Patches gpg-agent + scute for ssl/tls auth using opengpg card with 2048 rsa key
Damien Goutte-Gattat
dgouttegattat at incenp.org
Tue Sep 2 14:17:40 CEST 2014
Hello,
> The two patches below against gpg-agent (gnupg2-2.0.26) [1] and
> scute-1.4.0 [2] allow ssl/tls auth using an opengpg card with 2048
> rsa key.
First of all, your patches work for me and I thank you for that, I was
struggling to make Scute work with a recent Firefox.
But, are you sure this has anything to do with the size of the RSA key?
It seems that the problem you are addressing is rather caused by a
change between TLS 1.1 (or less) and TLS 1.2.
Indeed, disabling TLS 1.2 in Firefox (by setting the variable
security.tls.version.max to "2" instead of "3" in about:config) is
enough to make Scute work for me, even with a 2048-bit RSA key and even
without your patches.
According to a bug report in Mozilla’s NSS library [1], the change
introduced by TLS 1.2 is that the data to be signed is no longer a
"MD5+SHA1 hash" (36 bytes, which is the length expected by GPG-Agent),
but is instead an ASN.1 structure representing a DigestInfo object (35
or 51 bytes total, depending on the hash used).
Damien
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=970913#c8
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20140902/656049bb/attachment.sig>
More information about the Gnupg-devel
mailing list