Re: [PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Thomas Calderon <calderon.thomas@xxxxxxxxx> writes:

> Hi,
>
> There is no need to add new mechanism identifiers to use specific curves.
>
> This can be done already using the CKM_ECDSA mechanism parameters (see
> CKA_ECDSA_PARAMS
> in the standard).
> Given that the underlying HW or SW tokens supports Ed25519 curves, then you
> could leverage it even with version 2.20 of the PKCS#11 standard.

I think you need an OID to put in the namedCurve field of EC Parameters
structure, right?  The structure is:

Parameters:: = CHOICE {
    ecParametersECParameters,
    namedCurveCURVES. & id( { CurveNames}),
    implicitlyCANULL}

The ecParametersECParameters approach doesn't work, I believe, for
EdDSA, but a namedCurve would probably do.  But what OID to use?  I'm
happy to reserve 1.3.6.1.4.1.11591.9 to mean a namedCurve value for
Ed25519 in PKCS#11.

I'm not sure this approach works out -- but let's try.

/Simon

> Cheers,
>
> Thomas
>
> On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert@xxxxxxxxx> wrote:
>
>>
>>
>> On 10/8/2015 4:49 AM, Simon Josefsson wrote:
>>
>>> Mathias Brossard <mathias@xxxxxxxxxxxx> writes:
>>>
>>> Hi,
>>>>
>>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11
>>>> support of ssh-agent which will be of interest to other users.
>>>>
>>>
>>> Nice!  What would it take to add support for Ed25519 too?  Do we need to
>>> allocate any new PKCS#11 identifiers?
>>>
>>
>> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these
>> can
>> get out of hand. Best to try and get them in the standard. OASIS controls
>> the
>> standard From 14 April 2015:
>>
>>
>> http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html
>>
>> 2.40 does not define Ed25519.
>>
>> The Gnuk smartcard supports
>>> Ed25519 but I don't know if it is common to use it with OpenSSH through
>>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's
>>> gpg-agent).  At least it might be useful as a test case.
>>>
>>> /Simon
>>>
>>>
>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev@xxxxxxxxxxx
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>>
>> --
>>
>>  Douglas E. Engert  <DEEngert@xxxxxxxxx>
>>
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux