1-4 objects (with the limitation of less than
256 bytes), I'd suggest starting your experiment by enhancing Gnuk with
support for read-only compile-time defined objects.  Then, you can
proceed to adding flash memory management for those objects... to support
writing objects.

To support a larger size, I think that we need to modify our
implementation of the communication protocol (of ISO 7816), or we need to
support larger-size objects by introducing some
peculiar/incompatible/ugly method like we did for the certificate object.
The former would require larger surgery of the implementation.
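
The first step suggested in the message above (read-only, compile-time defined objects under 256 bytes), sketched as an added example that is not part of the original post and is not Gnuk's code. The table, the function names and the sample contents are hypothetical; only short-form GET DATA (INS 0xCA) on the private-use tags 0x0101-0x0104 is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample contents for DO1 (tag 0x0101) and DO2 (tag 0x0102). */
static const uint8_t do1[] = "constructed sample for DO1";
static const uint8_t do2[] = "constructed sample for DO2";
/* Enforce the "less than 256 bytes" limit from the message at build time. */
_Static_assert(sizeof do1 - 1 < 256 && sizeof do2 - 1 < 256, "DO too large");

/* Hypothetical compile-time table of read-only objects. */
struct ro_do { uint16_t tag; const uint8_t *data; uint16_t len; };
static const struct ro_do ro_table[] = {
  { 0x0101, do1, sizeof do1 - 1 },
  { 0x0102, do2, sizeof do2 - 1 },
};

/* Append the two status bytes SW1 SW2 at res[off]; return the new length. */
static size_t put_sw(uint8_t *res, size_t off, uint16_t sw)
{
  res[off] = (uint8_t)(sw >> 8);
  res[off + 1] = (uint8_t)(sw & 0xff);
  return off + 2;
}

/* Handle one short-form command APDU (CLA INS P1 P2 Le).
   res must hold at least 258 bytes; returns the response length. */
size_t handle_apdu(const uint8_t *cmd, size_t cmd_len, uint8_t *res)
{
  if (cmd_len < 4 || cmd[1] != 0xCA)   /* anything but GET DATA */
    return put_sw(res, 0, 0x6D00);     /* INS not supported (read-only build) */
  if (cmd_len != 5)                    /* header plus exactly one Le byte */
    return put_sw(res, 0, 0x6700);     /* wrong length */
  uint16_t tag = (uint16_t)(cmd[2] << 8 | cmd[3]);
  size_t le = cmd[4] ? cmd[4] : 256;   /* Le = 0x00 means 256 bytes */
  for (size_t i = 0; i < sizeof ro_table / sizeof ro_table[0]; i++) {
    if (ro_table[i].tag != tag)
      continue;
    if (ro_table[i].len > le)          /* 6CXX: wrong Le, XX = exact length */
      return put_sw(res, 0, (uint16_t)(0x6C00 | ro_table[i].len));
    memcpy(res, ro_table[i].data, ro_table[i].len);
    return put_sw(res, ro_table[i].len, 0x9000);
  }
  return put_sw(res, 0, 0x6A88);       /* referenced data not found */
}
```

Because the single Le byte of a short APDU caps a response at 256 data bytes, anything larger needs the protocol changes (or a non-standard method) that the message describes.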
