[PATCH] Enabling ECDSA in PKCS#11 support for ssh-agent

Simon Josefsson simon at josefsson.org
Fri Oct 9 01:17:41 AEDT 2015


Thomas Calderon <calderon.thomas at gmail.com> writes:

> Hi,
>
> There is no need to add new mechanism identifiers to use specific curves.
>
> This can be done already using the CKM_ECDSA mechanism parameters (see
> CKA_ECDSA_PARAMS in the standard).
> Given that the underlying HW or SW tokens support Ed25519 curves, then you
> could leverage it even with version 2.20 of the PKCS#11 standard.

I think you need an OID to put in the namedCurve field of EC Parameters
structure, right?  The structure is:

Parameters ::= CHOICE {
    ecParameters  ECParameters,
    namedCurve    CURVES.&id({CurveNames}),
    implicitlyCA  NULL
}

The ecParameters ECParameters approach doesn't work, I believe, for
EdDSA, but a namedCurve would probably do.  But what OID to use?  I'm
happy to reserve 1.3.6.1.4.1.11591.9 to mean a namedCurve value for
Ed25519 in PKCS#11.

I'm not sure this approach works out -- but let's try.

/Simon

> Cheers,
>
> Thomas
>
> On Thu, Oct 8, 2015 at 2:00 PM, Douglas E Engert <deengert at gmail.com> wrote:
>
>>
>>
>> On 10/8/2015 4:49 AM, Simon Josefsson wrote:
>>
>>> Mathias Brossard <mathias at brossard.org> writes:
>>>
>>> Hi,
>>>>
>>>> I have made a patch for enabling the use of ECDSA keys in the PKCS#11
>>>> support of ssh-agent which will be of interest to other users.
>>>>
>>>
>>> Nice!  What would it take to add support for Ed25519 too?  Do we need to
>>> allocate any new PKCS#11 identifiers?
>>>
>>
>> Yes, and PKCS#11 allows for *_VENDOR_SUPPLIED identifiers. But using these
>> can get out of hand. Best to try and get them in the standard. OASIS
>> controls the standard From 14 April 2015:
>>
>>
>> http://docs.oasis-open.org/pkcs11/pkcs11-curr/v2.40/pkcs11-curr-v2.40.html
>>
>> 2.40 does not define Ed25519.
>>
>> The Gnuk smartcard supports
>>> Ed25519 but I don't know if it is common to use it with OpenSSH through
>>> PKCS#11 (I would expect it to be used with OpenSSH through GnuPG's
>>> gpg-agent).  At least it might be useful as a test case.
>>>
>>> /Simon
>>>
>>>
>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>>
>> --
>>
>>  Douglas E. Engert  <DEEngert at gmail.com>
>>
>>
>>
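
What a namedCurve value looks like as bytes, as an added example that is not code from this thread or from OpenSSH: it DER-encodes the OID proposed above into the form a namedCurve arm carries, and reports which arm of the Parameters CHOICE a given value uses, judging by its outer tag. The names oid_to_der and ec_params_choice are hypothetical.

```c
/* Added example; oid_to_der and ec_params_choice are hypothetical names. */
#include <stdlib.h>
#include <string.h>

/* Write one OID arc in base 128; every byte but the last has bit 7 set. */
static size_t put_arc(unsigned long v, unsigned char *out)
{
    unsigned char tmp[5]; size_t n = 0, i;
    do { tmp[n++] = v & 0x7f; v >>= 7; } while (v);
    for (i = 0; i < n; i++)
        out[i] = tmp[n - 1 - i] | (i + 1 < n ? 0x80 : 0);
    return n;
}

/* DER-encode a dotted OID (tag 0x06, short-form length). Returns the length,
 * or 0 on bad input. Arcs are capped at 28 bits (this example's limit). */
size_t oid_to_der(const char *dotted, unsigned char *out, size_t outlen)
{
    unsigned char body[127]; char *end;
    size_t blen = 0; int idx;
    unsigned long first = 0, arc;
    for (idx = 0;; idx++) {
        if (*dotted < '0' || *dotted > '9') return 0;
        arc = strtoul(dotted, &end, 10);
        if (arc > 0x0FFFFFFFUL || (idx == 0 && arc > 2)) return 0;
        if (idx == 0) {
            first = arc;
        } else {
            if (idx == 1 && first < 2 && arc > 39) return 0;
            if (idx == 1) arc += 40 * first;  /* arcs a.b encode as 40*a+b */
            if (blen + 5 > sizeof(body)) return 0;
            blen += put_arc(arc, body + blen);
        }
        if (*end == '\0') break;
        if (*end != '.') return 0;
        dotted = end + 1;
    }
    if (idx < 1 || blen + 2 > outlen) return 0;
    out[0] = 0x06; out[1] = (unsigned char)blen;
    memcpy(out + 2, body, blen);
    return blen + 2;
}

/* Name the arm of the Parameters CHOICE from the outer DER tag. */
const char *ec_params_choice(const unsigned char *der, size_t len)
{
    if (len < 2) return "invalid";
    return der[0] == 0x06 ? "namedCurve" : der[0] == 0x30 ? "ecParameters"
         : der[0] == 0x05 ? "implicitlyCA" : "invalid";
}
```

For 1.3.6.1.4.1.11591.9 the encoder yields the ten bytes 06 08 2B 06 01 04 01 DA 47 09.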