private data objects on smartcard

Damien Goutte-Gattat dgouttegattat at incenp.org
Fri Jan 31 00:57:28 CET 2020


On Fri, Jan 31, 2020 at 12:39:11AM +0100, mailing list wrote:
>By the way, is mcl3 the length of the key currently living on the
>smartcard or the maximum key length supported by this card?

Neither of those. It's the maximum length of the "Cardholder certificate 
DO". This is another data object available on an OpenPGP smart card, 
intended to store an X.509 certificate.

You can write to that DO using the (undocumented) writecert command. For 
example, assuming the cert.der file contains a DER-encoded X.509 
certificate:

  $ gpg --card-edit
  gpg/card> writecert 3 < cert.der

GnuPG allows writing into that DO but does not actually use it. As far 
as I know the only component that makes use of the Cardholder 
certificate DO is Scute [1], for TLS client authentication (and even for 
that the DO is actually dispensable: if Scute does not find the desired 
certificate in that DO, it will obtain it from GpgSM.)


>I just play with a card version 1.1 and mcl3 is 0 there.....

The Cardholder certificate DO was added in version 2.0 of the 
specification, so nothing surprising here.


Cheers,

- Damien


[1] http://scute.org/
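The reply above explains where mcl3 comes from: it is the "maximum length of
the Cardholder certificate DO" field of the card's Extended Capabilities DO
(tag 0xC0), which GnuPG prints as mcl3= in the output of
`gpg-connect-agent 'scd getattr EXTCAP' /bye`. The following Python is an
added example, not code from the post or from GnuPG: it decodes mcl3 from the
raw Extended Capabilities bytes of a v2.0+ card (bytes 4-5, big endian; a
v1.x card has no Cardholder certificate DO, so mcl3 is reported as 0), then
checks whether a DER-encoded certificate would fit before one tries
`writecert 3`. The function names, the sample EXTCAP bytes and the
placeholder DER SEQUENCE are constructed for illustration; the placeholder
is not a real certificate, only a correctly framed outer TLV.

```python
"""Decode mcl3 from a raw OpenPGP card Extended Capabilities DO (tag 0xC0)
and check a DER certificate against it before 'writecert 3'.
Added example; not part of the original mailing-list post."""

from dataclasses import dataclass


@dataclass
class ExtCap:
    get_challenge: bool          # flags bit 6: GET CHALLENGE supported
    key_import: bool             # flags bit 5: key import supported
    pw_status_changeable: bool   # flags bit 4: PW status byte changeable
    private_dos: bool            # flags bit 3: private use DOs present
    max_get_challenge: int       # bytes 2-3
    mcl3: int                    # bytes 4-5: max length of Cardholder cert DO


def parse_extcap(raw: bytes, card_version: tuple[int, int]) -> ExtCap:
    """Parse the Extended Capabilities DO of an OpenPGP card.

    Layout for spec v2.0 and later (bytes 6-9 carry command/response
    length limits and are not needed here):
      byte 0     flags
      byte 1     secure-messaging algorithm
      bytes 2-3  maximum length of GET CHALLENGE
      bytes 4-5  maximum length of the Cardholder certificate DO (mcl3)

    The Cardholder certificate DO only exists from v2.0 on, so for a v1.x
    card mcl3 is 0 and only the flags byte is decoded in this example.
    """
    if not raw:
        raise ValueError("empty Extended Capabilities DO")
    flags = raw[0]
    common = dict(
        get_challenge=bool(flags & 0x40),
        key_import=bool(flags & 0x20),
        pw_status_changeable=bool(flags & 0x10),
        private_dos=bool(flags & 0x08),
    )
    if card_version < (2, 0):
        return ExtCap(max_get_challenge=0, mcl3=0, **common)
    if len(raw) < 6:
        raise ValueError("Extended Capabilities DO too short for a v2+ card")
    return ExtCap(
        max_get_challenge=int.from_bytes(raw[2:4], "big"),
        mcl3=int.from_bytes(raw[4:6], "big"),
        **common,
    )


def der_total_length(der: bytes) -> int:
    """Return the full encoded length of the outermost DER TLV, which for a
    certificate must be a SEQUENCE (tag 0x30). Rejects malformed or
    non-minimal length encodings instead of guessing."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length")
    if der[2] == 0:
        raise ValueError("non-minimal DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def cert_fits(der: bytes, cap: ExtCap) -> bool:
    """True if the DER blob is exactly one SEQUENCE and fits in the
    Cardholder certificate DO; False if the card has no such DO (mcl3 == 0)
    or the certificate is too large."""
    total = der_total_length(der)
    if total != len(der):
        raise ValueError(
            f"DER framing says {total} bytes, file has {len(der)}")
    return cap.mcl3 > 0 and total <= cap.mcl3


# Constructed sample EXTCAP bytes (not captured from a real card):
# v2 card: flags 0x7c, SM alg 0, GET CHALLENGE max 8, mcl3 0x0800 = 2048
SAMPLE_EXTCAP_V2 = bytes.fromhex("7c00 0008 0800 00ff 00ff")
# v1.1 card: flags only matter here; mcl3 is always 0
SAMPLE_EXTCAP_V1 = bytes.fromhex("70000008")

# Constructed placeholder DER SEQUENCEs (outer TLV only, not real certs)
SMALL_DER = b"\x30\x82\x01\x00" + b"\x00" * 256     # 260 bytes total
LARGE_DER = b"\x30\x82\x0a\x00" + b"\x00" * 2560    # 2564 bytes total

if __name__ == "__main__":
    cap2 = parse_extcap(SAMPLE_EXTCAP_V2, (2, 0))
    cap1 = parse_extcap(SAMPLE_EXTCAP_V1, (1, 1))
    print(f"v2 mcl3={cap2.mcl3}, small fits={cert_fits(SMALL_DER, cap2)}, "
          f"large fits={cert_fits(LARGE_DER, cap2)}")
    print(f"v1 mcl3={cap1.mcl3}, small fits={cert_fits(SMALL_DER, cap1)}")
```

A practical use: run the check on the real cert.der and the real EXTCAP
bytes before issuing writecert, since a certificate larger than mcl3 cannot
be stored in the DO regardless of the key size on the card.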