Ability to import an RSA/4096 key?

[rpavlik]

Thanks for this great work! (And sorry for breaking your issue-free streak, hopefully it's just user error :wink: ) I've managed to get it going with an on-card generated 4096-bit RSA key and OpenSC as follows:

• gp --install GidsApplet.cap --default
• Cycle the card
• gids-tool --initialize
• pkcs15-init -v -v --verify-pin --generate-key rsa/4096 --auth-id 80 --key-usage sign --label test

However, if I replace that last step with pkcs15-init -v -v --verify-pin --store-private-key pyprivate_ca.pem --auth-id 80 --key-usage sign --label test where pyprivate_ca.pem is a 4096-bit private key (dumped from py crypto), I eventually get this from OpenSC:

P:2735428; T:0x140230475139136 11:02:20.472 [pkcs15-init] card-gids.c:1537:gids_import_key: unable to put the private key - key greater than 2048 bits ?: -1217 (Not enough memory on card)
Failed to store private key: Not enough memory on card

I'm using a 180K J3R180 card https://www.amazon.com/dp/B0CFFCJ9W1 so I would think the actual card space is OK, though perhaps the applet doesn't allocate enough.

Strangely, after I do this, pkcs15-tool --dump seems to suggest the key is there anyway:

PKCS#15 Card [GIDS card]:
    Version        : 2
    Serial number  : f5e011e64b2b0dd153d85205f3f1fd86
    Manufacturer ID: www.mysmartlogon.com
    Flags          : 

PIN [UserPIN]
    Object Flags   : [0x03], private, modifiable
    ID             : 80
    Flags          : [0x12], local, initialized
    Length         : min_len:4, max_len:15, stored_len:0
    Pad char       : 0x00
    Reference      : 128 (0x80)
    Type           : ascii-numeric
    Tries left     : 3

Private RSA Key [test]
    Object Flags   : [0x01], private
    Usage          : [0x04], sign
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    Algo_refs      : 0
    ModLength      : 4096
    Key ref        : 129 (0x81)
    Native         : yes
    Auth ID        : 80
    ID             : 00
    MD:guid        : 4bd0fb77-a08c-5848-733e-98a23e7df51c

Public RSA Key [test]
    Object Flags   : [0x00]
    Usage          : [0x40], verify
    Access Flags   : [0x02], extract
    ModLength      : 4096
    Key ref        : 129 (0x81)
    Native         : yes
    Path           : 3fffb081
    ID             : 00

I did not try actually using it yet. I did find I could not delete it with pkcs15-init without gp --uninstall GidsApplet.cap.

Updates:

• Unfortunately it does not show up in Key Store Explorer (over PKCS#11), and trying to import the key using that also returns an error that looks like a memory/size error ("CKR_DEVICE_MEMORY").
• Hmm, maybe not showing up in key store explorer is not a big deal, the generated key doesn't either. That said, using the key via pkcs11 in Java is my main use case, so if it doesn't do that, I probably need to pick a different applet.-
• OK, if I generate a 4096 in KSE, it shows up fine and appears to work fine.
• Importing a RSA/2048 (from a combined p12 file with both the private key and the cert) also works fine and shows up in KSE: pkcs15-init -v -v --verify-pin --store-private-key merged.p12 --format pkcs12 --auth-id 80 --key-usage sign --label testimportopenssl so there may be two issues here.
  • a - Keys generated on-card with pkcs15-init do not show up using pkcs11. (Might be user error?)
  • b - Cannot import anything bigger than RSA/2048 (Seems unlikely to be user error but I can't see where in the code the limit is.)
• OK, I think the limit is related to the FLASH_BUF_SIZE in TransmitManager.java
• OK, got it working. Had to set FLASH_BUF_SIZE = 3072 - 2047 was not enough. No idea if this will work on a cheaper/older card, but it appears to work on this (jc 3.0.4) card.

[rpavlik]

OK, I did a little binary search until I got tired of re-flashing the card :wink: . 2372 is enough buffer, but 2364 is not, so it's somewhere in between there. I suppose this makes sense, a little bit less than double the buffer needed for 2048 (some overhead is presumably not duplicated). My change is here: https://github.com/rpavlik/GidsApplet/tree/increase-buf-size

In case you couldn't tell, this is definitely not something I am experienced at, so the buffer size is about all I will be messing around with at this time. That said, it would be nice to see some of the comment and security fixes from https://github.com/JavaCardSpot-dev/GidsApplet picked into this tree. There are also some differences from the IsoApplet that I'm not sure whose code is better - there are a few places where they've added transactions, etc. even in the "old version" branch.

[rpavlik]

Closing since #21 was merged. thanks!