Patches gpg-agent + scute for ssl/tls auth using opengpg card with 2048 rsa key

Damien Goutte-Gattat dgouttegattat at incenp.org
Tue Sep 2 14:17:40 CEST 2014


Hello,

> The two patches below against gpg-agent (gnupg2-2.0.26)  [1] and 
> scute-1.4.0 [2] allow ssl/tls auth using an opengpg card with 2048 
> rsa key.

First of all, your patches work for me and I thank you for that, I was
struggling to make Scute work with a recent Firefox.

But, are you sure this has anything to do with the size of the RSA key?

It seems that the problem you are addressing is rather caused by a
change between TLS 1.1 (or less) and TLS 1.2.

Indeed, disabling TLS 1.2 in Firefox (by setting the variable
security.tls.version.max to "2" instead of "3" in about:config) is
enough to make Scute work for me, even with a 2048-bit RSA key and even
without your patches.

According to a bug report in Mozilla’s NSS library [1], the change
introduced by TLS 1.2 is that the data to be signed is no longer a
"MD5+SHA1 hash" (36 bytes, which is the length expected by GPG-Agent),
but is instead an ASN.1 structure representing a DigestInfo object (35
or 51 bytes total, depending on the hash used).


Damien


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=970913#c8

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140902/656049bb/attachment.sig>


More information about the Gnupg-devel mailing list