OpenPGP Smart card V2.1 returns truncated RSA signatures if leading bytes of signature are 0
Closed, InvalidPublic

Description

Dear GnuPGP Team,

first please take my apologizes if this is not the right bug tracker for the OpenPGP card as such (rather than its support by GPG).

I have an issue with the functionality of the OpenPGP card V 2.1 as described in section "7.2.8 PSO: COMPUTE DIGITAL SIGNATURE" of the OpenPGP smart card manual V 2.1.1.

If a 4096 bit RSA key is used for signing and the resulting signature has leading zero bytes, the card omits the leading zeros in its response and return e.g. just 511 instead of 512 bytes for the signature. One can argue that a RSA signature is a variable length number and if it has leading 0s, these are omitted, but I think this is a bit unexpected and should at least be documented in the spec. A result of this is e.g. that pkcs15-crypt returns signatures which don't work with OpenSSL unless the missing 0 bytes are prepended. See https://github.com/OpenSC/OpenSC/issues/1283.

Can you please clarify if this is intended behavior or a bug in the OpenPGP smart card? In any can you please document it in the manual?

Logs which show the effect are available at https://github.com/OpenSC/OpenSC/issues/1283.

Best regards,

Michael

Details

External Link
https://github.com/OpenSC/OpenSC/issues/1283
Version
OpenPGP smart card V2.1
gniibe added a subscriber: gniibe.Apr 2 2018, 7:16 AM

You describe it as 'manual'. AFAIK, it's the specification for the functionality.
I have an experience implementing the functionality, following the specification.
And my own implementation does always return 512 bytes for RSA-4096. So, I could support your opinion.

On the other hand, in case of GnuPG, under the context of OpenPGP, MPI may be shorter. And it results no problem with GnuPG.
Considering this background, I guess that it's a kind of intended behavior.

I was referring to this document:

https://www.g10code.com/docs/openpgp-card-2.1.pdf

This manual/specification does not specify what should happen in the case of leading zeros, which is unfortunate since it did lead to a wrong implementation and useless discussions on interpretations of the specification.

Did I understand you right, that there is some higher level documentation which specifies how smart cards in general should behave hear (rather than the OpenPGP card 2.1 specifically). Do you have a link to such documentation?

Sorry, I don't know much about smart cards, I am just a user and want it to work ...

gniibe added a comment.Apr 3 2018, 1:30 AM

Yes, I meant the document. Please note that I am also one of users of the specification (for GnuPG, and for Gnuk Token). I am not defending, but try to explain the current situation.

What I meant by "the context of OpenPGP" is: https://tools.ietf.org/html/rfc4880#section-3.2
It's the specification of OpenPGP format, which GnuPG uses.

I'd suggest OpenSC to support shorter RSA packet generated by the OpenPGP card.

werner edited projects, added Not A Bug; removed Bug Report.Apr 17 2018, 8:33 PM
werner closed this task as Invalid.