Mastercard / pkcs11-tools

A set of tools to manage objects on PKCS#11 cryptographic tokens. Compatible with many PKCS#11 libraries, including major HSM brands, NSS and softoken.

OpenSSL 1.1.1, Cryptoki 2.40, possibly Cryptoki v3 EdDSA features? #5

Closed. nickray closed this issue 4 years ago.

nickray commented 5 years ago

Hi Eric, great project! I see in https://github.com/Mastercard/pkcs11-tools/projects/1 that you're planning to support OpenSSL 1.1 and update to Cryptoki 2.40. Is this actively being worked on, in the sense of having an idea when it will land?

Additionally, it would be great to already have support for EdDSA: it should be included in PKCS#11 version 3, there is a draft that looks close to final, and SoftHSMv2 added support in 2.5.

keldonin commented 5 years ago

Hi Nicolas,

Thank you for your interest. I am planning to work on openssl 1.1 support before the end of this year (i.e. before the end of support of openssl 1.0).

Migrating to 1.1 is actually not straightforward; the reason is that many internal objects/APIs of openssl have been obfuscated now, and I will need to change the method for signing a CSR using a PKCS#11 interface; I actually need to write a small openssl engine, inspired by OpenSC/libp11.

Support for EdDSA is a good idea, but this project isn't ready yet with 2.40. Support for v3 is likely to be disruptive, isn't it? I will need to have a look. Alternatively, if possible, we could cherry-pick support for EdDSA, assuming this could work under 2.X.

nickray commented 5 years ago

Thanks for the quick response! Yes indeed openssl 1.1 is a bit disruptive isn't it; on the (non-enterprisey) distributions I use openssl 1.0 isn't even easily available anymore though.

Regarding 25519, from what I can tell it's "just" three new constants plus implementation to cherry-pick this back into 2.40; I'm working on a patch for python-pkcs11. As linked above, SoftHSMv2 added support in their version 2.5, so I assume there aren't any compatibility issues - it's new functionality.

keldonin commented 5 years ago

Just constants? Do you know which mechanisms this will affect? Key pair generation/signature/verification, presumably? I can imagine, also, that another OID must be picked as signature algorithm (i.e. EdDSA instead of ECDSA).

python-pkcs11 is another project I have been contributing to recently. I'm on the watchers list, I'll check your patch once you have published your PR, to gather the information.

Adding EdDSA as a distinct feature to develop, in my project plan.

Stay tuned.
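As an added worked example (not code from this thread, from pkcs11-tools or from python-pkcs11), the following script spells out the "three new constants" mentioned above and answers the mechanism question: PKCS#11 3.0 introduces CKK_EC_EDWARDS as the key type, CKM_EC_EDWARDS_KEY_PAIR_GEN for C_GenerateKeyPair, and CKM_EDDSA for C_Sign/C_Verify. The curve is not selected through a secp/prime named-curve OID as with ECDSA; CKA_EC_PARAMS instead carries the RFC 8410 id-Ed25519 (1.3.101.112) or id-Ed448 (1.3.101.113) OID, and CKA_EC_POINT is a DER OCTET STRING around the RFC 8032 little-endian point. The pure helpers (OID encoding, templates, point unwrapping) run without a token; `sign_with_token` exercises key generation, signing and verification through python-pkcs11 against any v3-capable module such as SoftHSMv2 2.5 or later. The python-pkcs11 calls (`KeyType.EC_EDWARDS`, `Mechanism.EDDSA`, `create_domain_parameters(...).generate_keypair(...)`, `pub[Attribute.EC_POINT]` returning bytes) and the optional pyca/cryptography cross-check are assumptions about those libraries' APIs, not something this thread confirms. The label "eddsa-demo" and the environment variable names are illustrative.

```python
"""PKCS#11 3.0 EdDSA worked example (added here; not pkcs11-tools code)."""
import os

# The three identifiers PKCS#11 v3.0 adds for Edwards-curve keys (pkcs11t.h values).
CKK_EC_EDWARDS = 0x40                 # CKA_KEY_TYPE of an Ed25519/Ed448 key
CKM_EC_EDWARDS_KEY_PAIR_GEN = 0x1055  # C_GenerateKeyPair mechanism
CKM_EDDSA = 0x1057                    # C_Sign / C_Verify mechanism

# Unlike ECDSA, CKA_EC_PARAMS carries the RFC 8410 algorithm OIDs, not a curve OID.
EDWARDS_CURVE_OIDS = {"Ed25519": "1.3.101.112", "Ed448": "1.3.101.113"}
SIGNATURE_LENGTHS = {"Ed25519": 64, "Ed448": 114}  # raw R||S, RFC 8032


def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length) from dotted text."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, most significant group first,
        arc >>= 7                     # continuation bit on all but the last byte
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der):
    """Inverse of encode_oid, used to sanity-check what a token hands back."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("expected one short-form DER OID")
    body = der[2:]
    arcs = [body[0] // 40, body[0] % 40]  # fine for first arc 0/1/2 with second arc < 40
    value, pending = 0, False
    for b in body[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated arc")
    return ".".join(map(str, arcs))


def ec_params_for(curve):
    """CKA_EC_PARAMS value for an Edwards key: DER OID id-Ed25519 / id-Ed448."""
    return encode_oid(EDWARDS_CURVE_OIDS[curve])


def expected_signature_len(curve):
    return SIGNATURE_LENGTHS[curve]


def unwrap_ec_point(der):
    """CKA_EC_POINT of an Edwards key is a DER OCTET STRING; return the raw point."""
    if len(der) < 2 or der[0] != 0x04 or der[1] != len(der) - 2:
        raise ValueError("expected one short-form DER OCTET STRING")
    return bytes(der[2:])


def edwards_keypair_templates(curve, label):
    """Attribute templates for C_GenerateKeyPair with CKM_EC_EDWARDS_KEY_PAIR_GEN,
    as plain dicts keyed by attribute name so they can be read without a binding."""
    public = {"CKA_KEY_TYPE": CKK_EC_EDWARDS, "CKA_EC_PARAMS": ec_params_for(curve),
              "CKA_VERIFY": True, "CKA_LABEL": label}
    private = {"CKA_KEY_TYPE": CKK_EC_EDWARDS, "CKA_SIGN": True, "CKA_SENSITIVE": True,
               "CKA_EXTRACTABLE": False, "CKA_LABEL": label}
    return public, private


def sign_with_token(module_path, token_label, pin, data, curve="Ed25519"):
    """Generate an Edwards key pair, sign with pure EdDSA, verify on the token and,
    when pyca/cryptography is installed, verify again off the token. Assumes the
    python-pkcs11 API named in the lead-in (an assumption, not verified here)."""
    import pkcs11
    from pkcs11 import Attribute, KeyType, Mechanism

    token = pkcs11.lib(module_path).get_token(token_label=token_label)
    with token.open(user_pin=pin, rw=True) as session:
        params = session.create_domain_parameters(
            KeyType.EC_EDWARDS, {Attribute.EC_PARAMS: ec_params_for(curve)}, local=True)
        pub, priv = params.generate_keypair(
            mechanism=Mechanism.EC_EDWARDS_KEY_PAIR_GEN, store=False, label="eddsa-demo")
        # No CK_EDDSA_PARAMS => pure Ed25519/Ed448, the variant RFC 8410 certificates use.
        sig = priv.sign(data, mechanism=Mechanism.EDDSA)
        if not pub.verify(data, sig, mechanism=Mechanism.EDDSA):
            raise RuntimeError("token rejected its own signature")
        if len(sig) != expected_signature_len(curve):
            raise RuntimeError("unexpected signature length %d" % len(sig))
        raw_point = unwrap_ec_point(pub[Attribute.EC_POINT])
    try:
        from cryptography.hazmat.primitives.asymmetric import ed25519, ed448
    except ImportError:
        return sig
    key_cls = ed25519.Ed25519PublicKey if curve == "Ed25519" else ed448.Ed448PublicKey
    key_cls.from_public_bytes(raw_point).verify(sig, data)  # raises InvalidSignature
    return sig


if __name__ == "__main__":
    # Illustrative environment variable names; point them at e.g. SoftHSMv2 >= 2.5.
    sig = sign_with_token(os.environ["PKCS11_MODULE"], os.environ["PKCS11_TOKEN"],
                          os.environ["PKCS11_PIN"], b"hello from pkcs11 v3")
    print("signature (%d bytes): %s" % (len(sig), sig.hex()))
```

The contrast with ECDSA is visible in the encoding helper: `encode_oid("1.2.840.10045.3.1.7")` yields the secp256r1 named-curve OID that an ECDSA key's CKA_EC_PARAMS carries, whereas an Ed25519 key carries the algorithm OID `06 03 2B 65 70`. A certificate request signed by the token must then use the id-Ed25519 signature algorithm identifier as well, which is the "another OID" point raised above.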

keldonin commented 4 years ago

Support for PKCS#11 2.40 fixed in v1.1.0 (commit 2ab2172)

keldonin commented 3 years ago

Hi @nickray,

PKCS#11 3.0, OpenSSL 1.1.1 and Edwards curves are supported as of release v2.1.0.

Regards,