Doug Engert
@alex-nitrokey @niklas-nitrokey Any comments on why this fails?
@Unb0rn I am trying to reproduce your problem using a NitroKey Pro, a certificate from Actalis and a build of OpenSSH from https://github.com/openssh/openssh-portable As you point out NitroKey says in:...
I think I now have my Nitro Pro with 2 keys (both the same value) and one certificate to match @Unb0rn 's token. ``` openpgp-tool -E` /* was used to...
@mouse07410 The NitroKey devices AFAIK do not support PIV. @Unb0rn is using the OpenSSH PKCS11 support and I think that is where the problem is.
@techge Thanks for the update on your status. Do you know if anyone at NitroKey follows OpenSC?
SSH is assuming that there are no duplicate keys by comparing the values of the keys at: https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c#L1289-L1292 which calls: https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c#L688-L696 PKCS11 can allow duplicate keys, but PKCS11 expects (but...
As a follow-up, erasing the NitroPro, and installing the Actalis cert as id 03 with no other keys works: ``` openpgp-tool -E openpgp-tool -v -K ./pkcs15-init --id 3 --store-private-key...
All or most of the drivers listed above are emulating pkcs15. They already handle decompression. As I have said before PIV driver need to decompress certificates (which are contained in...
EC keys can be used for signature ECDSA and for key derivation ECDH. https://en.wikipedia.org/wiki/Elliptic-curve_Diffie%E2%80%93Hellman sc_format_oid does not format a curvename. You are passing the pointer to the sc_object_id. This needs...
Looks like a proprietary token. But it looks like drivers for Windows and Linux are available. Google for: SAFESIGN Starsign CUT and Google for: StarSign CUT S "linux" https://certificaat.kpn.com/files/drivers/SafeSign/SafeSign%20IC%20Standard%20Version%203.6%20for%20Linux%20Release%20Document.pdf