RSA 3072 or 4096

[tex0l]

Hi, I would like to use a Yubico 5C CSPN on Android to generate and operate a CA certificate with an RSA private key. The ANSSI specifies in the RGS that RSA keys with a modulus size of 2048 bits cannot be used after 2030.

Is it possible to use RSA 3072 or 4096 under these conditions ?

The YubiHSM2 is not possible in my use case, I need it to work on Android.

[dainnilsson]

The next version of this SDK (already in main) will include support for the OpenPGP application which supports RSA sizes up to 4096. Unfortunately the PIV application only supports up to 2048, so you'd have to use this new module.

[dainnilsson]

OpenPGP support is now available in the latest release.

[Sanmilie]

Please ajust you library for the futur and respect the key discovery form the https://csrc.nist.gov/pubs/sp/800/73/4/upd1/final at page 48 say: "If the algorithm type, as determined in Step 1, is RSA then the key size is determined by the public key’s modulus. The public key appears in the subjectPublicKey field of subjectPublicKeyInfo and is encoded as a sequence that includes both the key’s modulus and public exponent." This is not complete because you not respect the key discovery mecanism form the norm.