Adding NFC Key to Card operation, accessible from Edit Key activity.

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/NfcKeyToCardOperation.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright (C) 2015 Joey Castillo <joey@joeycastillo.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.operations;
+
+import android.content.Context;
+
+import org.sufficientlysecure.keychain.operations.results.NfcKeyToCardResult;
+import org.sufficientlysecure.keychain.operations.results.OperationResult;
+import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey;
+import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKeyRing;
+import org.sufficientlysecure.keychain.pgp.Progressable;
+import org.sufficientlysecure.keychain.provider.ProviderHelper;
+import org.sufficientlysecure.keychain.service.input.RequiredInputParcel;
+
+public class NfcKeyToCardOperation extends BaseOperation {
+    public NfcKeyToCardOperation(Context context, ProviderHelper providerHelper, Progressable progressable) {
+        super(context, providerHelper, progressable);
+    }
+
+    public NfcKeyToCardResult execute(long subKeyId) {
+        OperationResult.OperationLog log = new OperationResult.OperationLog();
+        int indent = 0;
+        long masterKeyId;
+
+        try {
+            // fetch the indicated master key id
+            masterKeyId = mProviderHelper.getMasterKeyId(subKeyId);
+            CanonicalizedSecretKeyRing keyRing =
+                    mProviderHelper.getCanonicalizedSecretKeyRing(masterKeyId);
+
+            log.add(OperationResult.LogType.MSG_KC_SECRET, indent);
+
+            // fetch the specific subkey
+            CanonicalizedSecretKey subKey = keyRing.getSecretKey(subKeyId);
+
+            switch (subKey.getSecretKeyType()) {
+                case DIVERT_TO_CARD:
+                case GNU_DUMMY: {
+                    throw new AssertionError(
+                            "Cannot export GNU_DUMMY/DIVERT_TO_CARD key to a smart card!"
+                                    + " This is a programming error!");
+                }
+
+                case PIN:
+                case PATTERN:
+                case PASSPHRASE: {
+                    log.add(OperationResult.LogType.MSG_PSE_PENDING_NFC, indent);
+                    return new NfcKeyToCardResult(log, RequiredInputParcel
+                            .createNfcKeyToCardOperation(masterKeyId, subKeyId));
+                }
+
+                default: {
+                    throw new AssertionError("Unhandled SecretKeyType! (should not happen)");
+                }
+
+            }
+        } catch (ProviderHelper.NotFoundException e) {
+            log.add(OperationResult.LogType.MSG_PSE_ERROR_UNLOCK, indent);
+            return new NfcKeyToCardResult(NfcKeyToCardResult.RESULT_ERROR, log);
+        }
+    }
+}

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/operations/results/NfcKeyToCardResult.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2015 Joey Castillo <joey@joeycastillo.com>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+package org.sufficientlysecure.keychain.operations.results;
+
+import org.sufficientlysecure.keychain.service.input.RequiredInputParcel;
+
+public class NfcKeyToCardResult extends InputPendingResult {
+    public NfcKeyToCardResult(int result, OperationLog log) {
+        super(result, log);
+    }
+
+    public NfcKeyToCardResult(OperationLog log, RequiredInputParcel requiredInput) {
+        super(log, requiredInput);
+    }
+}

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/CanonicalizedSecretKey.java

@@ -33,6 +33,7 @@ import org.spongycastle.openpgp.operator.PBESecretKeyDecryptor;
 import org.spongycastle.openpgp.operator.PGPContentSignerBuilder;
 import org.spongycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.spongycastle.openpgp.operator.jcajce.JcaPGPContentSignerBuilder;
+import org.spongycastle.openpgp.operator.jcajce.JcaPGPKeyConverter;
 import org.spongycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;
 import org.spongycastle.openpgp.operator.jcajce.JcePublicKeyDataDecryptorFactoryBuilder;
 import org.spongycastle.openpgp.operator.jcajce.NfcSyncPGPContentSignerBuilder;
@@ -45,6 +46,8 @@ import org.sufficientlysecure.keychain.util.Log;
 import org.sufficientlysecure.keychain.util.Passphrase;
 
 import java.nio.ByteBuffer;
+import java.security.PrivateKey;
+import java.security.interfaces.RSAPrivateCrtKey;
 import java.util.ArrayList;
 import java.util.Date;
 import java.util.HashMap;
@@ -281,6 +284,27 @@ public class CanonicalizedSecretKey extends CanonicalizedPublicKey {
         }
     }
 
+    // For use only in card export; returns the secret key in Chinese Remainder Theorem format.
+    public RSAPrivateCrtKey getCrtSecretKey() throws PgpGeneralException {
+        if (mPrivateKeyState == PRIVATE_KEY_STATE_LOCKED) {
+            throw new PgpGeneralException("Cannot get secret key attributes while key is locked.");
+        }
+
+        if (mPrivateKeyState == PRIVATE_KEY_STATE_DIVERT_TO_CARD) {
+            throw new PgpGeneralException("Cannot get secret key attributes of divert-to-card key.");
+        }
+
+        JcaPGPKeyConverter keyConverter = new JcaPGPKeyConverter();
+        PrivateKey retVal;
+        try {
+            retVal = keyConverter.getPrivateKey(mPrivateKey);
+        } catch (PGPException e) {
+            throw new PgpGeneralException("Error converting private key!", e);
+        }
+
+        return (RSAPrivateCrtKey)retVal;
+    }
+
     public byte[] getIv() {
         return mSecretKey.getIV();
     }

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/remote/OpenPgpService.java

@@ -167,6 +167,7 @@ public class OpenPgpService extends RemoteService {
                                                                Intent data, RequiredInputParcel requiredInput) {
 
         switch (requiredInput.mType) {
+            case NFC_KEYTOCARD:
             case NFC_DECRYPT:
             case NFC_SIGN: {
                 // build PendingIntent for YubiKey NFC operations

