OpenGPG Smart Card v2.1 - unable to create key - card error
NIIBE Yutaka
gniibe at fsij.org
Mon Jun 20 01:31:00 CEST 2016
On 06/20/2016 04:02 AM, Werner Koch wrote:
> I guess that AU9540 Smartcard Reader does not work probably. I have
> never seen one of their readers to work with modern smartcards. But
> Gniibe has more experience, maybe he can help.
I fixed a problem of internal ccid-reader fo this specific reader.
The problem was that decryption didn't work (for RSA-2048 key, I
guess). FYI, please see: https://bugs.g10code.com/gnupg/issue1947
> As a test try to create a 1024 bit key.
I think that it should work with RSA-1024 and RSA-2048. I'm afraid
the reader doesn't work for RSA-4096.
I suggest try using with PC/SC service. It's pcscd and libccid on
GNU/Linux. There is a little possibility it works fine. If it works,
please let us know.
Let me explain the situation.
The problem is the buffer size of the card reader. The descriptor
says:
dwFeatures 000404BE
Auto configuration based on ATR
Auto activation on insert
Auto voltage selection
Auto clock change
Auto baud rate change
Auto PPS made by CCID
Auto IFSD exchange
Short and extended APDU level exchange
dwMaxCCIDMsgLen 272
It supports extended APDU level exchange, good.
However, the size of message is limited by dwMaxCCIDMsgLen=272. So,
larger message has to be divided into multiple packets.
GnuPG/scdaemon will use larger message for receiving decrypted result,
and/or sending private key to card. Please note that sending private
key to card occurs for decryption key when "generate" command.
The internal CCID-reader didn't support that multiple packets until
last year. It was implemented when I handled the issue1947. I think
that it works now for RSA-2048.
I don't know for RSA-4096.
Please note that I only fixed the driver part. Still, there is a
fundamental (the card reader's) firmware limitation of the buffer size
of APDU. In the original CCID class specification, there is no way to
know the buffer size of APDU of the card reader. So, all that a user
can do is try if it works or not. It is likely that the supported
APDU size is not so large.
Well, RSA-4096 is considered "huge" from the view point of smartcard.
--
More information about the Gnupg-users
mailing list