Thomas Calderon <calderon.thomas@xxxxxxxxx> writes: > Hi, > > There is no need to add new mechanism identifiers to use specific curves. > > This can be done already using the CKM_ECDSA mechanism parameters (see > CKA_ECDSA_PARAMS > in the standard). > Given that the underlying HW or SW tokens supports Ed25519 curves, then you > could leverage it even with version 2.20 of the PKCS#11 standard. I think you need an OID to put in the namedCurve field of EC Parameters structure, right? The structure is: Parameters:: = CHOICE { ecParametersECParameters, namedCurveCURVES. & id( { CurveNames}), implicitlyCANULL} The ecParametersECParameters approach doesn't work, I believe, for EdDSA, but a namedCurve would probably do. But what OID to use? I'm happy to reserve 1.3.6.1.4.1.11591.9 to mean a namedCurve value for Ed25519 in PKCS#11. I'm not sure this approach works out -- but let's try. /Simon > Cheers, > > Thomas > > On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert@xxxxxxxxx> wrote: > >> >> >> On 10/8/2015 4:49 AM, Simon Josefsson wrote: >> >>> Mathias Brossard <mathias@xxxxxxxxxxxx> writes: >>> >>> Hi, >>>> >>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11 >>>> support of ssh-agent which will be of interest to other users. >>>> >>> >>> Nice! What would it take to add support for Ed25519 too? Do we need to >>> allocate any new PKCS#11 identifiers? >>> >> >> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these >> can >> get out of hand. Best to try and get them in the standard. OASIS controls >> the >> standard From 14 April 2015: >> >> >> http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html >> >> 2.40 does not define Ed25519. >> >> The Gnuk smartcard supports >>> Ed25519 but I don't know if it is common to use it with OpenSSH through >>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's >>> gpg-agent). At least it might be useful as a test case. >>> >>> /Simon >>> >>> >>> >>> _______________________________________________ >>> openssh-unix-dev mailing list >>> openssh-unix-dev@xxxxxxxxxxx >>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >>> >>> >> -- >> >> Douglas E. Engert <DEEngert@xxxxxxxxx> >> >> >> _______________________________________________ >> openssh-unix-dev mailing list >> openssh-unix-dev@xxxxxxxxxxx >> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >>
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev