[PATCH gnupg+libksba 0/2] Fix CSR generation from card-based ECDSA keys.

Damien Goutte-Gattat dgouttegattat at incenp.org
Fri Nov 16 02:27:36 CET 2018

Hi GnuPG folks,

The following patchset intends to fix the generation of CSR from a
card-based ECDSA key (e.g., a key stored on a Gnuk token, or any
other device compliant with version 3+ of the OpenPGP Card

Currently, when generating a CSR GpgSM assumes a card-based key
can only be a RSA key, and the resulting CSR therefore has an
improper signature value [1].

The first patch (against gnupg) makes GpgSM build a 'sig-val'
S-expression corresponding to the actual type of the signature.

The second patch (against libksba) ensures that libksba can
generate a CSR whose signature comprises several values (as is the
case for ECDSA signatures).

(Ultimately the goal would be to make Scute support EdDSA certificates
for client authentication; this is currently not possible [2] but
supporting ECDSA in GpgSM is a first step.)

Comments welcome.



[1] https://dev.gnupg.org/T4092
[2] https://dev.gnupg.org/T4013

More information about the Gnupg-devel mailing list