I'm trying to import an ECCP256 key to a J3H145 card running the latest PivApplet release (PivApplet-0.8.1-jc304-REePSAx.cap). Importing RSA keys works fine, but importing EC keys fails with yubico-piv-tool:
```
$ yubico-piv-tool -r '' -a import-key -i ec.key -s 82 -A ECCP256 -v2
Connect reader 'Alcor Micro AU9560 00 00' matching ''.
> 00 a4 04 00 05 a0 00 00 03 08
< 61 71 4f 0b a0 00 00 03 08 00 00 10 00 01 00 79 0d 4f 0b a0 00 00 03 08 00 00 10 00 01 00 50 17 50 69 76 41 70 70 6c 65 74 20 76 30 2e 38 2e 31 2f 52 45 65 50 53 41 5f 50 26 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 61 72 65 6b 69 6e 61 74 68 2f 50 69 76 41 70 70 6c 65 74 ac 11 80 01 03 80 01 06 80 01 07 80 01 11 80 01 14 06 00 90 00
> 00 fd 00 00 00
< 05 03 00 90 00
> 00 f8 00 00 00
< 98 b0 9a fb 90 00
Authenticating since action 'import-key' needs that.
<censored>
Successful application authentication.
Now processing for action 'import-key'.
Going to send 34 bytes in this go.
> <censored>
< 6a 80
Unable to import private key
```
pivy-tool fails in a similar manner:
```
$ pivy-tool -a eccp256 import 82 < ec.key
pivy-tool: error occurred while executing 'import'
  Caused by cmd_import: failed to import key
    in cmd_import() at pivy-tool.c:1354
  Caused by APDUError: Card replied with SW=6a80 (WRONG_DATA) to INS_IMPORT_ASYM(82)
    in ykpiv_import() at piv.c:2532
```
Meanwhile, `pivy-tool -a eccp256 generate 82` works. However, the import attempt leaves the slot in a wonky state: if an RSA key is not generated first in the same slot, the ECC generate fails with `APDUError: Card replied with SW=6a81 (FUNC_NOT_SUPPORTED) to INS_GEN_ASYM`. After generating an RSA key in the slot first, an eccp256 key can be generated on the card.

`ssh-keygen -f ec.key -y` on the private key I'm attempting to import produces the expected public key. `openssl ec` output:

```
ASN1 OID: prime256v1
NIST CURVE: P-256
```
Is there something wrong with my key or PivApplet? (This key has been successfully imported to a Yubikey 5 with ykman.)