In Kleopatra we could have a whitelist for our supported cards where we know that they can do ECC and in that cases offer to generate ECC keys through the Smartcard Management.
Revisions and Commits
|rKLEOPATRA32b28d3a063b Offer ECC with Curve25519 only if the curve is supported|
|rKLEOPATRA47b723e36c3d Allow selecting ECC with supported curves when generating new keys|
|rKLEOPATRA1148dfc288ca Exclude curve secp256k1 from the list of supported algorithms|
|rKLEOPATRAa3d6a7be6566 Defer mapping the generic algorithm IDs to specific ones|
|rKLEOPATRA434563868a65 Ask the smart cards for the supported algorithms|
|rKLEOPATRA02ef04c27daf Allow setting/retrieving supported algorithms of OpenPGP smart cards|
|rKLEOPATRAb3dcee2709ef Add simple struct for information on algorithms|
|rKLEOPATRA770f60e9a685 Set supported algorithms of a few OpenPGP smart cards|
|rKLEOPATRA311a86798e36 Allow (re-)generating individual keys of OpenPGP smart cards|
|rMd9ac13859502 cpp: Allow setting the curve to use when generating ECC keys|
scdaemon should return this information together with other information about the smart card or the key slot.
For PIV I have tested which slot supports which curves with trial and error and then hard-coded this list (see PIVCard::supportedAlgorithms()). But that's nothing that Kleopatra should have to figure out or hard-code.
This (old) task only concerns OpenPGP smart cards resp. the OpenPGP card app, right? Because for PIV ECC has always been offered since PIV is supported. And for other card apps we do not even support generating keys AFAIK.
Right, this is only for the OPENPGP cards. Meanwhile we have
a way to get information on the supported algorithms. For example:
> scd getattr KEY-ATTR-INFO S KEY-ATTR-INFO OPENPGP.1 rsa2048 S KEY-ATTR-INFO OPENPGP.1 rsa3072 S KEY-ATTR-INFO OPENPGP.1 rsa4096 S KEY-ATTR-INFO OPENPGP.1 nistp256 S KEY-ATTR-INFO OPENPGP.1 nistp384 S KEY-ATTR-INFO OPENPGP.1 nistp521 S KEY-ATTR-INFO OPENPGP.1 brainpoolP256r1 S KEY-ATTR-INFO OPENPGP.1 brainpoolP384r1 S KEY-ATTR-INFO OPENPGP.1 brainpoolP512r1 S KEY-ATTR-INFO OPENPGP.2 rsa2048 [...]
This works with Zeitcontrol cards since version 3.4 but it is not
available in current Yubikeys. Thus for now I think it is better to
implement this directly in Kleopatra:
if KEY-ATTR-INFO succeeds allow all listed algorithms else if (Vendor == Yubikey and version >= 5.2.3) Allow: rsa2048 rsa3072 rsa4096 brainpoolP256r1 brainpoolP384r1 brainpoolP512r1 curve25519 else Allow: rsa2048 rsa3072 rsa4096
Note that for "curve25519" is is required to give to the internal APIs
"ed25519" for OpenPGP.1 and OpenPGP.3 but "cv25519" for OpenPGP.2
If support for KEY-ATTR_INFO is too much work right now, if is also
possible to add this condition:
else if (Vendor == Zeitcontrol and version >= 3.4) Allow: rsa2048 rsa3072 rsa4096 brainpoolP256r1 brainpoolP384r1 brainpoolP512r1
Not for this release. This needs changes in GPGME and we should check and parse the KEY-ATTR-INFO directly. My Yubikey 5.4 returns this, too. I think Ingo should implement this properly and well tested.
Btw. Couldn't we check for APPVERSION of the OpenPGP app?
I also got "key-attr" Not supported for this card several times. But then it worked after restarting.