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/KeychainIntentService.java

@@ -40,6 +40,7 @@ import org.sufficientlysecure.keychain.operations.CertifyOperation;
 import org.sufficientlysecure.keychain.operations.DeleteOperation;
 import org.sufficientlysecure.keychain.operations.EditKeyOperation;
 import org.sufficientlysecure.keychain.operations.ImportExportOperation;
+import org.sufficientlysecure.keychain.operations.NfcKeyToCardOperation;
 import org.sufficientlysecure.keychain.operations.PromoteKeyOperation;
 import org.sufficientlysecure.keychain.operations.SignEncryptOperation;
 import org.sufficientlysecure.keychain.operations.results.CertifyResult;
@@ -48,6 +49,7 @@ import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult;
 import org.sufficientlysecure.keychain.operations.results.DeleteResult;
 import org.sufficientlysecure.keychain.operations.results.ExportResult;
 import org.sufficientlysecure.keychain.operations.results.ImportKeyResult;
+import org.sufficientlysecure.keychain.operations.results.NfcKeyToCardResult;
 import org.sufficientlysecure.keychain.operations.results.OperationResult;
 import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog;
 import org.sufficientlysecure.keychain.operations.results.PromoteKeyResult;
@@ -111,6 +113,8 @@ public class KeychainIntentService extends IntentService implements Progressable
     public static final String ACTION_IMPORT_KEYRING = Constants.INTENT_PREFIX + "IMPORT_KEYRING";
     public static final String ACTION_EXPORT_KEYRING = Constants.INTENT_PREFIX + "EXPORT_KEYRING";
 
+    public static final String ACTION_NFC_KEYTOCARD = Constants.INTENT_PREFIX + "NFC_KEYTOCARD";
+
     public static final String ACTION_UPLOAD_KEYRING = Constants.INTENT_PREFIX + "UPLOAD_KEYRING";
 
     public static final String ACTION_CERTIFY_KEYRING = Constants.INTENT_PREFIX + "SIGN_KEYRING";
@@ -176,6 +180,9 @@ public class KeychainIntentService extends IntentService implements Progressable
     public static final String EXPORT_ALL = "export_all";
     public static final String EXPORT_KEY_RING_MASTER_KEY_ID = "export_key_ring_id";
 
+    // NFC export key to card
+    public static final String NFC_KEYTOCARD_SUBKEY_ID = "nfc_keytocard_subkey_id";
+
     // upload key
     public static final String UPLOAD_KEY_SERVER = "upload_key_server";
 
@@ -532,6 +539,19 @@ public class KeychainIntentService extends IntentService implements Progressable
                 break;
 
             }
+            case ACTION_NFC_KEYTOCARD: {
+                // Input
+                long subKeyId = data.getLong(NFC_KEYTOCARD_SUBKEY_ID);
+
+                // Operation
+                NfcKeyToCardOperation exportOp = new NfcKeyToCardOperation(this, providerHelper, this);
+                NfcKeyToCardResult result = exportOp.execute(subKeyId);
+
+                // Result
+                sendMessageToHandler(MessageStatus.OKAY, result);
+
+                break;
+            }
             case ACTION_SIGN_ENCRYPT: {
 
                 // Input

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/service/input/RequiredInputParcel.java

@@ -13,7 +13,7 @@ import org.sufficientlysecure.keychain.Constants.key;
 public class RequiredInputParcel implements Parcelable {
 
     public enum RequiredInputType {
-        PASSPHRASE, PASSPHRASE_SYMMETRIC, NFC_SIGN, NFC_DECRYPT
+        PASSPHRASE, PASSPHRASE_SYMMETRIC, NFC_SIGN, NFC_DECRYPT, NFC_KEYTOCARD
     }
 
     public Date mSignatureTime;
@@ -87,6 +87,11 @@ public class RequiredInputParcel implements Parcelable {
                 new byte[][] { inputHash }, null, null, null, subKeyId);
     }
 
+    public static RequiredInputParcel createNfcKeyToCardOperation(long masterKeyId, long subKeyId) {
+        return new RequiredInputParcel(RequiredInputType.NFC_KEYTOCARD, null, null, null,
+                masterKeyId, subKeyId);
+    }
+
     public static RequiredInputParcel createRequiredSignPassphrase(
             long masterKeyId, long subKeyId, Date signatureTime) {
         return new RequiredInputParcel(RequiredInputType.PASSPHRASE,

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyActivity.java

@@ -17,6 +17,8 @@
 
 package org.sufficientlysecure.keychain.ui;
 
+import android.app.AlertDialog;
+import android.content.DialogInterface;
 import android.content.Intent;
 import android.os.Bundle;
 import android.support.v4.app.Fragment;
@@ -41,6 +43,7 @@ public class CreateKeyActivity extends BaseNfcActivity {
     public static final String EXTRA_FIRST_TIME = "first_time";
     public static final String EXTRA_ADDITIONAL_EMAILS = "additional_emails";
     public static final String EXTRA_PASSPHRASE = "passphrase";
+    public static final String EXTRA_USE_SMART_CARD_SETTINGS = "use_smart_card_settings";
 
     public static final String EXTRA_NFC_USER_ID = "nfc_user_id";
     public static final String EXTRA_NFC_AID = "nfc_aid";
@@ -53,6 +56,7 @@ public class CreateKeyActivity extends BaseNfcActivity {
     ArrayList<String> mAdditionalEmails;
     Passphrase mPassphrase;
     boolean mFirstTime;
+    boolean mUseSmartCardSettings;
 
     Fragment mCurrentFragment;
 
@@ -68,6 +72,7 @@ public class CreateKeyActivity extends BaseNfcActivity {
             mAdditionalEmails = savedInstanceState.getStringArrayList(EXTRA_ADDITIONAL_EMAILS);
             mPassphrase = savedInstanceState.getParcelable(EXTRA_PASSPHRASE);
             mFirstTime = savedInstanceState.getBoolean(EXTRA_FIRST_TIME);
+            mUseSmartCardSettings = savedInstanceState.getBoolean(EXTRA_USE_SMART_CARD_SETTINGS);
 
             mCurrentFragment = getSupportFragmentManager().findFragmentByTag(FRAGMENT_TAG);
         } else {
@@ -77,6 +82,7 @@ public class CreateKeyActivity extends BaseNfcActivity {
             mName = intent.getStringExtra(EXTRA_NAME);
             mEmail = intent.getStringExtra(EXTRA_EMAIL);
             mFirstTime = intent.getBooleanExtra(EXTRA_FIRST_TIME, false);
+            mUseSmartCardSettings = intent.getBooleanExtra(EXTRA_USE_SMART_CARD_SETTINGS, false);
 
             if (intent.hasExtra(EXTRA_NFC_FINGERPRINTS)) {
                 byte[] nfcFingerprints = intent.getByteArrayExtra(EXTRA_NFC_FINGERPRINTS);
@@ -116,23 +122,45 @@ public class CreateKeyActivity extends BaseNfcActivity {
         byte[] nfcAid = nfcGetAid();
         String userId = nfcGetUserId();
 
