
Kleopatra: Support NetKey v15
Closed, Resolved (Public)

Description

Currently, Kleopatra refuses any NetKey cards with version != 3. Excluding v2 cards makes sense, but newer cards should be supported. Hopefully, they work out of the box. Tentatively, we will make Kleopatra accept all NetKey cards with version 3 or later.

Event Timeline

ikloecker triaged this task as Normal priority.
ikloecker created this task.
ikloecker added projects: Restricted Project, kleopatra.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

This can now be tested with NetKey v15 cards (and with other versions).

ebo changed the task status from Open to Testing. Sep 25 2023, 8:32 AM

TeleSec NetKey v3 cards are accepted; for NetKey v2 you get the error message "NetKey v2 cards are not supported".

A NetKey-v15-card Signature Card V2.0 and a GeNUA PKCS#15 Card are read, too.

aheinecke added a subscriber: aheinecke.

So if you tested this with the signature cards, this can be resolved? My signature card still has the nullpin. I should probably set that to test it myself, but if you have one and tested this, why not resolved?

Well, the above-mentioned cards are all with expired certificates and I did not use the cards. I could only check if some info about the certificates on the card is displayed in the smart card tab.
Is this all that is necessary for the test of whether Kleopatra "accepts" those cards? That their contents are displayed? In that case you might count the ticket as resolved.
But I'm lacking a representative sample of test cards and don't feel comfortable declaring that all NetKey v15 cards are accepted on such cursory tests.

aheinecke claimed this task.

I set the pin on my card, so this still works in kleo :)
When I had not set the pin, pinentry informed me correctly that the pin was not yet set and I got the error "Nutzungsvorraussetzungen nicht erfüllt", so this works nicely.
With faked system time I was able to sign with a vs-nfd compliant brainpool key.

I was unable to sign with a non-compliant key, which is also expected as we currently do not allow that.

I was able to encrypt and decrypt to non vs-nfd compliant with nistp keys.

The only thing that did not work was decrypting with the vs-nfd compliant brainpool key on that card; this returned invalid ID. But that is a GnuPG issue.

So I am confidently setting this issue to resolved as everything on the Kleopatra side worked perfectly.

ebo edited projects, added vsd32 (vsd-3.2.0); removed vsd32.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.