Algorithm support

[sosthene-nitrokey]

Asymmetric keys

• RSA 2048
• RSA 3072 and 4096 (not standard)
• RSA 1024 (Not planned)
• nistp256
• nistp384
• nistp521
• Curve 25519 (not standard, see https://github.com/go-piv/piv-go/blob/66ce787eec2b47673aebac019f248a3552d9783e/piv/piv.go#L68)

Symmetric keys (management)

• AES 256
• TDES (not recommended)

[sosthene-nitrokey]

From @stv0g:

We should support the new PIV Card Algorithm Identifiers from NIST SP 800-78-5 ipd (Initial Public Draft):

Algorithm Identifier	Algorithm – Mode
0x00	3 Key Triple DES – ECB (deprecated)
0x03	3 Key Triple DES – ECB (deprecated)
0x05	RSA 3072 bit modulus, 65537 ≤ exponent ≤ 2256 - 1
0x06	RSA 1024 bit modulus, 65537 ≤ exponent ≤ 2256 - 1
0x07	RSA 2048 bit modulus, 65537 ≤ exponent ≤ 2256 - 1
0x08	AES-128 – ECB
0x0A	AES-192 – ECB
0x0C	AES-256 – ECB
0x11	ECC: Curve P-256
0x14	ECC: Curve P-384
0x27	Cipher Suite 2
0x2E	Cipher Suite 7

RSA 3072, RSA 4096, X25519 and Ed25519 are now also supported by YubiKeys with firmware versions 5.7.0 and newer:

They use the following non-standard identifiers:

Algorithm Identifier	Algorithm – Mode
0x16	RSA 4096 bit modulus, 65537 ≤ exponent ≤ 2256 - 1
0xE0	Ed25519
0xE1	X25519

See: YubiKey 5.7 Firmware Specifics

Please note that 0xE0 and 0xE1 are clashing with piv-authenticators current non-standard ids:

https://github.com/Nitrokey/piv-authenticator/blob/efb4632b3f498af6732fc716354af746f3960038/tests/command_response.rs#L58-L72