How to import a 4096 bit RSA to Nitrokey Pro?

Hello everyone!

I could not import a 4096 bit RSA key from a p12 file to Nitrokey Pro so far, but as far as I understand Nitrokey Pro should support 4096 bit keys.

I tried the following methods:

Compiled OpenSC on OSX El Capitan 10.11.2 from the GitHub repository (as the newest OpenSC 0.15 release is too old to support Nitrokey Pro) and if I run “pkcs11-tool -M” it gives the following result:

[code]RSA-X-509, keySize={2048,2048}, hw, decrypt, sign, verify
RSA-PKCS, keySize={2048,2048}, hw, decrypt, sign, verify
...
RSA-PKCS-KEY-PAIR-GEN, keySize={2048,2048}, generate_key_pair[/code]

It looks like it only supports 2048 bits, but not 4096.

If I run “pkcs15-init --store-private-key sign4096.privkey.pem --auth-id 3 --id 3” it says the key length is not supported:

Using reader with a card: Nitrokey Nitrokey Pro
Failed to store private key: Key length/algorithm not supported by card

If I try to import the key with “pkcs11-tool -v --write-object sign4096.privkey.der --type privkey --id 02 -l” it also results in error:

[code]Using slot 1 with a present token (0x1)
Logging in to “OpenPGP card (User PIN (sig))”.
Please enter User PIN:
error: PKCS11 function C_CreateObject failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.
[/code]

Importing 2048 bit RSA keys works with pkcs11-tool and pkcs15-init too.

I tried to import the private key on Windows too with the MiniDriver, but it looks like it cannot import keys at all.

So my question is: if the Nitrokey Pro really supports 4096 bit RSA keys, how can I import one from a p12, der or pem format?

It is not a GPG private key, but a private key for an X509 certificate. Is there any chance I can import this key via the GnuPG tool?

Any experience or insights on the topic would be really appreciated!

Thanks!

I also tried to run “gpg2 --card-status” and it showed that

“Key attributes …: 2048R 2048R 2048R”

So I became really uncertain whether my Nitrokey Pro (Firmware version: 0.7) supports 4096 bit keys (the only reason I bought it) or not…

Same result on a Debian machine:

uname -a

gpg2 --version

[code]gpg (GnuPG) 2.0.26
libgcrypt 1.6.3
Copyright © 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2[/code]
gpg2 --card-status

[code]scdaemon[2561]: reading public key failed: Missing item in object
scdaemon[2561]: reading public key failed: Missing item in object
Application ID ...: D276000124010201000500003B110000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 00003B11
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: xxx
      created ....: 2016-01-20 16:59:37
General key info..: [none]
scdaemon[2561]: updating slot 0 status: 0x0000->0x0007 (0->1)[/code]

Although I don’t want to add a GPG key, as this seems to be the most supported use-case, as a last effort I tried to add a GPG key to the card, but that failed too:

gpg --edit-key 6B6A5C8F

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/6B6A5C8F  created: 2016-01-21  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/70D0F009  created: 2016-01-21  expires: never       usage: E
sub  4096R/A84B1334  created: 2016-01-21  expires: never       usage: S
[ultimate] (1). test test (no comment...) <test@example.com>

gpg> toggle

sec  4096R/6B6A5C8F  created: 2016-01-21  expires: never
ssb  4096R/70D0F009  created: 2016-01-21  expires: never
ssb  4096R/A84B1334  created: 2016-01-21  expires: never
(1)  test test (no comment...) <test@example.com>

gpg> key 2

sec  4096R/6B6A5C8F  created: 2016-01-21  expires: never
ssb  4096R/70D0F009  created: 2016-01-21  expires: never
ssb* 4096R/A84B1334  created: 2016-01-21  expires: never
(1)  test test (no comment...) <test@example.com>

gpg> keytocard
gpg: detected reader `Crypto Stick Crypto Stick v1.4 (00003B110000000000000000) 00 00'
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1

You need a passphrase to unlock the secret key for
user: "test test (no comment...) <test@example.com>"
4096-bit RSA key, ID A84B1334, created 2016-01-21

gpg: writing new key
gpg: RSA modulus missing or not of size 2048 bits
gpg: error writing key to card: bad secret key

[quote=“koczkatamas”]I also tried to run “gpg2 --card-status” and it showed that

“Key attributes …: 2048R 2048R 2048R”
[/quote]

And before that did you copy 4096 bit OpenPGP keys to the card?

[quote=“koczkatamas”]I also tried to run “gpg2 --card-status” and it showed that

“Key attributes …: 2048R 2048R 2048R”

So I became really uncertain whether my Nitrokey Pro (Firmware version: 0.7) supports 4096 bit keys (the only reason I bought it) or not…[/quote]

You need to change the setting of the Nitrokey to 4096 using “gpg --card-edit” and then enter “admin”. When you use OpenSC instead of GnuPG, you would need to change the key length first. You can do this by generating a 4096 bit key first, deleting it and importing your actual key afterwards. There may be a more elegant way too. See: github.com/OpenSC/OpenSC/wiki/OpenPGP-card

Last time I checked, OpenSC’s Minidriver was read-only and didn’t support “writing”. However, there has been recent work on that part and it might be worth checking its latest progress.

I solved it by generating a new 4096 bit key with gpg2. Thanks for the info!

What exact admin command do I need to run? Here are the ones that are displayed by the “help” command and none of them seem relevant to me:

quit
admin
help
list
name
url
fetch
login
lang
sex
cafpr
forcesig
generate
passwd
verify
unblock

Thanks!

Use “generate” for new keys. That will prompt you to choose the desired key size.
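The failure in the thread comes down to one comparison: the card's key-attribute slots (the “Key attributes ...: 2048R 2048R 2048R” line) must match the size and algorithm of the key being moved, otherwise gpg refuses with “RSA modulus missing or not of size 2048 bits”. The following pre-flight check is an added example written for this thread; it is not Nitrokey, GnuPG or OpenSC code. It parses the human-readable `gpg --card-status` and `gpg --edit-key` listings exactly as they are quoted above (the sample inputs are constructed from those lines), assumes the three attribute tokens are reported in the order signature, encryption, authentication, and assumes the three PIN retry counters are user PIN, reset code and admin PIN. The slot-per-usage mapping mirrors the menu gpg offered in the thread (a usage-S key to the signature or authentication slot, an E key to the encryption slot).

```python
"""Pre-flight check before `keytocard`: does the card slot accept this key?"""
import re

# Constructed sample input: the relevant lines of the card status quoted in
# the thread, with the card still at its factory 2048R attributes.
CARD_STATUS_2048 = """\
Application ID ...: D276000124010201000500003B110000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Key attributes ...: 2048R 2048R 2048R
PIN retry counter : 3 0 3
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
"""

# Constructed sample input: the 4096-bit key listing from the thread.
KEY_LISTING = """\
pub  4096R/6B6A5C8F  created: 2016-01-21  expires: never       usage: SC
sub  4096R/70D0F009  created: 2016-01-21  expires: never       usage: E
sub  4096R/A84B1334  created: 2016-01-21  expires: never       usage: S
"""

# Assumed order of the three key-attribute tokens reported by the card.
SLOTS = ("sig", "enc", "auth")
# Slots a key with the given usage flag may be written to; this mirrors the
# selection menu gpg showed in the thread for a usage-S subkey.
SLOTS_FOR_USAGE = {"S": ("sig", "auth"), "A": ("auth",), "E": ("enc",)}

ATTR_RE = re.compile(r"^(\d+)([A-Za-z])$")
KEY_RE = re.compile(
    r"^(?:pub|sub|sec|ssb)\*?\s+(\d+)([A-Za-z])/([0-9A-Fa-f]+)"
    r"(?:.*usage:\s*([A-Z]+))?"
)


def parse_card_status(text):
    """Parse the labelled lines of `gpg --card-status` into a dict.

    'key_attributes' maps each slot to (bits, algorithm letter) and
    'pin_retries' holds the user PIN, reset code and admin PIN counters
    (assumed order); 'fields' keeps every label/value pair as text.
    """
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        # Labels are padded with dots to align the colons; strip them.
        fields[label.rstrip(". ").strip()] = value.strip()

    attrs = {}
    for slot, token in zip(SLOTS, fields.get("Key attributes", "").split()):
        m = ATTR_RE.match(token)
        if m:
            attrs[slot] = (int(m.group(1)), m.group(2))

    retries = {}
    counters = fields.get("PIN retry counter", "").split()
    if len(counters) == 3:
        retries = dict(zip(("user", "reset_code", "admin"), map(int, counters)))

    return {"key_attributes": attrs, "pin_retries": retries, "fields": fields}


def parse_key_listing(text):
    """Map key IDs of a `gpg --edit-key` listing to (bits, algorithm, usage)."""
    keys = {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            bits, algo, keyid, usage = m.groups()
            keys[keyid.upper()] = (int(bits), algo, usage or "")
    return keys


def keytocard_check(card, keys, keyid, slot):
    """Return (ok, reason): whether `keytocard` of keyid into slot can succeed."""
    if keyid not in keys:
        return False, "key %s not in listing" % keyid
    bits, algo, usage = keys[keyid]
    if slot not in card["key_attributes"]:
        return False, "card reports no attributes for slot %s" % slot
    allowed = tuple(s for u in usage for s in SLOTS_FOR_USAGE.get(u, ()))
    if slot not in allowed:
        return False, "usage %s does not allow slot %s" % (usage or "-", slot)
    slot_bits, slot_algo = card["key_attributes"][slot]
    if (bits, algo) != (slot_bits, slot_algo):
        # This is the mismatch behind "RSA modulus missing or not of size
        # 2048 bits": the slot attribute has to be changed on the card first
        # (in the thread, by generating a 4096 bit key via admin/generate).
        return False, "slot %s expects %d%s but key is %d%s" % (
            slot, slot_bits, slot_algo, bits, algo)
    return True, "ok"


if __name__ == "__main__":
    card = parse_card_status(CARD_STATUS_2048)
    keys = parse_key_listing(KEY_LISTING)
    for keyid, slot in (("A84B1334", "sig"), ("70D0F009", "enc")):
        print(keyid, slot, keytocard_check(card, keys, keyid, slot))
```

Run against the thread's own status output it reports the 2048R-versus-4096R mismatch for the signing subkey; once the card has been switched to 4096R (the `replace` in the test below simulates that) the same check passes.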