Key usage of ECC keys on PKCS#15 smartcards doesn't allow decryption?
Werner Koch
wk at gnupg.org
Sun Feb 18 17:46:11 CET 2024
On Fri, 16 Feb 2024 15:12, Mario Haustein said:

> Is it likely that the `derive` check was just forgotten at this place? I
> cannot judge the consequences of this change, which is the reason for asking

Well, not forgotten but I have never seen that used by cards. I'll
check tomorrow whether I can see any problems with your suggestion.

FWIW, in gpgsm we had a somewhat related problem with RSA cards:

  /* Telesec RSA cards produced for NRW in 2022 came with only the
   * keyAgreement bit set. This flag allows their use for encryption
   * anyway. Example cert:
   * Issuer: /CN=DOI CA 10a/OU=DOI/O=PKI-1-Verwaltung/C=DE
   * key usage: digitalSignature nonRepudiation keyAgreement
   * policies: 1.3.6.1.4.1.7924.1.1:N:
   */
  #define COMPAT_ALLOW_KA_TO_ENCR 1

However, this was clearly wrong. Thanks for testing with the D-TRUST
cards. I have always had problems working with the Bundesdruckerei ;-)

Shalom-Salam,

   Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
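
Added illustration, not part of the original message and not GnuPG's code: a keyUsage check for the certificate profile quoted in the comment above, showing a strict encryption-usage test next to a compatibility mode that also accepts keyAgreement. The function names, the `allow_ka` parameter and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 5280 keyUsage bits; bit 0 is the top bit of the first content octet. */
enum {
  KU_DIGITAL_SIGNATURE = 1u << 0, KU_NON_REPUDIATION = 1u << 1,
  KU_KEY_ENCIPHERMENT = 1u << 2, KU_DATA_ENCIPHERMENT = 1u << 3,
  KU_KEY_AGREEMENT = 1u << 4
};

/* Constructed sample: DER BIT STRING for
   "digitalSignature nonRepudiation keyAgreement" (3 unused bits, 0xC8). */
static const uint8_t SAMPLE_KU[] = { 0x03, 0x02, 0x03, 0xC8 };

/* Decode the DER BIT STRING of a keyUsage extension value into KU_* flags.
   Returns 0 on success, -1 on malformed or non-DER input. */
int parse_key_usage (const uint8_t *der, size_t len, unsigned int *r_flags)
{
  unsigned int flags = 0;
  size_t i, n;
  int bit;

  if (len < 3 || der[0] != 0x03 || der[1] < 1 || der[1] > 3
      || (size_t)der[1] + 2 != len || der[2] > 7)
    return -1;
  n = der[1] - 1;                      /* number of content octets */
  if (n ? (der[2 + n] & ((1u << der[2]) - 1)) : der[2])
    return -1;                         /* padding bits must be zero */
  for (i = 0; i < n; i++)
    for (bit = 0; bit < 8; bit++)
      if (der[3 + i] & (0x80 >> bit))
        flags |= 1u << (i * 8 + bit);
  *r_flags = flags;
  return 0;
}

/* Strict mode accepts only keyEncipherment or dataEncipherment.  With
   allow_ka set (hypothetical switch), keyAgreement is accepted as well. */
int usage_allows_encryption (unsigned int flags, int allow_ka)
{
  if (flags & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT))
    return 1;
  return allow_ka && (flags & KU_KEY_AGREEMENT) ? 1 : 0;
}

int main (void)
{
  unsigned int flags;

  if (parse_key_usage (SAMPLE_KU, sizeof SAMPLE_KU, &flags))
    return 1;
  printf ("strict: %d  compat: %d\n", usage_allows_encryption (flags, 0),
          usage_allows_encryption (flags, 1));
  return 0;
}
```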