-        try {
+        // If all fingerprint bytes are 0, the card contains no keys.
-            long masterKeyId = KeyFormattingUtils.getKeyIdFromFingerprint(scannedFingerprints);
+        boolean cardContainsKeys = false;
-            CachedPublicKeyRing ring = new ProviderHelper(this).getCachedPublicKeyRing(masterKeyId);
+        for (byte b : scannedFingerprints) {
-            ring.getMasterKeyId();
+            if (b != 0) {
+                cardContainsKeys = true;
+                break;
+            }
+        }
 
-            Intent intent = new Intent(this, ViewKeyActivity.class);
+        if (cardContainsKeys) {
-            intent.setData(KeyRings.buildGenericKeyRingUri(masterKeyId));
+            try {
-            intent.putExtra(ViewKeyActivity.EXTRA_NFC_AID, nfcAid);
+                long masterKeyId = KeyFormattingUtils.getKeyIdFromFingerprint(scannedFingerprints);
-            intent.putExtra(ViewKeyActivity.EXTRA_NFC_USER_ID, userId);
+                CachedPublicKeyRing ring = new ProviderHelper(this).getCachedPublicKeyRing(masterKeyId);
-            intent.putExtra(ViewKeyActivity.EXTRA_NFC_FINGERPRINTS, scannedFingerprints);
+                ring.getMasterKeyId();
-            startActivity(intent);
-            finish();
 
-        } catch (PgpKeyNotFoundException e) {
+                Intent intent = new Intent(this, ViewKeyActivity.class);
-            Fragment frag = CreateKeyYubiKeyImportFragment.createInstance(
+                intent.setData(KeyRings.buildGenericKeyRingUri(masterKeyId));
-                    scannedFingerprints, nfcAid, userId);
+                intent.putExtra(ViewKeyActivity.EXTRA_NFC_AID, nfcAid);
-            loadFragment(frag, FragAction.TO_RIGHT);
+                intent.putExtra(ViewKeyActivity.EXTRA_NFC_USER_ID, userId);
+                intent.putExtra(ViewKeyActivity.EXTRA_NFC_FINGERPRINTS, scannedFingerprints);
+                startActivity(intent);
+                finish();
+
+            } catch (PgpKeyNotFoundException e) {
+                Fragment frag = CreateKeyYubiKeyImportFragment.createInstance(
+                        scannedFingerprints, nfcAid, userId);
+                loadFragment(frag, FragAction.TO_RIGHT);
+            }
+        } else {
+            AlertDialog.Builder builder = new AlertDialog.Builder(this);
+            builder.setTitle("Blank Smart Card / Yubikey Detected")
+                    .setMessage("Would you like to generate a smart card compatible key?")
+                    .setPositiveButton(android.R.string.yes, new DialogInterface.OnClickListener() {
+                        @Override
+                        public void onClick(DialogInterface dialog, int button) {
+                            CreateKeyActivity.this.mUseSmartCardSettings = true;
+                        }
+                    })
+                    .setNegativeButton(android.R.string.no, null).show();
         }
 
     }
@@ -146,6 +174,7 @@ public class CreateKeyActivity extends BaseNfcActivity {
         outState.putStringArrayList(EXTRA_ADDITIONAL_EMAILS, mAdditionalEmails);
         outState.putParcelable(EXTRA_PASSPHRASE, mPassphrase);
         outState.putBoolean(EXTRA_FIRST_TIME, mFirstTime);
+        outState.putBoolean(EXTRA_USE_SMART_CARD_SETTINGS, mUseSmartCardSettings);
     }
 
     @Override

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/CreateKeyFinalFragment.java

@@ -163,12 +163,22 @@ public class CreateKeyFinalFragment extends Fragment {
 
         if (mSaveKeyringParcel == null) {
             mSaveKeyringParcel = new SaveKeyringParcel();
-            mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(
+            if (mCreateKeyActivity.mUseSmartCardSettings) {
-                    Algorithm.RSA, 4096, null, KeyFlags.CERTIFY_OTHER, 0L));
+                mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA,
-            mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(
+                        2048, null, KeyFlags.SIGN_DATA | KeyFlags.CERTIFY_OTHER, 0L));
-                    Algorithm.RSA, 4096, null, KeyFlags.SIGN_DATA, 0L));
+                mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA,
-            mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(
+                        2048, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L));
-                    Algorithm.RSA, 4096, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L));
+                mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA,
+                        2048, null, KeyFlags.AUTHENTICATION, 0L));
+                mEditText.setText(R.string.create_key_custom);
+            } else {
+                mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA,
+                        4096, null, KeyFlags.CERTIFY_OTHER, 0L));
+                mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA,
+                        4096, null, KeyFlags.SIGN_DATA, 0L));
+                mSaveKeyringParcel.mAddSubKeys.add(new SaveKeyringParcel.SubkeyAdd(Algorithm.RSA,
+                        4096, null, KeyFlags.ENCRYPT_COMMS | KeyFlags.ENCRYPT_STORAGE, 0L));
+            }
             String userId = KeyRing.createUserId(
                     new KeyRing.UserId(mCreateKeyActivity.mName, mCreateKeyActivity.mEmail, null)
             );

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/EditKeyFragment.java

@@ -36,12 +36,14 @@ import android.view.ViewGroup;
 import android.widget.AdapterView;
 import android.widget.ListView;
 
+import org.spongycastle.bcpg.PublicKeyAlgorithmTags;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;
 import org.sufficientlysecure.keychain.compatibility.DialogFragmentWorkaround;
 import org.sufficientlysecure.keychain.operations.results.OperationResult;
 import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType;
 import org.sufficientlysecure.keychain.operations.results.SingletonResult;
+import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey;
 import org.sufficientlysecure.keychain.pgp.KeyRing;
 import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException;
 import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing;
@@ -65,6 +67,8 @@ import org.sufficientlysecure.keychain.ui.util.Notify;
 import org.sufficientlysecure.keychain.util.Log;
 import org.sufficientlysecure.keychain.util.Passphrase;
 
