JavaCard with OpenPGP applet fails on second decryption attempt

Dominique Larchey-Wendling dominique.larchey-wendling at loria.fr
Fri Apr 10 00:29:00 CEST 2015


Hi, 

I am trying to setup a JavaCard (Gemalto IDCore 10 rev C) with 
an OpenPGP applet. My goal is to obtain an equivalent of the 
regular OpenPGP Smartcard (from ZeitControl) which I own as 
well and which works perfectly (so far). 

1/ I tried the Java Card OpenPGP Card (from joeridr) but it was 
impossible to either set up new PINs or verify the default 
one on that applet. Hopefully uninstalling and reinstalling 
the applet reinitialized both PIN retry counters to 3 ... 
At first I was afraid of bricking my JC. 

Btw the Yubikey Neo OpenPGP is nearly the same applet as 
the joeridr one ... doesn't even install on the JC. 

2/ Then I tried the FluffyPGPApplet (from FluffyKaon) and with 
that one, I could set up new PINs and even check them ... gpg2 
basically worked but then I began to try the cryptographic 
functions of the card and a strange behavior appeared. 

Indeed, the first decryption after a PIN check (either on the 
JC hardware or simulated by edit-card verify) works whereas 
subsequent decryption attempts fail. 

Here is a sequence of commands that reproduce the problem. 
Notice that scdaemon logs are attached below. 

It seems to me that the APDU sequence sent on subsequent 
decryption attempts is of the wrong length ... 

Can anyone give me some hints as to what is going on? 

Thx very much in advance, 

DomLW 

--------------------- 

## JavaCard with Fluffy OpenPGP Applet inserted 
## I run gpg -d twice, 

## first attempt, I am asked for the PIN (CHV1) and decryption is a success 

$ gpg2 -d examples.desktop.asc > /dev/null 
gpg: encrypted with 2048-bit RSA key, ID 04F53C66, created 2015-04-09 
"DomLW (test) <larchey at gmail.com>" 

## second attempt, I am NOT asked for the PIN and decryption ends in a failure 
## probably because a too-short APDU command is sent to the card (see the logs 
## of scdaemon) 

$ gpg2 -d examples.desktop.asc > /dev/null 
gpg: encrypted with 2048-bit RSA key, ID 04F53C66, created 2015-04-09 
"DomLW (test) <larchey at gmail.com>" 
gpg: public key decryption failed: Invalid value 
gpg: decryption failed: No secret key 

## then if I run gpg --card-edit (verify) and after that another decrypt 

## first card-edit and verify the PIN, I am NOT asked for the PIN 

$ gpg2 --card-edit 

Application ID ...: D2760001240102000000000000000000 
Version ..........: 2.0 
Manufacturer .....: test card 
Serial number ....: 00000000 
Name of cardholder: Dominique Larchey-Wendling 
Language prefs ...: fr 
Sex ..............: male 
URL of public key : [not set] 
Login data .......: [not set] 
Signature PIN ....: not forced 
Key attributes ...: 2048R 2048R 2048R 
Max. PIN lengths .: 32 32 32 
PIN retry counter : 3 0 3 
Signature counter : 3 
Signature key ....: 3CB0 9186 9FD6 2670 085A FA64 62FE A0E4 ED4D B6AB 
created ....: 2015-04-09 09:49:26 
Encryption key....: C2B7 66F5 08A4 E8F5 C2B2 40C6 2F46 B077 04F5 3C66 
created ....: 2015-04-09 10:03:07 
Authentication key: 0C69 4EE0 EB99 336D 75E9 C130 490C 3508 30DA 9738 
created ....: 2015-04-09 09:49:26 
General key info..: [none] 

gpg/card> verify 

... 

gpg/card> q 

## now I try another decrypt 
## this third decrypt does NOT ask for the PIN and succeeds 

$ gpg2 -d examples.desktop.asc > /dev/null 
gpg: encrypted with 2048-bit RSA key, ID 04F53C66, created 2015-04-09 
"DomLW (test) <larchey at gmail.com>" 

------------ 

The logs of scdaemon (2048) during the previous sequence of commands 
are accessible at https://gist.github.com/DmxLarchey/62abeaf53040b8c19cbb 
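For reference, here is how a PSO:DECIPHER command for a 2048-bit RSA key is sized under the OpenPGP card 2.0 specification (INS 0x2A, P1 0x80, P2 0x86, data = padding indicator 0x00 followed by the 256-byte ciphertext). This is an added illustration, not code from the post, the applets or GnuPG, and the ciphertext bytes are constructed; it shows the extended-length form, the command-chained form for cards without extended-length support, and a length check of the kind that would flag a truncated command in an scdaemon trace.

```python
# Added example (not from the original post): encode an OpenPGP card
# PSO:DECIPHER command for an RSA-2048 ciphertext, either as one
# extended-length APDU or as a chain of short APDUs, and check that each
# APDU's Lc field agrees with the number of data bytes actually present.
# The ciphertext used in the tests is a constructed placeholder, not real data.

PSO_DECIPHER = (0x2A, 0x80, 0x86)   # INS, P1, P2 per OpenPGP card 2.0
RSA2048_BYTES = 256
SHORT_MAX = 255                      # max data bytes in a short (non-extended) APDU
CHAIN_BIT = 0x10                     # CLA bit set on every chunk except the last


def decipher_data(ciphertext: bytes) -> bytes:
    """Data field: padding indicator 0x00 followed by the raw RSA ciphertext."""
    if len(ciphertext) != RSA2048_BYTES:
        raise ValueError("RSA-2048 ciphertext must be exactly 256 bytes")
    return b"\x00" + ciphertext


def extended_apdu(data: bytes) -> bytes:
    """One extended-length APDU: Lc = 00 hh ll, Le = 00 00 (maximum response)."""
    ins, p1, p2 = PSO_DECIPHER
    header = bytes([0x00, ins, p1, p2, 0x00]) + len(data).to_bytes(2, "big")
    return header + data + b"\x00\x00"


def chained_apdus(data: bytes) -> list:
    """Short APDUs with command chaining, for cards lacking extended length."""
    ins, p1, p2 = PSO_DECIPHER
    chunks = [data[i:i + SHORT_MAX] for i in range(0, len(data), SHORT_MAX)]
    apdus = []
    for idx, chunk in enumerate(chunks):
        last = idx == len(chunks) - 1
        cla = 0x00 if last else CHAIN_BIT
        apdu = bytes([cla, ins, p1, p2, len(chunk)]) + chunk
        if last:
            apdu += b"\x00"          # Le: ask for the full plaintext back
        apdus.append(apdu)
    return apdus


def check_apdu_length(apdu: bytes) -> bool:
    """True if Lc matches the data that follows it (plus an optional Le)."""
    if len(apdu) < 5:
        return False
    body = apdu[4:]
    if body[0] == 0x00 and len(body) >= 3:       # extended-length encoding
        lc = int.from_bytes(body[1:3], "big")
        return len(body) - 3 - lc in (0, 2)      # no Le, or a 2-byte Le
    lc = body[0]                                 # short encoding
    return len(body) - 1 - lc in (0, 1)          # no Le, or a 1-byte Le
```

A command that is shorter than its Lc announces (the situation suspected above) fails `check_apdu_length`, which is a quick way to triage a captured APDU before blaming the applet.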

