Bad signature when generating key in OpenPGP Java Card Applet
Erik Nellessen
erik.nellessen at informatik.hu-berlin.de
Wed Apr 6 17:29:06 CEST 2016
I could reproduce the error today on another system. I also got the
error messages in English:
gpg: checking created signature failed: Bad signature
gpg: signing failed: Bad signature
gpg: make_keysig_packet failed: Bad signature
Key generation failed: Bad signature
Today's system is openSUSE 13.2 (Harlequin) (x86_64) with gpg (GnuPG)
2.0.26 libgcrypt 1.6.1. The debian system was i386, by the way.
Any kind of help would be appreciated!
Kind regards,
Erik Nellessen
Am 05.04.2016 um 19:14 schrieb Erik Nellessen:
> Hi everybody,
>
> I am running an OpenPGP Java card applet on an Android Smartphone via HCE. So for the PC side, this looks like a normal Java card. The communication with GnuPG works fine (i.e. gpg2 --card-status works), until I generate a key on the card (via gpg2 --card-edit, then "admin", then "generate"). I also tried the ykneo-openpgp-applet, which resulted in the same error.
>
> I get the following error on the PC:
>
> DBG: rsa_verify data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
> DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
> DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
> DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
> DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
> DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
> DBG: ffffffffffffffffffffff003031300d06096086480165030402010500042026 \
> DBG: 5a93d234241bd20bf0773b6011fd037cbe8b985d487116dc08e6914f38dbd1
> DBG: rsa_verify sig:+060c442ed6074b6b7dba6dcac223be83d251c7230f34d62cd81c5f38d8146f88 \
> DBG: 14b477b3d9e60106cfb01fc372e9cf82929b1de4d760c74550b53559de717b20 \
> DBG: 48b264ad1116e035fd0de5c8c2a43cbcf3d84fabc76a84500fc2b2652dcde19b \
> DBG: 7a46f32d5e4871913bd5b8f3051fb4ca9a00a32542e6e194553b98ce6843c8b4 \
> DBG: 3ba5049f78a7957dcce6a272f939d2016bc33d48819976ce89a3bf7d7d335eaa \
> DBG: e0bbc913c011e8dfea8c6b2e506b59d8214eeae1ed4abe1e9ed6bf32475a3c65 \
> DBG: 373eea3c9caa1058c5c11a506c931e26fc34ced607a8afb57ca1f69ccdfa24cf \
> DBG: 8f3d062cff8685db11e7a3f60f98cbede2f116ab0d89bc0eab275cd90b79b1a1
> DBG: rsa_verify n:+b81244edd096c6646a1c6d9a91142f01919cc71f4f289696572fe933f9c69aed \
> DBG: 87752404f460e03c2768f285e491fdf074b6439293f8d58695e6e1af993f4046 \
> DBG: a9a31c5633e464009a96e6c0481c1f894eb6b04f1c2ea34cb2ece43a7b832973 \
> DBG: 0cb4ce384de20e1e5a5b48617293f76fad3ea56abbb2f932540d4176a9afcb47 \
> DBG: 5c973904f8c96381ee736e73fa631966ca1f5746a3703662a48fb0aeb89824cc \
> DBG: 75637e8cef57cd08a93c685455055b8c2e62e3b450d5880e8138cf4c6cdc15ff \
> DBG: 3716edcd96b96946b387abe38a0df1abeeeb53462f5038bfffc853bb55a3e66d \
> DBG: 2ae50003b1bdd89357b168aad127fdfe474d78f57020f517ddc0f02b204fda99
> DBG: rsa_verify e:+010001
> DBG: rsa_verify cmp:+01ffffffffffffffff003031300d060960864801650304020105000420265a93 \
> DBG: d234241bd20bf0773b6011fd037cbe8b985d487116dc08e6914f38dbd1000000 \
> DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
> DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
> DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
> DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
> DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
> DBG: 00000000000000000000000000000000000000000000000000000000000000
> DBG: rsa_verify => Falsche Unterschrift
> gpg: Prüfung der erstellten Signatur ist fehlgeschlagen: Falsche Unterschrift
> gpg: Beglaubigung fehlgeschlagen: Falsche Unterschrift
> gpg: make_keysig_packet failed: Falsche Unterschrift
> Schlüsselerzeugung fehlgeschlagen: Falsche Unterschrift
>
> (The last four lines say, that the verification of the signature has failed, "Bad signature". Sorry, my gpg2 produces german error messages.)
>
> As you can see, the "data" and the "cmp" part are totally equal except for the (I guess PKCS1) padding (I checked this via diff and meld, it really is the same). So I think that the difference in the paddings is the reason for which the signature verification fails. I guess, that the data given to the rsa_verify function is not padded as it should be. The logs from the smartphone show, that the data has been transferred to the PC without padding:
>
> Received APDU (57 bytes): 002A9E9A333031300D060960864801650304020105000420265A93D234241BD20BF0773B6011FD037CBE8B985D487116DC08E6914F38DBD100
> Sending APDU (257 bytes): 060C442ED6074B6B7DBA6DCAC223BE83D251C7230F34D62CD81C5F38D8146F8814B477B3D9E60106CFB01FC372E9CF82929B1DE4D760C74550B53559DE717B2048B264AD1116E035FD0DE5C8C2A43CBCF3D84FABC76A84500FC2B2652DCDE19B7A46F32D5E4871913BD5B8F3051FB4CA9A00A32542E6E194553B98CE6843C8B43BA5049F78A7957DCCE6A272F939D2016BC33D48819976CE89A3BF7D7D335EAAE0BBC913C011E8DFEA8C6B2E506B59D8214EEAE1ED4ABE1E9ED6BF32475A3C65373EEA3C9CAA1058C5C11A506C931E26FC34CED607A8AFB57CA1F69CCDFA24CF8F3D062CFF8685DB11E7A3F60F98CBEDE2F116AB0D89BC0EAB275CD90B79B16101
> Received APDU (5 bytes): 00C0000001
> Sending APDU (3 bytes): A19000
>
> I think, the data received from the card and the data generated to be compared must be padded in the same way. Or even better, the padding (and the trailing zeros) should be removed before verifying the signature.
>
> I am running gpg (GnuPG) 2.0.26 libgcrypt 1.6.3 on Debian Jessie. Using gpg (GnuPG) 1.4.18 results in the same error.
>
> Can anyone reproduce this error (using a normal Java Card instead of the Android smartphone should not change anything)? Or am I missing something here?
>
> Kind regards,
> Erik Nellessen
>
> _______________________________________________
> Gnupg-devel mailing list
> Gnupg-devel at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-devel
>
More information about the Gnupg-devel
mailing list