+import java.nio.ByteBuffer;
+
 
 public class EditKeyFragment extends CryptoOperationFragment implements
         LoaderManager.LoaderCallbacks<Cursor> {
@@ -415,7 +419,7 @@ public class EditKeyFragment extends CryptoOperationFragment implements
                             mSaveKeyringParcel.mRevokeSubKeys.add(keyId);
                         }
                         break;
-                    case EditSubkeyDialogFragment.MESSAGE_STRIP:
+                    case EditSubkeyDialogFragment.MESSAGE_STRIP: {
                         SubkeyChange change = mSaveKeyringParcel.getSubkeyChange(keyId);
                         if (change == null) {
                             mSaveKeyringParcel.mChangeSubKeys.add(new SubkeyChange(keyId, true, null));
@@ -424,6 +428,69 @@ public class EditKeyFragment extends CryptoOperationFragment implements
                         // toggle
                         change.mDummyStrip = !change.mDummyStrip;
                         break;
+                    }
+                    case EditSubkeyDialogFragment.MESSAGE_KEYTOCARD: {
+                        // Three checks to verify that this is a smart card compatible key:
+
+                        // 1. Key algorithm must be RSA
+                        int algorithm = mSubkeysAdapter.getAlgorithm(position);
+                        if (algorithm != PublicKeyAlgorithmTags.RSA_ENCRYPT &&
+                            algorithm != PublicKeyAlgorithmTags.RSA_SIGN &&
+                            algorithm != PublicKeyAlgorithmTags.RSA_GENERAL) {
+                            Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_algo,
+                                    Notify.Style.ERROR).show();
+                            return;
+                        }
+
+                        // 2. Key size must be 2048
+                        if (mSubkeysAdapter.getKeySize(position) != 2048) {
+                            Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_size,
+                                    Notify.Style.ERROR).show();
+                            return;
+                        }
+
+                        // 3. Secret key parts must be available
+                        CanonicalizedSecretKey.SecretKeyType type =
+                                mSubkeysAdapter.getSecretKeyType(position);
+                        if (type == CanonicalizedSecretKey.SecretKeyType.DIVERT_TO_CARD ||
+                                type == CanonicalizedSecretKey.SecretKeyType.GNU_DUMMY) {
+                            Notify.create(getActivity(), R.string.edit_key_error_bad_nfc_stripped,
+                                    Notify.Style.ERROR).show();
+                            return;
+                        }
+
+                        SubkeyChange change;
+                        change = mSaveKeyringParcel.getSubkeyChange(keyId);
+                        if (change == null) {
+                            mSaveKeyringParcel.mChangeSubKeys.add(
+                                    new SubkeyChange(keyId, false, new byte[0])
+                            );
+                        }
+                        final Bundle data = new Bundle();
+                        data.putLong(KeychainIntentService.NFC_KEYTOCARD_SUBKEY_ID, keyId);
+                        Intent intent = new Intent(EditKeyFragment.this.getActivity(),
+                                KeychainIntentService.class);
+                        intent.setAction(KeychainIntentService.ACTION_NFC_KEYTOCARD);
+                        intent.putExtra(KeychainIntentService.EXTRA_DATA, data);
+
+                        ServiceProgressHandler serviceHandler = new ServiceProgressHandler(
+                                getActivity(),
+                                getString(R.string.progress_exporting),
+                                ProgressDialog.STYLE_HORIZONTAL,
+                                ProgressDialogFragment.ServiceType.KEYCHAIN_INTENT) {
+                            public void handleMessage(Message message) {
+                                super.handleMessage(message);
+                                EditKeyFragment.this.handlePendingMessage(message);
+                            }
+                        };
+                        // Create a new Messenger for the communication back
+                        Messenger messenger = new Messenger(serviceHandler);
+                        intent.putExtra(KeychainIntentService.EXTRA_MESSENGER, messenger);
+                        serviceHandler.showProgressDialog(getActivity());
+
+                        getActivity().startService(intent);
+                        break;
+                    }
                 }
                 getLoaderManager().getLoader(LOADER_ID_SUBKEYS).forceLoad();
             }
@@ -593,6 +660,18 @@ public class EditKeyFragment extends CryptoOperationFragment implements
         Intent intent = new Intent(getActivity(), KeychainIntentService.class);
         intent.setAction(KeychainIntentService.ACTION_EDIT_KEYRING);
 
+        for (SubkeyChange change : mSaveKeyringParcel.mChangeSubKeys) {
+            if(change.mDummyDivert != null) {
+                // Convert long key ID to byte buffer
+                byte[] subKeyId = new byte[8];
+                ByteBuffer buf = ByteBuffer.wrap(subKeyId);
+                buf.putLong(change.mKeyId).rewind();
+
+                byte[] cardSerial = cryptoInput.getCryptoData().get(buf);
+                change.mDummyDivert = cardSerial;
+            }
+        }
+
         // fill values for this action
         Bundle data = new Bundle();
         data.putParcelable(KeychainIntentService.EXTRA_CRYPTO_INPUT, cryptoInput);

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/NfcOperationActivity.java

@@ -10,8 +10,13 @@ import android.content.Intent;
 import android.os.Bundle;
 import android.view.WindowManager;
 
+import org.spongycastle.util.Arrays;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;
+import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey;
+import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKeyRing;
+import org.sufficientlysecure.keychain.provider.KeychainContract;
+import org.sufficientlysecure.keychain.provider.ProviderHelper;
 import org.sufficientlysecure.keychain.remote.CryptoInputParcelCacheService;
 import org.sufficientlysecure.keychain.service.PassphraseCacheService;
 import org.sufficientlysecure.keychain.service.input.CryptoInputParcel;
@@ -21,6 +26,7 @@ import org.sufficientlysecure.keychain.util.Log;
 import org.sufficientlysecure.keychain.util.Preferences;
 
 import java.io.IOException;
+import java.nio.ByteBuffer;
 
 /**
  * This class provides a communication interface to OpenPGP applications on ISO SmartCard compliant
@@ -53,8 +59,11 @@ public class NfcOperationActivity extends BaseNfcActivity {
         mRequiredInput = data.getParcelable(EXTRA_REQUIRED_INPUT);
         mServiceIntent = data.getParcelable(EXTRA_SERVICE_INTENT);
 
