scute / firefox: cannot connect to GPG agent

Damien Goutte-Gattat dgouttegattat at incenp.org
Tue Jun 6 14:08:54 CEST 2017


> I'll try to find a way to erase the certificate from the Yubikey.

You may also try the patch below. It should allow Scute to ignore the
data read from the token if it does not look like a proper DER-encoded
certificate. It's not a fool-proof check, but it should already catch
a lot of cases (including yours).

-- >8 --
Subject: Add safety check against bad card certificate.

* src/agent.c (scute_agent_get_cert): Reject card certificate if
it does not start with an ASN.1 sequence tag.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
---
 src/agent.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/agent.c b/src/agent.c
index 75d4933..d6615af 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -1284,7 +1284,7 @@ scute_agent_get_cert (int no, struct cert *cert)
   err = assuan_transact (agent_ctx, cmd, get_cert_data_cb, &cert_s,
 			 NULL, NULL, NULL, NULL);
   /* Just to be safe... */
-  if (!err && cert_s.cert_der_len <= 16)
+  if (!err && (cert_s.cert_der_len <= 16 || cert_s.cert_der[0] != 0x30))
     {
       DEBUG (DBG_INFO, "bad card certificate rejected");
       err = gpg_error (GPG_ERR_BAD_CERT);
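Review bot: the new condition `+  if (!err && (cert_s.cert_der_len <= 16 || cert_s.cert_der[0] != 0x30))` only inspects the tag byte, so a value that starts with 0x30 but whose DER length octets disagree with cert_s.cert_der_len still gets through; consider also parsing the length field and requiring header length plus body length to equal cert_s.cert_der_len, which catches truncated or padded reads as well. The short-circuit order is correct as written, since cert_der[0] is only dereferenced once cert_der_len > 16. The existing comment `/* Just to be safe... */` could be reworded to say what is being rejected (size and missing SEQUENCE tag), as the commit message does.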
-- 
2.9.0
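As an added example, not code from Scute or from the patch above: a C helper that goes one step further than the first-byte test in the hunk by also parsing the DER length field and requiring the outer SEQUENCE to cover exactly the bytes read from the card. The function name and the two sample buffers are constructed for illustration.

```c
#include <stddef.h>

/* Returns 1 if buf looks like a DER-encoded certificate, 0 otherwise.
   Hypothetical helper; it is not part of Scute. */
int looks_like_der_cert (const unsigned char *buf, size_t len)
{
  size_t hdr, body, i;

  /* Same minimal size as the patch; also guarantees buf[1] is readable. */
  if (buf == NULL || len <= 16)
    return 0;

  /* The outer element of a Certificate is a SEQUENCE (tag 0x30). */
  if (buf[0] != 0x30)
    return 0;

  if (buf[1] < 0x80)
    {
      /* Short form: a single length byte. */
      body = buf[1];
      hdr = 2;
    }
  else
    {
      /* Long form: 0x80 | n, followed by n big-endian length bytes.
         DER forbids 0x80 (indefinite length); more than 4 bytes is absurd here. */
      size_t n = buf[1] & 0x7f;
      if (n == 0 || n > 4 || len < 2 + n)
        return 0;
      body = 0;
      for (i = 0; i < n; i++)
        body = (body << 8) | buf[2 + i];
      /* DER requires the minimal encoding: long form only for body >= 128,
         and no leading zero length byte. */
      if (body < 0x80 || buf[2] == 0)
        return 0;
      hdr = 2 + n;
    }

  /* The SEQUENCE must account for exactly the bytes read from the card. */
  return hdr + body == len;
}

/* Constructed sample: a 260-byte SEQUENCE whose long-form length
   (0x82 0x01 0x00 = 256) matches the buffer; the body is zero-filled. */
static const unsigned char sample_der[260] = { 0x30, 0x82, 0x01, 0x00 };

/* Constructed sample: plausible-sized garbage that is not a SEQUENCE. */
static const unsigned char sample_garbage[32] = { 0xff, 0xff, 0x00 };
```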