NitrokeyPRO2: OpenSC vs PKCS11 vs OpenPGP card vs GPG

Nitrokeys
1

Hello,

Can you please clarify relationship between methods of accessing private keys of Nitrokey PRO2 like:

OpenSC vs PKCS11 vs PGP ?

While I slightly understand what is OpenPGP Card specification and how it is implemented in Nitrokey Start (GNUK2) I am not sure how it is done in Nitrokey PRO2.

Are there two or three different methods of accessing keys from OpenSSH:

  1. Using PKCS11 without OpenSC like (for Yubiko):
    ssh -I XXX/libykcs11.so user@remote.example.com
    What is the syntax for Nitrokey to achieve the same task?
    Or Nitrokey cannot work directly without OpenSC?

  2. Using OpenSC.
    ssh -I opensc-pkcs11.so
    Does OpenSC accesses PKCS11 too by itself?
    Is RSA 4096 available via OpenSC?
    What is the syntax for the same idea for Yubikey now? Or is it depricated for Yubikey?

  3. I am not clear at all how GPG/PGP accesses the key.
    Does GPG work only with OpenPGP card interface or with something else?
    Is OpenPGP card available via PKCS11 or OpenSC or its own protocol?
    Does GPG access keys via PKCS11 or OpenSC or some other interface?
    Why it provides access to long RSA4096 keys where PKCS11 fails to do this from SSH?
    Can OpenSSH use RSA4096 keys with PGP agent working in ssh-agent compatibility mode?

2

It seems I have found some clarification at:

Scenario C - without SCD-PKCS#11, but with gnupg-pkcs11-scd:

    USB token
      |-- pcscd
            |-- CCID driver
                  |-- PKCS#11 provider (e.g. opensc-pkcs11.so)
                        |-- client app (Firefox, SSH, ...)
                        |-- gnupg-pkcs11-scd (alternative scdaemon)
                              |-- gpg-agent -- GnuPG
3

Please also explain how and in what applications can ed25519 key from Nitrokey Start be used.

Can it be used for authentication in OpenSSH via anything except PGP?
via which interface?
Do OpenSC and PKCS11 support ed25519 keys? Even ECDSA appeared not to far ago in OpenSC.

4

Found a few links about SSH → PGP agent → ed25519 :

https://dokuwiki.nausch.org/doku.php/fedora:nitrokey:start#nitrokey_start_und_secure_shell

5

OpenSC is a set of software tools and libraries to work with smart cards, with the focus on smart cards with cryptographic capabilities. OpenSC facilitate the use of smart cards in security applications such as authentication, encryption and digital signatures. OpenSC implements the PKCS #15 standard and the PKCS #11 API.

So OpenSC implements PKCS11 API for usage from other programs? Then it could be named something like PKCS11 driver for hardware cryptography tokens?
OpenSC is not a special protocol or API by itself but rather just a open source implementation of PKCS 11 for some hardware tokens.

Therefore programs like Firefox use PKCS11 API implemented in OpenSC or other implementations like Yubikey libykcs11.so? There is no a specific need just for OpenSC, but for any PKCS 11 provider?
Where all PKCS11 providers are accounted and listed? Which utility can list all installed PKCS11 providers from some registry or config file on Linux? Or they are being accessed just by their path even from browsers?

6

Exactly that. Since the libraries are considered like any other, user have to identify and supply the name by himself. I do not think any listing tools are available.

Support depends on the applications. I do not have actual list unfortunately, but GnuPG surely. Not sure about OpenSC.

7

Wondering if OpenSSH can use ed25519 key supplied by gpg-agent ?