-        // obtain passphrase for this subkey
+        if (mRequiredInput.mType == RequiredInputParcel.RequiredInputType.NFC_KEYTOCARD) {
-        obtainYubiKeyPin(RequiredInputParcel.createRequiredPassphrase(mRequiredInput));
+            obtainKeyExportPassphrase(RequiredInputParcel.createRequiredPassphrase(mRequiredInput));
+        } else {
+            obtainYubiKeyPin(RequiredInputParcel.createRequiredPassphrase(mRequiredInput));
+        }
     }
 
     @Override
@@ -85,6 +94,44 @@ public class NfcOperationActivity extends BaseNfcActivity {
                 }
                 break;
             }
+            case NFC_KEYTOCARD: {
+                ProviderHelper providerHelper = new ProviderHelper(this);
+                CanonicalizedSecretKeyRing secretKeyRing;
+                try {
+                    secretKeyRing = providerHelper.getCanonicalizedSecretKeyRing(
+                            KeychainContract.KeyRings.buildUnifiedKeyRingsFindBySubkeyUri(mRequiredInput.getSubKeyId())
+                    );
+                } catch (ProviderHelper.NotFoundException e) {
+                    throw new IOException("Couldn't find subkey for key to card operation.");
+                }
+                CanonicalizedSecretKey key = secretKeyRing.getSecretKey(mRequiredInput.getSubKeyId());
+
+                long keyGenerationTimestampMillis = key.getCreationTime().getTime();
+                long keyGenerationTimestamp = keyGenerationTimestampMillis / 1000;
+                byte[] timestampBytes = ByteBuffer.allocate(4).putInt((int) keyGenerationTimestamp).array();
+                byte[] cardSerialNumber = Arrays.copyOf(nfcGetAid(), 16);
+
+                if (key.canSign() || key.canCertify()) {
+                    nfcPutKey(0xB6, key);
+                    nfcPutData(0xCE, timestampBytes);
+                    nfcPutData(0xC7, key.getFingerprint());
+                } else if (key.canEncrypt()) {
+                    nfcPutKey(0xB8, key);
+                    nfcPutData(0xCF, timestampBytes);
+                    nfcPutData(0xC8, key.getFingerprint());
+                } else if (key.canAuthenticate()) {
+                    nfcPutKey(0xA4, key);
+                    nfcPutData(0xD0, timestampBytes);
+                    nfcPutData(0xC9, key.getFingerprint());
+                } else {
+                    throw new IOException("Inappropriate key flags for smart card key.");
+                }
+
+                byte[] subKeyId = new byte[8];
+                ByteBuffer buf = ByteBuffer.wrap(subKeyId);
+                buf.putLong(mRequiredInput.getSubKeyId());
+                inputParcel.addCryptoData(subKeyId, cardSerialNumber);
+            }
         }
 
         if (mServiceIntent != null) {

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/adapter/SubkeysAdapter.java

@@ -116,6 +116,21 @@ public class SubkeysAdapter extends CursorAdapter {
         }
     }
 
+    public int getAlgorithm(int position) {
+        mCursor.moveToPosition(position);
+        return mCursor.getInt(INDEX_ALGORITHM);
+    }
+
+    public int getKeySize(int position) {
+        mCursor.moveToPosition(position);
+        return mCursor.getInt(INDEX_KEY_SIZE);
+    }
+
+    public SecretKeyType getSecretKeyType(int position) {
+        mCursor.moveToPosition(position);
+        return SecretKeyType.fromNum(mCursor.getInt(INDEX_HAS_SECRET));
+    }
+
     @Override
     public Cursor swapCursor(Cursor newCursor) {
         hasAnySecret = false;

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/BaseNfcActivity.java

@@ -19,7 +19,9 @@
 package org.sufficientlysecure.keychain.ui.base;
 
 import java.io.IOException;
+import java.math.BigInteger;
 import java.nio.ByteBuffer;
+import java.security.interfaces.RSAPrivateCrtKey;
 
 import android.app.Activity;
 import android.app.PendingIntent;
@@ -32,9 +34,12 @@ import android.os.Bundle;
 import android.widget.Toast;
 
 import org.spongycastle.bcpg.HashAlgorithmTags;
+import org.spongycastle.util.Arrays;
 import org.spongycastle.util.encoders.Hex;
 import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.R;
+import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey;
+import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException;
 import org.sufficientlysecure.keychain.pgp.exception.PgpKeyNotFoundException;
 import org.sufficientlysecure.keychain.provider.CachedPublicKeyRing;
 import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings;
@@ -54,12 +59,16 @@ import org.sufficientlysecure.keychain.util.Preferences;
 
 public abstract class BaseNfcActivity extends BaseActivity {
 
-    public static final int REQUEST_CODE_PASSPHRASE = 1;
+    public static final int REQUEST_CODE_PIN = 1;
+    public static final int REQUEST_CODE_PASSPHRASE = 2;
 
     protected Passphrase mPin;
+    protected Passphrase mAdminPin;
+    protected Passphrase mPassphrase; // For key export
     protected boolean mPw1ValidForMultipleSignatures;
     protected boolean mPw1ValidatedForSignature;
     protected boolean mPw1ValidatedForDecrypt; // Mode 82 does other things; consider renaming?
+    protected boolean mPw3Validated;
     private NfcAdapter mNfcAdapter;
     private IsoDep mIsoDep;
 
@@ -127,6 +136,15 @@ public abstract class BaseNfcActivity extends BaseActivity {
         enableNfcForegroundDispatch();
     }
 
+    protected void obtainKeyExportPassphrase(RequiredInputParcel requiredInput) {
+
+        Intent intent = new Intent(this, PassphraseDialogActivity.class);
+        intent.putExtra(PassphraseDialogActivity.EXTRA_REQUIRED_INPUT,
+                RequiredInputParcel.createRequiredPassphrase(requiredInput));
+        startActivityForResult(intent, REQUEST_CODE_PASSPHRASE);
+
+    }
+
     protected void obtainYubiKeyPin(RequiredInputParcel requiredInput) {
 
