irtimmer / tpm2-pk11

[DEPRECATED] PKCS#11 Module for TPM 2.0
BSD 2-Clause "Simplified" License

Can we support other key types including ECDSA? #52

Open liuqun opened 6 years ago

liuqun commented 6 years ago
  1. ssh-keygen supports "RSA, DSA, ECDSA, ED25519" keys by default. Currently, we have only implemented RSA in libtpm2-pk11.so. But "ssh-keygen -t ecdsa -D libtpm2-pk11.so" doesn't work as I expected. For example:

Both

     ssh-keygen -t ecdsa -D /usr/local/lib/libtpm2-pk11.so
     ssh-keygen -t rsa -D /usr/local/lib/libtpm2-pk11.so

output RSA key format. I guess it might be a bug that ssh-keygen didn't check which mechanism was supported by the PKCS#11 module through "C_GetMechanismList()".


  2. Since we have already implemented "C_GetMechanismList()" in libtpm2-pk11.so, here is a tool named pkcs11-tool from the OpenSC project that can be used to debug our PKCS#11 module, for example:
    $ sudo apt-get install -y opensc
    ...
    $ pkcs11-tool --module /usr/local/lib/libtpm2-pk11.so --list-mechanisms
    Using slot 0 with a present token (0x1234)
    Supported mechanisms:
    RSA-PKCS

To create an ECDSA key using tpm2-tools, we only need to replace "tpm2_create -G 0x01" with "-G 0x23", for example:

    # The TPM 2.0 primary object is still an RSA object
    tpm2_createprimary -H o -g sha256 -G rsa -C po.ctx
    # Note: the legacy tpm2-tools 2.X command was "tpm2_createprimary -A o -g 0x000b -G 0x0001 -C po.ctx"

    # A child object created with "-G 0x23" uses the TPM_ALG_ECC algorithm
    tpm2_create -c po.ctx -g 0x000b -G 0x0023 -o ecckey.pub -O ecckey.priv
    tpm2_load -c po.ctx -u ecckey.pub -r ecckey.priv -n key.name -C eccobj.ctx
    tpm2_evictcontrol -A o -c eccobj.ctx -S 0x81010011

    # List all persistent keys
    tpm2_listpersistent
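The check the comment says ssh-keygen skipped (consult the mechanism list before asking the module for a given key type) can be scripted against the text `pkcs11-tool --list-mechanisms` prints. The following is an added example and not code from tpm2-pk11 or OpenSC: it parses that listing, maps the advertised mechanism names to key types, and also names the TPM_ALG_ID values used in the tpm2-tools commands above. The sample listings and the hypothetical trailing attribute columns (`keySize=...`, `hw`, `sign`) are constructed for the example; the page itself only shows a bare `RSA-PKCS` line.

```python
"""Decide whether a PKCS#11 module can serve a key-type request.

Reads the text that `pkcs11-tool --list-mechanisms` (OpenSC) prints and
reports which key types the module advertises signing mechanisms for, so a
caller can refuse an ECDSA request against a module that only offers RSA
instead of silently receiving an RSA key.  Sample outputs are constructed.
"""
from __future__ import annotations

# TPM 2.0 algorithm identifiers (TPM_ALG_ID) that appear in the tpm2-tools
# commands on this page: "-G 0x0001" selects RSA, "-G 0x0023" selects ECC.
TPM_ALG_ID_NAMES = {
    0x0001: "TPM_ALG_RSA",
    0x000B: "TPM_ALG_SHA256",
    0x0023: "TPM_ALG_ECC",
}

# PKCS#11 mechanism names as pkcs11-tool prints them, grouped by the key
# type they operate on.  Only a representative subset is listed.
MECHANISMS_BY_KEY_TYPE = {
    "rsa": {"RSA-PKCS", "RSA-PKCS-PSS", "RSA-X-509",
            "SHA1-RSA-PKCS", "SHA256-RSA-PKCS"},
    "ecdsa": {"ECDSA", "ECDSA-SHA1", "ECDSA-SHA256"},
}

# Constructed sample: what the issue shows for libtpm2-pk11.so today.
SAMPLE_RSA_ONLY = """\
Using slot 0 with a present token (0x1234)
Supported mechanisms:
  RSA-PKCS
"""

# Constructed sample: a module that also advertises ECDSA, with the optional
# attribute columns pkcs11-tool may append after the mechanism name.
SAMPLE_WITH_ECDSA = """\
Using slot 0 with a present token (0x1234)
Supported mechanisms:
  RSA-PKCS, keySize={1024,4096}, hw, decrypt, sign, verify
  SHA256-RSA-PKCS, keySize={1024,4096}, hw, sign, verify
  ECDSA, keySize={256,384}, hw, sign, verify
"""


def tpm_alg_name(alg_id: int) -> str:
    """Name a TPM_ALG_ID value; unknown ids are reported, not guessed."""
    return TPM_ALG_ID_NAMES.get(alg_id, f"unknown TPM_ALG_ID 0x{alg_id:04x}")


def parse_mechanism_list(output: str) -> list[str]:
    """Return mechanism names from `pkcs11-tool --list-mechanisms` text.

    Status lines before "Supported mechanisms:" are skipped; attributes
    following the first comma on a mechanism line are dropped.
    """
    names: list[str] = []
    in_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = line.startswith("Supported mechanisms:")
            continue
        if line:
            names.append(line.split(",", 1)[0].strip())
    return names


def supported_key_types(mechanisms: list[str]) -> set[str]:
    """Map advertised mechanism names to the key types they can sign for."""
    advertised = set(mechanisms)
    return {kt for kt, names in MECHANISMS_BY_KEY_TYPE.items()
            if advertised & names}


def check_key_request(output: str, key_type: str) -> str:
    """The pre-flight check ssh-keygen could do before generating key_type."""
    available = supported_key_types(parse_mechanism_list(output))
    if key_type in available:
        return f"ok: module advertises {key_type} mechanisms"
    return (f"refuse: module advertises {sorted(available)} "
            f"but no {key_type} mechanism")


if __name__ == "__main__":
    print(tpm_alg_name(0x0023))
    print(check_key_request(SAMPLE_RSA_ONLY, "ecdsa"))
    print(check_key_request(SAMPLE_WITH_ECDSA, "ecdsa"))
```

Run against a real module by piping `pkcs11-tool --module /path/to/libtpm2-pk11.so --list-mechanisms` into `check_key_request`; with the RSA-only listing the issue reports, the check refuses an `ecdsa` request instead of letting an RSA key come back under an ECDSA name.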