Constructed data objects on the OpenPGP card

Fabian Henneke fabian at
Fri Sep 22 15:46:43 CEST 2017


In the process of developing Chrome/Chromium extensions that support
decryption and authentication using OpenPGP cards, I may have found an
aspect in which the OpenPGP smart card (the physical device) deviates from
the OpenPGP card specification ( As it is very well possible
that either my interpretation of the spec or my implementation are at
fault, I would like to obtain confirmation in this way.

The OpenPGP card specification in version 2.1 says in Section 4.3.1, "DOs
for GET DATA": "Constructed DOs (C, marked yellow) are returned including
their tag and length.". I take this to mean that if for example I were to
send a GET DATA request for the Application Related Data (Tag 6E), I would
expect to see a single constructed tag 6E in the TLV-encoded response,
which then contains as its value a list of the subtags of this constructed
tag (e.g. the Application Identifier and PW Status Bytes). I found this
interpretation to be consistent with some implementations of the OpenPGP
applet (for example on Yubikeys).
A log of the communication with the card that a user with an OpenPGP smart
card (the physical device, version 2.1) sent me shows that it exhibits a
different behavior: All the "subtags" of constructed tag 6E are returned
sequentially as a list of tags with no encompassing 6E tag.

I would be grateful for any confirmation of the general structure of
constructed tags I should expect as responses to GET DATA requests. I have
ordered an OpenPGP smart card and will also conduct my own experiments.
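
The two response shapes described in the message above can be handled by one tolerant BER-TLV parser. The following is an added example, not part of the original post and not code from the author's extensions. It assumes the status word has already been stripped from the response, and the function names and sample bytes are made up for illustration.

```javascript
// Parse one BER-TLV object at offset pos; returns the node and the next offset.
function readTlv(buf, pos) {
  if (pos >= buf.length) throw new RangeError('truncated tag');
  const first = buf[pos++];
  let tag = first;
  if ((first & 0x1f) === 0x1f) { // multi-byte tag: keep reading while bit 8 is set
    let b;
    do {
      if (pos >= buf.length) throw new RangeError('truncated tag');
      b = buf[pos++];
      tag = tag * 256 + b;
    } while (b & 0x80);
  }
  if (pos >= buf.length) throw new RangeError('truncated length');
  let len = buf[pos++];
  if (len === 0x80) throw new RangeError('indefinite length not supported');
  if (len > 0x80) { // long form: 0x81 nn or 0x82 nn nn
    const n = len & 0x7f;
    if (n > 2 || pos + n > buf.length) throw new RangeError('bad length field');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
  }
  if (pos + len > buf.length) throw new RangeError('value overruns response');
  const value = buf.subarray(pos, pos + len);
  // Bit 6 of the first tag byte marks a constructed object: recurse into it.
  const children = (first & 0x20) ? readAll(value) : null;
  return { node: { tag, value, children }, next: pos + len };
}

function readAll(buf) {
  const out = [];
  for (let pos = 0; pos < buf.length;) {
    const r = readTlv(buf, pos);
    out.push(r.node);
    pos = r.next;
  }
  return out;
}

// Accept both shapes: a single enclosing expectedTag, or its sub-objects listed bare.
function parseConstructedDo(expectedTag, response) {
  const top = readAll(response);
  const wrapped = top.length === 1 && top[0].tag === expectedTag;
  return { wrapped, children: wrapped ? top[0].children : top };
}

// Constructed sample bytes (not a card capture): tag 4F with 2 bytes, tag C4 with 3.
const inner = Uint8Array.from([0x4f, 0x02, 0xd2, 0x76, 0xc4, 0x03, 0x00, 0x20, 0x20]);
const wrappedSample = Uint8Array.from([0x6e, inner.length, ...inner]);
```

Recording the `wrapped` flag per card makes it possible to log which devices return the bare list, and the bounds checks reject a truncated or malformed response instead of reading past it.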
