Is it possible to force decryption with the wrong key type

Michel Messerschmidt lists at
Mon Jun 15 01:19:35 CEST 2009

On Fri, Jun 05, 2009 at 05:33:07PM +0200, Werner Koch wrote:
> On Fri,  5 Jun 2009 14:41, lists at said:
> > I don't think gpg has a problem identifying and finding the secret key, 
> > but it refuses to decrypt a message with a key that had no encryption 
> > capability set during key creation.
> Your secret key is on a card?  Right, then it would not work.  

Several experiments later, I still found no solution. Even if I patch 
scdaemon to skip the fp check and force verification of CHV1 and CHV2, 
the card refuses to decrypt the data:

scdaemon[22828.0] DBG: <- PKDECRYPT D276000124010101000100000A510000/D37D19881B8093EFC6C5C89EFD377E2D96C5988D
2009-06-15 00:54:06 scdaemon[22828] DBG: send apdu: c=00 i=2A p0=80 p1=86 lc=129 le=256 em=0
2009-06-15 00:54:06 scdaemon[22828] DBG:   APDU_data: [...]
2009-06-15 00:54:07 scdaemon[22828] DBG:  response: sw=6985  datalen=0
2009-06-15 00:54:07 scdaemon[22828] operation decipher result: Conditions of use not satisfied
2009-06-15 00:54:07 scdaemon[22828] card_create_signature failed: Conditions of use not satisfied
scdaemon[22828.0] DBG: -> ERR 100663427 Conditions of use not satisfied <SCD>

If I understand the OpenPGP card specification correctly, there is no 
way to select the key to use, but this is up to the card OS.
Therefore I will give up on this.

BTW: The error message "card_create_signature failed" in scd/command.c 
is a bit misleading IMHO. I had expected something like "decryption 

Thanks for your help,
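
Added example, not part of the original post or of GnuPG: a small Python decoder for the scdaemon debug lines quoted above, showing that the logged header 00 2A 80 86 is the ISO 7816-8 PSO: DECIPHER command and that status word 6985 is the card itself rejecting it. The function name, the lookup tables and the regexes are this example's own; the sample lines are copied from the post.

```python
import re

# (INS, P1, P2) -> operation, per ISO 7816-8 as used by OpenPGP cards.
COMMANDS = {
    (0x2A, 0x80, 0x86): "PSO: DECIPHER",
    (0x2A, 0x9E, 0x9A): "PSO: COMPUTE DIGITAL SIGNATURE",
    (0x88, 0x00, 0x00): "INTERNAL AUTHENTICATE",
}
# ISO 7816-4 status words most relevant to a refused key operation.
STATUS = {
    0x9000: "success",
    0x6982: "security status not satisfied",
    0x6983: "authentication method blocked",
    0x6985: "conditions of use not satisfied",
    0x6A88: "referenced data not found",
}
# The log above labels the ISO P1/P2 bytes "p0"/"p1"; "p1"/"p2" is also
# accepted here (assumption: other builds may label them that way).
APDU_RE = re.compile(r"send apdu: c=(\w\w) i=(\w\w) p[01]=(\w\w) p[12]=(\w\w) lc=(\d+)")
SW_RE = re.compile(r"response: sw=([0-9A-Fa-f]{4})\s+datalen=(\d+)")

def decode_exchanges(log_text):
    """Pair each 'send apdu' line with the next 'response' line."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = APDU_RE.search(line)
        if m:
            cla, ins, p1, p2 = (int(x, 16) for x in m.group(1, 2, 3, 4))
            pending = {"cla": cla, "lc": int(m.group(5)),
                       "command": COMMANDS.get((ins, p1, p2), "unknown")}
            continue
        m = SW_RE.search(line)
        if m and pending is not None:  # a response with no command is skipped
            sw = int(m.group(1), 16)
            pending.update(sw=sw, status=STATUS.get(sw, "unknown"),
                           ok=(sw == 0x9000), datalen=int(m.group(2)))
            results.append(pending)
            pending = None
    return results

# Sample input: the two relevant lines from the post.
SAMPLE = """\
2009-06-15 00:54:06 scdaemon[22828] DBG: send apdu: c=00 i=2A p0=80 p1=86 lc=129 le=256 em=0
2009-06-15 00:54:07 scdaemon[22828] DBG:  response: sw=6985  datalen=0
"""

if __name__ == "__main__":
    for ex in decode_exchanges(SAMPLE):
        print(f"{ex['command']}: sw={ex['sw']:04X} ({ex['status']})")
```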
