[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent
calderon.thomas at gmail.com
Fri Oct 9 00:36:44 AEDT 2015
There is no need to add new mechanism identifiers to use specific curves.
This can be done already using the CKM_ECDSA mechanism parameters (see
in the standard).
Given that the underlying HW or SW tokens support Ed25519 curves, then you
could leverage it even with version 2.20 of the PKCS#11 standard.
On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert at gmail.com> wrote:
> On 10/8/2015 4:49 AM, Simon Josefsson wrote:
>> Mathias Brossard <mathias at brossard.org> writes:
>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11
>>> support of ssh-agent which will be of interest to other users.
>> Nice! What would it take to add support for Ed25519 too? Do we need to
>> allocate any new PKCS#11 identifiers?
> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these
> gets out of hand. Best to try and get them in the standard. OASIS controls
> standard From 14 April 2015:
> 2.40 does not define Ed25519.
>> The Gnuk smartcard supports
>> Ed25519 but I don't know if it is common to use it with OpenSSH through
>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's
>> gpg-agent). At least it might be useful as a test case.
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
> Douglas E. Engert <DEEngert at gmail.com>