In Kleopatra we could have a whitelist for our supported cards where we know that they can do ECC and in those cases offer to generate ECC keys through the Smartcard Management.
scdaemon should return this information together with other information about the smart card or the key slot.
For PIV I have tested which slot supports which curves with trial and error and then hard-coded this list (see PIVCard::supportedAlgorithms()). But that's nothing that Kleopatra should have to figure out or hard-code.
This (old) task only concerns OpenPGP smart cards, or rather the OpenPGP card app, right? Because for PIV, ECC has always been offered since PIV has been supported. And for other card apps we do not even support generating keys AFAIK.
Right, this is only for the OPENPGP cards. Meanwhile we have
a way to get information on the supported algorithms. For example:
> scd getattr KEY-ATTR-INFO
S KEY-ATTR-INFO OPENPGP.1 rsa2048
S KEY-ATTR-INFO OPENPGP.1 rsa3072
S KEY-ATTR-INFO OPENPGP.1 rsa4096
S KEY-ATTR-INFO OPENPGP.1 nistp256
S KEY-ATTR-INFO OPENPGP.1 nistp384
S KEY-ATTR-INFO OPENPGP.1 nistp521
S KEY-ATTR-INFO OPENPGP.1 brainpoolP256r1
S KEY-ATTR-INFO OPENPGP.1 brainpoolP384r1
S KEY-ATTR-INFO OPENPGP.1 brainpoolP512r1
S KEY-ATTR-INFO OPENPGP.2 rsa2048
[...]
This works with Zeitcontrol cards since version 3.4 but it is not
available in current Yubikeys. Thus for now I think it is better to
implement this directly in Kleopatra:
if KEY-ATTR-INFO succeeds
    allow all listed algorithms
else if (Vendor == Yubikey and version >= 5.2.3)
    Allow: rsa2048 rsa3072 rsa4096 brainpoolP256r1 brainpoolP384r1 brainpoolP512r1 curve25519
else
    Allow: rsa2048 rsa3072 rsa4096
Note that for "curve25519" it is required to give to the internal APIs
"ed25519" for OpenPGP.1 and OpenPGP.3 but "cv25519" for OpenPGP.2.
If support for KEY-ATTR-INFO is too much work right now, it is also
possible to add this condition:
else if (Vendor == Zeitcontrol and version >= 3.4)
    Allow: rsa2048 rsa3072 rsa4096 brainpoolP256r1 brainpoolP384r1 brainpoolP512r1
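The policy sketched above (the KEY-ATTR-INFO branch, the Yubikey fallback, the optional Zeitcontrol condition and the curve25519 name mapping), as an added example that is not Kleopatra's or GnuPG's own code. It parses the S KEY-ATTR-INFO status lines that scdaemon returns into a per-slot list, falls back to the vendor/version rules only when the card does not provide the attribute, and maps "curve25519" to the name the internal APIs expect for the slot. The CardInfo struct, the vendor strings "Yubikey" and "Zeitcontrol", the version comparison and the three sample cards are assumptions made for this example; the sample KEY-ATTR-INFO output is constructed.

```cpp
// Added example, not Kleopatra or GnuPG code. Assumptions: the CardInfo
// struct, the vendor strings "Yubikey"/"Zeitcontrol", and the sample cards.
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct CardInfo {
    std::string vendor;       // assumed vendor name as Kleopatra would detect it
    std::string version;      // OpenPGP app version, e.g. "5.2.3"
    std::string keyAttrInfo;  // raw status lines of "scd getattr KEY-ATTR-INFO"; empty if the card lacks it
};

using SlotAlgorithms = std::map<std::string, std::vector<std::string>>;

// Numeric comparison of dotted versions ("5.2.3" < "5.4.3"); returns -1, 0 or 1.
int compareVersions(const std::string &a, const std::string &b)
{
    std::istringstream sa(a), sb(b);
    std::string pa, pb;
    for (;;) {
        const bool ha = static_cast<bool>(std::getline(sa, pa, '.'));
        const bool hb = static_cast<bool>(std::getline(sb, pb, '.'));
        if (!ha && !hb) {
            return 0;
        }
        const int na = ha ? std::stoi(pa) : 0;
        const int nb = hb ? std::stoi(pb) : 0;
        if (na != nb) {
            return na < nb ? -1 : 1;
        }
    }
}

// Parse lines like "S KEY-ATTR-INFO OPENPGP.1 rsa2048" into slot -> algorithms.
// Anything that is not a well-formed KEY-ATTR-INFO status line (e.g. "OK") is ignored.
SlotAlgorithms parseKeyAttrInfo(const std::string &text)
{
    SlotAlgorithms result;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream fields(line);
        std::string status, keyword, slot, algo;
        if (!(fields >> status >> keyword >> slot >> algo)) {
            continue;
        }
        if (status == "S" && keyword == "KEY-ATTR-INFO") {
            result[slot].push_back(algo);
        }
    }
    return result;
}

// Algorithms to offer for one key slot ("OPENPGP.1" .. "OPENPGP.3"), following the policy in the comment above.
std::vector<std::string> supportedAlgorithms(const CardInfo &card, const std::string &slot)
{
    SlotAlgorithms fromCard = parseKeyAttrInfo(card.keyAttrInfo);
    if (!fromCard.empty()) {
        return fromCard[slot];  // empty if the card listed nothing for this slot
    }
    const std::vector<std::string> brainpool = {"brainpoolP256r1", "brainpoolP384r1", "brainpoolP512r1"};
    std::vector<std::string> allowed = {"rsa2048", "rsa3072", "rsa4096"};
    if (card.vendor == "Yubikey" && compareVersions(card.version, "5.2.3") >= 0) {
        allowed.insert(allowed.end(), brainpool.begin(), brainpool.end());
        allowed.push_back("curve25519");
    } else if (card.vendor == "Zeitcontrol" && compareVersions(card.version, "3.4") >= 0) {
        allowed.insert(allowed.end(), brainpool.begin(), brainpool.end());
    }
    return allowed;
}

// The internal APIs want "ed25519" for OpenPGP.1/OpenPGP.3 and "cv25519" for OpenPGP.2.
std::string internalAlgorithmName(const std::string &algo, const std::string &slot)
{
    if (algo != "curve25519") {
        return algo;
    }
    return slot == "OPENPGP.2" ? "cv25519" : "ed25519";
}

// Constructed sample cards for the demonstration (not real card data).
CardInfo sampleZeitcontrolCard()
{
    return {"Zeitcontrol", "3.4",
            "S KEY-ATTR-INFO OPENPGP.1 rsa2048\n"
            "S KEY-ATTR-INFO OPENPGP.1 nistp256\n"
            "S KEY-ATTR-INFO OPENPGP.2 rsa2048\n"
            "OK\n"};
}
CardInfo sampleYubikeyWithoutKeyAttrInfo() { return {"Yubikey", "5.4.3", ""}; }
CardInfo sampleOldYubikey() { return {"Yubikey", "5.1.2", ""}; }

int main()
{
    for (const CardInfo &card : {sampleZeitcontrolCard(), sampleYubikeyWithoutKeyAttrInfo(), sampleOldYubikey()}) {
        std::cout << card.vendor << " " << card.version << "\n";
        for (const std::string &slot : {"OPENPGP.1", "OPENPGP.2", "OPENPGP.3"}) {
            std::cout << "  " << slot << ":";
            for (const std::string &algo : supportedAlgorithms(card, slot)) {
                std::cout << " " << internalAlgorithmName(algo, slot);
            }
            std::cout << "\n";
        }
    }
    return 0;
}
```

The parsed list is preferred over the hard-coded fallback whenever the card answers, so a card that reports only a subset for a slot (as the constructed Zeitcontrol sample does for OPENPGP.2) is never offered more than it announced.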
Not for this release. This needs changes in GPGME and we should check and parse the KEY-ATTR-INFO directly. My Yubikey 5.4 returns this, too. I think Ingo should implement this properly and well-tested.
Btw, couldn't we check for APPVERSION of the OpenPGP app?
I also got "key-attr" Not supported for this card several times. But then it worked after restarting.