Closed rpavlik closed 10 months ago
OK, I did a little binary search until I got tired of re-flashing the card :wink: . 2372 is enough buffer, but 2364 is not, so it's somewhere in between there. I suppose this makes sense, a little bit less than double the buffer needed for 2048 (some overhead is presumably not duplicated). My change is here: https://github.com/rpavlik/GidsApplet/tree/increase-buf-size
In case you couldn't tell, this is definitely not something I am experienced at, so the buffer size is about all I will be messing around with at this time. That said, it would be nice to see some of the comment and security fixes from https://github.com/JavaCardSpot-dev/GidsApplet picked into this tree. There are also some differences from the IsoApplet that I'm not sure whose code is better - there are a few places where they've added transactions, etc. even in the "old version" branch.
Closing since #21 was merged. Thanks!
Thanks for this great work! (And sorry for breaking your issue-free streak, hopefully it's just user error :wink: ) I've managed to get it going with an on-card generated 4096-bit RSA key and OpenSC as follows:
gp --install GidsApplet.cap --default
gids-tool --initialize
pkcs15-init -v -v --verify-pin --generate-key rsa/4096 --auth-id 80 --key-usage sign --label test
However, if I replace that last step with
pkcs15-init -v -v --verify-pin --store-private-key pyprivate_ca.pem --auth-id 80 --key-usage sign --label test
where pyprivate_ca.pem is a 4096-bit private key (dumped from py crypto), I eventually get this from OpenSC:
I'm using a 180K J3R180 card https://www.amazon.com/dp/B0CFFCJ9W1 so I would think the actual card space is OK, though perhaps the applet doesn't allocate enough.
Strangely, after I do this, pkcs15-tool --dump seems to suggest the key is there anyway:
I did not try actually using it yet. I did find I could not delete it with pkcs15-init without gp --uninstall GidsApplet.cap.
Updates:
pkcs15-init -v -v --verify-pin --store-private-key merged.p12 --format pkcs12 --auth-id 80 --key-usage sign --label testimportopenssl
so there may be two issues here.
FLASH_BUF_SIZE = 3072
- 2047 was not enough. No idea if this will work on a cheaper/older card, but it appears to work on this (jc 3.0.4) card.