Bad signature when generating key in OpenPGP Java Card Applet

NIIBE Yutaka gniibe at
Tue Apr 12 16:21:56 CEST 2016

On 04/11/2016 10:40 PM, NIIBE Yutaka wrote:
> On 04/06/2016 02:14 AM, Erik Nellessen wrote:
>> Received APDU (57 bytes): 002A9E9A333031300D060960864801650304020105000420265A93D234241BD20BF0773B6011FD037CBE8B985D487116DC08E6914F38DBD100
> This is strange.  I think that this is the cause of your problem.
> It should be:
>     002A9E9A20265A93D234241BD20BF0773B6011FD037CBE8B985D487116DC08E6914F38DBD100
> I mean, scdaemon removes the prefix (which specifies the hash algo)
> 	3031300D060960864801650304020105000420
> before sending card.

Sorry, I was wrong.  The APDU is correct (the prefix is removed and
added again in the code scd/app-openpgp.c).  I didn't read the code
of adding the prefix again, and misunderstood.

I think that your OpenPGPcard implementation does some mistake for the
calculation of length of padding string.

For 2048-bit RSA, the length of octet is 256 (N=256).  I checked
OpenPGPcard specification.  It says (in 7.2.8 PSO: COMPUTE DIGITAL

    The DSI format for RSA:
    According to PKCS #1 the DSI is generated internally by the card
    and has the following structure:

    Description           Length  Value
    Start byte            1       00
    Block type            1       01
    Padding string (PS)   N-3-L   FF...FF
    Separator             1       00
    Data field            L       Digestinfo

With SHA256 hash, L=19+32=51.  So, the length of PS should be 202
(= 256 - 3 - 51).

It seems that it was computed as the length of PS=8 by the applet.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20160412/f1762831/attachment.sig>

More information about the Gnupg-devel mailing list