NK3C: Unable to generate RSA:4096 SSH key

With a recent nitrokey3 firmware 1.7.0:

pkcs11-tool --login-type so --pin 12345678 --so-pin 12345678 -k --key-type RSA:2048 --slot 0

Works (it uploads an SSH key that I can access with pkcs15-tool --read-public-key 01).

However if I try the same command with a 4096 sized key, it fails:

pkcs11-tool --login-type so --pin 12345678 --so-pin 12345678 -k --key-type RSA:4096 --slot 0
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1)

Edit: after a factory reset this works. Is there some hint as to what's going on?

NK3 needs to be told in advance what kind of key type will be installed in one of the 3 slots provided by the OpenPGP card standard.

I like to use openpgp-tool from OpenSC to check, for example on my card I have the following now:

> /usr/local/bin/openpgp-tool -K
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Aut Algorithm:   EDDSA
Aut Create Date: 2023-12-22 19:13:34
Aut Fingerprint: 2d:95:41:9c:2c:47:7a:bc:a1:e7:dc:d9:c1:4a:88:c5:c3:07:dd:91
Dec Algorithm:   ECDH
Dec Create Date: 2023-12-22 19:13:34
Dec Fingerprint: cb:3d:95:9e:63:62:15:2a:da:d3:9f:c3:56:6d:12:69:b6:52:8e:d3
Sig Algorithm:   EDDSA
Sig Create Date: 2023-12-22 19:13:34
Sig Fingerprint: f2:ee:32:6f:54:2b:78:44:22:b4:fd:10:33:fb:9d:a8:17:64:f4:7a

I guess after the hardware reset it is undefined so you can upload what you want.

You can change the key type with the -t option of the openpgp-tool.

In general, using pkcs11-tool to manage keys on the OpenPGP card can be confusing in my opinion. I prefer openpgp-tool (best to view, can generate only RSA keys) or one of the options to manage cards with gpg2 or gpg-card.


Great answer @saper. I use GNUPG and Kleopatra myself. Same breakdown essentially, however.

Thanks. I don’t know what “the same breakdown” could be (please show the commands and the output), but please be aware that you should explicitly change the key type in the slot (Aut, Dec, Sig) and then try to generate something that matches that key type and length.
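
The pre-flight check the replies above describe (compare the slot's configured algorithm with the key type you are about to generate), as an added example that is not part of the original thread. The function names are hypothetical, the sample listing is constructed, and the `RSA2048` spelling of an RSA slot in `openpgp-tool -K` output is an assumption; only RSA sizes are compared, other key families would need a name mapping that is not shown.

```shell
#!/bin/sh
# Added example: check an OpenPGP card slot before asking the token to
# generate a key. Reads `openpgp-tool -K` output on stdin.

# Print the algorithm reported for one slot (Aut, Dec or Sig).
slot_algorithm() {
    # $1 = slot name as printed by openpgp-tool -K
    awk -v slot="$1" '
        $1 == slot && $2 == "Algorithm:" { print $3; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Normalise "RSA:4096", "rsa4096" or "RSA 4096" to "RSA4096".
normalise_type() {
    printf '%s' "$1" | tr -cd '[:alnum:]' | tr '[:lower:]' '[:upper:]'
}

# Return 0 if the slot already matches the requested type,
# 1 on a mismatch, 2 if the slot is missing from the listing.
slot_matches() {
    # $1 = slot, $2 = requested type in pkcs11-tool --key-type syntax
    current=$(slot_algorithm "$1") || { echo "slot $1 not found" >&2; return 2; }
    if [ "$(normalise_type "$current")" = "$(normalise_type "$2")" ]; then
        return 0
    fi
    echo "slot $1 is set to $current, not $2; change it with openpgp-tool -t first" >&2
    return 1
}

# Constructed sample listing (the RSA2048 line format is an assumption).
sample_listing() {
    cat <<'EOF'
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Aut Algorithm:   RSA2048
Aut Create Date: 2023-12-22 19:13:34
Dec Algorithm:   ECDH
Sig Algorithm:   EDDSA
EOF
}

# Usage on a live card:
#   openpgp-tool -K | slot_matches Aut RSA:4096
```

A non-zero result means the generate call is expected to be rejected until the slot's key type has been changed.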