Page MenuHome GnuPG
Create Task
Maniphest T6277

Kleopatra: Support NetKey v15
Closed, ResolvedPublic
Actions

Description

Currently, Kleopatra refuses any NetKey cards with version != 3. Excluding v2 cards makes sense, but newer cards should be supported. Hopefully, they work out of the box. Tentatively, we will make Kleopatra accept all NetKey cards with version 3 or later.

Revisions and Commits

rKLEOPATRA Kleopatra
rKLEOPATRA4e7cd9bd41f8 Only reject NetKey cards with version < 3

Event Timeline

ikloecker claimed this task.Nov 16 2022, 9:27 AM
ikloecker triaged this task as Normal priority.
ikloecker created this task.
ikloecker added projects: Restricted Project, kleopatra.
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.
ikloecker added a commit: rKLEOPATRA4e7cd9bd41f8: Only reject NetKey cards with version < 3.Nov 16 2022, 9:38 AM
ikloecker removed ikloecker as the assignee of this task.Nov 16 2022, 9:39 AM
ikloecker moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.

This can now be tested with NetKey v15 cards (and with other versions).

ebo changed the task status from Open to Testing.Sep 25 2023, 8:32 AM
ebo added a subscriber: ebo.Oct 9 2023, 1:48 PM

TeleSec NetKey v3 cards are accepted, for NetKey v2 you get the error message "NetKey v2 cards are not supported".

A NetKey-v15-card Signature Card V2.0 and a GeNUA PKCS#15 Card are read, too.

aheinecke added a project: vsd32.Nov 15 2023, 9:43 AM
aheinecke added a subscriber: aheinecke.

So if you tested this with the signature cards this can be resolved? My signature card still has the nullpin. I should probably set that to test it myself but if you have one and tested this why not resolved?

ebo added a comment.Nov 15 2023, 9:58 AM

Well, the above mentioned cards are all with expired certificates and I did not use the cards. I could only check if some info about the certificates on the card is displayed in the smart card tab.
Is this is all necessary for the test if Kleopatra "accepts" those cards? That their contends are displayed? In that case you might count the ticket as resolved.
But I'm lacking a representative sample of testcards and don't feel comfortable declaring that all Netkey v15 cards are accepted on such cursory tests.

ebo moved this task from Backlog to QA on the vsd32 board.Nov 15 2023, 10:41 AM
aheinecke closed this task as Resolved.Nov 15 2023, 10:50 AM
aheinecke claimed this task.

I set the pin on my card, so this still works in kleo :)
When I had not set the pin, pinentry informed me correctly that the pin was not yet set and I got as an error "Nutzungsvorraussetzungen nicht erfüllt" so this works nicely.
With faked system time I was able to sign with a vs-nfd compliant brainpool key.

I was unable to sign with a non compliant key, which is also expected as we currently do not allow that.

I was able to encrypt and decrypt to non vs-nfd compliant with nistp keys.

The only thing that did not work was decrypting with the vs-nfd compliant brainpool key on that card, this returned invalid ID. But that is a GnuPG issue.

So I am confidently setting this issue to resolved as everything on the Kleopatra side worked perfectly.

ebo moved this task from QA to vsd-3.2.0 on the vsd32 board.Nov 15 2023, 11:02 AM
ebo edited projects, added vsd32 (vsd-3.2.0); removed vsd32.
ebo moved this task from Restricted Project Column to Restricted Project Column on the Restricted Project board.