Yubico / ykneo-openpgp

OpenPGP applet for the YubiKey NEO
https://developers.yubico.com/ykneo-openpgp/
GNU General Public License v2.0

write certificate to openpgp applet #16

Closed Exordian closed 10 years ago

Exordian commented 10 years ago

GnuPG has a hidden command called "writecert/readcert 3" to write certificates to the OpenPGP card.

I've tried that with the YubiKey applet:

gpg/card> writecert 3 < /tmp/1024.der
gpg: error writing certificate to card: object is too big

Is this supported at all at the moment? If not, is it planned? Storing certificates on a YubiKey NEO should be possible with OpenSC/the PIV applet anyway.

Since most smartcard vendors only ship their driver with CALs (Client Access Licenses), using smartcards in corporate environments is very expensive. There is already an open-source OpenPGP card driver which works with the YubiKey NEO (at least it's correctly detected by Windows as an OpenPGP card): http://www.mysmartlogon.com/products/openpgp-card-mini-driver.html. It would still be impossible to enroll directly to the OpenPGP applet, but it would be a nice feature anyway to support that.

klali commented 10 years ago

Hello,

I don't think it's been tested by anyone at Yubico, but it should work.

Though it looks like the sizes for the certificates are set quite small: https://github.com/Yubico/ykneo-openpgp/blob/master/applet/src/openpgpcard/OpenPGPApplet.java#L59 https://github.com/Yubico/ykneo-openpgp/blob/master/applet/src/openpgpcard/OpenPGPApplet.java#L74

So either use a quite small certificate, or increase those sizes and reload the applet. I'm unsure about what a reasonable certificate size would be.

/klas

packwidth commented 10 years ago

I'm finding a certificate to be just under 1 kB.

Is there any reason why just changing those two values to, say, 0x800 and 2048 wouldn't work? It compiled fine, but I lost my key backups and want to be sure before I do the subkey revoke and regen dance.

klali commented 10 years ago

It should work fine to increase those up to the size of BUFFER_MAX_LENGTH (or actually about 5 bytes less), since that limit will be hit then and need to be increased. The only issue with increasing these sizes is that the applet will use more flash space.

/klas

jas4711 commented 10 years ago

Let's 1) bump the RAM buffer to 2k, and 2) allocate the certificate buffer dynamically, to avoid wasting 2k of flash for certificate storage, which is a rare feature.

Going beyond 2k is probably going to be challenging. Maybe we can reach 3k..

klali commented 10 years ago

The actual size will be lower than 2k, since we need to keep two RAM arrays of the same size around; it looks like we'll get about 1.2k.
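The "object is too big" failure in the thread comes from the certificate DO (0x7F21, written by `writecert 3` with PUT DATA) exceeding the applet's fixed buffer. The script below is an added example, not code from the ykneo-openpgp project or from anyone in this thread: it measures the DER-encoded size of a certificate (the outer TLV, which is what the card stores), checks it against an assumed limit of 1200 bytes (the ~1.2k figure quoted above, treated here as a parameter rather than a project constant), and, if it fits, builds the chained PUT DATA APDU sequence a host would send. The 5-byte header per APDU (CLA, INS, P1, P2, Lc) is the overhead referred to earlier; the use of command chaining rather than extended-length APDUs is an assumption, as is the dummy SEQUENCE used as a stand-in certificate. Nothing here talks to a card.

```python
"""
Added example (not ykneo-openpgp project code): size-check a DER certificate
against an assumed applet certificate buffer and build the PUT DATA APDUs
for OpenPGP card DO 7F21 (cardholder certificate).
"""
from typing import List, Tuple

# Assumed limit for the applet's certificate DO; the thread quotes ~1.2 kB.
# Parameter for illustration only, not a constant taken from the applet.
ASSUMED_CERT_LIMIT = 1200

MAX_APDU_DATA = 255                 # short-form Lc: at most 255 data bytes
INS_PUT_DATA = 0xDA                 # OpenPGP card PUT DATA instruction
TAG_CERT_P1, TAG_CERT_P2 = 0x7F, 0x21   # P1P2 = DO tag 7F21


def der_tlv_length(buf: bytes) -> int:
    """Total encoded length (tag + length + value) of the first DER TLV in buf.

    A certificate is one outer SEQUENCE, so this is the object size the card
    sees, independent of any trailing bytes in the file.
    """
    if len(buf) < 2:
        raise ValueError("truncated DER: no tag/length")
    i = 1
    if buf[0] & 0x1F == 0x1F:           # high-tag-number form (not used by X.509, handled anyway)
        while buf[i] & 0x80:
            i += 1
        i += 1
    first = buf[i]
    i += 1
    if first < 0x80:                    # short-form length
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:                               # long-form length: 0x8N then N big-endian bytes
        n = first & 0x7F
        if n > 4 or len(buf) < i + n:
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    total = i + length
    if total > len(buf):
        raise ValueError("truncated DER: value shorter than declared")
    return total


def check_fits(cert: bytes, limit: int = ASSUMED_CERT_LIMIT) -> Tuple[int, bool]:
    """Return (encoded size, fits_in_limit)."""
    size = der_tlv_length(cert)
    return size, size <= limit


def build_put_data_apdus(cert: bytes, limit: int = ASSUMED_CERT_LIMIT) -> List[bytes]:
    """Split the certificate into chained PUT DATA APDUs for DO 7F21.

    Raises ValueError with the card's wording when the object would not fit;
    the host should refuse before sending rather than let the card reject it.
    """
    size, ok = check_fits(cert, limit)
    if not ok:
        raise ValueError(f"object is too big: {size} bytes > limit {limit}")
    data = cert[:size]
    chunks = [data[i:i + MAX_APDU_DATA] for i in range(0, size, MAX_APDU_DATA)]
    apdus = []
    for idx, chunk in enumerate(chunks):
        last = idx == len(chunks) - 1
        cla = 0x00 if last else 0x10    # bit 5 of CLA set = more chained commands follow
        header = bytes([cla, INS_PUT_DATA, TAG_CERT_P1, TAG_CERT_P2, len(chunk)])
        apdus.append(header + chunk)
    return apdus


def make_dummy_der(payload_len: int) -> bytes:
    """Constructed stand-in for a certificate: a DER SEQUENCE of payload_len zero bytes."""
    if payload_len < 0x80:
        length = bytes([payload_len])
    elif payload_len < 0x100:
        length = bytes([0x81, payload_len])
    else:
        length = bytes([0x82]) + payload_len.to_bytes(2, "big")
    return b"\x30" + length + bytes(payload_len)


if __name__ == "__main__":
    for payload in (1000, 1500):        # constructed sizes: one fits, one does not
        cert = make_dummy_der(payload)
        size, ok = check_fits(cert)
        print(f"cert of {size} bytes fits in {ASSUMED_CERT_LIMIT}: {ok}")
        if ok:
            apdus = build_put_data_apdus(cert)
            print(f"  {len(apdus)} PUT DATA APDUs, first CLA={apdus[0][0]:#04x}, last CLA={apdus[-1][0]:#04x}")
```

Run against a real file with `build_put_data_apdus(open("/tmp/1024.der", "rb").read())` to see whether the error is a size problem before touching the applet sources; if the size is within the limit and the card still rejects it, the buffer is not the cause.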

omnihil0 commented 8 years ago

Is there a way to adjust this? There is no way to fit an X509v3 certificate with 4096bit RSA issuer and subject in 1.2k. 2k would be enough.