scd: change_keyattr_from_string for ECC.

NIIBE Yutaka gniibe at
Sat Jul 18 04:25:33 CEST 2015


This message is Cc-ed to gnupg-devel.

I'm going to implement changing key attribute by scdaemon of GnuPG.

For the existing OpenPGPcard implementation (of v2.0), GnuPG only
partially supports changing the key attribute.  That is, it only
changes the length of key for RSA.  To do so, scdaemon asks the card
about key attribute DO, changes the bit, and sends back it to the

Now, it will be expected to change the attribute fully for ECC.

On 07/17/2015 01:07 PM, NIIBE Yutaka wrote:
> With OpenPGPcard version 3.0, it is possible to change key attribute.
> $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 19 nistp256" /bye
> $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 18 nistp256" /bye
> $ gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 22 ed25519" /bye

While this (change to ECC) works, I wonder how we could implement
changing back to RSA from ECC.

For RSA, the last byte of key attribute specifies the format of RSA

There is no information in the host about the format of RSA of the
card, when its key attribute is ECC.  I think that it would be not
good for host to try all possible cases until it successes.  Also, it
would not be good to detect manufacturer and change the behavior.

It would be cleaner if host could just compose the value of '00' for
the RSA format specifier and send this DO for the key attribute, and
it's up to the card to change the value accordingly.

I'm afraid if it conforms ISO 7816 or card things.

More information about the Gnupg-devel mailing list