Bug 8602 - 4096-bit RSA poorly supported on PIV and Yubikey
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
Reported: 2025-06-09 15:58 CEST by Pierre Ossman
Modified: 2025-06-13 12:48 CEST

Description Pierre Ossman cendio 2025-06-09 15:58:16 CEST
Trying to use a PIV card, or Yubikey key, with a 4096-bit RSA certificate results in the client saying "Smart card malfunction. Check your hardware.".

The log states the following:

> 2025-06-09T15:50:20: Signing data...
> 2025-06-09T15:50:20: Signature operation failed (84)
> 2025-06-09T15:50:21: SSH agent response: Failed to produce signature

The problem is that OpenSC doesn't support these large keys yet. Fortunately, it has been fixed upstream:

https://github.com/OpenSC/OpenSC/commit/ec2c3bdbe12280ec4fcc47560acda3daeee7d171

Until then, there are some options:

 * Use 3072-bit keys

 * Use another smart card (confirmed working in e.g. bug 7600)

 * Use the vendor's driver (confirmed working with libykcs11.so.2)
