Bug 7600 - Cannot use 4096 bit keys on Aventra MyEID
Summary: Cannot use 4096 bit keys on Aventra MyEID
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.14.0
Assignee: Pierre Ossman
URL:
Keywords: linma_tester, relnotes
Depends on:
Blocks:
 
Reported: 2020-12-04 10:37 CET by Pierre Ossman
Modified: 2021-09-21 16:04 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:


Attachments

Description Pierre Ossman cendio 2020-12-04 10:37:43 CET
Modern Aventra MyEID cards support 4096 bit keys, but unfortunately this does not work out of box with ThinLinc. To use these keys OpenSC 0.20 is required, and we're currently on 0.19. Right now you're getting a "Smart card malfunction" error and this in the log:

> 2020-12-04T10:31:24: SSH agent request: SSH2_AGENTC_SIGN_REQUEST
> 2020-12-04T10:31:24: Preparing signature operation...
> 2020-12-04T10:31:24: Finding certificate with serial 765e71693d6c3e1054350f5339968f8484a710c6
> 2020-12-04T10:31:24: Getting certificates for slot 0
> 2020-12-04T10:31:24: Getting certificate with id 25825104
> 2020-12-04T10:31:24: Certificate found
> 2020-12-04T10:31:24: Logging in...
> 2020-12-04T10:31:24: Querying user for passphrase...
> 2020-12-04T10:31:26: Finding private key...
> 2020-12-04T10:31:26: Signing data...
> 2020-12-04T10:31:26: Signature operation failed (84)
> 2020-12-04T10:31:27: SSH agent response: Failed to produce signature

Using an updated OpenSC with PKCS11_MODULE works just fine though, so we just need to upgrade our bundled OpenSC.

Also note that smaller key sizes using these new cards work just fine as is.
Comment 2 Pierre Ossman cendio 2021-09-15 13:06:40 CEST
OpenSC got upgraded on bug 7764, so this should work now.
Comment 4 Pierre Ossman cendio 2021-09-16 16:28:32 CEST
Confirmed on Fedora 34 with a 4096 bit key on a 4.5.5 card. Doesn't work with ThinLinc 4.13.0, but works fine with the current build.
Comment 5 Linn cendio 2021-09-21 16:04:36 CEST
Tested with client build 2205 and can confirm that 4096 bit keys now works for Aventra 4.5 cards. Tested on the following dists:

  ✓ Fedora 33
  ✓ Windows 10
  ✓ macos 11
  
The relnotes also look good.

Note You need to log in before you can comment on or make changes to this bug.