Max cert length still too small

[jmwilson]

I saw that the max buffer size and cert length were increased to:

private static short BUFFER_MAX_LENGTH = 1221;
private static short CERT_MAX_LENGTH = 1216;

It turns out the certificate I want to load is 1345 bytes long.

1. Is there a reason these numbers were picked?
2. Could they be increased, and to what limit?
3. If it's a waste of space for the common case, would it still work if I forked it to increase the size of these two constants for my own use?

[klali]

The limit we run into is the amount of RAM available to store the incoming cert in before writing to storage. Fixing this to support even larger cert would require some thinking and refactoring.

You're welcome to play with it and try to get more data in there, remember to change the size in EXTENDED_CAP as well.

[omnihil0]

Note that an X509v3 certificate using 4096bit RSA keys for the issuer and subject will easily be around 1.9k. Other OpenPGP implementations seem to choose 2k for this size limit. It doesn't seem like 4096bit keys are really fully supported if 4096bit certificates are too large to store.

[tofurky]

i've run into the same issue on a yubikey 4. maybe the applet there shares code with this? anyhow, 1216 bytes seems to be the limit. major bummer as was already mentioned, that is useless for 4096 bit (e.g. self-signed using advertised the "RSA 4096 (PGP)" support) issuers. i have a hard time believing that this is a real hardware limitation on the 4, but rather the applet was used as-is on that card without accommodating the revised chipset's actual capabilities.