Closed Jakuje closed 1 year ago
simo5
commented
1 year ago The only reason I haven't coded it yet is that softokn does not provide it as a mechanism. Does softhsm provide support for ed25519? I could use that one to write the necessary tests to commit code that implements it. (In OpenSSL it is a different set of functions so I need testing as it does not share code with ECDSA)
Jakuje
commented
1 year ago SoftHSM supports Ed25519 keys. Dima was implementing support for these in OpenSSH, using softhsm couple of years back so it should be easy to use these keys also in the provider:
beldmit
commented
1 year ago Do you remember what was the problem with softhsm EC25519 key format? I remember we have discussed it with SoftHSM people. But it means my old code can hardly be inherited in pkcs11 provider
Jakuje
commented
1 year ago Initially, the implemented the key mechanism sizes incorrectly [1]. Then there was some mismatch in the representation of the CKA_EC_PARAMS [2], but the current version should have both of these fixed. But cross-checking that it really dos what it is supposed to do with the specs is always good as another pair of eyes might spot different issues. I think the specs were not completely clear so I was bringing it up also in the PKCS#11 WG, but I am not sure anymore if it lead to any changes.
The openssh pr was more like a reference for something working with eddsa keys than anything that could be directly used.
[1] https://github.com/opendnssec/SoftHSMv2/pull/522 [2] https://github.com/opendnssec/SoftHSMv2/pull/526
beldmit
commented
1 year ago The issue I mean is [1] and it was raised later than those PRs you refer to. Some relevant discussion is also here [2]. So it means we will have to deal with both implementations :(
[1] https://github.com/opendnssec/SoftHSMv2/issues/634 [2] https://github.com/openssh/openssh-portable/pull/230#issuecomment-852954500
simo5
commented
1 year ago I was able to generate keys, but I had to lookup the OpenSC source code to find out how, as the man page does not say, and I couldn't find any example with quick searches in the web. For posterity pkcs11-tool ... --key-type ec:edwards25519
Jakuje
commented
1 year ago Feel free to propose an improvement either for the manual page or just open an issue. I think this should be easy to improve.
The RSA and ECDSA are the most common keys these days in the PKCS#11 world, but the EdDSA is becoming also more and more popular. There are HSMs supporting these keys for some time (yubiHSM) as well as some smart cards/tokens based on OpenPGP (NitroKey with the gnuk applet). It will also become more important when the FIPS 186-5 will get approved.