Invalid keys when switching smartcard from ed25519 to other curves
trevor at yubico.com
Wed Mar 20 18:29:34 CET 2019
It appears that once the signature or authentication slot of a smartcard
has been set to ed25519, if you change it to a different curve and
generate a key it produces an invalid public key. The only way to
recover is to bounce the slot key-attr to RSA and back.
This seems to stem from ask_card_keyattr() in card-util.c. When coming
from RSA, it sets `algo` specifically to ECDH or ECDSA, and then calls
ask_curve() which corrects ECDSA to EDDSA if the curve is ed25519.
However, if the slot was already EC, it just sets `algo` to whatever it
already was. ask_curve() does not correct EDDSA back to ECDSA, so the
slot permanently reports itself as EDDSA.
When this algo is passed on to scdaemon, it eventually ends up in
ecc_read_pubkey() in app-openpgp.c. This function incorrectly thinks
the ECDSA public key is EDDSA, so it prepends an 0x40 byte on the front.
I didn't trace all the way to where it fails, but eventually something
treats it as ECDSA again and fails.
More information about the Gnupg-devel