OpenGPG Smart Card v2.1 - unable to create key - card error

NIIBE Yutaka gniibe at fsij.org
Mon Jun 20 01:31:00 CEST 2016


On 06/20/2016 04:02 AM, Werner Koch wrote:
> I guess that AU9540 Smartcard Reader does not work probably.  I have
> never seen one of their readers to work with modern smartcards.  But
> Gniibe has more experience, maybe he can help.

I fixed a problem of the internal ccid-reader for this specific reader.
The problem was that decryption didn't work (for RSA-2048 key, I
guess).  FYI, please see: https://bugs.g10code.com/gnupg/issue1947

> As a test try to create a 1024 bit key.

I think that it should work with RSA-1024 and RSA-2048.  I'm afraid
the reader doesn't work for RSA-4096.

I suggest trying it with the PC/SC service.  It's pcscd and libccid on
GNU/Linux.  There is a little possibility it works fine.  If it works,
please let us know.


Let me explain the situation.

The problem is the buffer size of the card reader.  The descriptor
says:

        dwFeatures       000404BE
          Auto configuration based on ATR
          Auto activation on insert
          Auto voltage selection
          Auto clock change
          Auto baud rate change
          Auto PPS made by CCID
          Auto IFSD exchange
          Short and extended APDU level exchange
        dwMaxCCIDMsgLen       272

It supports extended APDU level exchange, good.

However, the size of a message is limited by dwMaxCCIDMsgLen=272.  So,
a larger message has to be divided into multiple packets.

GnuPG/scdaemon will use a larger message for receiving the decrypted
result and/or sending a private key to the card.  Please note that
sending a private key to the card occurs for the decryption key during
the "generate" command.

The internal CCID-reader didn't support those multiple packets until
last year.  It was implemented when I handled issue1947.  I think
that it works now for RSA-2048.

I don't know for RSA-4096.

Please note that I only fixed the driver part.  Still, there is a
fundamental (the card reader's) firmware limitation on the buffer size
for APDUs.  In the original CCID class specification, there is no way to
know the APDU buffer size of the card reader.  So, all that a user
can do is try whether it works or not.  It is likely that the supported
APDU size is not so large.

Well, RSA-4096 is considered "huge" from the viewpoint of a smartcard.
-- 
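As an added illustration (not part of the original message or of GnuPG's code) of the two descriptor fields quoted above: decoding dwFeatures into the feature list lsusb prints, and splitting one extended APDU into PC_to_RDR_XfrBlock messages no longer than dwMaxCCIDMsgLen, which is the chaining the internal CCID driver had to learn. Bit meanings and the 10-byte header come from the USB CCID class specification; the constant names, the helper functions and the all-zero sample ciphertext are constructed for this example.

```python
"""Decode a CCID descriptor and chunk an extended APDU to fit dwMaxCCIDMsgLen."""
import struct

# dwFeatures bits as defined in the USB CCID class specification (rev 1.1).
CCID_FEATURES = {
    0x00000002: "Auto configuration based on ATR",
    0x00000004: "Auto activation on insert",
    0x00000008: "Auto voltage selection",
    0x00000010: "Auto clock change",
    0x00000020: "Auto baud rate change",
    0x00000040: "Auto parameter negotiation made by CCID",
    0x00000080: "Auto PPS made by CCID",
    0x00000100: "CCID can set ICC in clock stop mode",
    0x00000200: "NAD value other than 00 accepted",
    0x00000400: "Auto IFSD exchange",
    0x00010000: "TPDU level exchange",
    0x00020000: "Short APDU level exchange",
    0x00040000: "Short and extended APDU level exchange",
}
CCID_HEADER_LEN = 10        # every CCID bulk-out message starts with a 10-byte header
PC_TO_RDR_XFRBLOCK = 0x6F   # bMessageType of PC_to_RDR_XfrBlock

def decode_features(dw_features):
    """Return the feature strings whose bits are set, in bit order."""
    return [name for bit, name in CCID_FEATURES.items() if dw_features & bit]

def xfr_block(slot, seq, level, data):
    """Header: bMessageType, dwLength (LE32), bSlot, bSeq, bBWI, wLevelParameter (LE16)."""
    return struct.pack("<BIBBBH", PC_TO_RDR_XFRBLOCK, len(data), slot, seq, 0, level) + data

def chunk_apdu(apdu, dw_max_msg_len, slot=0, seq=0):
    """Split an extended APDU into XfrBlock messages of at most dwMaxCCIDMsgLen bytes.
    wLevelParameter chaining for extended-APDU-level readers: 0 = whole APDU in one
    message, 1 = first part, 3 = middle part, 2 = last part."""
    capacity = dw_max_msg_len - CCID_HEADER_LEN
    if capacity <= 0:
        raise ValueError("dwMaxCCIDMsgLen leaves no room for APDU data")
    parts = [apdu[i:i + capacity] for i in range(0, len(apdu), capacity)] or [b""]
    last = len(parts) - 1
    msgs = []
    for i, part in enumerate(parts):
        level = 0 if last == 0 else (1 if i == 0 else (2 if i == last else 3))
        msgs.append(xfr_block(slot, (seq + i) & 0xFF, level, part))
    return msgs

def pso_decipher(ciphertext):
    """OpenPGP card PSO:DECIPHER as an extended APDU: CLA INS P1 P2, 3-byte Lc,
    padding indicator 0x00 followed by the ciphertext, then 2-byte Le."""
    data = b"\x00" + ciphertext
    return b"\x00\x2A\x80\x86" + struct.pack(">BH", 0, len(data)) + data + b"\x00\x00"
```

With dwMaxCCIDMsgLen=272 each message carries 262 bytes of APDU, so the 266-byte RSA-2048 decipher APDU already needs two chained messages; the driver fix described above is what makes that work, while the reader's own APDU buffer limit stays unknown.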