chris2511
commented
1 year ago This is already supported
It is actually limited by the token ability .....
Open antonio-fr opened 2 years ago
chris2511
commented
1 year ago This is already supported
It is actually limited by the token ability .....
ARGYROU-MINAS
commented
1 year ago This is already supported
It is actually limited by the token ability .....
I can corroborate that, as of version 2.4.0 (2021) on Windows, the ECC options are NOT displayed, even though the tokens support ECC (I have tested on multiple different token models).
chris2511
commented
1 year ago XCA calls the PKCS#11 function C_GetMechanismListand looks for ...KEY-PAIR-GEN
$ pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -M | grep KEY-PAIR-GEN
Using slot 0 with a present token (0x60704b6)
DSA-KEY-PAIR-GEN, keySize={512,1024}, generate_key_pair
ECDSA-KEY-PAIR-GEN, keySize={112,521}, generate_key_pair, other flags=0x1900000
RSA-PKCS-KEY-PAIR-GEN, keySize={512,16384}, generate_key_pairThe PKSC11 middleware must return those mechanisms to be recognized by XCA in the key-generation dialog. Can you check that your middleware offers those mechanisms ?
ARGYROU-MINAS
commented
1 year ago ized by XCA in the key-generation dialog. Can you check that your middleware offers those m
Example with a YubiKey:
ECDSA is available as a mechanism.
antonio-fr
commented
1 year ago Turns out this feature request might be a bug issue after all.
When creating a new key, the hardware tokens are listed among the key types. And the actual key type for a key created on a token is inferred to be RSA. One can only create RSA keys on a token. It would be a great feature if that limitation were not present.
For example, an additional field about key medium : "software", "token1", "token2",... and then the current selector fields "types". So we can create whatever type we want on a token (ofc limited by the token ability).