Doug Engert
Does your Yubico have certificates and keys in the PIV applet? Or just in the GPG (OpenPGP) applet? Right now, OpenSC selects a card driver for a token. By default...
Yes, but if you are using the PIV with Firefox, you have to put up with Firefox calling the OpenSC PKCS11 module even when it is not needed. I would...
> Any idea how to debug/log this so we can submit something to Mozilla? For me this still happens when using gpg-agent and Firefox.

@Thaodan See https://support.mozilla.org/en-US/kb/file-bug-report-or-feature-request-mozilla
Using an RSA 1024 bit key is not considered secure these days. When it was considered secure, there was no SHA-512. SHA-512 is normally used with 4096 bit keys. Depending...
Based on @popovec APDU of `00 22 41 B6 0A 80 01 02 81 02 4B 01 84 01 00`, SHA-512 is not involved at all. It is doing...
Correction: Best I can tell, the driver does **NOT** check for the 40% limitation
You said: "Discovered when trying to use SHA512 as the hash algorithm." So does this only happen when the user specifies a specific hash? Or does it default to this?
Your patch looks like a nice addition. The PKCS11 "hw" bit means the mechanism is done in hardware. But there is no clear way to map this to what some...
Removing SC_ALGORITHM_RSA_HASH_SHA1 is reasonable, but that is only my opinion. The 40% size is enforced by the card when doing PKCS1. I am not convinced this is to thwart a...
What happens if you add SC_ALGORITHM_RSA_HASH_SHA256 to the flags in the card driver and 128, 384 and 512? pkcs11/framework-pkcs15.c register_mechanisms is where the PKCS11 Mechanisms are created from; see https://github.com/OpenSC/OpenSC/blob/master/src/pkcs11/framework-pkcs15.c#L5726...