Bad signature when generating key in OpenPGP Java Card Applet
Erik Nellessen
erik.nellessen at informatik.hu-berlin.de
Tue Apr 5 19:14:45 CEST 2016
Hi everybody,
I am running an OpenPGP Java card applet on an Android Smartphone via HCE. So for the PC side, this looks like a normal Java card. The communication with GnuPG works fine (i.e. gpg2 --card-status works), until I generate a key on the card (via gpg2 --card-edit, then "admin", then "generate"). I also tried the ykneo-openpgp-applet, which resulted in the same error.
I get the following error on the PC:
DBG: rsa_verify data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffff003031300d06096086480165030402010500042026 \
DBG: 5a93d234241bd20bf0773b6011fd037cbe8b985d487116dc08e6914f38dbd1
DBG: rsa_verify sig:+060c442ed6074b6b7dba6dcac223be83d251c7230f34d62cd81c5f38d8146f88 \
DBG: 14b477b3d9e60106cfb01fc372e9cf82929b1de4d760c74550b53559de717b20 \
DBG: 48b264ad1116e035fd0de5c8c2a43cbcf3d84fabc76a84500fc2b2652dcde19b \
DBG: 7a46f32d5e4871913bd5b8f3051fb4ca9a00a32542e6e194553b98ce6843c8b4 \
DBG: 3ba5049f78a7957dcce6a272f939d2016bc33d48819976ce89a3bf7d7d335eaa \
DBG: e0bbc913c011e8dfea8c6b2e506b59d8214eeae1ed4abe1e9ed6bf32475a3c65 \
DBG: 373eea3c9caa1058c5c11a506c931e26fc34ced607a8afb57ca1f69ccdfa24cf \
DBG: 8f3d062cff8685db11e7a3f60f98cbede2f116ab0d89bc0eab275cd90b79b1a1
DBG: rsa_verify n:+b81244edd096c6646a1c6d9a91142f01919cc71f4f289696572fe933f9c69aed \
DBG: 87752404f460e03c2768f285e491fdf074b6439293f8d58695e6e1af993f4046 \
DBG: a9a31c5633e464009a96e6c0481c1f894eb6b04f1c2ea34cb2ece43a7b832973 \
DBG: 0cb4ce384de20e1e5a5b48617293f76fad3ea56abbb2f932540d4176a9afcb47 \
DBG: 5c973904f8c96381ee736e73fa631966ca1f5746a3703662a48fb0aeb89824cc \
DBG: 75637e8cef57cd08a93c685455055b8c2e62e3b450d5880e8138cf4c6cdc15ff \
DBG: 3716edcd96b96946b387abe38a0df1abeeeb53462f5038bfffc853bb55a3e66d \
DBG: 2ae50003b1bdd89357b168aad127fdfe474d78f57020f517ddc0f02b204fda99
DBG: rsa_verify e:+010001
DBG: rsa_verify cmp:+01ffffffffffffffff003031300d060960864801650304020105000420265a93 \
DBG: d234241bd20bf0773b6011fd037cbe8b985d487116dc08e6914f38dbd1000000 \
DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
DBG: 0000000000000000000000000000000000000000000000000000000000000000 \
DBG: 00000000000000000000000000000000000000000000000000000000000000
DBG: rsa_verify => Falsche Unterschrift
gpg: Prüfung der erstellten Signatur ist fehlgeschlagen: Falsche Unterschrift
gpg: Beglaubigung fehlgeschlagen: Falsche Unterschrift
gpg: make_keysig_packet failed: Falsche Unterschrift
Schlüsselerzeugung fehlgeschlagen: Falsche Unterschrift
(The last four lines say, that the verification of the signature has failed, "Bad signature". Sorry, my gpg2 produces german error messages.)
As you can see, the "data" and the "cmp" part are totally equal except for the (I guess PKCS1) padding (I checked this via diff and meld, it really is the same). So I think that the difference in the paddings is the reason for which the signature verification fails. I guess, that the data given to the rsa_verify function is not padded as it should be. The logs from the smartphone show, that the data has been transferred to the PC without padding:
Received APDU (57 bytes): 002A9E9A333031300D060960864801650304020105000420265A93D234241BD20BF0773B6011FD037CBE8B985D487116DC08E6914F38DBD100
Sending APDU (257 bytes): 060C442ED6074B6B7DBA6DCAC223BE83D251C7230F34D62CD81C5F38D8146F8814B477B3D9E60106CFB01FC372E9CF82929B1DE4D760C74550B53559DE717B2048B264AD1116E035FD0DE5C8C2A43CBCF3D84FABC76A84500FC2B2652DCDE19B7A46F32D5E4871913BD5B8F3051FB4CA9A00A32542E6E194553B98CE6843C8B43BA5049F78A7957DCCE6A272F939D2016BC33D48819976CE89A3BF7D7D335EAAE0BBC913C011E8DFEA8C6B2E506B59D8214EEAE1ED4ABE1E9ED6BF32475A3C65373EEA3C9CAA1058C5C11A506C931E26FC34CED607A8AFB57CA1F69CCDFA24CF8F3D062CFF8685DB11E7A3F60F98CBEDE2F116AB0D89BC0EAB275CD90B79B16101
Received APDU (5 bytes): 00C0000001
Sending APDU (3 bytes): A19000
I think, the data received from the card and the data generated to be compared must be padded in the same way. Or even better, the padding (and the trailing zeros) should be removed before verifying the signature.
I am running gpg (GnuPG) 2.0.26 libgcrypt 1.6.3 on Debian Jessie. Using gpg (GnuPG) 1.4.18 results in the same error.
Can anyone reproduce this error (using a normal Java Card instead of the Android smartphone should not change anything)? Or am I missing something here?
Kind regards,
Erik Nellessen
More information about the Gnupg-devel
mailing list