-
Notifications
You must be signed in to change notification settings - Fork 711
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add supported algorithms for OpenPGP Card (Fixes #1432) #1442
Conversation
Look good to me. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, but from the specification I don't understand your notion of current. Specifically, https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf it defines the following:
4.4.3.8 Supported algorithms
An OpenPGP smart card V3.0 or higher shall support the following algorithms with their
specific details.
Mandatory:
RSA 2048 or higher for PSO:CDS, PSO:DEC and INTERNAL AUTHENTICATE
(and nothing more), i.e. a minimal v3 card needs to only support rsa 2048. I'd like to keep the detection mechanism as is.
would it be possible to modify |
Well, it just does not detect the algorithms which can be used on the card, but only which are configured right now. Therefore it is not really useful to look for these only. In fact, using Please see 4.4.3.7 of the specification which states
You are right that it is up to the manufacturer what algorithms are actually implemented. But as a) we don't have a proper way to find out the supported algorithm without just testing them, b) the card is supposed to refuse a algorithm it does not support anyway and c) these still seem to be the regularly supported algorithms, I would prefer to have these implemented than leave the user alone with a workaround to do the exact thing manually. In fact, openpgp-tool already does this: it just assumes that an algorithm is working, sends the information to the card and if it refuses to use this one, the user gets a proper error message. pkcs15-init on the other checks the card->algorithms first (which only includes these already configured, as stated above) and therefore fails.
I don't see how this would be different to this approach? This would be an assumption about the supported algorithms, too. And it would not apply to other tools which may access the same information (card->algorithms). Or did I misunderstood? Please let me know, if anything is unclear or you have another idea. This is the best I could come up with. As far as I can see there just is not extensive list on card... |
@frankmorgner alex-nitrokey is right: according to my reading of the specs there is no on-card information about the algorithms supported by the card. |
The problem I see is that in PKCS#11 all of the registered (but possibly unsupported) algorithms will be populated to the application: OpenSC/src/pkcs11/framework-pkcs15.c Lines 4955 to 4982 in 336b282
Please just try to make a simple comparison for your hack whether you're actually running inside Lines 450 to 454 in 4de0d06
|
I don't want to be too insisting here (thus, I added the requested limitation), but can you please elaborate why this could be a problem? Having the restriction to pkcs15-init implemented, the user can not use this code for e.g. listing all supported algorithms with I don't like the situation either. I just feel like this makes it a bit better. Of course I will totally accept your decision ;-) |
Some PKCS#11 applications are confused when seeing RSA3096 bit support without a key/certificate |
Okay, thanks. |
I just realized, that I used the wrong indentation, shall I fix this minor problem before this get merged? |
Yes, please fix this and we're good to merge. |
Tested with Nitrokey Pro (OpenPGP Card v2), Nitrokey Pro 2 (OpenPGP Card v3) and Nitrokey Start (Gnuk based).
Currently only used algorithms are list in card capabilities of OpenPGP Card based devices, instead of listing all supported algorithms. Now all possible RSA algorithm types are stored.