Change Details

I tried to use Gnuk (Nitrokey Start) keychain with Ed25519/Cv25519 keys to secure SSH setup using gpg-agent's --enable-ssh-support option to let it talk the ssh-agent protocol with ssh and ssh-keygen. This works very well for signing authentication tokens (ssh public key authentication) but it turns out signing anything larger than 255 bytes fails. This results in ssh-keygen -U … invocation failing with: ``` Couldn't certify key ssh_host_ed25519_key.pub via agent: agent refused operation ``` I traced down the passing of payload to be signed through gpg-agent to scdaemon: ``` < SETDATA <hex-payload> > OK < PKAUTH OPENPGP. > scdaemon[14551]: app_auth failed: Invalid value > ERR 100663351 Invalid value <SCD> < RESTART ``` and further down to iso7816_internal_authenticate() and apdu_send_le() in scdaemon itself. What I find baffling is that the payload is at not point hashed (SSH Ed25519 uses SHA-512 pre-hash as per rfc8709) so it seems it's sent to the keycard in full. Furthermore PKAUTH command isn't documented in [[ https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Protocol.html | Scdaemon manual's protocol section ]]. Since GPG can generally sign larger amounts of data I suspect this issue is due to gpg-agent or opensc mishandling the card rather than inherent limitation of Gnuk tokens. Specifically I think it should be possible to pre-hash the payload in gpg-agent and ask smartcard to use signature version without pre-hash. (I haven't been able to find OpenPGP SmartCard specification covering Ed25519 to ascertain that is the case though.)

I tried to use Gnuk (Nitrokey Start) keychain with Ed25519/Cv25519 keys to secure SSH setup using gpg-agent's --enable-ssh-support option to let it talk the ssh-agent protocol with ssh and ssh-keygen. This works very well for signing authentication tokens (ssh public key authentication) but it turns out signing anything larger than 255 bytes fails. This results in ssh-keygen -U … invocation failing with: ``` Couldn't certify key ssh_host_ed25519_key.pub via agent: agent refused operation ``` I traced down the passing of payload to be signed through gpg-agent to scdaemon: ``` < SETDATA <hex-payload> > OK < PKAUTH OPENPGP.3 > scdaemon[14551]: app_auth failed: Invalid value > ERR 100663351 Invalid value <SCD> < RESTART ``` and further down to iso7816_internal_authenticate() and apdu_send_le() in scdaemon itself. What I find baffling is that the payload is at not point hashed (SSH Ed25519 uses SHA-512 pre-hash as per rfc8709) so it seems it's sent to the keycard in full. Furthermore PKAUTH command isn't documented in [[ https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Protocol.html | Scdaemon manual's protocol section ]]. Since GPG can generally sign larger amounts of data I suspect this issue is due to gpg-agent or opensc mishandling the card rather than inherent limitation of Gnuk tokens. Specifically I think it should be possible to pre-hash the payload in gpg-agent and ask smartcard to use signature version without pre-hash. (I haven't been able to find OpenPGP SmartCard specification covering Ed25519 to ascertain that is the case though.)

I tried to use Gnuk (Nitrokey Start) keychain with Ed25519/Cv25519 keys to secure SSH setup using gpg-agent's --enable-ssh-support option to let it talk the ssh-agent protocol with ssh and ssh-keygen. This works very well for signing authentication tokens (ssh public key authentication) but it turns out signing anything larger than 255 bytes fails. This results in ssh-keygen -U … invocation failing with: ``` Couldn't certify key ssh_host_ed25519_key.pub via agent: agent refused operation ``` I traced down the passing of payload to be signed through gpg-agent to scdaemon: ``` < SETDATA <hex-payload> > OK < PKAUTH OPENPGP.3 > scdaemon[14551]: app_auth failed: Invalid value > ERR 100663351 Invalid value <SCD> < RESTART ``` and further down to iso7816_internal_authenticate() and apdu_send_le() in scdaemon itself. What I find baffling is that the payload is at not point hashed (SSH Ed25519 uses SHA-512 pre-hash as per rfc8709) so it seems it's sent to the keycard in full. Furthermore PKAUTH command isn't documented in [[ https://www.gnupg.org/documentation/manuals/gnupg/Scdaemon-Protocol.html | Scdaemon manual's protocol section ]]. Since GPG can generally sign larger amounts of data I suspect this issue is due to gpg-agent or opensc mishandling the card rather than inherent limitation of Gnuk tokens. Specifically I think it should be possible to pre-hash the payload in gpg-agent and ask smartcard to use signature version without pre-hash. (I haven't been able to find OpenPGP SmartCard specification covering Ed25519 to ascertain that is the case though.)