Page MenuHome GnuPG
Create Mock
Pholio M9

ECC CSR gen from Yubikey
ClosedPublic
Actions

Mock History

Current Revision

Event Timeline

werner created ECC CSR gen from Yubikey.Jan 13 2023, 10:59 AM
werner added an image: Screenshot_2023-01-13_10-44-51.png.
ikloecker added a subscriber: ikloecker.Jan 13 2023, 11:46 AM

This screenshot looks like you clicked on "Schüssel erneuern". Why is the title "ECC CSR gen from Yubikey"?

ikloecker added a comment.Jan 13 2023, 11:51 AM

What does "SCD GETATTR KEY-ATTR-INFO" give you? What "CARDTYPE" and "CARDVERSION" does "SCD LEARN --force" give you?

werner added a comment.Jan 13 2023, 12:12 PM

These are 2.4 features ...

ikloecker added a comment.Jan 13 2023, 12:22 PM

Yeah, well, then the generation of ECC keys for smart cards is a 2.4 feature. I have implemented what you suggested: https://dev.gnupg.org/T4429#162056
If this suggestion doesn't work with 2.2, then it doesn't work with 2.2.

werner added a comment.Jan 13 2023, 3:16 PM

Backported the needed stuff:

rG398cec3ac7ac6fe3bdc2f27334c3cc9da51ba938
rG2e39fed1091077c6b55b375c1755d06e199ee4e9
rG210ba983557bcbd09208aa5e488e04fda6c1a45f

For de-vs we should limit the capability to create non-compliant keys. This might have happened in Kleopatra already but needs to be checked.

ikloecker added a comment.Jan 13 2023, 5:02 PM

Kleopatra doesn't have any restrictions when generating smart card keys. When generating OpenPGP certificates or CSRs off-card or from card keys, then in de-vs mode only RSA 3072, RSA 4096 or any supported curve (without any restrictions) can be chosen. Except for RSA 2048, Kleopatra doesn't know which algos are compliant or not compliant.

werner added a comment.Jan 14 2023, 3:02 PM

Given that there is now also a restriction for rsa2048 in de-vs mode, can you please also restrict all non-brainpool curves?

ikloecker mentioned this in T6325: Kleopatra: Prevent OpenPGP Cert and CSR creation for RSA-2048 in de-vs mode.Jan 16 2023, 9:29 AM
ebo closed this mock.Apr 24 2023, 11:45 AM