Closed ribbons closed 8 years ago
I wonder what PIV algorithm identifier they've used for RSA 4096. Is there a specification for that extension?
https://github.com/Yubico/yubikey-manager/commit/70e11d77942acd5c5f7c627e398cf5119c64fc55
Got it, they use 0x16 for RSA 4096
New PIV algorithm identifiers:
RSA 3072: 0x05
RSA 4096: 0x16
ED25519: 0xe0
X25519: 0xe1
Hi folks,
I'm trying to import my RSA4096 SSH key to my Yubikey with the latest 5.7.1 firmware, using the instructions from https://developers.yubico.com/PIV/Guides/SSH_with_PIV_and_PKCS11.html . The instructions do state that RSA 4096 keys are not supported, but I suppose that the situation has changed since the release of 5.7 firmwares.
The import process went smoothly, but it fails to authenticate to the server, reporting "The smart card cannot perform the requested operation".
When I did a certutil -scinfo, I noticed:
正在执行 公钥匹配测试...
公钥匹配测试成功
密钥容器 = 403dd68d-7071-2678-f6c6-882e075fc105
提供程序 = Microsoft Smart Card Key Storage Provider
提供程序类型 = 0
标志 = 1
0x1 (1)
KeySpec = 0 -- XCN_AT_NONE
私钥验证
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(RSA:CNG) 测试失败: 找不到可用于解密的证书和私钥。 0x8009200c (-2146885620 CRYPT_E_NO_DECRYPT_CERT)
Suggesting a private key corresponding to the certificate is not available.
I wonder if RSA4096 for authentication (slot 9a) is currently supported in the 5.7 firmwares. Thanks.
Sorry, but if it is Yubikey 4, it doesn't have 5.7.1 firmware. Same is true for older Yubikey 5.
Unfortunately, you cannot upgrade firmware on a Yubikey - only buy a new one. ☹️
Mine was a 5 NFC bought this month, and it was indeed indicated as 5.7.1 firmware in the Yubikey Manager.
Apologies then. But the subject of your issue says "Yubikey 4".
It would be great to be able to generate and import 4096 bit RSA keys with this tool, now that the Yubikey 4 supports 4096 bit RSA keys.