@NicolaiSoeborg
Last active September 27, 2025 22:36
Random notes about NitroKey Start

Setup / background

OpenSC is the library that talks to the (physical) device and exposes the standard PKCS#11 interface.

YubiKey

YubiKey 5, firmware >= 5.3.x supports OpenPGP 3.4 (X25519 support).

For YubiKeys, two types of PKCS#11 interfaces exist: OpenPGP mode and PIV_II mode. By default PIV_II mode is selected. To use OpenPGP set:

export OPENSC_DRIVER=openpgp

If you are using PC/SC (pcscd), then GnuPG will take an exclusive lock on the device, which means other processes can't interact with the Smart Card (and you will see weird errors!). Fix this by adding the line pcsc-shared to ~/.gnupg/scdaemon.conf. While at it, you probably also want to add disable-ccid. Note: This requires a restart of the daemon.

Generating EC keys (X25519)

$ gpg --card-edit
card-edit -> admin -> factory-reset
card-edit -> admin -> key-attr -> [2->1->12345678]^3
card-edit -> admin -> generate -> 0 -> y -> wg-test^3 -> O

If using scdaemon (Fedora), then make sure the line pcsc-shared is in ~/.gnupg/scdaemon.conf. This allows other processes to "lock" the card (over USB). Otherwise the PKCS11 tools will not work while the daemon is running.
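The scdaemon.conf fix is mentioned twice above (once for the YubiKey, once for the NitroKey under Fedora), and it is easy to apply half of it: forget the restart, or append the option a second time. The script below is an added example, not part of the gist, that makes the fix idempotent and checkable. It assumes GnuPG's home is ~/.gnupg (a different config path can be passed in for testing) and that gpgconf --kill scdaemon is the way to restart the daemon; nothing here touches a card.

```sh
#!/bin/sh
# Added example, not from the gist: apply the pcsc-shared / disable-ccid fix
# to scdaemon.conf idempotently, verify it, and restart scdaemon.
# Assumption: GnuPG home is ~/.gnupg; override by passing a path.

# ensure_line FILE LINE: append LINE to FILE unless an identical line exists.
ensure_line() {
    file="$1"; line="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# configure_scdaemon [CONF]: add pcsc-shared (let other processes, e.g. the
# PKCS#11 tools, open the card too) and disable-ccid (use pcscd instead of
# GnuPG's internal CCID driver). CONF defaults to ~/.gnupg/scdaemon.conf.
configure_scdaemon() {
    conf="${1:-$HOME/.gnupg/scdaemon.conf}"
    ensure_line "$conf" "pcsc-shared"
    ensure_line "$conf" "disable-ccid"
}

# check_scdaemon_conf [CONF]: return 0 only if both options are present
# exactly once each (no duplicates from repeated manual edits).
check_scdaemon_conf() {
    conf="${1:-$HOME/.gnupg/scdaemon.conf}"
    [ -f "$conf" ] || return 1
    [ "$(grep -cxF -- 'pcsc-shared' "$conf")" -eq 1 ] || return 1
    [ "$(grep -cxF -- 'disable-ccid' "$conf")" -eq 1 ] || return 1
    return 0
}

# restart_scdaemon: scdaemon reads its config only at startup, so kill the
# running instance; gpg-agent spawns a fresh one on the next card access.
restart_scdaemon() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --kill scdaemon
    else
        echo "gpgconf not found; restart scdaemon manually" >&2
        return 1
    fi
}

# Usage on a real system (left commented so sourcing the file has no side effects):
# configure_scdaemon && check_scdaemon_conf && restart_scdaemon
```

Running configure_scdaemon twice leaves the file unchanged the second time, and check_scdaemon_conf fails if either option is missing or duplicated, so it doubles as a quick sanity check before blaming the card for "weird errors".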

Can't use pkcs15-init to init token

Woops:

$ src/tools/pkcs15-init -vvv --insecure --so-pin 12345678 --id 3 --generate-key EC:curve25519
free(): double free detected in tcache 2
Aborted (core dumped)

Looks like there are two problems. The ED25519/CV25519 support is not listed in "algorithms" for the card. If patched out, then it fails with:

card-openpgp.c:2009:pgp_put_data_plain: Card returned error: -1211 (Security status not satisfied)
card-openpgp.c:2072:pgp_put_data: Please verify PIN first.

Can't use pkcs11-tool to init token

$ pkcs11-tool -l --login-type so --so-pin 12345678 --keypairgen --key-type EC:X25519 --id 03
error: Generate EC key mechanism 1056 not supported

Inspecting everything looks correct

$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -O --login --pin 123456 --list-objects --type pubkey

The key with label Authentication key is not your signing key(!). It has usage=verify and not the OID for id-X25519.
