Invalid keys when switching smartcard from ed25519 to other curves

Trevor Bentley trevor at
Wed Mar 20 18:29:34 CET 2019

Hi again,

It appears that once the signature or authentication slot of a smartcard 
has been set to ed25519, if you change it to a different curve and 
generate a key it produces an invalid public key.  The only way to 
recover is to bounce the slot key-attr to RSA and back.

This seems to stem from ask_card_keyattr() in card-util.c.  When coming 
from RSA, it sets `algo` specifically to ECDH or ECDSA, and then calls 
ask_curve() which corrects ECDSA to EDDSA if the curve is ed25519. 
However, if the slot was already EC, it just sets `algo` to whatever it 
already was.  ask_curve() does not correct EDDSA back to ECDSA, so the 
slot permanently reports itself as EDDSA.

When this algo is passed on to scdaemon, it eventually ends up in 
ecc_read_pubkey() in app-openpgp.c.  This function incorrectly thinks 
the ECDSA public key is EDDSA, so it prepends an 0x40 byte on the front. 
  I didn't trace all the way to where it fails, but eventually something 
treats it as ECDSA again and fails.



More information about the Gnupg-devel mailing list