Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0

Support key import #1

Closed klali closed 11 years ago

klali commented 11 years ago

The applet should support key import to be more usable.

There are two ways forward to support this:

  1. Support key import of ALG_RSA type in the applet and convert the key to CRT format for storage in the card (requires math to transform the key).
  2. Implement import of RSA_CRT format in gnupg.

mickflemm commented 11 years ago

Is there any hw limitation on what key type we can use? We could re-initialize the keypair when importing the keys based on what we got from the host (e.g. if we only get exponent and modulus, use ALG_RSA; if we get dp1, dq1 etc. use ALG_RSA_CRT).

No matter what gnupg does, we should implement the openpgp standard anyway. Also by implementing key import with ALG_RSA, opensc will also be able to add a pkcs#12 pair and use the card also as a pkcs#11 module, using the certificate + auth key (that'll be a lot of fun).

klali commented 11 years ago

Not any limitation as such, but ALG_RSA is quite slow (a couple of seconds for signatures, and much worse wireless) in this chip, so if possible I think we want to stick with ALG_RSA_CRT.

mickflemm commented 11 years ago

How about porting this to JavaCard? http://rsaconverter.svn.sourceforge.net/viewvc/rsaconverter/Trunk/src/

klali commented 11 years ago

Yes, something along those lines would be needed to be able to transform the key. It should be noted that we don't have access to any bignum implementation from the platform, so those have to be written or imported from some other source.
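
Option 1 in the opening post and the rsaconverter idea above both come down to the same arithmetic: given a plain RSA private key (n, e, d), recover p and q and derive the CRT parameters dP, dQ and qInv that an ALG_RSA_CRT slot stores. The following is an added Python example written for this page; it is not code from the ykneo-openpgp applet, from GnuPG or from rsaconverter. It runs on the host (Python's built-in bignums stand in for the bignat library the card would need), the toy key is constructed and deliberately tiny, and the function names are the example's own. The p/q recovery is the standard randomized method for factoring n given a consistent (e, d) pair.

```python
"""Turn (n, e, d) into CRT form (p, q, dP, dQ, qInv) for an RSA_CRT key slot,
recovering p and q from (e, d) when the host does not supply them.
Added example for this thread, not ykneo-openpgp project code."""
import secrets
from math import gcd


def factor_n_from_ed(n, e, d, tries=128):
    """Split n = p*q given a private exponent d that is consistent with e.

    k = e*d - 1 is a multiple of lambda(n) = lcm(p-1, q-1).  Write k = 2^t * r
    with r odd.  For a random g, repeatedly squaring g^r mod n reaches 1, and
    with probability >= 1/2 the value just before the first 1 is a square root
    of 1 other than +-1; gcd(root - 1, n) is then a proper factor of n.
    """
    k = e * d - 1
    if k <= 0 or k % 2:
        raise ValueError("e*d - 1 must be a positive even number")
    t, r = 0, k
    while r % 2 == 0:
        r //= 2
        t += 1
    for _ in range(tries):
        g = secrets.randbelow(n - 3) + 2          # 2 <= g <= n-2
        common = gcd(g, n)
        if common != 1:                           # lucky hit on a factor
            return min(common, n // common), max(common, n // common)
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue                              # useless g, pick another
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:                            # x^2 == 1 but x != +-1
                p = gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:
                break                             # chain ends in -1, no luck
            x = y
    raise ValueError("could not factor n; (e, d) is probably not a valid pair")


def to_crt(n, e, d, p=None, q=None):
    """CRT parameters for storage; p and q are recovered if not supplied."""
    if p is None or q is None:
        p, q = factor_n_from_ed(n, e, d)
    if p * q != n:
        raise ValueError("p*q != n")
    return {
        "p": p, "q": q,
        "dp": d % (p - 1),          # dP = d mod (p-1)
        "dq": d % (q - 1),          # dQ = d mod (q-1)
        "qinv": pow(q, -1, p),      # qInv = q^-1 mod p (PKCS#1 convention)
    }


def rsa_private_crt(m, crt):
    """m^d mod n computed with Garner's CRT recombination, as a CRT slot would."""
    m1 = pow(m % crt["p"], crt["dp"], crt["p"])
    m2 = pow(m % crt["q"], crt["dq"], crt["q"])
    h = (crt["qinv"] * (m1 - m2)) % crt["p"]
    return m2 + h * crt["q"]


# Constructed toy key: two Mersenne primes, far too small for real use.
# e = 65537 is coprime to (p-1)(q-1) for these primes.
DEMO_P = 2**127 - 1
DEMO_Q = 2**89 - 1
DEMO_N = DEMO_P * DEMO_Q
DEMO_E = 65537
DEMO_D = pow(DEMO_E, -1, (DEMO_P - 1) * (DEMO_Q - 1))


def demo():
    """Recover p, q from (e, d), then check CRT signing against plain m^d mod n."""
    crt = to_crt(DEMO_N, DEMO_E, DEMO_D)      # p and q not passed in on purpose
    recovered_ok = (crt["p"], crt["q"]) == (DEMO_Q, DEMO_P)
    m = int.from_bytes(b"constructed test message", "big") % DEMO_N
    crt_sig = rsa_private_crt(m, crt)
    plain_sig = pow(m, DEMO_D, DEMO_N)
    verifies = pow(crt_sig, DEMO_E, DEMO_N) == m
    return recovered_ok, crt_sig == plain_sig, verifies


if __name__ == "__main__":
    print(demo())
```

If the host already has p and q (as a PKCS#12 import or a full private key blob would), pass them to to_crt and the factoring step is skipped; the consistency check against pow(m, d, n) is still worth running before writing anything to the card, since a wrong dP, dQ or qInv produces signatures that simply fail to verify.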

mickflemm commented 11 years ago

What about javacardx.framework.math.BigNumber ?

klali commented 11 years ago

Unfortunately not implemented in this chip (at least as far as I can tell; trying to use it in an applet fails to load the applet at all).

There is a third-party library called bignat that might be useful for implementing this, though.

brocktice commented 11 years ago

Is there anything I can do to help make this happen? Maybe some beer money for enjoying beer while this is coded, or more serious pay for consulting time opportunity cost? If I could do a proper keytocard with my YubiKey Neo, it would spare me having to also carry my CryptoStick, so I'm willing to put up a few hundred USD or some BTC for this.

jbrechtel commented 11 years ago

Hi @klali

I see there were recent commits and notes about importing keys. Is version 1.0.3 able to do this yet or is that functionality still in progress?

jas4711 commented 11 years ago

We have a script that allows you to import keys -- we'll test it a bit more and publish it shortly. It doesn't work via GnuPG but requires opensc-tool, but at least it allows you to import your GnuPG keys.

brocktice commented 11 years ago

Excellent, that would make my day!

sjuerges commented 11 years ago

Any news on the script?

brocktice commented 11 years ago

I'd be happy to test the script as it is now. Please post?

jas4711 commented 11 years ago

I received the attached script from Tom and it is unclear how much testing it has gone through. I had hoped to test it myself, but never found time. So BIG WARNINGS! But maybe you get the idea from the script. You need to have the latest openpgp applet loaded on the NEO; I believe we found bugs in the applet code when experimenting with key import here. And some tools need to be installed on the system as well.

jas4711 commented 11 years ago

Github didn't support attaching non-images to issues, so I committed the script into the repository. See util/gpgkeytoneo.py.

jas4711 commented 11 years ago

For the record, the script does not implement either 1) or 2) as discussed in the first post of this issue. Instead, it is a crude workaround pending implementation of either 1) or 2).

neersighted commented 11 years ago

Thanks, :+1:!

klali commented 11 years ago

With the changes from pull request #10 now merged and support for RSA_CRT_N added into gnupg, I'm closing this as fixed.

kalkin commented 10 years ago

Could you please make a release, which includes this feature? This would be great! :+1:

klali commented 10 years ago

The 1.0.5 version released on 2013-10-10 contains that code.