I'd also be interested in what the new chip inside the Yubikey 4 is.
Regarding the PKCS#11: PKCS#11 is only the C interface, there is no "internal PKCS#11" signature generation. Maybe you mean the PIV applet that is compatible with PKCS#11.
Here is some info from pkcs11-tool from OpenSC using the latest Yubikey Neo (with an initialized PIV applet). I'd guess it will be similar on the Yubikey 4, just with RSA-4096. Strangely, it claims RSA-3072 support, but there's apparently a bug in the PIV applet, I guess.
Someone may try this with the Yubikey 4 and post a comparison (I unfortunately ordered a second Neo just a few days before the Yubikey 4 was announced).
With the latest Yubikey Neo you'll get:
Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -T
Available slots:
Slot 0 (0x1): Yubikey Neo+U2F 00 00
token label : PIV_II (PIV Card Holder pin)
token manufacturer : piv_II
token model : PKCS#15 emulated
token flags : rng, login required, PIN initialized, token initialized
hardware version : 0.0
firmware version : 0.0
serial num : 00000000
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -M
Using slot 1 with a present token (0x1)
Supported mechanisms:
SHA-1, digest
SHA256, digest
SHA384, digest
SHA512, digest
MD5, digest
RIPEMD160, digest
GOSTR3411, digest
ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -t -l -p MYPIN
Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (PIV AUTH key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (RSA)
testing key 0 (PIV AUTH key)
RSA-X-509: OK
RSA-PKCS: OK
No errors
Note that if you try to use functionality like sign/decrypt directly from pkcs11-tool, you'll need to specify the exact mechanism (cipher); for some reason ECDSA signing breaks, but RSA works:
Code:
$ pkcs11-tool --module /usr/lib64/pkcs11/opensc-pkcs11.so -m RSA-X-509 -s -l -p MYPIN <<< "Stuff to sign"
Using slot 1 with a present token (0x1)
Using signature algorithm RSA-X-509
....binary stuff...
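Added example, not from the post and not OpenSC's own code: a small Python parser for the `pkcs11-tool -M` listing quoted above, which turns it into a lookup table you can query before picking the `-m` mechanism that the post says is required. The sample listing embedded in the script is a constructed copy of the output shown in the post; the module path is the one used there, and `data.bin`/`data.sig` are placeholder file names. One thing the parser makes explicit: the `keySize={a,b}` pair that pkcs11-tool prints is the `ulMinKeySize`/`ulMaxKeySize` range from `CK_MECHANISM_INFO`, not a list of individually supported sizes, and the `other flags` value on the EC mechanisms decodes to the PKCS#11 v2.20 EC capability bits.

```python
import re

# Constructed sample: the mechanism listing quoted in the post
# (pkcs11-tool --module opensc-pkcs11.so -M against a Yubikey Neo PIV applet).
SAMPLE_LISTING = """\
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  ECDSA, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDSA-SHA1, keySize={256,384}, hw, sign, other flags=0x1800000
  ECDH1-COFACTOR-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  ECDH1-DERIVE, keySize={256,384}, hw, derive, other flags=0x1800000
  RSA-X-509, keySize={1024,3072}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={1024,3072}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={1024,3072}, sign, verify
  SHA256-RSA-PKCS, keySize={1024,3072}, sign, verify
  MD5-RSA-PKCS, keySize={1024,3072}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={1024,3072}, sign, verify
"""

KEYSIZE_RE = re.compile(r"keySize=\{(\d+),(\d+)\}")
OTHER_FLAGS_RE = re.compile(r"other flags=(0x[0-9a-fA-F]+)")

# PKCS#11 v2.20 CK_MECHANISM_INFO EC flag bits, reported by pkcs11-tool as "other flags".
EC_FLAG_NAMES = {
    0x00100000: "CKF_EC_F_P",
    0x00200000: "CKF_EC_F_2M",
    0x00400000: "CKF_EC_ECPARAMETERS",
    0x00800000: "CKF_EC_NAMEDCURVE",
    0x01000000: "CKF_EC_UNCOMPRESS",
    0x02000000: "CKF_EC_COMPRESS",
}


def parse_mechanisms(listing):
    """Parse `pkcs11-tool -M` output into {mechanism name: info dict}.

    keySize={a,b} is the ulMinKeySize/ulMaxKeySize pair of CK_MECHANISM_INFO,
    i.e. a supported range, not a list of individually supported sizes.
    """
    mechs = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Using slot", "Supported mechanisms")):
            continue
        name, _, rest = line.partition(",")
        info = {"min_key": None, "max_key": None, "other_flags": 0}
        m = KEYSIZE_RE.search(rest)
        if m:
            info["min_key"], info["max_key"] = int(m.group(1)), int(m.group(2))
            rest = rest.replace(m.group(0), "")
        m = OTHER_FLAGS_RE.search(rest)
        if m:
            info["other_flags"] = int(m.group(1), 16)
            rest = rest.replace(m.group(0), "")
        # What is left are the plain capability flags: hw, sign, verify, ...
        info["flags"] = {t.strip() for t in rest.split(",") if t.strip()}
        mechs[name.strip()] = info
    return mechs


def decode_ec_flags(value):
    """Name the EC-specific bits set in an 'other flags' value."""
    return [name for bit, name in sorted(EC_FLAG_NAMES.items()) if value & bit]


def supports(mechs, name, op, bits=None):
    """True if mechanism `name` offers `op` and (if given) covers a key of `bits`."""
    info = mechs.get(name)
    if info is None or op not in info["flags"]:
        return False
    if bits is None or info["min_key"] is None:
        return True
    return info["min_key"] <= bits <= info["max_key"]


def mechanisms_for(mechs, op, bits=None, hw_only=False):
    """Sorted names of all mechanisms usable for `op` on a key of `bits`."""
    return sorted(
        name for name, info in mechs.items()
        if supports(mechs, name, op, bits) and (not hw_only or "hw" in info["flags"])
    )


def sign_command(module, mechanism, infile, outfile):
    """argv for an explicit-mechanism signing call, as the post recommends.

    -l logs in; without -p, pkcs11-tool prompts for the PIN instead of
    taking it from the command line (where it would end up in shell history).
    """
    return ["pkcs11-tool", "--module", module, "-m", mechanism,
            "-s", "-l", "-i", infile, "-o", outfile]


if __name__ == "__main__":
    mechs = parse_mechanisms(SAMPLE_LISTING)
    print("hardware signing:", mechanisms_for(mechs, "sign", hw_only=True))
    print("RSA-2048 decrypt:", mechanisms_for(mechs, "decrypt", 2048))
    print("RSA-4096 sign:   ", mechanisms_for(mechs, "sign", 4096))
    print("ECDSA other flags:", decode_ec_flags(mechs["ECDSA"]["other_flags"]))
    print(" ".join(sign_command("/usr/lib64/pkcs11/opensc-pkcs11.so",
                                "RSA-PKCS", "data.bin", "data.sig")))
```

Against the listing from the post, `mechanisms_for(mechs, "sign", 4096)` comes back empty, which is the quick way to see that a key size a token does not advertise will fail before you ever reach the applet. On a live system, feed the parser the real output of `pkcs11-tool -M` rather than the embedded sample.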