On 10/5/2010 10:04 AM, Martin Paljak wrote:
> Hello
> On Thu, Sep 30, 2010 at 18:07, Douglas E. Engert <deeng...@anl.gov> wrote:
>
>> With OpenSSL-1.0.0a pkcs11-tool -M shows:
>>
>> Supported mechanisms:
>> RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
>
>>
>> Without OpenSSL, pkcs11-tool -M
>> RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
>>
>> Note that verify is not listed without OpenSSL, as the
>> pkcs11/openssl.c adds the OpenSSL hash and verify functions.
>
> Interesting. RSA-PKCS-KEY-PAIR-GEN should have nothing to do with
> OpenSSL.
Looks like pkcs11/framework-pkcs15.c line 1348 has #ifdef ENABLE_OPENSSL that will add this mech.

> Also, OpenSC (and most smart cards) currently only do
> properly keys up to 2048 bits.

The NIST 800-73-1 (March 2006) specs called for the PIV applet to optionally support 3072 bit keys. So that is what the driver says is available. Since the ordinary user cannot generate a key on the card, and the only keys that can be used are tied to certificates, the actual size of the key is determined from the certificate.

> opensc.h has #define SC_CARD_CAP_RSA_2048, JavaCard 2.2.2 has only
> KeyBuilder.LENGTH_RSA_2048
>
> The suggested key sizes apparently only double over years, so 4096
> seems more popular than 3072 for some reason :)

NIST 800-78-2, February 2010, has a nice chart of required key sizes, and 1024 bit keys are to be gone by 12/31/2013 in all cases. There is no mention of 3072 bit keys, and I don't think there are any PIV cards that support them today, but I don't think it hurts to say the card supports 3072.

But 800-78-2 is also pushing for ECDSA P-256 and P-384 for certificates, and ECDH for Key Management. So the trend appears to be to use EC keys rather than larger and larger RSA keys.

--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
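The thread compares two `pkcs11-tool -M` listings (with and without OpenSSL) by eye and reasons about the advertised RSA key sizes against the NIST 800-78-2 retirement of 1024-bit keys. The script below, an added example that is not OpenSC code and not part of the original thread, does both checks mechanically: it parses the `NAME, keySize={min,max}, flag, flag` line format quoted in the thread, reports which mechanisms or flags only appear in the OpenSSL-enabled build, and flags any RSA mechanism whose smallest advertised key size is below a policy floor. The sample listings are constructed from the lines quoted above; the `verify` and `SHA-1, digest` entries in the OpenSSL listing are assumed from Douglas's remark that `pkcs11/openssl.c` adds the hash and verify functions, not copied from real output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample listings in the format quoted in the thread.
# WITH_OPENSSL assumes the "verify" flag and a SHA-1 digest mechanism
# appear when OpenSSL is compiled in (per the thread's description).
WITH_OPENSSL = """\
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,3072}, keypairgen
  RSA-PKCS, keySize={1024,3072}, sign, verify, unwrap, decrypt
  SHA-1, digest
"""

WITHOUT_OPENSSL = """\
Supported mechanisms:
  RSA-PKCS, keySize={1024,3072}, sign, unwrap, decrypt
"""

# One mechanism line: "<NAME>, keySize={<min>,<max>}, <flag>, <flag>, ..."
# The keySize part is optional (digest mechanisms carry none).
_LINE_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_-]+)"
    r"(?:,\s*keySize=\{(?P<lo>\d+),(?P<hi>\d+)\})?"
    r"(?P<flags>(?:,\s*[A-Za-z0-9_-]+)*)$"
)


def parse_mechanisms(listing: str) -> Dict[str, dict]:
    """Parse `pkcs11-tool -M` text into {name: {"key_sizes": (lo, hi) | None, "flags": set}}."""
    mechs: Dict[str, dict] = {}
    for raw in listing.splitlines():
        line = raw.strip()
        # Skip blank lines and the "Supported mechanisms:" header.
        if not line or line.endswith(":"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised mechanism line: {line!r}")
        flags = {f.strip() for f in m.group("flags").split(",") if f.strip()}
        sizes = (int(m.group("lo")), int(m.group("hi"))) if m.group("lo") else None
        mechs[m.group("name")] = {"key_sizes": sizes, "flags": flags}
    return mechs


def mechanisms_added(a: Dict[str, dict], b: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Flags (per mechanism) that listing a advertises but listing b does not.

    A mechanism missing from b entirely contributes all of its flags, which
    is how the OpenSSL-only RSA-PKCS-KEY-PAIR-GEN entry shows up.
    """
    diff: Dict[str, Set[str]] = {}
    for name, info in a.items():
        extra = info["flags"] - b.get(name, {"flags": set()})["flags"]
        if extra:
            diff[name] = extra
    return diff


def weak_rsa_mechanisms(mechs: Dict[str, dict], min_bits: int = 2048) -> List[Tuple[str, int]]:
    """(mechanism, smallest advertised size) for RSA mechanisms below the floor.

    NIST SP 800-78-2 retires 1024-bit RSA after 12/31/2013, so the default
    floor is 2048. Note the thread's caveat: for PIV the usable size is really
    fixed by the certificate on the card, so this is a review aid, not proof
    that a weak key is in use.
    """
    found = []
    for name, info in sorted(mechs.items()):
        sizes = info["key_sizes"]
        if name.startswith("RSA") and sizes and sizes[0] < min_bits:
            found.append((name, sizes[0]))
    return found


if __name__ == "__main__":
    with_ssl = parse_mechanisms(WITH_OPENSSL)
    without_ssl = parse_mechanisms(WITHOUT_OPENSSL)
    print("Only with OpenSSL:", mechanisms_added(with_ssl, without_ssl))
    print("Below 2048-bit floor:", weak_rsa_mechanisms(with_ssl))
```

To run it against a real token, pipe the output of `pkcs11-tool -M` into `parse_mechanisms` instead of the constructed strings; the regex is deliberately strict and raises on any line it does not understand, so an unexpected output format is reported rather than silently ignored.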