Yubico Forum ...visit our web-store at 2016-08-29T02:43:38+01:00 https://forum.yubico.com/feed.php?f=35&t=2386 2016-08-29T02:43:38+01:00 2016-08-29T02:43:38+01:00 https://forum.yubico.com/viewtopic.php?t=2386&p=8919#p8919 <![CDATA[Re: YubiKey 4 and yubico-piv-tool]]> ChrisHalos wrote:

Max RSA on PIV is still currently 2048 (covered in NIST Special Publication 800-53, believe the newest public version is revision 4).

Even on YubiKey 4? It won't take/generate 3072-bit RSA keys? That's a pity. It's NIST SP 800-73, and yes - the latest revision is 4 (as I understand, YubiKey implements Rev 3).

ChrisHalos wrote:

You're most likely correct on that front (CCC in OSX). I will chat with the developer who wrote the instructions and see about updating the steps.

Thank you. But it's not "most likely" (verified by extensive testing against OpenSC.tokend, Thursby PKard, and Centrify Express), and it's not "in OSX" (as Windows-8 did not like this token at all until CCC was set up). Maybe you can squeak by on Linux with "bare" OpenSC, I haven't tried that.

Statistics: Posted by mouse008 — Mon Aug 29, 2016 2:43 am

]]> 2016-08-22T16:57:25+01:00 2016-08-22T16:57:25+01:00 https://forum.yubico.com/viewtopic.php?t=2386&p=8896#p8896 <![CDATA[Re: YubiKey 4 and yubico-piv-tool]]>
You're most likely correct on that front (CCC in OSX). I will chat with the developer who wrote the instructions and see about updating the steps.

Statistics: Posted by ChrisHalos — Mon Aug 22, 2016 4:57 pm

]]> 2016-08-21T04:47:56+01:00 2016-08-21T04:47:56+01:00 https://forum.yubico.com/viewtopic.php?t=2386&p=8893#p8893 <![CDATA[Re: YubiKey 4 and yubico-piv-tool]]> ChrisHalos wrote:

(2) That's correct, the PIV specification doesn't list 4096 RSA as a supported algorithm, so the PIV Tool and PIV Manager do not support it either. If NIST adds this as a supported algorithm, we will update both tools to support it as well (obviously only on the YK4, the NEO cannot handle 4096).

Could you clarify - what's the largest RSA key that YubiKey 4 can support now? And that PIV Manager supports too?

ChrisHalos wrote:

(3) I'm not sure, but I can check with the development team. OS X code signing, for example, requires both 9a and 9c (https://developers.yubico.com/yubico-pi ... gning.html)

Chris, the URL you referred to provides incomplete information. First, you need to add not only CHUID, but also CCC, which can be done with
Code:
yubico-piv-tool -a set-chuid -a set-ccc

Second, standard OpenSC tokend is not likely to work properly - you need an OpenSC fork https://github.com/mouse07410/OpenSC.tokend.git

Statistics: Posted by mouse008 — Sun Aug 21, 2016 4:47 am

]]> 2016-08-08T04:20:55+01:00 2016-08-08T04:20:55+01:00 https://forum.yubico.com/viewtopic.php?t=2386&p=8859#p8859 <![CDATA[Re: YubiKey 4 and yubico-piv-tool]]>
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -e -v
debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
debug1: label <PIV_II (PIV Card Holder pin)> manufacturerID <piv_II> model <PKCS#15 emulate> serial <my serial number?> flags 0x40d
C_GetAttributeValue failed: 18
debug1: X509_get_pubkey failed or no rsa
no keys

Looking at the man pages I see

-D pkcs11
Download the RSA public keys provided by the PKCS#11 shared
library pkcs11. When used in combination with -s, this option
indicates that a CA key resides in a PKCS#11 token (see the
CERTIFICATES section for details).

Based on that it seems ssh-keygen assumes RSA here. I'm going to dig around a bit more looking for a way to get eccp384 to work, but if that fails, I'll just use the rsa2048.

2) Okay, that makes sense.

3) Thanks, I look forward to clarification.

Statistics: Posted by rgurley — Mon Aug 08, 2016 4:20 am

]]> 2016-08-05T00:40:08+01:00 2016-08-05T00:40:08+01:00 https://forum.yubico.com/viewtopic.php?t=2386&p=8844#p8844 <![CDATA[Re: YubiKey 4 and yubico-piv-tool]]>
(2) That's correct, the PIV specification doesn't list 4096 RSA as a supported algorithm, so the PIV Tool and PIV Manager do not support it either. If NIST adds this as a supported algorithm, we will update both tools to support it as well (obviously only on the YK4, the NEO cannot handle 4096).

(3) I'm not sure, but I can check with the development team. OS X code signing, for example, requires both 9a and 9c (https://developers.yubico.com/yubico-pi ... gning.html)

Statistics: Posted by ChrisHalos — Fri Aug 05, 2016 12:40 am

]]> 2016-08-04T16:41:09+01:00 2016-08-04T16:41:09+01:00 https://forum.yubico.com/viewtopic.php?t=2386&p=8836#p8836 <![CDATA[YubiKey 4 and yubico-piv-tool]]>
1) I tried to use ECCP384 on my 9a slot, but ssh was not successful. Is it possible to configure openssh to accept ECCP384, or am I limited to RSA keys if I want to use the key for ssh authentication?

2) The PIV tool seems unable to generate 4096 bit RSA keys. Are the piv slots limited to 2048 bit keys or is this a limitation of the yubico-piv-tool?

3) In the instructions for configuring the key for Android code signing (https://developers.yubico.com/yubico-pi ... gning.html) indicate slot 9a is to be used. However, the information on certificate slots (https://developers.yubico.com/PIV/Intro ... slots.html) indicate slot 9c is for "signing files and executables." Is the slot used in the Android instructions incorrect?

Statistics: Posted by rgurley — Thu Aug 04, 2016 4:41 pm

]]>