         Preferences prefs = Preferences.getPreferences(this);
@@ -138,7 +156,7 @@ public abstract class BaseNfcActivity extends BaseActivity {
         Intent intent = new Intent(this, PassphraseDialogActivity.class);
         intent.putExtra(PassphraseDialogActivity.EXTRA_REQUIRED_INPUT,
                 RequiredInputParcel.createRequiredPassphrase(requiredInput));
-        startActivityForResult(intent, REQUEST_CODE_PASSPHRASE);
+        startActivityForResult(intent, REQUEST_CODE_PIN);
 
     }
 
@@ -149,7 +167,7 @@ public abstract class BaseNfcActivity extends BaseActivity {
     @Override
     protected void onActivityResult(int requestCode, int resultCode, Intent data) {
         switch (requestCode) {
-            case REQUEST_CODE_PASSPHRASE:
+            case REQUEST_CODE_PIN: {
                 if (resultCode != Activity.RESULT_OK) {
                     setResult(resultCode);
                     finish();
@@ -158,6 +176,18 @@ public abstract class BaseNfcActivity extends BaseActivity {
                 CryptoInputParcel input = data.getParcelableExtra(PassphraseDialogActivity.RESULT_CRYPTO_INPUT);
                 mPin = input.getPassphrase();
                 break;
+            }
+
+            case REQUEST_CODE_PASSPHRASE: {
+                if (resultCode != Activity.RESULT_OK) {
+                    setResult(resultCode);
+                    finish();
+                    return;
+                }
+                CryptoInputParcel input = data.getParcelableExtra(PassphraseDialogActivity.RESULT_CRYPTO_INPUT);
+                mPassphrase = input.getPassphrase();
+                break;
+            }
 
             default:
                 super.onActivityResult(requestCode, resultCode, data);
@@ -208,6 +238,10 @@ public abstract class BaseNfcActivity extends BaseActivity {
         mPw1ValidForMultipleSignatures = (pwStatusBytes[0] == 1);
         mPw1ValidatedForSignature = false;
         mPw1ValidatedForDecrypt = false;
+        mPw3Validated = false;
+
+        // TODO: Handle non-default Admin PIN
+        mAdminPin = new Passphrase("12345678");
 
         onNfcPerform();
 
@@ -460,13 +494,21 @@ public abstract class BaseNfcActivity extends BaseActivity {
         return Hex.decode(decryptedSessionKey);
     }
 
-    /** Verifies the user's PW1 with the appropriate mode.
+    /** Verifies the user's PW1 or PW3 with the appropriate mode.
      *
-     * @param mode This is 0x81 for signing, 0x82 for everything else
+     * @param mode For PW1, this is 0x81 for signing, 0x82 for everything else.
+     *             For PW3 (Admin PIN), mode is 0x83.
      */
     public void nfcVerifyPIN(int mode) throws IOException {
-        if (mPin != null) {
+        if (mPin != null || mode == 0x83) {
-            byte[] pin = new String(mPin.getCharArray()).getBytes();
+            byte[] pin;
+
+            if (mode == 0x83) {
+                pin = new String(mAdminPin.getCharArray()).getBytes();
+            } else {
+                pin = new String(mPin.getCharArray()).getBytes();
+            }
+
             // SW1/2 0x9000 is the generic "ok" response, which we expect most of the time.
             // See specification, page 51
             String accepted = "9000";
@@ -488,10 +530,207 @@ public abstract class BaseNfcActivity extends BaseActivity {
                 mPw1ValidatedForSignature = true;
             } else if (mode == 0x82) {
                 mPw1ValidatedForDecrypt = true;
+            } else if (mode == 0x83) {
+                mPw3Validated = true;
             }
         }
     }
 
