> I'll try to find a way to erase the certificate from the Yubikey. You may also try the patch below. It should allow Scute to ignore the data read from the token if it does not look like a proper DER-encoded certificate. It's not a fool-proof check, but it should already catch a lot of cases (including yours).
-- >8 -- Subject: Add safety check against bad card certificate. * src/agent.c (scute_agent_get_cert): Reject card certificate if it does not start with an ASN.1 sequence tag. Signed-off-by: Damien Goutte-Gattat <dgouttegat...@incenp.org> --- src/agent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/agent.c b/src/agent.c index 75d4933..d6615af 100644 --- a/src/agent.c +++ b/src/agent.c @@ -1284,7 +1284,7 @@ scute_agent_get_cert (int no, struct cert *cert) err = assuan_transact (agent_ctx, cmd, get_cert_data_cb, &cert_s, NULL, NULL, NULL, NULL); /* Just to be safe... */ - if (!err && cert_s.cert_der_len <= 16) + if (!err && (cert_s.cert_der_len <= 16 || cert_s.cert_der[0] != 0x30)) { DEBUG (DBG_INFO, "bad card certificate rejected"); err = gpg_error (GPG_ERR_BAD_CERT); -- 2.9.0
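Review bot: the added test `cert_s.cert_der[0] != 0x30` on the `+` line uses a bare magic number, and the comment above it still says only "Just to be safe...", so nothing in the code records that 0x30 is the ASN.1 SEQUENCE tag a DER-encoded certificate starts with. Name the constant or extend the comment to say what is being checked and why. The operand order deserves a word in that comment too: `cert_s.cert_der_len <= 16` is evaluated first, so `cert_der[0]` is only read when the length is above 16, and swapping the operands would remove that guard. The check also stops at the first byte, so data that begins with 0x30 but whose DER length field disagrees with `cert_der_len` still passes; comparing the encoded length against `cert_der_len` at this point would tighten it. Both failure cases share the single "bad card certificate rejected" debug message, so logging the length or the first byte would make the reason for a rejection visible.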