Apex Flex Vivokey SmartPGP Issues?

The “Vivokey SmartPGP” applet in the Fidesmo store claims support for RSA 2048/3072/4096 and ECC 256/384/521. I go to the page listed for more information, “www.vivokey.com/pgp” and there I get pushed to a 404. These attempts are made with a Feitian reader/writer.

I am able to successfully flash existing RSA 2048 secret keys (S, E, and A) with both Windows (via GPG4Win, which is a nightmare of an experience) and MacOS using gpg 2.2.27.

When I try to load RSA 4096 S/E/A keys in the following manner, with my subkeys prefixed with ssb (indicating the secret key is available for use), I get an error:

➜ gpg --edit-key 346001CA
gpg (GnuPG/MacGPG2) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

...

gpg> toggle

...

gpg> key 8

...

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Card error

After keytocard, I enter the password for the key, then the admin pin in the pinentry pop-up, then get the error shown.

When I try with ECC ed25519/cv25519 keys in the following way, with the keys, again prefixed with ssb, I get a different message:

➜ gpg --edit-key 346001CA
gpg (GnuPG/MacGPG2) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

...

gpg> toggle

...

gpg> key 13

...

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Conditions of use not satisfied

Again, it asks for the password, then the admin pin, and I get the above error. I find this one pretty interesting, because it’s not well-documented anywhere. Something something, “change the admin pin to 14-plus characters.” :thinking:

I searched the Forum and the only information I found that was helpful were some comments I made two years ago in another Topic.

My questions are as follows:

  1. Is RSA 4096 actually supported?
  2. Is ECC actually supported?

If yes, can I get some resources?

Considering the lack of results from my searches, maybe not many people care about using existing keychains, but it’s super worthless to just get a brand-new keychain from OpenKeychain that’s not tied to my long-standing primary key.

1 Like

ECC and RSA > 2048 are indeed supported. However, you have to switch the applet into the correct key mode before importing an existing key; see flexsecure-applets/1-pgp.md at master · DangerousThings/flexsecure-applets · GitHub. You can use the tool at SmartPGP/bin at master · ANSSI-FR/SmartPGP · GitHub. Tested algorithms include: p256, p384, p521 and rsa2048, rsa3072, rsa4096.

@StarGate01 , is this hinting that I can install the applet on an Apex Flex without Fidesmo?

The Apex can only be used via Fidesmo; however, the instructions are written for generic JavaCard development. Stay tuned for future DT product announcements.

1 Like

@StarGate01 , I think my original question is still posed, then:

Can I use anything other than RSA 2048 on my Apex Flex?

Yes, you can use the configuration procedure independent of what installation method you use.

So just use the smartpgp CLI tool with your Apex.

1 Like

@StarGate01 Which mode correlates to ECC:

...

ssb* ed25519/D9DF703B83B9A9B5
     created: 2021-10-20  expires: 2024-05-09  usage: S   

...

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Conditions of use not satisfied

I have tried all the modes found here: SmartPGP/smartpgp-cli at master · ANSSI-FR/SmartPGP · GitHub

git/SmartPGP/bin on  master [?] via 🐍 3.9.0 
➜ ./smartpgp-cli switch-bp512 -p REDACTED
Select OpenPGP Applet
90 00
Verify Admin PIN
90 00
Switch to brainpoolP512r1 (sig)
90 00
Switch to brainpoolP512r1 (dec)
90 00
Switch to brainpoolP512r1 (auth)
90 00

git/SmartPGP/bin on  master [?] via 🐍 3.9.0 
➜ ./smartpgp-cli switch-p521 -p REDACTED
Select OpenPGP Applet
90 00
Verify Admin PIN
90 00
Switch to P-521 (sig)
90 00
Switch to P-521 (dec)
90 00
Switch to P-521 (auth)
90 00

I was unable to try any of this until now. How can I get ECC to work?

While I’m at it, RSA 4096 isn’t working, either:

...

ssb* rsa4096/94D41DFC6D43CE9C
     created: 2017-08-12  expires: 2024-05-09  usage: S   
...

gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg: KEYTOCARD failed: Card error

git/SmartPGP/bin on  master [!?] via 🐍 3.9.0 
➜ vim ../src/fr/anssi/smartpgp/Constants.java 

    protected static final short INTERNAL_BUFFER_MAX_LENGTH =
        (short)0x730;

git/SmartPGP/bin on  master [!?] via 🐍 3.9.0 
➜ ./smartpgp-cli switch-rsa4096 -p REDACTED
Select OpenPGP Applet
90 00
Verify Admin PIN
90 00
Switch to RSA4096 (sig)
90 00
Switch to RSA4096 (dec)
90 00
Switch to RSA4096 (auth)
90 00

I’m decently-technical and have been using gpg etc for years now. I simply don’t understand what I’m supposed to do, apparently?

I’ve even tried this:

./smartpgp-cli put-sign-certificate -i ~/git/key/stubs/rsa4096signing.asc -p REDACTED

...
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
65 81
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
65 81
Sending SIGN certificate chunk
90 00

I don’t know what I’m supposed to do.
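
The certificate upload in the post above prints 65 81 under two chunks while the tool keeps sending. In ISO/IEC 7816-4, 90 00 is success, 65 81 is a memory failure, and 69 85 is the status word behind gpg's "Conditions of use not satisfied". The following is an added example (not part of the thread and not smartpgp-cli code): a Python helper that pairs each step with the status word printed under it and reports every failure. The sample transcript is constructed.

```python
import re

# ISO/IEC 7816-4 status words (standard meanings).
SW_MEANING = {
    0x9000: "success",
    0x6581: "memory failure (write did not complete)",
    0x6982: "security status not satisfied",
    0x6985: "conditions of use not satisfied",
}

# A status line in the tool's output is exactly two hex bytes, e.g. "90 00".
SW_LINE = re.compile(r"^\s*([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})\s*$")


def failed_steps(transcript):
    """Return (step_number, label, sw, meaning) for every non-9000 result."""
    failures, label, step = [], None, 0
    for line in transcript.splitlines():
        m = SW_LINE.match(line)
        if m is None:
            # Any other non-empty line is the label of the next command.
            if line.strip() and line.strip() != "...":
                label = line.strip()
            continue
        step += 1
        sw = int(m.group(1) + m.group(2), 16)
        if sw != 0x9000:
            meaning = SW_MEANING.get(sw, "unrecognised status word")
            failures.append((step, label, sw, meaning))
    return failures


# Constructed sample in the same shape as the put-sign-certificate output.
SAMPLE = """\
Select OpenPGP Applet
90 00
Verify Admin PIN
90 00
Sending SIGN certificate chunk
90 00
Sending SIGN certificate chunk
65 81
Sending SIGN certificate chunk
90 00
"""

if __name__ == "__main__":
    for step, label, sw, meaning in failed_steps(SAMPLE):
        print(f"step {step}: {label}: SW={sw:04X} ({meaning})")
```

A non-empty result means at least one chunk was rejected, so the upload should not be treated as complete even though the last line reads 90 00.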

Are you using the version distributed via Fidesmo or did you compile the applet from source?

Then, the curve your ECC key uses (ed25519) is not supported by the applet. Only NIST-P and Brainpool curves are.

As for RSA, I'll try to reproduce your issue. I had occasional problems when the wireless connection wasn't rock solid; the PGP process just fails if the connection is flaky sometimes.

The command `./smartpgp-cli switch-p256` works for me, for example, on a fresh applet installation.

1 Like
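
A pre-flight check for the point made in the reply above, as an added example (not part of the thread and not smartpgp-cli code): it reads `gpg --list-secret-keys --with-colons` records and reports, per key, which smartpgp-cli mode has to be selected before keytocard, or that no mode exists for it (ed25519/cv25519). Assumptions: switch-p384, switch-rsa2048 and switch-rsa3072 are taken to follow the naming of the commands shown in the thread; the key IDs and listing are constructed.

```python
# OpenPGP public-key algorithm IDs as printed in field 4 of the colon listing.
RSA, ECDH, ECDSA, EDDSA = "1", "18", "19", "22"

# Modes named in the thread; the three marked "assumed" are not shown there
# verbatim and are assumed to follow the same naming.
RSA_MODES = {2048: "switch-rsa2048",   # assumed
             3072: "switch-rsa3072",   # assumed
             4096: "switch-rsa4096"}
CURVE_MODES = {"nistp256": "switch-p256",
               "nistp384": "switch-p384",   # assumed
               "nistp521": "switch-p521",
               "brainpoolP512r1": "switch-bp512"}


def card_mode(colon_line):
    """For a sec/ssb record return (keyid, usage, mode); mode is None when the
    applet has no matching key mode. Other record types return None."""
    f = colon_line.rstrip("\n").split(":")
    f += [""] * (18 - len(f))            # pad so optional fields can be indexed
    if f[0] not in ("sec", "ssb"):
        return None
    bits, algo, keyid, usage, curve = f[2], f[3], f[4], f[11], f[16]
    if algo == RSA:
        mode = RSA_MODES.get(int(bits))
    elif algo in (ECDH, ECDSA, EDDSA):
        mode = CURVE_MODES.get(curve)    # ed25519 / cv25519 are not in the table
    else:
        mode = None
    return keyid, usage, mode


def preflight(listing):
    rows = (card_mode(line) for line in listing.splitlines())
    return [r for r in rows if r is not None]


# Constructed listing: rsa4096 signing, ed25519 signing, cv25519 encryption,
# nistp256 authentication subkeys, plus one fingerprint record to be skipped.
SAMPLE = """\
ssb:u:4096:1:AAAAAAAAAAAAAAA1:1502496000:1715212800:::::s:::+:::
fpr:::::::::0000000000000000000000000000000000000000:
ssb:u:255:22:AAAAAAAAAAAAAAA2:1634688000:1715212800:::::s:::+::ed25519:
ssb:u:255:18:AAAAAAAAAAAAAAA3:1634688000:1715212800:::::e:::+::cv25519:
ssb:u:256:19:AAAAAAAAAAAAAAA4:1634688000:1715212800:::::a:::+::nistp256:
"""

if __name__ == "__main__":
    for keyid, usage, mode in preflight(SAMPLE):
        print(keyid, usage, mode or "no applet mode for this key")
```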

Because it is an Apex Flex, I have no choice but to install via Fidesmo, unfortunately.

Then, the curve your ECC key uses (ed25519) is not supported by the applet. Only NIST-P and Brainpool curves are.

That seems like…a massive issue? Guidance for Choosing an Elliptic Curve Signature Algorithm in 2022 - Dhole Moments

TL;DR Ed25519 is great. NIST P-256 and P-384 are okay (with caveats). Anything else is questionable, and their parameter selection should come with a clear justification.

See Support of Curve25519 · Issue #10 · ANSSI-FR/SmartPGP · GitHub for the status of ed25519 in the PGP applet implementation.

Javacard (3.0.x) does not offer native support for Curve25519 and does not offer enough low-level primitives to implement it at the applet level (encryption - Using Curve25519 on javacard - Stack Overflow)

The newly released Java Card 3.1 specification supports x25519 and Ed25519.

SmartPGP will support Curve25519 on cards compliant with JavaCard 3.1 only.

The NXP P71 which powers the Apex supports Javacard 3.0.5 at maximum. SmartPGP is also still missing the actual implementation. So maybe in a future Apex iteration it might be a possibility, but not on the current one.

Please understand that the world of hardware-based, especially Javacards, moves slowly. There are still many cards which don’t even support ECC. I agree that ed25519 should be preferred over NIST-P and Brainpool, but then again think about your threat model and the resources of a potential attacker, and whether a large ECC key might be good enough for you on these other curves; most of the payment networks, cryptocurrencies and even FIDO run on the NIST P-256 curve (secp256r1).

1 Like