Delete key from OpenPGP card?

Achim Pietig achim at pietig.com
Mon Mar 4 11:35:42 CET 2013


Hi,

OK, I see the problem...

The deletion of a single key was not a requirement for the OpenPGP card up to now.
It is assumed that a key for sig, aut and dec will be replaced after expiring.
The import of a key with the header list checks the correctness of the new key so it is not possible to overwrite with zeros etc.

The only way at the moment is to reset the card completely, with loss of all information. If the keys were generated outside and imported, then a restore of the card may be possible.
Deletion of keys is defined for optional functions like secure messaging, but not for the main keys...

If useful and needed we can add this for the next version of the specification.
ISO 7816-8 currently works on commands like Delete key/password...

Regards,
Achim


On 04.03.2013 10:24, Nguyễn Hồng Quân wrote:
> Thanks Achim,
> 
> How about emptying the Extended Header List?
> I tried to put this data into the 004D tag, but none of them works.
> - 4D 08 A400 7F48 00 5F48 00
> (null data to 7848 and 5F48)
> - 4D 10 A400 7F48 08 9100 9200 9300 9500 5F48 00
> (null data to 91 (exponent), 92 (p), 93 (q), 95 (modulus) and null data 
> to 5F48)
> - 4D 13 A400 7F48 0B 9103010001 9200 9300 9500 5F48 00
> (like above, but set default value (010001) for exponent)
> 
> I use 95 as the modulus holder, instead of 97, because I looked into the GnuPG 
> source and found 95 is used.
> 
> What's the correct APDU, or correct data to reset Extended Header List?
> 
> Thanks.
> 
> On Mon 04 Mar 2013 02:48:50 PM ICT, Nguyễn Hồng Quân wrote:
>> Hello,
>>
>> I'm implementing "delete key" in OpenSC for OpenPGP card.
>> To delete authentication key, for example, I think I have to empty these
>> DOs:
>> - 00C9, containing fingerprint for the key
>> - 00D0, containing creation time for the key
>> and rewrite the Extended header list with 00DB command.
>>
>> However, I failed to empty 00C9. I tried these APDU:
>> 1. 00 DA 00 C9
>> Return error 6700 (Wrong length)
>> 2. 00 DA 00 C9 00
>> Return error 6400 (Execution error)
>>
>> The 1st form I tried with a normal DO, like 005B, and it succeeded.
>> The 2nd form, I referenced
>> https://gitorious.org/gnuk/gnuk/blobs/master/tool/gnuk_remove_keys.py#line98
>> (This script is for the Gnuk card and succeeds with Gnuk.)
>>
>> Why do none of these APDUs work with the OpenPGP card? What is the correct APDU
>> for OpenPGP?
>>
> 
> --
> Regards,
> Quân
> 
> Y!IM: ng_hquan_vn
> GTalk: ng.hong.quan
> 
> 
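The key-import Extended Header List discussed above (tag 4D, the CRT, the 7F48 template and the 5F48 data), as an added example that is not code from this thread or from OpenSC, GnuPG or Gnuk. It assumes the OpenPGP card 2.0 tag assignment (91 = e, 92 = p, 93 = q, 97 = modulus) and the PUT DATA form 00 DB 3F FF for key import; the toy key values are constructed so the layout can be read by hand.

```python
# Added example, not code from this thread or from OpenSC/GnuPG/Gnuk: build the
# Extended Header List (tag 4D) that PUT DATA (00 DB 3F FF) expects for RSA key
# import, with the BER lengths the card checks. Tag assignment is assumed from the
# OpenPGP card 2.0 spec: 91 = e, 92 = p, 93 = q, 97 = modulus n.
CRT = {"sig": b"\xb6\x00", "dec": b"\xb8\x00", "aut": b"\xa4\x00"}
TEMPLATE_TAGS = {"e": b"\x91", "p": b"\x92", "q": b"\x93", "n": b"\x97"}


def ber_len(n: int) -> bytes:
    """ISO 7816 BER length: one byte below 0x80, else an 0x81 or 0x82 prefix."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    if n < 0x10000:
        return b"\x82" + n.to_bytes(2, "big")
    raise ValueError("length does not fit a 2-byte BER length")


def tlv(tag: bytes, value: bytes) -> bytes:
    return tag + ber_len(len(value)) + value


def build_extended_header_list(slot: str, fields: dict) -> bytes:
    """fields maps 'e', 'p', 'q' (and optionally 'n') to big-endian byte strings."""
    order = [k for k in ("e", "p", "q", "n") if k in fields]
    if not {"e", "p", "q"} <= set(order):
        raise ValueError("RSA import needs e, p and q")
    for k in order:
        if len(fields[k]) == 0:
            # An all-empty list (4D 08 A400 7F48 00 5F48 00) is what the card rejects:
            # it validates the key on import, so zero-length fields cannot "delete".
            raise ValueError(f"field {k} is empty; the card checks key validity on import")
    # 7F48 carries only tag+length pairs; 5F48 carries the values in the same order.
    template = b"".join(TEMPLATE_TAGS[k] + ber_len(len(fields[k])) for k in order)
    data = b"".join(fields[k] for k in order)
    return tlv(b"\x4d", CRT[slot] + tlv(b"\x7f\x48", template) + tlv(b"\x5f\x48", data))


if __name__ == "__main__":
    # Constructed toy key (not a real RSA key) so the layout is readable by hand.
    toy = {"e": b"\x01\x00\x01", "p": b"\x0b", "q": b"\x0d", "n": b"\x8f"}
    print(build_extended_header_list("aut", toy).hex())
    # 4d16a4007f480891039201930197015f48060100010b0d8f
```

For a 2048-bit key the 5F48 and 4D lengths exceed 255 bytes, so the 0x82 two-byte length form appears; the builder handles that automatically.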