+    /** Modifies the user's PW1 or PW3. Before sending, the new PIN will be validated for
+     *  conformance to the card's requirements for key length.
+     *
+     * @param pw For PW1, this is 0x81. For PW3 (Admin PIN), mode is 0x83.
+     * @param newPinString The new PW1 or PW3.
+     */
+    public void nfcModifyPIN(int pw, String newPinString) throws IOException {
+        final int MAX_PW1_LENGTH_INDEX = 1;
+        final int MAX_PW3_LENGTH_INDEX = 3;
+
+        byte[] pwStatusBytes = nfcGetPwStatusBytes();
+        byte[] newPin = newPinString.getBytes();
+
+        if (pw == 0x81) {
+            if (newPin.length < 6 || newPin.length > pwStatusBytes[MAX_PW1_LENGTH_INDEX]) {
+                throw new IOException("Invalid PIN length");
+            }
+        } else if (pw == 0x83) {
+            if (newPin.length < 8 || newPin.length > pwStatusBytes[MAX_PW3_LENGTH_INDEX]) {
+                throw new IOException("Invalid PIN length");
+            }
+        } else {
+            throw new IOException("Invalid PW index for modify PIN operation");
+        }
+
+        byte[] pin;
+
+        if (pw == 0x83) {
+            pin = new String(mAdminPin.getCharArray()).getBytes();
+        } else {
+            pin = new String(mPin.getCharArray()).getBytes();
+        }
+
+        // Command APDU for CHANGE REFERENCE DATA command (page 32)
+        String changeReferenceDataApdu = "00" // CLA
+                + "24" // INS
+                + "00" // P1
+                + String.format("%02x", pw) // P2
+                + String.format("%02x", pin.length + newPin.length) // Lc
+                + getHex(pin)
+                + getHex(newPin);
+        if (!nfcCommunicate(changeReferenceDataApdu).equals("9000")) { // Change reference data
+            handlePinError();
+            throw new IOException("Failed to change PIN");
+        }
+    }
+
+    /**
+     * Stores a data object on the card. Automatically validates the proper PIN for the operation.
+     * Supported for all data objects < 255 bytes in length. Only the cardholder certificate
+     * (0x7F21) can exceed this length.
+     *
+     * @param dataObject The data object to be stored.
+     * @param data The data to store in the object
+     */
+    public void nfcPutData(int dataObject, byte[] data) throws IOException {
+        if (data.length > 254) {
+            throw new IOException("Cannot PUT DATA with length > 254");
+        }
+        if (dataObject == 0x0101 || dataObject == 0x0103) {
+            if (!mPw1ValidatedForDecrypt) {
+                nfcVerifyPIN(0x82); // (Verify PW1 for non-signing operations)
+            }
+        } else if (!mPw3Validated) {
+            nfcVerifyPIN(0x83); // (Verify PW3)
+        }
+
+        String putDataApdu = "00" // CLA
+                + "DA" // INS
+                + String.format("%02x", (dataObject & 0xFF00) >> 8) // P1
+                + String.format("%02x", dataObject & 0xFF) // P2
+                + String.format("%02x", data.length) // Lc
+                + getHex(data);
+
+        String response = nfcCommunicate(putDataApdu);
+        if (!response.equals("9000")) {
+            throw new IOException("Failed to put data for tag "
+                    + String.format("%02x", (dataObject & 0xFF00) >> 8)
+                    + String.format("%02x", dataObject & 0xFF)
+                    + ": " + response);
+        }
+    }
+
+    /**
+     * Puts a key on the card in the given slot.
+     *
+     * @param slot The slot on the card where the key should be stored:
+     *             0xB6: Signature Key
+     *             0xB8: Decipherment Key
+     *             0xA4: Authentication Key
+     */
+    public void nfcPutKey(int slot, CanonicalizedSecretKey secretKey)
+            throws IOException {
+        if (slot != 0xB6 && slot != 0xB8 && slot != 0xA4) {
+            throw new IOException("Invalid key slot");
+        }
+
+        RSAPrivateCrtKey crtSecretKey = null;
+        try {
+            secretKey.unlock(mPassphrase);
+            crtSecretKey = secretKey.getCrtSecretKey();
+        } catch (PgpGeneralException e) {
+            throw new IOException(e.getMessage());
+        }
+
+        // Shouldn't happen; the UI should block the user from getting an incompatible key this far.
+        if (crtSecretKey.getModulus().bitLength() > 2048) {
+            throw new IOException("Key too large to export to smart card.");
+        }
+
+        // Should happen only rarely; all GnuPG keys since 2006 use public exponent 65537.
+        if (!crtSecretKey.getPublicExponent().equals(new BigInteger("65537"))) {
+            throw new IOException("Invalid public exponent for smart card key.");
+        }
+
+        if (!mPw3Validated) {
+            nfcVerifyPIN(0x83); // (Verify PW1 with mode 83)
+        }
+
+        byte[] header= Hex.decode(
+                "4D82" + "03A2"      // Extended header list 4D82, length of 930 bytes. (page 23)
+                + String.format("%02x", slot) + "00" // CRT to indicate targeted key, no length
+                + "7F48" + "15"      // Private key template 0x7F48, length 21 (decimal, 0x15 hex)
+                + "9103"             // Public modulus, length 3
+                + "928180"           // Prime P, length 128
+                + "938180"           // Prime Q, length 128
+                + "948180"           // Coefficient (1/q mod p), length 128
+                + "958180"           // Prime exponent P (d mod (p - 1)), length 128
+                + "968180"           // Prime exponent Q (d mod (1 - 1)), length 128
+                + "97820100"         // Modulus, length 256, last item in private key template
+                + "5F48" + "820383");// DO 5F48; 899 bytes of concatenated key data will follow
+        byte[] dataToSend = new byte[934];
+        byte[] currentKeyObject;
+        int offset = 0;
+
+        System.arraycopy(header, 0, dataToSend, offset, header.length);
+        offset += header.length;
+        currentKeyObject = crtSecretKey.getPublicExponent().toByteArray();
+        System.arraycopy(currentKeyObject, 0, dataToSend, offset, 3);
+        offset += 3;
+        // NOTE: For a 2048-bit key, these lengths are fixed. However, bigint includes a leading 0
+        // in the array to represent sign, so we take care to set the offset to 1 if necessary.
+        currentKeyObject = crtSecretKey.getPrimeP().toByteArray();
+        System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128);
+        Arrays.fill(currentKeyObject, (byte)0);
+        offset += 128;
+        currentKeyObject = crtSecretKey.getPrimeQ().toByteArray();
+        System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128);
+        Arrays.fill(currentKeyObject, (byte)0);
+        offset += 128;
+        currentKeyObject = crtSecretKey.getCrtCoefficient().toByteArray();
+        System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128);
+        Arrays.fill(currentKeyObject, (byte)0);
+        offset += 128;
+        currentKeyObject = crtSecretKey.getPrimeExponentP().toByteArray();
+        System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128);
+        Arrays.fill(currentKeyObject, (byte)0);
+        offset += 128;
+        currentKeyObject = crtSecretKey.getPrimeExponentQ().toByteArray();
+        System.arraycopy(currentKeyObject, currentKeyObject.length - 128, dataToSend, offset, 128);
+        Arrays.fill(currentKeyObject, (byte)0);
+        offset += 128;
+        currentKeyObject = crtSecretKey.getModulus().toByteArray();
+        System.arraycopy(currentKeyObject, currentKeyObject.length - 256, dataToSend, offset, 256);
+
+        String putKeyCommand = "10DB3FFF";
+        String lastPutKeyCommand = "00DB3FFF";
+
+        // Now we're ready to communicate with the card.
+        offset = 0;
+        String response;
+        while(offset < dataToSend.length) {
+            int dataRemaining = dataToSend.length - offset;
+            if (dataRemaining > 254) {
+                response = nfcCommunicate(
+                        putKeyCommand + "FE" + Hex.toHexString(dataToSend, offset, 254)
+                );
+                offset += 254;
+            } else {
+                int length = dataToSend.length - offset;
+                response = nfcCommunicate(
+                        lastPutKeyCommand + String.format("%02x", length)
+                        + Hex.toHexString(dataToSend, offset, length));
+                offset += length;
+            }
+
+            if (!response.endsWith("9000")) {
+                throw new IOException("Key export to card failed");
+            }
+        }
+
+        // Clear array with secret data before we return.
+        Arrays.fill(dataToSend, (byte) 0);
+    }
+
     /**
      * Prints a message to the screen
      *

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/base/CryptoOperationFragment.java

@@ -43,6 +43,7 @@ public abstract class CryptoOperationFragment extends Fragment {
     private void initiateInputActivity(RequiredInputParcel requiredInput) {
 
         switch (requiredInput.mType) {
+            case NFC_KEYTOCARD:
             case NFC_DECRYPT:
             case NFC_SIGN: {
                 Intent intent = new Intent(getActivity(), NfcOperationActivity.class);

OpenKeychain/src/main/java/org/sufficientlysecure/keychain/ui/dialog/EditSubkeyDialogFragment.java

