Sven Plaga gpgsm at
Mon Nov 25 14:55:05 CET 2013

at my company we are using safesign smartcards for SMIME. Using this 
smartcard with gpgsm, I've noticed that it is not possible to decrypt 
AES encrypted E-Mails.

With the following patch, it is possible to decrypt the AES message:

--- original/gnupg2-2.0.19/sm/decrypt.c 2012-03-27 10:00:38.000000000 
+++ BugReport/gnupg2-2.0.19/sm/decrypt.c        2013-11-25 
14:40:34.760667458 +0100
@@ -73,7 +73,7 @@ prepare_decryption (ctrl_t ctrl, const c
      log_printhex ("pkcs1 encoded session key:", seskey, seskeylen);

-  if (seskeylen == 24)
+  if (1)
        /* Smells like a 3-des key.  This might happen because a SC has
           already done the unpacking. */

As the AES-key has a length of 32 bytes, a possible work-around would 
be the insertion of an additional if-check for seskeylen == 32 -- But I 
am not sure if there are possible collisions with non-unpacked (see [1]) 

Is there an easy way to check if the key is already unpacked?

Kind Regards

Sven Plaga


More information about the Gnupg-devel mailing list