PeculiarVentures / graphene

A simple layer for interacting with PKCS #11 / PKCS11 / CryptoKI for Node in TypeScript. (Keywords: Javascript, PKCS#11, Crypto, Smart Card, HSM)
MIT License

SECP256k1 support #121

Closed anubnair closed 4 years ago

anubnair commented 4 years ago

I am trying to create secp256k1. The following template works (for secp256r1), but if I give secp256k1, I get invalid curve. Is secp256k1 supported?

```js
publicKey: {
  keyType: graphene.KeyType.ECDSA,
  paramsEC: graphene.NamedCurve.getByName("secp256r1").value,
  id: idKey,
  token: false,
  verify: true,
  encrypt: true,
  wrap: true,
  derive: true,
},
privateKey: {
  keyType: graphene.KeyType.ECDSA,
  token: false,
  id: idKey,
  sign: true,
  decrypt: true,
  extractable: true,
  unwrap: true,
  derive: true,
}
```

rmhrisk commented 4 years ago

To the best of my knowledge, PKCS#11 still does not have standard constants for secp256k1; this means the devices that support this curve do so in a proprietary way.

What device do you have?

Do you have sample code showing the method working in any language with that curve?

anubnair commented 4 years ago

I will be using SafeNet Luna PCIe HSM from Gemalto. For now I am trying with softhsm for development

microshine commented 4 years ago

secp256k1

OID: 1.3.132.0.10 HEX: 0x06052b8104000A

Try to use custom value for paramsEC

```js
paramsEC: Buffer.from("06052b8104000A", "hex");
```

P.S.

node-webcrypto-p11 implements K-256 https://github.com/PeculiarVentures/node-webcrypto-p11/blob/master/src/mechs/ec/crypto.ts#L137-L144
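
The `paramsEC` bytes suggested above are the DER encoding of the curve's OID, which is what PKCS#11 expects in `CKA_EC_PARAMS`. The following is an added example, not part of the original thread or of graphene (the function names `encodeOid` and `decodeOid` are hypothetical): it derives those bytes from the dotted OID and decodes them back, so a hex string can be checked against the intended curve before it is handed to a token.

```javascript
// Encode one OID arc as base-128, high bit set on every byte but the last.
function encodeBase128(value) {
  const bytes = [value % 128];
  value = Math.floor(value / 128);
  while (value > 0) {
    bytes.unshift((value % 128) | 0x80);
    value = Math.floor(value / 128);
  }
  return bytes;
}

// Dotted OID -> DER OBJECT IDENTIFIER (tag 0x06, short-form length, value).
function encodeOid(dotted) {
  const arcs = dotted.split(".").map((s) => {
    if (!/^\d+$/.test(s)) throw new Error(`invalid arc: "${s}"`);
    const n = Number(s);
    if (!Number.isSafeInteger(n)) throw new Error(`arc too large: ${s}`);
    return n;
  });
  if (arcs.length < 2 || arcs[0] > 2 || (arcs[0] < 2 && arcs[1] > 39)) {
    throw new Error("invalid leading arcs");
  }
  // The first two arcs share one subidentifier: 40 * arc1 + arc2.
  const body = encodeBase128(arcs[0] * 40 + arcs[1]);
  for (const arc of arcs.slice(2)) body.push(...encodeBase128(arc));
  if (body.length > 127) throw new Error("long-form length not handled here");
  return Buffer.from([0x06, body.length, ...body]);
}

// DER OBJECT IDENTIFIER -> dotted OID; rejects trailing or truncated data.
function decodeOid(der) {
  if (der.length < 3 || der[0] !== 0x06 || der[1] !== der.length - 2) {
    throw new Error("not a short-form DER OBJECT IDENTIFIER");
  }
  const subIds = [];
  let acc = 0;
  for (const b of der.subarray(2)) {
    acc = acc * 128 + (b & 0x7f);
    if (!(b & 0x80)) { subIds.push(acc); acc = 0; }
  }
  if (der[der.length - 1] & 0x80) throw new Error("truncated arc");
  const first = Math.min(Math.floor(subIds[0] / 40), 2);
  return [first, subIds[0] - first * 40, ...subIds.slice(1)].join(".");
}

// secp256k1 OID from the thread, and the hex value quoted for paramsEC.
console.log(encodeOid("1.3.132.0.10").toString("hex"));
console.log(decodeOid(Buffer.from("06052b8104000A", "hex")));
```

Whether a given token accepts the resulting bytes still depends on the device, as discussed in the replies.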

lmahanand commented 4 years ago

> secp256k1
>
> OID: 1.3.132.0.10 HEX: 0x06052b8104000A
>
> Try to use custom value for paramsEC
>
> paramsEC: Buffer.from("06052b8104000A", "hex");
>
> P.S.
>
> node-webcrypto-p11 implements K-256 https://github.com/PeculiarVentures/node-webcrypto-p11/blob/master/src/mechs/ec/crypto.ts#L137-L144

Hello @microshine Will it work in AWS Cloud HSM?

rmhrisk commented 4 years ago

We have not tested with AWS CloudHSM but that service is a Cavium and not Safenet; if they have not made the same proprietary implementation decisions (again this is not specified in P11 spec) or do not support the curve, it will not work.

One way to know is a) contact Cavium, b) just try.

lmahanand commented 4 years ago

> We have not tested with AWS CloudHSM but that service is a Cavium and not Safenet; if they have not made the same proprietary implementation decisions (again this is not specified in P11 spec) or do not support the curve, it will not work.
>
> One way to know is a) contact Cavium, b) just try.

Hello @rmhrisk Thank you for your swift reply. I understood. We will contact Cavium.

rmhrisk commented 4 years ago

That OID is an ISO assigned OID (http://oid-info.com/get/1.3.132.0.10) for that curve but that doesn’t mean it is the one Cavium will have chosen or what the PKCS11 standards body will settle on when / if they formalize support for this curve.

rmhrisk commented 4 years ago

As of 2017 the CloudHSM product from AWS did not support k1 - https://forums.aws.amazon.com/thread.jspa?messageID=821496

The hardware itself may; https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3254

But it’s unclear if this version represents what they are running or if they enable this feature in the device.

lmahanand commented 4 years ago

> As of 2017 the CloudHSM product from AWS did not support k1 - https://forums.aws.amazon.com/thread.jspa?messageID=821496
>
> The hardware itself may; https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3254
>
> But it’s unclear if this version represents what they are running or if they enable this feature in the device.

I just verified on AWS Cloud HSM, this OID worked in generating the keys. Also the signing and verification worked. Thank you again :-)

lmahanand commented 4 years ago

> As of 2017 the CloudHSM product from AWS did not support k1 - https://forums.aws.amazon.com/thread.jspa?messageID=821496
>
> The hardware itself may; https://csrc.nist.gov/Projects/Cryptographic-Module-Validation-Program/Certificate/3254
>
> But it’s unclear if this version represents what they are running or if they enable this feature in the device.

AWS Cloud HSM started supporting secp256k1

rmhrisk commented 4 years ago

Then you should be able to use it via graphene. Did you succeed?

lmahanand commented 4 years ago

> Then you should be able to use it via graphene. Did you succeed?

Yes @rmhrisk, it worked.