APDU to do decipher in OpenPGP card?
Nguyễn Hồng Quân
quannguyen at mbm.vn
Wed Jul 18 11:27:57 CEST 2012
Thanks Achim, Martin and Peter,
I imported the same private key to the DEC key and it works!
It also means that my code to import a key with OpenSC works correctly.
On 07/18/2012 01:47 PM, Achim Pietig wrote:
> the card supports 3 keys - SIG, DEC and AUT.
> Each key is related to a special function:
> SIG: PSO:Sign
> DEC: PSO:Decrypt
> AUT: INTERNAL AUTHENTICATE
> The 3rd key for AUT and the certificate storage cannot be used with Decrypt.
> But you can import the AUT-key into the Dec-Key also.
> But this will not run with GnuPG, because GnuPG occupies the SIG and DEC keys for mail.
> The AUT key and the certificate DO is not used by GnuPG and can be used for client server authentication with other software.
> In the next version of the OpenPGP card I will add certificate DOs for SIG and DEC as well.
> On 18.07.2012 05:23, Quan Nguyen wrote:
>> Thanks Achim,
>> It looks like my input data is correct.
>> I have a 2048-bit key in the card and the encrypted message is 256 bytes long:
>> 00 2A 80 86 00 01 01 # CLA, INS, P1P2, Lc = 257
>> 00 # Indicator
>> DB 2D 96 07 B0 17 7A 4D # Message 256 bytes
>> BF 54 C8 1A 2C 0D 1A 98 32 31 D4 CD E3 0B FE EB
>> 96 74 00 D2 FC 7A 4C B6 60 E5 CE 4F 80 EC 9F 9A
>> 22 40 F6 88 CD 7F D9 1E F3 FA 1D AF C9 F8 F7 17
>> 9B 14 73 E0 49 F4 47 E1 9C FF 4D EB AE 60 5B 71
>> 8D 03 BB 7C 73 62 25 2B B0 E1 8B A7 55 96 B4 1C
>> 89 8D 84 27 04 5A 33 BF 26 B4 D1 EF 5B 68 2B 9C
>> 42 F0 2E 0F E7 94 3F 23 81 DC D2 CD 9F 6B 6C E0
>> D1 12 6B B7 EA DF 01 2F 8D 9A F8 19 7E 60 57 33
>> 78 BD B1 96 58 08 4E E8 23 CB 46 97 5A 43 BA 25
>> 63 50 4F 03 EE 24 5C 24 61 C0 1F 04 6D B4 EB 39
>> EC 66 82 26 E2 2C 0C FC 5C 39 D1 9C 3C E9 DA 6A
>> 01 A0 1F 01 9A F4 A2 77 51 2C 30 91 3C 4C 9A 7D
>> 24 E4 88 DE D8 A9 67 C0 F3 EF BA 14 21 FD 4E 12
>> 60 09 BC BF BD 4E D1 4A F0 C5 78 23 B3 62 9A 5A
>> 66 6F 06 BB 52 5D 79 FF CC 49 36 DF 11 BB C9 9C
>> 41 D7 0B B7 57 4B 78 1D
>> 01 00 # Le
>> I stored a key & certificate pair on the card (using my code in
>> OpenSC), then used the certificate to encrypt one email and now I'm
>> trying to decrypt it with the private key bound to that certificate.
>> When doing DECIPHER, how does the card know which key is to be used if the
>> card contains more than 1 key with the same modulus length (currently
>> my card contains 2 keys of the same 2048-bit length)?
>> On Tue, Jul 17, 2012 at 6:52 PM, Achim Pietig <achim at pietig.com> wrote:
>>> Hello Quân,
>>> the error 6A88 occurs if no decrypt key is present in the card.
>>> You should import a key first with PUT DATA.
>>> The plain text of the cryptogram shall be formatted in compliance with PKCS#1, as described on page 40 of the OpenPGP card specification.
>>> Then the plain text is encrypted with the DEC key and the result has the same length as the modulus of the DEC key.
>>> The cryptogram is sent with a leading 00 byte (padding indicator), so the complete length of the command data is modulus + 1.
>>> For key length > 1024 you have to use extended length format for the APDU.
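
The command layout discussed in this thread (header 00 2A 80 86, a leading 00 padding indicator, command data of modulus + 1 bytes, extended length above 1024-bit keys), as an added example that is not part of the original messages and is not code from OpenSC or GnuPG. The function names are hypothetical, the sample cryptogram is constructed, and setting Le to the modulus length is an assumption that matches the `01 00` shown for the 2048-bit key.

```python
PSO_DECIPHER = bytes.fromhex("002A8086")   # CLA, INS, P1, P2 as quoted in the thread
PADDING_INDICATOR = b"\x00"                # leading 00 byte sent before the cryptogram


def build_decipher_apdu(cryptogram: bytes, modulus_bits: int) -> bytes:
    """Build PSO:DECIPHER for a cryptogram as long as the DEC key modulus."""
    modulus_len = modulus_bits // 8
    if len(cryptogram) != modulus_len:
        raise ValueError(f"cryptogram is {len(cryptogram)} bytes, modulus is {modulus_len}")
    data = PADDING_INDICATOR + cryptogram  # command data = modulus + 1 bytes
    if len(data) <= 255:
        # Short APDU: 1-byte Lc, 1-byte Le (00 asks for up to 256 bytes).
        return PSO_DECIPHER + bytes([len(data)]) + data + b"\x00"
    # Extended APDU: 00 marker plus 2-byte Lc, then 2-byte Le.
    # Assumption: Le is set to the modulus length (01 00 for 2048 bits, as in the thread).
    lc = b"\x00" + len(data).to_bytes(2, "big")
    return PSO_DECIPHER + lc + data + modulus_len.to_bytes(2, "big")


def parse_decipher_apdu(apdu: bytes) -> dict:
    """Split a PSO:DECIPHER APDU into fields and check that its lengths agree."""
    if apdu[:4] != PSO_DECIPHER:
        raise ValueError("not a PSO:DECIPHER command")
    if apdu[4] == 0x00:                    # extended length: 00 + 2-byte Lc, 2-byte Le
        lc, body, le_len = int.from_bytes(apdu[5:7], "big"), apdu[7:], 2
    else:                                  # short length: 1-byte Lc, 1-byte Le
        lc, body, le_len = apdu[4], apdu[5:], 1
    if len(body) != lc + le_len:
        raise ValueError("Lc does not match the command data length")
    if body[:1] != PADDING_INDICATOR:
        raise ValueError("command data does not start with the 00 padding indicator")
    return {"extended": le_len == 2, "lc": lc,
            "cryptogram": body[1:lc], "le": body[lc:]}


def explain_status(sw: bytes) -> str:
    """Map the status words relevant here to their meaning."""
    if sw == bytes.fromhex("9000"):
        return "success"
    if sw == bytes.fromhex("6A88"):
        return "no decrypt key present in the card; import one with PUT DATA"
    return f"unhandled status word {sw.hex().upper()}"


if __name__ == "__main__":
    sample = bytes(range(256))             # constructed 256-byte stand-in for a cryptogram
    apdu = build_decipher_apdu(sample, 2048)
    print(apdu[:8].hex(" "), "...", apdu[-2:].hex(" "))
    print(parse_decipher_apdu(apdu)["lc"], explain_status(bytes.fromhex("6A88")))
```
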