Patches gpg-agent + scute for ssl/tls auth using opengpg card with 2048 rsa key

Werner Koch wk at
Fri Sep 12 13:36:37 CEST 2014

On Tue,  2 Sep 2014 14:17, dgouttegattat at said:

> According to a bug report in Mozilla’s NSS library [1], the change
> introduced by TLS 1.2 is that the data to be signed is no longer a
> "MD5+SHA1 hash" (36 bytes, which is the length expected by GPG-Agent),
> but is instead an ASN.1 structure representing a DigestInfo object (35
> or 51 bytes total, depending on the hash used).

In this case only Scute needs to be changed.  gpg-agent's SETHASH
expects the raw hash and information on the hash algorithm.

The reason why it works anyway with that patch is that some lower level
parts of gpg-agemt/scdaemon have less restrictions than SETHASH and
remove known ASN.1 prefixes from the hash.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list