[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
Thomas Calderon
calderon.thomas at gmail.com
Fri Oct 9 00:36:44 AEDT 2015
Hi,
There is no need to add new mechanism identifiers to use specific curves.
This can be done already using the CKM_ECDSA mechanism parameters (see
CKA_ECDSA_PARAMS
in the standard).
Given that the underlying HW or SW tokens supports Ed25519 curves, then you
could leverage it even with version 2.20 of the PKCS#11 standard.
Cheers,
Thomas
On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert at gmail.com> wrote:
>
>
> On 10/8/2015 4:49 AM, Simon Josefsson wrote:
>
>> Mathias Brossard <mathias at brossard.org> writes:
>>
>> Hi,
>>>
>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11
>>> support of ssh-agent which will be of interest to other users.
>>>
>>
>> Nice! What would it take to add support for Ed25519 too? Do we need to
>> allocate any new PKCS#11 identifiers?
>>
>
> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these
> can
> get out of hand. Best to try and get them in the standard. OASIS controls
> the
> standard From 14 April 2015:
>
>
> http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html
>
> 2.40 does not define Ed25519.
>
> The Gnuk smartcard supports
>> Ed25519 but I don't know if it is common to use it with OpenSSH through
>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's
>> gpg-agent). At least it might be useful as a test case.
>>
>> /Simon
>>
>>
>>
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>
>>
> --
>
> Douglas E. Engert <DEEngert at gmail.com>
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
More information about the openssh-unix-dev
mailing list