@@ -35,6 +35,7 @@ public class EditSubkeyDialogFragment extends DialogFragment {
     public static final int MESSAGE_CHANGE_EXPIRY = 1;
     public static final int MESSAGE_REVOKE = 2;
     public static final int MESSAGE_STRIP = 3;
+    public static final int MESSAGE_KEYTOCARD = 4;
 
     private Messenger mMessenger;
 
@@ -76,6 +77,9 @@ public class EditSubkeyDialogFragment extends DialogFragment {
                     case 2:
                         sendMessageToHandler(MESSAGE_STRIP, null);
                         break;
+                    case 3:
+                        sendMessageToHandler(MESSAGE_KEYTOCARD, null);
+                        break;
                     default:
                         break;
                 }

OpenKeychain/src/main/res/values-cs/strings.xml

@@ -424,6 +424,7 @@
     <item>Změnit expiraci</item>
     <item>Zneplatnit podklíč</item>
     <item>Strip podklíč</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">nový podklíč</string>
   <string name="edit_key_select_flag">Prosím vyberte alespoň jeden příznak!</string>

OpenKeychain/src/main/res/values-de/strings.xml

@@ -555,6 +555,7 @@
     <item>Ablaufdatum ändern</item>
     <item>Unterschlüssel widerrufen</item>
     <item>Unterschlüssel kürzen</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">neuer Unterschlüssel</string>
   <string name="edit_key_select_flag">Mindestens ein Attribut wählen!</string>

OpenKeychain/src/main/res/values-es/strings.xml

@@ -555,6 +555,7 @@
     <item>Cambiar expiración</item>
     <item>Revocar subclave</item>
     <item>Desnudar subclave</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">nueva subclave</string>
   <string name="edit_key_select_flag">¡Por favor, seleccione al menos un indicador!</string>

OpenKeychain/src/main/res/values-fr/strings.xml

@@ -555,6 +555,7 @@
     <item>Changer l\'expiration</item>
     <item>Révoquer la sous-clef</item>
     <item>Dépouiller la sous-clef</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">nouvelle sous-clef</string>
   <string name="edit_key_select_flag">Veuillez sélectionner au moins un drapeau !</string>

OpenKeychain/src/main/res/values-it/strings.xml

@@ -409,6 +409,7 @@ Permetti accesso?\n\nATTENZIONE: Se non sai perche\' questo schermata e\' appars
     <item>Cambia Scadenza</item>
     <item>Revoca Sottochiave</item>
     <item>Pulisci Sottochiave</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">nuova sottochiave</string>
   <string name="edit_key_select_flag">Per favore seleziona almeno una spunta!</string>

OpenKeychain/src/main/res/values-ja/strings.xml

@@ -547,6 +547,7 @@
     <item>期限の変更</item>
     <item>副鍵の破棄</item>
     <item>副鍵のストリップ</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">新しい副鍵</string>
   <string name="edit_key_select_flag">最低1つフラグを選択してください!</string>

OpenKeychain/src/main/res/values-nl/strings.xml

@@ -555,6 +555,7 @@
     <item>Vervaldatum veranderen</item>
     <item>Subsleutel intrekken</item>
     <item>Subsleutel strippen</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">nieuwe subsleutel</string>
   <string name="edit_key_select_flag">Gelieve minstens een vlag te selecteren!</string>

OpenKeychain/src/main/res/values-pl/strings.xml

@@ -472,6 +472,7 @@ OSTRZEŻENIE: Jeżeli nie wiesz, czemu wyświetlił się ten komunikat, nie zezw
     <item>Zmień wygaśnięcie</item>
     <item>Unieważnij Pod-klucz</item>
     <item>Usuń Pod-klucz</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">nowy pod-klucz</string>
   <string name="edit_key_select_flag">Prosimy o wybranie przynajmniej jeden flagi!</string>

OpenKeychain/src/main/res/values-ru/strings.xml

@@ -456,6 +456,7 @@
     <item>Изменить срок годности</item>
     <item>Отозвать доп. ключ</item>
     <item>Отделить доп. ключ</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">новый доп. ключ</string>
   <string name="edit_key_select_flag">Пожалуйста, выберите хотя бы один флаг!</string>

OpenKeychain/src/main/res/values-sl/strings.xml

@@ -587,6 +587,7 @@
     <item>Spremeni datum poteka</item>
     <item>Prekliči podključ</item>
     <item>Razstavi podključ</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">nov podključ</string>
   <string name="edit_key_select_flag">Izberite vsaj eno oznako!</string>

OpenKeychain/src/main/res/values-sr/strings.xml

@@ -542,6 +542,7 @@
     <item>Измени истицање</item>
     <item>Опозови поткључ</item>
     <item>Оголи поткључ</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">нови поткључ</string>
   <string name="edit_key_select_flag">Изаберите бар једну заставицу!</string>

OpenKeychain/src/main/res/values-zh-rTW/strings.xml

@@ -465,6 +465,7 @@
     <item>變更到期日</item>
     <item>撤銷子金鑰</item>
     <item>Strip Subkey</item>
+    <item>"Move Subkey to Yubikey / Smart Card"</item>
   </string-array>
   <string name="edit_key_new_subkey">新增子金鑰</string>
   <string name="edit_key_error_add_identity">新增至少一組身分識別！</string>

OpenKeychain/src/main/res/values/strings.xml

@@ -621,11 +621,15 @@
         <item>"Change Expiry"</item>
         <item>"Revoke Subkey"</item>
         <item>"Strip Subkey"</item>
+        <item>"Move Subkey to Yubikey / Smart Card"</item>
     </string-array>
     <string name="edit_key_new_subkey">"new subkey"</string>
     <string name="edit_key_select_flag">"Please select at least one flag!"</string>
     <string name="edit_key_error_add_identity">"Add at least one identity!"</string>
     <string name="edit_key_error_add_subkey">"Add at least one subkey!"</string>
+    <string name="edit_key_error_bad_nfc_algo">"Algorithm not supported by smart card!"</string>
+    <string name="edit_key_error_bad_nfc_size">"Key size not supported by smart card!"</string>
+    <string name="edit_key_error_bad_nfc_stripped">"Cannot move stripped / diverted key to smart card!"</string>
 
     <!-- Create key -->
     <string name="create_key_upload">"Synchronize with the cloud"</string>