[PATCH GnuPG 0/2] Add support for D-Trust Card 6.1/6.4
Mario Haustein
mario.haustein at hrz.tu-chemnitz.de
Sun Jan 4 17:06:18 CET 2026
Dear GnuPG maintainers,

attached you will find a series of patches which adds support for D-Trust
electronic Signature and Sealing Cards version 6.1/6.4.

To get the cards working some minor changes on the ISO7816 layer were
necessary. The PKCS#15 application has to be selected by its AID, but is later
selected by its file ID to retrieve data about keys, authentication objects,
certificates and so on. The file ID is retrieved from the FCI response of the
initial SELECT. This kind of D-Trust card (maybe this holds for all cards of
the underlying STARCOS 3.7 card operating system) doesn't return the file ID
tag in the FCI. The tag is only returned in the FCP response. Thus I had to
alter iso7816_select_application_ext() such that it is possible to select
which response is requested.

With this patch, the PKCS#15 driver will continue to use the FCI and just fall
back to the FCP if the tag is not present in the FCI. This introduces a bit of
complexity, but reduces the chance of introducing a regression. According to
ISO 7816 part 4 the file ID is part of the file parameters, so querying just
the FCP seems to be sufficient from my point of view. I can prepare a simpler
patch for this, but don't have a representative set of cards to prove this
assumption.

The rest of the driver is implemented straightforwardly. Just the encoding of
the key reference in EF.PrKD made it necessary to introduce a further case in
do_sign().

The card issuer chose a key reference number whose ASN.1 representation is 3
bytes long. But the current STARCOS case in do_sign() assumes a 1-byte-long
reference. It further doesn't implement the EC ciphers. As I am not sure
whether all STARCOS cards support ECC, it was the safest option to introduce
a new case with hard-coded key reference length and implemented ECC support.
Merging these two cases nevertheless would be possible. But I do not have
access to other STARCOS cards for testing.

Kind regards
Mario Haustein

Mario Haustein (2):
  scd: allow to query FCP when selecting an application
  scd:p15: Add support for D-Trust Card 6.1/6.4

 scd/app-p15.c | 150 ++++++++++++++++++++++++++++++++++++++++++++++----
 scd/app-piv.c |   4 +-
 scd/app.c     |   2 +-
 scd/iso7816.c |  15 ++++-
 scd/iso7816.h |   5 ++
 5 files changed, 159 insertions(+), 17 deletions(-)
--
2.52.0
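
The FCI-first, FCP-fallback lookup of the file ID described in the cover letter, as an added example that is not taken from the patch series or from GnuPG. The function names and the sample bytes are constructed for illustration; the template tags (0x6F, 0x62), the file identifier tag (0x83) and the SELECT P2 values are those of ISO 7816-4, and both responses are passed in as buffers instead of being read from a card.

```c
#include <stddef.h>
#include <stdio.h>

/* Find single-byte TAG in BER-TLV data; NULL if absent or malformed. */
static const unsigned char *find_tlv(const unsigned char *buf, size_t len,
                                     int tag, size_t *r_len) {
    size_t i = 0;
    while (i + 2 <= len) {
        int t = buf[i++];
        size_t n = buf[i++];
        if (n > 0x7f || n > len - i)
            return NULL;    /* long-form length (not handled) or truncated */
        if (t == tag) {
            *r_len = n;
            return buf + i;
        }
        i += n;
    }
    return NULL;
}

/* 2-byte file ID (tag 0x83) inside template TMPL: 0x6F = FCI (SELECT
   P2 0x00), 0x62 = FCP (SELECT P2 0x04). -1 if missing or malformed. */
static int file_id_from(const unsigned char *resp, size_t len, int tmpl) {
    size_t n = 0;
    const unsigned char *p = find_tlv(resp, len, tmpl, &n);
    if (p)
        p = find_tlv(p, n, 0x83, &n);
    return (p && n == 2) ? (p[0] << 8 | p[1]) : -1;
}

/* Prefer the FCI; use the FCP only when the FCI lacks the tag. */
static int home_df_fid(const unsigned char *fci, size_t fcilen,
                       const unsigned char *fcp, size_t fcplen) {
    int fid = file_id_from(fci, fcilen, 0x6f);
    return fid != -1 ? fid : file_id_from(fcp, fcplen, 0x62);
}

/* Constructed sample responses (file ID 5015 is a made-up value). */
static const unsigned char sample_fci[] = {
    0x6f,0x0e, 0x84,0x0c, 0xa0,0,0,0,0x63,0x50,0x4b,0x43,0x53,0x2d,0x31,0x35 };
static const unsigned char sample_fcp[] = { 0x62,0x12, 0x83,0x02,0x50,0x15,
    0x84,0x0c, 0xa0,0,0,0,0x63,0x50,0x4b,0x43,0x53,0x2d,0x31,0x35 };

int main(void) {
    printf("home DF: %04X\n", (unsigned)home_df_fid(
        sample_fci, sizeof sample_fci, sample_fcp, sizeof sample_fcp));
    return 0;
}
```

The length checks matter because the response bytes come from the card: a template whose declared length exceeds the received data is rejected instead of being read past the buffer.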